While looking through security audit logs, certain event types have fields with "%%xxxx" instead of a human readable fields. An example of this is (from PowerShell) the following output from a 4663 event type. Note that Accesses has a field of %%4421 instead of an expected human readable form like DELETE or WriteData, as in the examples in http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4663
"4663","IE11Win7","System.Byte[]","137219","(12800)","12800","SuccessAudit","An
attempt was made to access an object.
Subject:
Security ID: S-1-5-21-3463664321-2923530833-3546627382-1000
Account Name: IEUser
Account Domain: IE11WIN7
Logon ID: 0x18da2
Object:
Object Server: Security
Object Type: File
Object Name: C:\Windows\System32\IPHLPAPI.DLL
Handle ID: 0x20c
Process Information:
Process ID: 0x648
Process Name: C:\Windows\odb.exe
Access Request Information:
Accesses: %%4421
Access Mask: 0x20","Microsoft-Windows-Security-Auditing","System.String[]","46
63","8/21/2014 2:00:20 PM","8/21/2014 2:00:20 PM"
Looking at the events from the Event Viewer gui has the same information (%%4421). These sort of fields show up elsewhere also, such as in event 4688 in the Token Elevation Type field, I get %%1936 instead of the expected Type 1 or Type 2 or Type 3. Is there any way to translate these %% values into something human readable, or is there a problem with my audit logs that is fixable in another way?