Auditing Access
Where can we get the documentation below, please? I cannot seem to find official documentation anywhere. The values below are the event 4656 access mappings:
1537 DELETE
1538 READ_CONTROL
1539 WRITE_DAC
1540 WRITE_OWNER
1541 SYNCHRONIZE
1542 ACCESS_SYS_SEC
September 10th, 2015 3:39am
Hi scitech,
Thank you for your question.
The codes you list are high-level generic codes; we could refer to the following link:
https://social.technet.microsoft.com/Forums/windows/en-US/0ec39516-5dcc-4453-9761-c1f94439a1cc/windows-7-security-audit-logs-how-do-i-translate-4421-1537-and-other-xxxx-data-fields?forum=w7itprosecurity
If there are any questions regarding this issue, please feel free to let me know.
Best Regards,
Jim
September 11th, 2015 4:20am
Can you please help me to understand how to translate these codes, or where to get them? Where are they defined? In which documentation? And how do I map them to the access bit mask?
September 11th, 2015 5:20am
How do you translate the hex values below to the decimal values earlier in the thread:
Source (https://msdn.microsoft.com/en-us/library/aa446632%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396)
My PC: Windows 8.1 64-bit
winnt.h file location: C:\Program Files (x86)\Windows Kits\8.1\Include\um\winnt.h
#define DELETE (0x00010000L)
#define READ_CONTROL (0x00020000L)
#define WRITE_DAC (0x00040000L)
#define WRITE_OWNER (0x00080000L)
#define SYNCHRONIZE (0x00100000L)
#define STANDARD_RIGHTS_REQUIRED (0x000F0000L)
#define STANDARD_RIGHTS_READ (READ_CONTROL)
#define STANDARD_RIGHTS_WRITE (READ_CONTROL)
#define STANDARD_RIGHTS_EXECUTE (READ_CONTROL)
#define STANDARD_RIGHTS_ALL (0x001F0000L)
For example, DELETE 0x00010000L is 1537; how do you translate that hex to 1537 and the rest, please?
September 11th, 2015 5:25am
Long story short: do not use those codes to find out what means what. Use Access Mask, which is (badly) documented, but there's everything. If you want more information, see this answer of mine: https://social.technet.microsoft.com/Forums/en-US/541bad5d-19eb-4de5-8ef7-1b144f0b6113/translate-xxxx-values-in-events?forum=w7itprosecurity
September 11th, 2015 6:32pm
Hi scitech,
You could redirect this case to Windows MSDN to get an answer.
If there are any questions regarding this issue, please feel free to let me know.
Best Regards,
Jim
September 12th, 2015 2:01am