microsoft · stephenegriffin · Feb 6, 2026 · Feb 6, 2026 · Feb 6, 2026 · Feb 6, 2026
diff --git a/.github/workflows/clang.yml b/.github/workflows/clang.yml
@@ -19,9 +19,22 @@ jobs:
         egress-policy: audit
 
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-    - name: Run clang-format style check for C/C++ programs.
-      uses: jidicula/clang-format-action@6cd220de46c89139a0365edae93eee8eb30ca8fe # v4.16.0
-      with:
-        clang-format-version: '17'
-        exclude-regex: 'include/*'
-        fallback-style: 'Microsoft'
+
+    - name: Install clang-format
+      run: |
+        sudo apt-get update
+        sudo apt-get install -y clang-format-17
+
+    - name: Run clang-format style check
+      run: |
+        # Find all C/C++ files, excluding include directory
+        files=$(find . -type f \( -name "*.cpp" -o -name "*.h" -o -name "*.c" \) \
+          ! -path "./include/*" ! -path "./.git/*" | sort)
+
+        if [ -z "$files" ]; then
+          echo "No C/C++ files found"
+          exit 0
+        fi
+
+        # Check formatting (--dry-run -Werror exits non-zero if changes needed)
+        echo "$files" | xargs clang-format-17 --verbose --dry-run -Werror --style=file --fallback-style=Microsoft
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -15,7 +15,8 @@ permissions:
 jobs:
   analyze:
     name: Analyze (${{ matrix.language }})
-    runs-on: windows-latest
+    # Use VS 2026 preview runner (GA May 4, 2026, then switch to windows-2025)
+    runs-on: windows-2025-vs2026
     permissions:
       packages: read
       actions: read
@@ -39,9 +40,42 @@ jobs:
         with:
           submodules: 'recursive'
 
+      - name: Install Windows 11 SDK (10.0.22621.0)
+        shell: pwsh
+        run: |
+          $sdkPath = "${env:ProgramFiles(x86)}\Windows Kits\10\Include\10.0.22621.0"
+          if (Test-Path $sdkPath) {
+            Write-Host "Windows SDK 10.0.22621.0 already installed"
+            exit 0
+          }
+
+          # Download and verify installer
+          $installer = "$env:TEMP\winsdksetup.exe"
+          $expectedHash = "73FE3CC0E50D946D0C0A83A1424111E60DEE23F0803E305A8974A963B58290C0"
+          Write-Host "Downloading Windows 11 SDK 10.0.22621.0..."
+          Invoke-WebRequest -Uri "https://go.microsoft.com/fwlink/?linkid=2196241" -OutFile $installer
+
+          # Verify SHA256 hash
+          $actualHash = (Get-FileHash -Path $installer -Algorithm SHA256).Hash
+          if ($actualHash -ne $expectedHash) {
+            Write-Error "SHA256 hash mismatch! Expected: $expectedHash, Got: $actualHash"
+            exit 1
+          }
+          Write-Host "SHA256 verified: $actualHash"
+
+          # Install SDK
+          Write-Host "Installing SDK (this may take a few minutes)..."
+          $proc = Start-Process -FilePath $installer -ArgumentList "/features OptionId.DesktopCPPx64 OptionId.DesktopCPPx86 OptionId.DesktopCPParm64 /quiet /norestart /log $env:TEMP\sdk_install.log" -Wait -PassThru
+          if (!(Test-Path $sdkPath)) {
+            Get-Content "$env:TEMP\sdk_install.log" -ErrorAction SilentlyContinue | Select-Object -Last 50
+            Write-Error "Windows SDK installation failed"
-          if (!(Test-Path $sdkPath)) {
-            Get-Content "$env:TEMP\sdk_install.log" -ErrorAction SilentlyContinue | Select-Object -Last 50
-            Write-Error "Windows SDK installation failed"
+          if ($proc.ExitCode -ne 0 -or !(Test-Path $sdkPath)) {
+            Write-Host "Last 50 lines of SDK install log (if available):"
+            Get-Content "$env:TEMP\sdk_install.log" -ErrorAction SilentlyContinue | Select-Object -Last 50
+            if ($proc.ExitCode -ne 0) {
+              Write-Error "Windows SDK installer exited with code $($proc.ExitCode)."
+            } elseif (!(Test-Path $sdkPath)) {
+              Write-Error "Windows SDK installation may have failed: SDK path '$sdkPath' not found after installer completed successfully."
+            }
-          if (!(Test-Path $sdkPath)) {
-            Get-Content "$env:TEMP\sdk_install.log" -ErrorAction SilentlyContinue | Select-Object -Last 50
-            Write-Error "Windows SDK installation failed"
+          if ($proc.ExitCode -ne 0 -or !(Test-Path $sdkPath)) {
+            Write-Host "Last 50 lines of SDK install log (if available):"
+            Get-Content "$env:TEMP\sdk_install.log" -ErrorAction SilentlyContinue | Select-Object -Last 50
+            if ($proc.ExitCode -ne 0) {
+              Write-Error "Windows SDK installer exited with code $($proc.ExitCode)."
+            } elseif (!(Test-Path $sdkPath)) {
+              Write-Error "Windows SDK installation may have failed: SDK path '$sdkPath' not found after installer completed successfully."
+            }
+            exit 1
+          }
+          Write-Host "Windows SDK 10.0.22621.0 installed successfully"
+
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v3.29.5
+        uses: github/codeql-action/init@b5ebac6f4c00c8ccddb7cdcd45fdb248329f808a # v3.32.2
         with:
           languages: ${{ matrix.language }}
           build-mode: ${{ matrix.build-mode }}
@@ -53,11 +87,11 @@ jobs:
           # queries: security-extended,security-and-quality
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v3.29.5
+        uses: github/codeql-action/autobuild@b5ebac6f4c00c8ccddb7cdcd45fdb248329f808a # v3.32.2
 
       - name: Perform CodeQL Analysis
         id: analyze
-        uses: github/codeql-action/analyze@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v3.29.5
+        uses: github/codeql-action/analyze@b5ebac6f4c00c8ccddb7cdcd45fdb248329f808a # v3.32.2
         with:
           category: "/language:${{matrix.language}}"
 

diff --git a/.github/workflows/devskim.yml b/.github/workflows/devskim.yml
@@ -29,11 +29,11 @@ jobs:
         uses: microsoft/DevSkim-Action@4b5047945a44163b94642a1cecc0d93a3f428cc6 # v1.0.16
 
       - name: Upload DevSkim scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v3.29.5
+        uses: github/codeql-action/upload-sarif@b5ebac6f4c00c8ccddb7cdcd45fdb248329f808a # v3.32.2
         with:
           sarif_file: devskim-results.sarif
 
       - name: Upload DevSkim scan results as an artifact
         uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
-          path: devskim-results.sarif
+          path: devskim-results.sarif
diff --git a/.github/workflows/github-ci.yml b/.github/workflows/github-ci.yml
@@ -13,13 +13,25 @@ permissions:
 
 jobs:
   build:
-    runs-on: windows-latest
+    # Use VS 2026 preview runner (GA May 4, 2026, then switch to windows-2025)
+    runs-on: windows-2025-vs2026
     permissions:
       security-events: write
     strategy:
+      fail-fast: false
       matrix:
         configuration: [ 'Release', 'Debug', 'Release_Unicode', 'Debug_Unicode' ]
-        platform: [ 'Win32', 'x64' ]
+        platform: [ 'Win32', 'x64', 'ARM64', 'ARM64EC' ]
+        exclude:
+          # ARM64/ARM64EC only need Unicode builds
+          - platform: ARM64
+            configuration: Release
+          - platform: ARM64
+            configuration: Debug
+          - platform: ARM64EC
+            configuration: Release
+          - platform: ARM64EC
+            configuration: Debug
 
     steps:
     - name: Harden Runner
@@ -32,6 +44,39 @@ jobs:
       with:
         submodules: 'recursive'
 
+    - name: Install Windows 11 SDK (10.0.22621.0)
+      shell: pwsh
+      run: |
+        $sdkPath = "${env:ProgramFiles(x86)}\Windows Kits\10\Include\10.0.22621.0"
+        if (Test-Path $sdkPath) {
+          Write-Host "Windows SDK 10.0.22621.0 already installed"
+          exit 0
+        }
+
+        # Download and verify installer
+        $installer = "$env:TEMP\winsdksetup.exe"
+        $expectedHash = "73FE3CC0E50D946D0C0A83A1424111E60DEE23F0803E305A8974A963B58290C0"
+        Write-Host "Downloading Windows 11 SDK 10.0.22621.0..."
+        Invoke-WebRequest -Uri "https://go.microsoft.com/fwlink/?linkid=2196241" -OutFile $installer
+
+        # Verify SHA256 hash
+        $actualHash = (Get-FileHash -Path $installer -Algorithm SHA256).Hash
+        if ($actualHash -ne $expectedHash) {
+          Write-Error "SHA256 hash mismatch! Expected: $expectedHash, Got: $actualHash"
+          exit 1
+        }
+        Write-Host "SHA256 verified: $actualHash"
+
+        # Install SDK
+        Write-Host "Installing SDK (this may take a few minutes)..."
+        $proc = Start-Process -FilePath $installer -ArgumentList "/features OptionId.DesktopCPPx64 OptionId.DesktopCPPx86 OptionId.DesktopCPParm64 /quiet /norestart /log $env:TEMP\sdk_install.log" -Wait -PassThru
+        if (!(Test-Path $sdkPath)) {
+          Get-Content "$env:TEMP\sdk_install.log" -ErrorAction SilentlyContinue | Select-Object -Last 50
-        $proc = Start-Process -FilePath $installer -ArgumentList "/features OptionId.DesktopCPPx64 OptionId.DesktopCPPx86 OptionId.DesktopCPParm64 /quiet /norestart /log $env:TEMP\sdk_install.log" -Wait -PassThru
-        if (!(Test-Path $sdkPath)) {
-          Get-Content "$env:TEMP\sdk_install.log" -ErrorAction SilentlyContinue | Select-Object -Last 50
+        $logPath = Join-Path $env:TEMP "sdk_install.log"
+        $proc = Start-Process -FilePath $installer -ArgumentList "/features OptionId.DesktopCPPx64 OptionId.DesktopCPPx86 OptionId.DesktopCPParm64 /quiet /norestart /log `"$logPath`"" -Wait -PassThru
+        if ($proc.ExitCode -ne 0) {
+          Get-Content $logPath -ErrorAction SilentlyContinue | Select-Object -Last 50
+          Write-Error "Windows SDK installer exited with code $($proc.ExitCode)"
+          exit 1
+        }
+        if (!(Test-Path $sdkPath)) {
+          Get-Content $logPath -ErrorAction SilentlyContinue | Select-Object -Last 50
-        $proc = Start-Process -FilePath $installer -ArgumentList "/features OptionId.DesktopCPPx64 OptionId.DesktopCPPx86 OptionId.DesktopCPParm64 /quiet /norestart /log $env:TEMP\sdk_install.log" -Wait -PassThru
-        if (!(Test-Path $sdkPath)) {
-          Get-Content "$env:TEMP\sdk_install.log" -ErrorAction SilentlyContinue | Select-Object -Last 50
+        $logPath = Join-Path $env:TEMP "sdk_install.log"
+        $proc = Start-Process -FilePath $installer -ArgumentList "/features OptionId.DesktopCPPx64 OptionId.DesktopCPPx86 OptionId.DesktopCPParm64 /quiet /norestart /log `"$logPath`"" -Wait -PassThru
+        if ($proc.ExitCode -ne 0) {
+          Get-Content $logPath -ErrorAction SilentlyContinue | Select-Object -Last 50
+          Write-Error "Windows SDK installer exited with code $($proc.ExitCode)"
+          exit 1
+        }
+        if (!(Test-Path $sdkPath)) {
+          Get-Content $logPath -ErrorAction SilentlyContinue | Select-Object -Last 50
+          Write-Error "Windows SDK installation failed"
+          exit 1
+        }
+        Write-Host "Windows SDK 10.0.22621.0 installed successfully"
+
     - name: "Build"
       shell: pwsh
       run: |
@@ -63,4 +108,4 @@ jobs:
       - name: Publish Test Results
         uses: EnricoMi/publish-unit-test-result-action@27d65e188ec43221b20d26de30f4892fad91df2f # v2.22.0
         with:
-          files: "artifacts/**/*.trx"
+          files: "artifacts/**/*.trx"
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
@@ -71,6 +71,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v3.29.5
+        uses: github/codeql-action/upload-sarif@b5ebac6f4c00c8ccddb7cdcd45fdb248329f808a # v3.32.2
         with:
           sarif_file: results.sarif
diff --git a/.vsconfig b/.vsconfig
@@ -29,7 +29,7 @@
 		  "Microsoft.VisualStudio.Component.VC.Tools.ARM64",
 		  "Microsoft.VisualStudio.Component.VC.Tools.ARM64EC",
 		  "Microsoft.VisualStudio.Component.VC.Tools.x86.x64",
-		  "Microsoft.VisualStudio.Component.Windows10SDK.18362",
+		  "Microsoft.VisualStudio.Component.Windows11SDK.22621",
 		  "Microsoft.VisualStudio.ComponentGroup.ArchitectureTools.Native",
 		  "Microsoft.VisualStudio.ComponentGroup.NativeDesktop.Core",
 		  "Microsoft.VisualStudio.Workload.CoreEditor",

diff --git a/Directory.Build.props b/Directory.Build.props
@@ -0,0 +1,38 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project>
+  <PropertyGroup>
+    <!-- VS 2026 Toolset -->
+    <PlatformToolset>v145</PlatformToolset>
+
+    <!-- Windows 11 SDK (pinned for reproducible builds) -->
+    <WindowsTargetPlatformVersion>10.0.22621.0</WindowsTargetPlatformVersion>
+
+    <!-- Security Features (PropertyGroup level) -->
+    <!-- Note: Spectre mitigated libs may not be available for ARM64/ARM64EC -->
+    <SpectreMitigation Condition="'$(Platform)' != 'ARM64' AND '$(Platform)' != 'ARM64EC'">Spectre</SpectreMitigation>
+    <SpectreMitigation Condition="'$(Platform)' == 'ARM64' OR '$(Platform)' == 'ARM64EC'">false</SpectreMitigation>
+    <ControlFlowGuard>Guard</ControlFlowGuard>
+    <GuardEHContMetadata>true</GuardEHContMetadata>
+  </PropertyGroup>
+
+  <!-- Compiler Settings - Quality & Security Baseline -->
+  <!-- CET (Control-flow Enforcement Technology) enabled by default, disabled for ARM64/ARM64EC below -->
+  <ItemDefinitionGroup>
+    <ClCompile>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <SDLCheck>true</SDLCheck>
+      <LanguageStandard>stdcpplatest</LanguageStandard>
+    </ClCompile>
+    <Link>
+      <CETCompat>true</CETCompat>
+    </Link>
+  </ItemDefinitionGroup>
+
+  <!-- Disable CET for ARM64/ARM64EC (not supported) -->
+  <ItemDefinitionGroup Condition="'$(Platform)' == 'ARM64' OR '$(Platform)' == 'ARM64EC'">
+    <Link>
+      <CETCompat>false</CETCompat>
+    </Link>
+  </ItemDefinitionGroup>
+</Project>
diff --git a/mapistub.sln b/mapistub.sln
@@ -1,7 +1,6 @@
-
 Microsoft Visual Studio Solution File, Format Version 12.00
-# Visual Studio 15
-VisualStudioVersion = 15.0.28307.779
+# Visual Studio Version 18
+VisualStudioVersion = 18.0.0.0
 MinimumVisualStudioVersion = 10.0.40219.1
 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "mapistub", "mapistub.vcxproj", "{ACD4DD9F-0FB8-42C8-BC1C-25A5A29CB40C}"
 EndProject
@@ -15,10 +14,6 @@ Global
 		Debug|Win32 = Debug|Win32
 		Debug|ARM64 = Debug|ARM64
 		Debug|ARM64EC = Debug|ARM64EC
-		Prefast|x64 = Prefast|x64
-		Prefast|Win32 = Prefast|Win32
-		Prefast|ARM64 = Prefast|ARM64
-		Prefast|ARM64EC = Prefast|ARM64EC
 		Release_Unicode|x64 = Release_Unicode|x64
 		Release_Unicode|Win32 = Release_Unicode|Win32
 		Release_Unicode|ARM64 = Release_Unicode|ARM64
@@ -45,14 +40,6 @@ Global
 		{ACD4DD9F-0FB8-42C8-BC1C-25A5A29CB40C}.Debug|ARM64.Build.0 = Debug|ARM64
 		{ACD4DD9F-0FB8-42C8-BC1C-25A5A29CB40C}.Debug|ARM64EC.ActiveCfg = Debug|ARM64EC
 		{ACD4DD9F-0FB8-42C8-BC1C-25A5A29CB40C}.Debug|ARM64EC.Build.0 = Debug|ARM64EC
-		{ACD4DD9F-0FB8-42C8-BC1C-25A5A29CB40C}.Prefast|x64.ActiveCfg = Prefast|x64
-		{ACD4DD9F-0FB8-42C8-BC1C-25A5A29CB40C}.Prefast|x64.Build.0 = Prefast|x64
-		{ACD4DD9F-0FB8-42C8-BC1C-25A5A29CB40C}.Prefast|Win32.ActiveCfg = Prefast|Win32
-		{ACD4DD9F-0FB8-42C8-BC1C-25A5A29CB40C}.Prefast|Win32.Build.0 = Prefast|Win32
-		{ACD4DD9F-0FB8-42C8-BC1C-25A5A29CB40C}.Prefast|ARM64.ActiveCfg = Prefast|ARM64
-		{ACD4DD9F-0FB8-42C8-BC1C-25A5A29CB40C}.Prefast|ARM64.Build.0 = Prefast|ARM64
-		{ACD4DD9F-0FB8-42C8-BC1C-25A5A29CB40C}.Prefast|ARM64EC.ActiveCfg = Prefast|ARM64EC
-		{ACD4DD9F-0FB8-42C8-BC1C-25A5A29CB40C}.Prefast|ARM64EC.Build.0 = Prefast|ARM64EC
 		{ACD4DD9F-0FB8-42C8-BC1C-25A5A29CB40C}.Release_Unicode|x64.ActiveCfg = Release_Unicode|x64
 		{ACD4DD9F-0FB8-42C8-BC1C-25A5A29CB40C}.Release_Unicode|x64.Build.0 = Release_Unicode|x64
 		{ACD4DD9F-0FB8-42C8-BC1C-25A5A29CB40C}.Release_Unicode|Win32.ActiveCfg = Release_Unicode|Win32