AccessList values map
NicolasWinckler opened this issue · 1 comment
NicolasWinckler commented
Parsing the AccessList field, for example for the AD 4656 events, gives, with python-evtx, a list of codes like
%%1537, %%1538, %%1539, %%1540, %%1541, %%4480 ...
while the Windows evtx viewer shows a list with human-readable codes like below:
DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE ...
Any idea how I can remap to the human-readable format?
Thanks
Robo210 commented
- Get the parameterFileName for the publisher/provider from the registry. Use kernel32.dll as the default value.
- Call hMod = LoadLibrary(parameterFileName)
- Extract the value you want to format and remove the first %.
- Call FormatMessage(FORMAT_MESSAGE_FROM_HMODULE, hMod, ... "%xyz", ...)
- If this fails, call FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM, ... "%xyz", ...)
- Substitute the string back into the original message you're trying to generate.
- Repeat/recurse as necessary.
See the Remarks here for slightly more context.
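The steps above, worked through as an added example that is not part of python-evtx or of either commenter's code. On Windows, `make_windows_resolver()` reads the publisher's `ParameterFileName` from the WINEVT `Publishers\{GUID}` registry key (the GUID is the `<Provider Guid="...">` attribute in the event XML that python-evtx returns), falls back to kernel32.dll, loads the file with `LoadLibraryEx`, and asks `FormatMessage` for the message ID, i.e. the digits after `%%`, first from that module and then from the system table; it passes the numeric ID as `dwMessageId` rather than a `"%xyz"` format string. The substitution and recursion logic is platform-independent and takes any resolver callable, so the stub table below (the five pairs the issue itself lists, plus a made-up nested ID 9999 and a deliberately unknown `%%4480`) lets the same code run off-box.

```python
"""Expand %%NNNN parameter references in Windows event data.

Added example (not python-evtx code). Resolution follows the comment
above: registry ParameterFileName -> LoadLibraryEx -> FormatMessage from
module, then from system -> substitute back -> repeat while needed.
"""
import re
import sys
from typing import Callable, List, Optional

PARAM_RE = re.compile(r"%%(\d+)")
Resolver = Callable[[int], Optional[str]]

# Key under HKLM holding manifest publishers; subkey name is the {GUID}
# from the event's <Provider Guid="..."/> attribute.
PUBLISHERS_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers"
FORMAT_MESSAGE_IGNORE_INSERTS = 0x0200
FORMAT_MESSAGE_FROM_HMODULE = 0x0800
FORMAT_MESSAGE_FROM_SYSTEM = 0x1000
LOAD_LIBRARY_AS_DATAFILE = 0x0002


def expand_parameters(text: str, resolver: Resolver, max_depth: int = 8) -> str:
    """Replace each %%NNNN with resolver(NNNN). Repeat, because a resolved
    string may itself contain %%NNNN references. Tokens the resolver cannot
    map are left untouched so the caller can see what failed; max_depth
    bounds self-referencing message tables."""
    for _ in range(max_depth):
        def sub(match):
            resolved = resolver(int(match.group(1)))
            return match.group(0) if resolved is None else resolved
        expanded = PARAM_RE.sub(sub, text)
        if expanded == text:
            break
        text = expanded
    return text


def parse_access_list(access_list: str, resolver: Resolver) -> List[str]:
    """AccessList in 4656/4663 is whitespace-separated %%NNNN tokens;
    return one readable name per token, preserving order."""
    return [expand_parameters(tok, resolver) for tok in access_list.split()]


def make_windows_resolver(publisher_guid: Optional[str]) -> Resolver:
    """Resolver backed by FormatMessage; only usable on Windows."""
    if sys.platform != "win32":
        raise OSError("FormatMessage resolver requires Windows")
    import ctypes
    import winreg
    from ctypes import wintypes

    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.LoadLibraryExW.argtypes = [wintypes.LPCWSTR, wintypes.HANDLE, wintypes.DWORD]
    k32.LoadLibraryExW.restype = wintypes.HMODULE
    k32.FormatMessageW.argtypes = [wintypes.DWORD, wintypes.LPCVOID, wintypes.DWORD,
                                   wintypes.DWORD, wintypes.LPWSTR, wintypes.DWORD,
                                   wintypes.LPVOID]
    k32.FormatMessageW.restype = wintypes.DWORD

    # Step 1: parameter file for the publisher, kernel32.dll if none is registered.
    param_file = "kernel32.dll"
    if publisher_guid:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                                PUBLISHERS_KEY + "\\" + publisher_guid) as key:
                value, _ = winreg.QueryValueEx(key, "ParameterFileName")
                param_file = winreg.ExpandEnvironmentStrings(value)
        except OSError:
            pass
    # Step 2: load as a data file; resources are readable, no DllMain runs.
    hmod = k32.LoadLibraryExW(param_file, None, LOAD_LIBRARY_AS_DATAFILE)

    def fmt(flags: int, source, msg_id: int) -> Optional[str]:
        buf = ctypes.create_unicode_buffer(4096)
        n = k32.FormatMessageW(flags | FORMAT_MESSAGE_IGNORE_INSERTS, source,
                               msg_id, 0, buf, len(buf), None)
        return buf.value.rstrip() if n else None   # strip trailing CRLF

    def resolve(msg_id: int) -> Optional[str]:
        # Steps 3-5: digits after %% are the message ID; module first, then system.
        text = fmt(FORMAT_MESSAGE_FROM_HMODULE, hmod, msg_id) if hmod else None
        return text if text is not None else fmt(FORMAT_MESSAGE_FROM_SYSTEM, None, msg_id)

    return resolve


# Constructed stub for running off-box. The five pairs are the ones the
# issue lists in order; 9999 is a made-up nested reference to show recursion.
SAMPLE_TABLE = {1537: "DELETE", 1538: "READ_CONTROL", 1539: "WRITE_DAC",
                1540: "WRITE_OWNER", 1541: "SYNCHRONIZE",
                9999: "%%1537 via nested reference"}


def sample_resolver(msg_id: int) -> Optional[str]:
    return SAMPLE_TABLE.get(msg_id)


# Constructed AccessList value in the shape python-evtx returns it
# (newline/tab separated); %%4480 is intentionally absent from the stub.
SAMPLE_ACCESS_LIST = "%%1537\n\t\t\t\t%%1538\n\t\t\t\t%%1539\n\t\t\t\t%%9999\n\t\t\t\t%%4480"

if __name__ == "__main__":
    # On Windows, swap in make_windows_resolver(provider_guid_from_event_xml).
    print(parse_access_list(SAMPLE_ACCESS_LIST, sample_resolver))
```

With the stub, the unknown `%%4480` survives unchanged, which is the behaviour you want in a log pipeline: a missing mapping should be visible in the output rather than silently dropped. On a Windows box, build the resolver once per publisher GUID and reuse it across events; loading the parameter DLL and calling `FormatMessage` per token is the expensive part, so cache `resolve()` results if you are processing large evtx files.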