Windows 7 Security Audit Logs - How do I translate %%4421, %%1537 and other %%xxxx data fields?

    Question

  • While looking through security audit logs, certain event types have fields with "%%xxxx" instead of human-readable fields. An example of this is (from PowerShell) the following output from a 4663 event type. Note that Accesses has a field of %%4421 instead of an expected human-readable form like DELETE or WriteData, as in the examples in http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4663

    "4663","IE11Win7","System.Byte[]","137219","(12800)","12800","SuccessAudit","An
     attempt was made to access an object.
    Subject:
        Security ID:        S-1-5-21-3463664321-2923530833-3546627382-1000
        Account Name:       IEUser
        Account Domain:     IE11WIN7
        Logon ID:       0x18da2
    Object:
        Object Server:  Security
        Object Type:    File
        Object Name:    C:\Windows\System32\IPHLPAPI.DLL
        Handle ID:  0x20c
    Process Information:
        Process ID: 0x648
        Process Name:   C:\Windows\odb.exe
    Access Request Information:
        Accesses:   %%4421
        Access Mask:    0x20","Microsoft-Windows-Security-Auditing","System.String[]","46
    63","8/21/2014 2:00:20 PM","8/21/2014 2:00:20 PM"

    Looking at the events in the Event Viewer GUI shows the same information (%%4421). These sorts of fields show up elsewhere also, such as in event 4688 in the Token Elevation Type field, where I get %%1936 instead of the expected Type 1, Type 2 or Type 3. Is there any way to translate these %% values into something human readable, or is there a problem with my audit logs that is fixable in another way?

    Friday, September 5, 2014 1:48 PM

Answers

  • Hi,

    Here is what I can find on the relationship between these codes and access rights:

    High level Generic Codes

    1537 DELETE 
    1538 READ_CONTROL
    1539 WRITE_DAC 
    1540 WRITE_OWNER
    1541 SYNCHRONIZE
    1542 ACCESS_SYS_SEC

    File codes

    4416 ReadData
    4417 WriteData
    4418 AppendData
    4419 ReadEA
    4420 WriteEA
    4421 Execute/Traverse
    4422 
    4423 ReadAttributes
    4424 WriteAttributes


    Registry Codes

    4432 Query Key Value
    4433 Set Key Value
    4434 Create Sub Key
    4435 Enumerate sub-keys
    4436 Notify about changes to keys
    4437 Create Link

    As far as I know, the access rights are defined in the system. An access right is a bit flag that corresponds to a particular set of operations that a thread can perform on a securable object. For example, a registry key has the KEY_SET_VALUE access right, which corresponds to the ability of a thread to set a value under the key. If a thread tries to perform an operation on an object, but does not have the necessary access right to the object, the system does not carry out the operation.

    And there are some standard values and generic values:

    Generic Access Rights
    http://msdn.microsoft.com/en-us/library/aa446632(v=vs.85).aspx

    Standard Access Rights
    http://msdn.microsoft.com/en-us/library/aa379607.aspx

    The Windows API provides functions enabling an administrator to monitor security-related events.

    The security descriptor for a securable object can have a system access control list (SACL). A SACL contains access control entries (ACEs) that specify the types of access attempts that generate audit reports. Each ACE identifies a trustee, a set of access rights, and a set of flags that indicate whether the system generates audit messages for failed access attempts, successful access attempts, or both.

    The system writes audit messages to the security event log.


    Kate Li
    TechNet Community Support


    Monday, September 8, 2014 9:58 AM
    Owner
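As an added example (not code from the thread or from Microsoft), the following Python script applies the code table from the answer above to a 4663 message: it resolves the %%NNNN placeholders, decodes the Access Mask into its Win32 bit names, and cross-checks that every named right actually has its bit set in the mask, which is a cheap sanity check before feeding the parsed event into a detection rule. The mask bit values and the 4688 Token Elevation Type codes (1936 to 1938) are assumptions taken from the Win32 headers and Microsoft's event 4688 documentation rather than from the thread; the sample message is constructed from the event quoted in the question.

```python
import re

# Placeholder -> name, exactly as listed in the answer above (page data). The page
# leaves 4422 blank, so it is deliberately not mapped here.
STANDARD_CODES = {
    1537: "DELETE", 1538: "READ_CONTROL", 1539: "WRITE_DAC",
    1540: "WRITE_OWNER", 1541: "SYNCHRONIZE", 1542: "ACCESS_SYS_SEC",
}
FILE_CODES = {
    4416: "ReadData", 4417: "WriteData", 4418: "AppendData", 4419: "ReadEA",
    4420: "WriteEA", 4421: "Execute/Traverse", 4423: "ReadAttributes",
    4424: "WriteAttributes",
}
REGISTRY_CODES = {
    4432: "Query Key Value", 4433: "Set Key Value", 4434: "Create Sub Key",
    4435: "Enumerate sub-keys", 4436: "Notify about changes to keys",
    4437: "Create Link",
}
# Event 4688 "Token Elevation Type" placeholders: assumption taken from
# Microsoft's documentation of event 4688, not from the thread above.
TOKEN_ELEVATION_CODES = {
    1936: "TokenElevationTypeDefault (Type 1)",
    1937: "TokenElevationTypeFull (Type 2)",
    1938: "TokenElevationTypeLimited (Type 3)",
}
CODE_NAMES = {**STANDARD_CODES, **FILE_CODES, **REGISTRY_CODES, **TOKEN_ELEVATION_CODES}

# Placeholder -> access-mask bit, assumption taken from the Win32 headers
# (winnt.h); the placeholder numbering follows the bit order of the mask.
CODE_BITS = {
    4416: 0x1, 4417: 0x2, 4418: 0x4, 4419: 0x8, 4420: 0x10, 4421: 0x20,
    4423: 0x80, 4424: 0x100,
    1537: 0x10000, 1538: 0x20000, 1539: 0x40000, 1540: 0x80000,
    1541: 0x100000, 1542: 0x1000000,
}
# Bit -> Win32 constant name (winnt.h) for the bits a file-object mask can carry.
MASK_BIT_NAMES = [
    (0x1, "FILE_READ_DATA"), (0x2, "FILE_WRITE_DATA"), (0x4, "FILE_APPEND_DATA"),
    (0x8, "FILE_READ_EA"), (0x10, "FILE_WRITE_EA"), (0x20, "FILE_EXECUTE"),
    (0x40, "FILE_DELETE_CHILD"), (0x80, "FILE_READ_ATTRIBUTES"),
    (0x100, "FILE_WRITE_ATTRIBUTES"), (0x10000, "DELETE"), (0x20000, "READ_CONTROL"),
    (0x40000, "WRITE_DAC"), (0x80000, "WRITE_OWNER"), (0x100000, "SYNCHRONIZE"),
    (0x1000000, "ACCESS_SYSTEM_SECURITY"),
]

PLACEHOLDER = re.compile(r"%%(\d+)")


def resolve_placeholders(text):
    """Replace every %%NNNN in text with its name; unknown codes are left as-is."""
    return PLACEHOLDER.sub(lambda m: CODE_NAMES.get(int(m.group(1)), m.group(0)), text)


def decode_access_mask(mask):
    """Name each bit set in an access mask; unmapped bits are reported as hex."""
    names = [name for bit, name in MASK_BIT_NAMES if mask & bit]
    leftover = mask & ~sum(bit for bit, _ in MASK_BIT_NAMES)
    if leftover:
        names.append(f"0x{leftover:x}")
    return names


def parse_fields(message):
    """Turn the 'Key:  value' lines of an audit message into a dict. Lines without
    a key (the extra %%NNNN lines under 'Accesses' when several rights were
    requested) are appended to the previous key so no code is lost."""
    fields, last = {}, None
    for raw in message.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if sep and key.replace(" ", "").isalpha():
            last = key.strip()
            fields[last] = value.strip()
        elif last is not None:
            fields[last] = (fields[last] + " " + line).strip()
    return fields


def summarize_4663(message):
    """Resolve the Accesses placeholders of a 4663 message and cross-check them
    against the Access Mask, so a parsed event can be tested for consistency."""
    f = parse_fields(message)
    codes = [int(c) for c in PLACEHOLDER.findall(f.get("Accesses", ""))]
    mask = int(f.get("Access Mask", "0"), 16)
    return {
        "account": f.get("Account Name"),
        "process": f.get("Process Name"),
        "object": f.get("Object Name"),
        "accesses": [CODE_NAMES.get(c, f"%%{c}") for c in codes],
        "access_mask": decode_access_mask(mask),
        # every named right should have its bit set in the mask
        "mask_consistent": all(mask & CODE_BITS.get(c, 0) for c in codes),
    }


# Constructed sample: the message text of the 4663 event quoted in the question.
SAMPLE_4663 = (
    "An attempt was made to access an object.\n\n"
    "Subject:\n"
    "\tSecurity ID:\t\tS-1-5-21-3463664321-2923530833-3546627382-1000\n"
    "\tAccount Name:\t\tIEUser\n"
    "\tAccount Domain:\t\tIE11WIN7\n"
    "\tLogon ID:\t\t0x18da2\n\n"
    "Object:\n"
    "\tObject Server:\tSecurity\n"
    "\tObject Type:\tFile\n"
    "\tObject Name:\tC:\\Windows\\System32\\IPHLPAPI.DLL\n"
    "\tHandle ID:\t0x20c\n\n"
    "Process Information:\n"
    "\tProcess ID:\t0x648\n"
    "\tProcess Name:\tC:\\Windows\\odb.exe\n\n"
    "Access Request Information:\n"
    "\tAccesses:\t%%4421\n"
    "\t\t\t\t\n"
    "\tAccess Mask:\t0x20\n"
)

if __name__ == "__main__":
    print(summarize_4663(SAMPLE_4663))
    print(resolve_placeholders("Token Elevation Type:\t%%1936"))
```

For the sample event this reports `accesses` as Execute/Traverse, `access_mask` as FILE_EXECUTE, and `mask_consistent` as True; when a record's named rights do not match its mask (a parsing error or a tampered record), the flag turns False and the event can be routed for a closer look instead of being silently mis-labelled.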

All replies

  • Where can we get the below documentation, please? I cannot seem to find official documentation anywhere.

    1537 DELETE 
    1538 READ_CONTROL
    1539 WRITE_DAC 
    1540 WRITE_OWNER
    1541 SYNCHRONIZE
    1542 ACCESS_SYS_SEC



    Glenn Camilleri


    • Edited by scitech2 Friday, September 11, 2015 9:23 AM
    Thursday, September 10, 2015 7:30 AM
  • Has anybody found a fix for this?

    I'm facing exactly the same scenario when I try to get this type of logs through the C# EventLog.

    I wouldn't want to use a dictionary to solve this issue.

    Thanks!

    Friday, December 21, 2018 6:51 PM