Windows 7 Security Audit Logs - How do I translate %%4421, %%1537 and other %%xxxx data fields?

While looking through security audit logs, certain event types have fields with "%%xxxx" instead of human-readable text. An example of this is the following output (from PowerShell) for a 4663 event. Note that Accesses has a value of %%4421 instead of the expected human-readable form like DELETE or WriteData, as in the examples at http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4663

"4663","IE11Win7","System.Byte[]","137219","(12800)","12800","SuccessAudit","An attempt was made to access an object.

Subject:
    Security ID:        S-1-5-21-3463664321-2923530833-3546627382-1000
    Account Name:       IEUser
    Account Domain:     IE11WIN7
    Logon ID:       0x18da2

Object:
    Object Server:  Security
    Object Type:    File
    Object Name:    C:\Windows\System32\IPHLPAPI.DLL
    Handle ID:  0x20c

Process Information:
    Process ID: 0x648
    Process Name:   C:\Windows\odb.exe

Access Request Information:
    Accesses:   %%4421
    Access Mask:    0x20","Microsoft-Windows-Security-Auditing","System.String[]","4663","8/21/2014 2:00:20 PM","8/21/2014 2:00:20 PM"

Looking at the events in the Event Viewer GUI shows the same information (%%4421). These sorts of fields show up elsewhere too, such as in event 4688 in the Token Elevation Type field, where I get %%1936 instead of the expected Type 1, Type 2 or Type 3. Is there any way to translate these %% values into something human-readable, or is there a problem with my audit logs that is fixable in another way?

September 5th, 2014 1:48pm

Hi,

Here is what I can find on the relationship between these codes and access rights:

High level Generic Codes

1537 DELETE 
1538 READ_CONTROL
1539 WRITE_DAC 
1540 WRITE_OWNER
1541 SYNCHRONIZE
1542 ACCESS_SYS_SEC

File codes

4416 ReadData
4417 WriteData
4418 AppendData
4419 ReadEA
4420 WriteEA
4421 Execute/Traverse
4422 
4423 ReadAttributes
4424 WriteAttributes


Registry Codes

4432 Query Key Value
4433 Set Key Value
4434 Create Sub Key
4435 Enumerate sub-keys
4436 Notify about changes to keys
4437 Create Link

As far as I know, the access rights are defined by the system. An access right is a bit flag that corresponds to a particular set of operations that a thread can perform on a securable object. For example, a registry key has the KEY_SET_VALUE access right, which corresponds to the ability of a thread to set a value under the key. If a thread tries to perform an operation on an object but does not have the necessary access right to the object, the system does not carry out the operation.

And there are some standard values and generic values:

Generic Access Rights
http://msdn.microsoft.com/en-us/library/aa446632(v=vs.85).aspx

Standard Access Rights
http://msdn.microsoft.com/en-us/library/aa379607.aspx

The Windows API provides functions enabling an administrator to monitor security-related events.

The security descriptor for a securable object can have a system access control list (SACL). A SACL contains access control entries (ACEs) that specify the types of access attempts that generate audit reports. Each ACE identifies a trustee, a set of access rights, and a set of flags that indicate whether the system generates audit messages for failed access attempts, successful access attempts, or both.

The system writes audit messages to the security event log.

September 8th, 2014 9:58am
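The table above is enough to do the translation yourself. What follows is an added example, not code from the thread, assuming PowerShell 3.0 or later: it substitutes the %%NNNN codes in a message using that table, and decodes the Access Mask of a File event into the same codes as a consistency check, since for File objects each code lines up with one access-mask bit (FILE_READ_DATA 0x1 is 4416, FILE_EXECUTE 0x20 is 4421, DELETE 0x10000 is 1537, and so on). The function names, the sample message and the 1936-1938 entries are additions here.

```powershell
# Lookup table taken from the answer above. 4422 is left out because the
# answer leaves its name blank. The three 4688 token-elevation codes
# (1936-1938) are NOT from the thread; they are an assumption added here,
# so verify them on your own system before relying on them.
$AuditParam = @{
    1537 = 'DELETE';          1538 = 'READ_CONTROL';   1539 = 'WRITE_DAC'
    1540 = 'WRITE_OWNER';     1541 = 'SYNCHRONIZE';    1542 = 'ACCESS_SYS_SEC'
    4416 = 'ReadData';        4417 = 'WriteData';      4418 = 'AppendData'
    4419 = 'ReadEA';          4420 = 'WriteEA';        4421 = 'Execute/Traverse'
    4423 = 'ReadAttributes';  4424 = 'WriteAttributes'
    4432 = 'Query Key Value'; 4433 = 'Set Key Value';  4434 = 'Create Sub Key'
    4435 = 'Enumerate sub-keys'; 4436 = 'Notify about changes to keys'; 4437 = 'Create Link'
    1936 = 'TokenElevationTypeDefault (1)'   # assumed, see note above
    1937 = 'TokenElevationTypeFull (2)'      # assumed
    1938 = 'TokenElevationTypeLimited (3)'   # assumed
}

# Access-mask bit -> %%code for File objects. The Win32 file-specific rights
# run FILE_READ_DATA 0x1 .. FILE_WRITE_ATTRIBUTES 0x100 and the standard
# rights DELETE 0x10000 .. SYNCHRONIZE 0x100000 plus ACCESS_SYSTEM_SECURITY
# 0x1000000; the %%codes follow the same bit order.
$FileMaskCode = @{
    0x1 = 4416; 0x2 = 4417; 0x4 = 4418; 0x8 = 4419; 0x10 = 4420
    0x20 = 4421; 0x40 = 4422; 0x80 = 4423; 0x100 = 4424
    0x10000 = 1537; 0x20000 = 1538; 0x40000 = 1539; 0x80000 = 1540
    0x100000 = 1541; 0x1000000 = 1542
}

function Expand-AuditParameter {
    # Replace every %%NNNN whose code is in the table. Unknown codes are left
    # as they are, so a gap in the table stays visible instead of being hidden.
    param(
        [Parameter(Mandatory)][string]$Message,
        [hashtable]$Table = $AuditParam
    )
    $out  = New-Object System.Text.StringBuilder
    $last = 0
    foreach ($m in [regex]::Matches($Message, '%%(\d+)')) {
        [void]$out.Append($Message.Substring($last, $m.Index - $last))
        $code = [int]$m.Groups[1].Value
        if ($Table.ContainsKey($code)) { [void]$out.Append($Table[$code]) }
        else                           { [void]$out.Append($m.Value) }
        $last = $m.Index + $m.Length
    }
    [void]$out.Append($Message.Substring($last))
    $out.ToString()
}

function ConvertFrom-FileAccessMask {
    # Decode the Access Mask of a File 4663 event into the %%codes (and names)
    # that its Accesses field should list; one object per set bit.
    param([Parameter(Mandatory)][uint32]$Mask)
    foreach ($flag in ($FileMaskCode.Keys | Sort-Object)) {
        if ($Mask -band $flag) {
            $code = $FileMaskCode[$flag]
            $name = '(not in table)'
            if ($AuditParam.ContainsKey($code)) { $name = $AuditParam[$code] }
            [pscustomobject]@{ Flag = ('0x{0:X}' -f $flag); Code = "%%$code"; Name = $name }
        }
    }
}

# Constructed sample: the 4663 body from the question, cut to the lines used here.
$sample = @"
An attempt was made to access an object.

Object:
    Object Type:    File
    Object Name:    C:\Windows\System32\IPHLPAPI.DLL

Process Information:
    Process Name:   C:\Windows\odb.exe

Access Request Information:
    Accesses:   %%4421
    Access Mask:    0x20
"@

# 1. Translate the placeholders in the message text.
Expand-AuditParameter -Message $sample

# 2. Cross-check: the mask logged in the same event must decode to the same codes.
$mask = [Convert]::ToUInt32([regex]::Match($sample, 'Access Mask:\s*0x([0-9A-Fa-f]+)').Groups[1].Value, 16)
ConvertFrom-FileAccessMask -Mask $mask

# 3. The same function handles the 4688 Token Elevation Type placeholder.
Expand-AuditParameter -Message 'Token Elevation Type: %%1936'
```

For the sample, the 0x20 mask has exactly one bit set, FILE_EXECUTE, which is the bit the table assigns to 4421 (Execute/Traverse), so the Accesses field and the Access Mask agree. Running the same check over a batch of exported events is a cheap way to catch a typo in a hand-built table: any event where the decoded mask and the %%codes disagree points at a wrong entry. Registry events use a different bit layout, so the mask decoder above applies to File objects only.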

Where can we get the documentation for the list below, please? I cannot seem to find official documentation anywhere.

1537 DELETE 
1538 READ_CONTROL
1539 WRITE_DAC 
1540 WRITE_OWNER
1541 SYNCHRONIZE
1542 ACCESS_SYS_SEC


September 10th, 2015 3:31am
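Those strings are not in a document; they are message-table resources in the Security auditing provider's parameter message file, msobjs.dll under System32, which the event renderer substitutes for %%NNNN when it can. You can read them from the DLL directly. The following is an added example, not code from the thread, assuming PowerShell 3.0 or later on Windows; Get-AuditParameterFile and Resolve-AuditParameter are names chosen here, and the text that comes back is in the system's UI language (the strings live in the DLL's .mui resource).

```powershell
# P/Invoke wrappers for the two calls needed: map the DLL and pull a message
# by ID out of its message table. Add-Type supplies the using directives.
$Win32 = Add-Type -Namespace AuditDecode -Name MsgTable -PassThru -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr LoadLibraryEx(string lpFileName, IntPtr hFile, uint dwFlags);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool FreeLibrary(IntPtr hModule);

[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint FormatMessage(uint dwFlags, IntPtr lpSource, uint dwMessageId,
    uint dwLanguageId, System.Text.StringBuilder lpBuffer, uint nSize, IntPtr Arguments);
'@

$LOAD_LIBRARY_AS_DATAFILE       = 0x2
$LOAD_LIBRARY_AS_IMAGE_RESOURCE = 0x20
$FORMAT_MESSAGE_FROM_HMODULE    = 0x800
$FORMAT_MESSAGE_IGNORE_INSERTS  = 0x200

function Get-AuditParameterFile {
    # Ask the provider metadata where its parameter strings live; fall back to
    # msobjs.dll under System32 if the provider is not registered on this box.
    $p = Get-WinEvent -ListProvider 'Microsoft-Windows-Security-Auditing' -ErrorAction SilentlyContinue
    if ($p -and $p.ParameterFilePath) {
        return [Environment]::ExpandEnvironmentVariables($p.ParameterFilePath)
    }
    Join-Path $env:SystemRoot 'System32\msobjs.dll'
}

function Resolve-AuditParameter {
    param(
        [Parameter(Mandatory)][uint32[]]$Code,
        [string]$MessageFile = (Get-AuditParameterFile)
    )
    # Map the DLL as a resource-only image: no code in it runs, so a copy of
    # msobjs.dll taken from the machine that produced an exported log can be
    # pointed at just as safely as the local one.
    $h = $Win32::LoadLibraryEx($MessageFile, [IntPtr]::Zero,
                               $LOAD_LIBRARY_AS_DATAFILE -bor $LOAD_LIBRARY_AS_IMAGE_RESOURCE)
    if ($h -eq [IntPtr]::Zero) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "LoadLibraryEx($MessageFile) failed, Win32 error $err"
    }
    try {
        $buf = New-Object System.Text.StringBuilder 1024
        foreach ($id in $Code) {
            $buf.Length = 0
            $n = $Win32::FormatMessage($FORMAT_MESSAGE_FROM_HMODULE -bor $FORMAT_MESSAGE_IGNORE_INSERTS,
                                       $h, $id, 0, $buf, $buf.Capacity, [IntPtr]::Zero)
            # FormatMessage returns 0 when the ID has no entry; report that as
            # $null rather than inventing a name for it.
            $text = $null
            if ($n -gt 0) { $text = $buf.ToString().TrimEnd("`r", "`n") }
            [pscustomobject]@{ Code = "%%$id"; Text = $text }
        }
    } finally {
        [void]$Win32::FreeLibrary($h)
    }
}

# The codes asked about in this thread: the six standard rights, the File
# right from the 4663 sample, and the 4688 elevation type.
Resolve-AuditParameter -Code 1537, 1538, 1539, 1540, 1541, 1542, 4421, 1936

# Rebuild the File range of the table posted above from the DLL itself,
# which also fills in the 4422 entry the answer left blank.
Resolve-AuditParameter -Code (4416..4424)
```

Because the lookup is done against a file you choose, this also works on an analysis workstation: copy msobjs.dll from the system that produced the .evtx and pass it as -MessageFile, and the codes resolve to the wording that system's Event Viewer would have shown. If an ID returns $null, it simply has no string in that DLL version; leave the %%code in place rather than guessing.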
