The details of event ID 560 are not correct in the Chinese OS (Windows XP, Windows Server 2003/2008, Windows Vista/7)
In the Chinese edition of Windows XP, Windows Server 2003/2008, and Windows Vista/7, when I use Event Viewer to check the details of event 560, the access mask is always 0.
The following are the details shown in the Chinese OS:
:
: Security
: File
: C:\shared\new folder\QQQ.txt
ID: -
ID: {0,716204}
ID: 3168
: C:\WINDOWS\system32\notepad.exe
: Administrator
: ADAP
ID: (0x0,0x22530)
: -
: -
ID: -
: -
: READ_CONTROL
SYNCHRONIZE
ReadData ( ListDirectory)
ReadEA
ReadAttributes
Sid : -
: 0 (This means "Access Mask"; it is always 0)
The following is the same event data displayed in the English OS:
Object Open:
Object Server: Security
Object Type: File
Object Name: C:\shared\new folder\QQQ.txt
Handle ID: -
Operation ID: {0,716204}
Process ID: 3168
Image File Name: C:\WINDOWS\system32\notepad.exe
Primary User Name: Administrator
Primary Domain: ADAP
Primary Logon ID: (0x0,0x22530)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses: READ_CONTROL
SYNCHRONIZE
ReadData (or ListDirectory)
ReadEA
ReadAttributes
Privileges: -
Restricted Sid Count: 0
Access Mask: 0x120089
You will see the Access Mask is not 0.
I found that in the Chinese OS, from the "Accesses" entries, its values are not correct!!!
Please check this and give me a hotfix.
Thanks & Regards,
October 13th, 2011 2:49am
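
An added example, not part of the original post: a Python check that rebuilds the file access mask from the "Accesses" names of event 560 and compares it with the mask the event reports, so a log pipeline can flag records like the Chinese-OS one above. The function names are hypothetical, the bit values are the standard file access rights from winnt.h, and the two sample lists are copied from the event dumps in the post.

```python
# File-object access rights (winnt.h values), keyed by the name that event 560
# prints in its Accesses list. Only the text before any "(" is used as the key,
# so "ReadData (or ListDirectory)" and "ReadData ( ListDirectory)" both match.
FILE_ACCESS_BITS = {
    "ReadData": 0x1, "WriteData": 0x2, "AppendData": 0x4,
    "ReadEA": 0x8, "WriteEA": 0x10, "Execute/Traverse": 0x20,
    "DeleteChild": 0x40, "ReadAttributes": 0x80, "WriteAttributes": 0x100,
    "DELETE": 0x10000, "READ_CONTROL": 0x20000, "WRITE_DAC": 0x40000,
    "WRITE_OWNER": 0x80000, "SYNCHRONIZE": 0x100000,
    "ACCESS_SYS_SEC": 0x1000000,
}
KNOWN_BITS = sum(FILE_ACCESS_BITS.values())  # all bits are distinct

def mask_from_accesses(entries):
    """Rebuild the mask from Accesses lines; return (mask, unknown_names)."""
    mask, unknown = 0, []
    for entry in entries:
        name = entry.split("(", 1)[0].strip()
        if not name:
            continue
        bit = FILE_ACCESS_BITS.get(name)
        if bit is None:
            unknown.append(name)
        else:
            mask |= bit
    return mask, unknown

def names_from_mask(mask):
    """Decode a mask into access names; return (names, undecoded_bits)."""
    names = [n for n, b in FILE_ACCESS_BITS.items() if mask & b]
    return names, mask & ~KNOWN_BITS

def check_event(entries, reported_mask):
    """Compare the reported Access Mask with the one implied by Accesses."""
    rebuilt, unknown = mask_from_accesses(entries)
    return {"rebuilt": rebuilt, "reported": reported_mask, "unknown": unknown,
            "consistent": rebuilt == reported_mask and not unknown}

# Accesses lines as they appear in the two dumps in the post.
ENGLISH_ACCESSES = ["READ_CONTROL", "SYNCHRONIZE",
                    "ReadData (or ListDirectory)", "ReadEA", "ReadAttributes"]
CHINESE_ACCESSES = ["READ_CONTROL", "SYNCHRONIZE",
                    "ReadData ( ListDirectory)", "ReadEA", "ReadAttributes"]

if __name__ == "__main__":
    for label, acc, mask in (("English", ENGLISH_ACCESSES, 0x120089),
                             ("Chinese", CHINESE_ACCESSES, 0x0)):
        r = check_event(acc, mask)
        print(label, hex(r["rebuilt"]), hex(r["reported"]), r["consistent"])
```
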