[Win32utils-devel] eventlog

Daniel Berger djberg96 at gmail.com
Mon Dec 3 23:59:19 EST 2007


Hi,

Hm, the string inserts are different, too. Any encoding issues? Your 
user name uses extended ASCII, too, right? Not sure if that's 
significant or not.

I've cc'd the win32utils-devel list to see if anyone has any ideas.

Thanks,

Dan

botp wrote:
> On 12/4/07, Daniel Berger <djberg96 at gmail.com> wrote:
>> Can you tell us which record numbers in particular are causing you
>> problems? We aren't finding any issues.
> 
> all of them. the description is not complete or empty.
> 
> in windows xp it works fine, e.g.
> 
> #<struct Struct::EventLogStruct record_number=268, time_generated=Tue Dec 04 12:
> 10:48 +0800 2007, time_written=Tue Dec 04 12:10:48 +0800 2007, event_id=642, eve
> nt_type="audit_success", category=7, source="Security", computer="BG-MIS-PBOT",
> user="Pe\361aIJM", string_inserts=["-", "Guest", "BG-MIS-PBOT", "%{S-1-5-21-3438
> 18398-1177238915-839522115-501}", "Pe\361aIJM", "DMPI", "(0x0,0x14863)", "-"], d
> escription="User Account Changed:\r\n\r\n\t-\r\n\r\n\tTarget Account Name:\tGues
> t\r\n\r\n\tTarget Domain:\tBG-MIS-PBOT\r\n\r\n\tTarget Account ID:\t%{S-1-5-21-3
> 43818398-1177238915-839522115-501}\r\n\r\n\tCaller User Name:\tPe\361aIJM\r\n\r\
> n\tCaller Domain:\tDMPI\r\n\r\n\tCaller Logon ID:\t(0x0,0x14863)\r\n\r\n\tPrivil
> eges:\t-">
> 
> note the description, it's in full text.
> 
> but running it in win 2003 server, i get something like
> 
> #<struct Struct::EventLogStruct record_number=674805, time_generated=Tue Dec 04
> 12:05:18 +0800 2007, time_written=Tue Dec 04 12:05:18 +0800 2007, event_id=560,
> event_type="audit_success", category=3, source="Security", computer="BGDC01", us
> er="pe\361aijm", string_inserts=["Security", "Key", "\\REGISTRY\\MACHINE\\SYSTEM
> \\ControlSet001\\Services\\Eventlog\\Security\\Security", "1884", "0", "17829690
> 9", "956", "C:\\tools\\psloglist.exe", "pe\361aijm", "DMPI", "(0x0,0xA9E1DBF)",
> "-", "-", "-", "%%1537\r\n\t\t\t%%1538\r\n\t\t\t%%1539\r\n\t\t\t%%1540\r\n\t\t\t
> %%4432\r\n\t\t\t%%4433\r\n\t\t\t%%4434\r\n\t\t\t%%4435\r\n\t\t\t%%4436\r\n\t\t\t
> %%4437\r\n\t\t\t", "-", "0", "0xF003F"], description="">
> 
> note the empty description
> 
> comparing it with sysinternals psloglist command, i get
> 
>   recno   : 674805
>   datetime: 12/4/2007 12:05:18 PM
>   eventid : 560
>   user    : pe±aijm\DMPI
>   description: Object Open:     Object Server: Security     Object Type: Key
>  Object Name: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Security\
> Security     Handle ID: 1884     Operation ID: {0,178296909}     Process ID: 956
>      Image File Name: C:\tools\psloglist.exe     Primary User Name: pe±aijm
> Primary Domain: DMPI     Primary Logon ID: (0x0,0xA9E1DBF)     Client User Name:
>  -     Client Domain: -     Client Logon ID: -     Accesses: DELETE       READ_C
> ONTROL       WRITE_DAC       WRITE_OWNER       Query key value       Set key val
> ue       Create sub-key       Enumerate sub-keys       Notify about changes to k
> eys       Create Link            Privileges: -     Restricted Sid Count: 0     A
> ccess Mask: 0xF003F
> 
> note how complete psloglist's description is.
> 
> but anyway, i think you'll be releasing 0.4.7. maybe i'll try that too.
> 
> kind regards -botp
> 
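What a complete description like psloglist's involves, as an added Ruby illustration (not code from win32-eventlog or from either poster): the `%%NNNN` tokens in the Accesses insert of the Windows 2003 record are parameter-message references that must be resolved through the Security source's ParameterMessageFile before the inserts are placed into the event's message template. The template and the lookup table below are constructed from the psloglist output quoted above, not read from the real DLLs.

```ruby
# Added example, not code from win32-eventlog or from this thread. The template
# and the %%NNNN table are CONSTRUCTED; on a real host FormatMessage reads both
# from the EventMessageFile and ParameterMessageFile DLLs of the Security source.

# Parameter-message table, constructed from the psloglist output quoted above.
PARAM_MESSAGES = {
  1537 => "DELETE", 1538 => "READ_CONTROL", 1539 => "WRITE_DAC",
  1540 => "WRITE_OWNER", 4432 => "Query key value", 4433 => "Set key value",
  4434 => "Create sub-key", 4435 => "Enumerate sub-keys",
  4436 => "Notify about changes to keys", 4437 => "Create Link",
}.freeze

# Abbreviated, constructed template for event 560 ("Object Open"); %n refers
# to the n-th insert, so Accesses is %15 and Access Mask is %18.
TEMPLATE_560 = "Object Open:\r\n\tObject Server:\t%1\r\n\tObject Type:\t%2\r\n" \
               "\tObject Name:\t%3\r\n\tHandle ID:\t%4\r\n\tAccesses:\t%15\r\n" \
               "\tAccess Mask:\t%18".freeze

# The string_inserts of the Windows 2003 record quoted above. Its "\361" (byte
# 0xF1) is the Windows-1252 ñ, written as \u00f1 so the string is valid UTF-8.
INSERTS_560 = [
  "Security", "Key",
  "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\Eventlog\\Security\\Security",
  "1884", "0", "178296909", "956", "C:\\tools\\psloglist.exe", "pe\u00f1aijm", "DMPI",
  "(0x0,0xA9E1DBF)", "-", "-", "-",
  "%%1537\r\n\t\t\t%%1538\r\n\t\t\t%%1539\r\n\t\t\t%%1540\r\n\t\t\t%%4432\r\n\t\t\t" \
  "%%4433\r\n\t\t\t%%4434\r\n\t\t\t%%4435\r\n\t\t\t%%4436\r\n\t\t\t%%4437\r\n\t\t\t",
  "-", "0", "0xF003F",
].freeze

# Stage 1: resolve %%NNNN parameter references inside one insert. An id that
# is missing from the table is left untouched so the gap stays visible.
def expand_parameters(insert, table = PARAM_MESSAGES)
  insert.gsub(/%%(\d+)/) { table.fetch($1.to_i) { |id| "%%#{id}" } }
end

# Stage 2: substitute %1..%n in the template with the expanded inserts. gsub scans
# the template once, so insert text is never re-read as a further %n reference.
def format_description(template, inserts)
  expanded = inserts.map { |s| expand_parameters(s) }
  template.gsub(/%(\d+)/) do |ref|
    idx = $1.to_i - 1
    idx.between?(0, expanded.length - 1) ? expanded[idx] : ref
  end
end

puts format_description(TEMPLATE_560, INSERTS_560) if $PROGRAM_NAME == __FILE__
```

Running it prints the same "Accesses: DELETE READ_CONTROL WRITE_DAC ..." list that psloglist shows, built from the inserts the Ruby struct already carries.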
