the details of eventid:560 is not correct in Chinese OS (Windows XP, Windows server 2003/2008, Windows vista/7)
In Windows XP, Windows server 2003/2008, Windows vista/7 Chinese editin, when I use event viewer to check the details of event 560, the access mask always be 0. following is the details shown in Chinese OS: : : Security : File : C:\shared\new folder\QQQ.txt ID: - ID: {0,716204} ID: 3168 : C:\WINDOWS\system32\notepad.exe : Administrator : ADAP ID: (0x0,0x22530) : - : - ID: - : - : READ_CONTROL SYNCHRONIZE ReadData ( ListDirectory) ReadEA ReadAttributes Sid : - : 0 (This means "Access Mask", it always be 0) Following are same event data display in English OS: Object Open: Object Server: Security Object Type: File Object Name: C:\shared\new folder\QQQ.txt Handle ID: - Operation ID: {0,716204} Process ID: 3168 Image File Name: C:\WINDOWS\system32\notepad.exe Primary User Name: Administrator Primary Domain: ADAP Primary Logon ID: (0x0,0x22530) Client User Name: - Client Domain: - Client Logon ID: - Accesses: READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) ReadEA ReadAttributes Privileges: - Restricted Sid Count: 0 Access Mask: 0x120089 You will see the Access Mask is not 0. I found in Chinese OS, from the "Accesses" Entries, its values are not correct!!! Please check this and give me a hotfix. Thanks & Regards,
October 13th, 2011 2:49am

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics