Auditing Access

From where can we get the below documentation, please? I cannot seem to find official documentation anywhere. The below are the event 4656 access mappings:

1537 DELETE 
1538 READ_CONTROL
1539 WRITE_DAC 
1540 WRITE_OWNER
1541 SYNCHRONIZE
1542 ACCESS_SYS_SEC


September 10th, 2015 3:39am

Hi scitech,

Thank you for your question.

The codes which you list are high-level generic codes; we could refer to the following link:

https://social.technet.microsoft.com/Forums/windows/en-US/0ec39516-5dcc-4453-9761-c1f94439a1cc/windows-7-security-audit-logs-how-do-i-translate-4421-1537-and-other-xxxx-data-fields?forum=w7itprosecurity 

If there are any questions regarding this issue, please be free to let me know.

Best Regards,

Jim
September 11th, 2015 4:20am

Can you please help me to understand how to translate these codes, or where to get them from? Where are they defined? In which documentation? And how do I map them to the access bit mask?
September 11th, 2015 5:20am

How do you translate the below hex to the decimal values earlier in the thread:

Source (https://msdn.microsoft.com/en-us/library/aa446632%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396)

My PC: Windows 8.1 64-bit
winnt.h file location: C:\Program Files (x86)\Windows Kits\8.1\Include\um\winnt.h


#define DELETE                    (0x00010000L)
#define READ_CONTROL              (0x00020000L)
#define WRITE_DAC                 (0x00040000L)
#define WRITE_OWNER               (0x00080000L)
#define SYNCHRONIZE               (0x00100000L)

#define STANDARD_RIGHTS_REQUIRED  (0x000F0000L)
#define STANDARD_RIGHTS_READ      (READ_CONTROL)
#define STANDARD_RIGHTS_WRITE     (READ_CONTROL)
#define STANDARD_RIGHTS_EXECUTE   (READ_CONTROL)
#define STANDARD_RIGHTS_ALL       (0x001F0000L)

For example, DELETE 0x00010000L is 1537. How do you translate that hex to 1537, and the rest, please?

September 11th, 2015 5:25am

Long story short: do not use those codes to find out what means what. Use Access Mask, which is (badly) documented, but there's everything. If you want more information, see this answer of mine: https://social.technet.microsoft.com/Forums/en-US/541bad5d-19eb-4de5-8ef7-1b144f0b6113/translate-xxxx-values-in-events?forum=w7itprosecurity
September 11th, 2015 6:32pm
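The practical consequence of that answer, as an added example that is not part of this thread: decode the Access Mask of a 4656 event bit by bit against the winnt.h values pasted earlier, and treat the %%15xx values only as a lookup table for display strings, not as anything derived arithmetically from the hex. The ACCESS_SYS_SEC bit value (0x01000000, ACCESS_SYSTEM_SECURITY in winnt.h) and the sample event text are supplied here, not taken from the thread.

```python
# Added example: decode the "Access Mask" and "Accesses" fields of a Windows
# security event 4656. Not code from the thread; SAMPLE_EVENT is constructed.
import re
from typing import Dict, List, Tuple

# Standard rights bit values from winnt.h, as pasted earlier in the thread.
# ACCESS_SYS_SEC is not in that paste; 0x01000000 is ACCESS_SYSTEM_SECURITY in winnt.h.
STANDARD_RIGHTS: Dict[str, int] = {
    "DELETE":         0x00010000,
    "READ_CONTROL":   0x00020000,
    "WRITE_DAC":      0x00040000,
    "WRITE_OWNER":    0x00080000,
    "SYNCHRONIZE":    0x00100000,
    "ACCESS_SYS_SEC": 0x01000000,
}

# The %%15xx values listed at the top of the thread: a lookup table of display
# string IDs, not a transform of the bit values above.
DISPLAY_CODE: Dict[int, str] = {
    1537: "DELETE", 1538: "READ_CONTROL", 1539: "WRITE_DAC",
    1540: "WRITE_OWNER", 1541: "SYNCHRONIZE", 1542: "ACCESS_SYS_SEC",
}

def decode_access_mask(mask: int) -> Tuple[List[str], int]:
    """Return (standard-right names set in mask, leftover object-specific bits)."""
    names = [name for name, bit in STANDARD_RIGHTS.items() if mask & bit]
    leftover = mask & ~sum(STANDARD_RIGHTS.values())
    return names, leftover

def decode_access_list(field: str) -> List[str]:
    """Translate '%%NNNN' tokens of the Accesses field; unknown IDs stay as '%%NNNN'."""
    return [DISPLAY_CODE.get(int(c), f"%%{c}") for c in re.findall(r"%%(\d+)", field)]

# Constructed sample of the two relevant fields as rendered in the event text.
SAMPLE_EVENT = """Access Request Information:
    Accesses:      %%1537
                   %%4421
    Access Mask:   0x10080"""

def analyse_event(text: str) -> Dict[str, object]:
    """Pull both fields out of the event text and decode them side by side."""
    mask = int(re.search(r"Access Mask:\s*0x([0-9A-Fa-f]+)", text).group(1), 16)
    accesses = re.search(r"Accesses:\s*((?:%%\d+\s*)+)", text).group(1)
    names, leftover = decode_access_mask(mask)
    return {"mask": mask, "standard": names, "specific_bits": leftover,
            "access_list": decode_access_list(accesses)}

if __name__ == "__main__":
    print(analyse_event(SAMPLE_EVENT))
```

Bits left in `specific_bits` are object-type-specific rights (file, registry key, and so on) and need that object's own rights table; the standard rights above are the only part that is common to every object type.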

Hi scitech,

You could redirect this case to Windows MSDN to get an answer.

If there are any questions regarding this issue, please be free to let me know.

Best Regards,

Jim
September 12th, 2015 2:01am
