File Audit report - to CSV part #2

I might just be tired here, but the list he has is complete as far as the way it’s listed on the Microsoft site. What I may be missing here is maybe those AccessMasks can be added together to form the value? Not sure where 0x1209f comes from.

https://msdn.microsoft.com/en-us/library/windows/desktop/aa822867(v=vs.85).aspx

Yes, the property is a bitmap, so it is a conglomeration of all of the different masks together. In the first result, “0x100080” is the result of “FILE_READ_ATTRIBUTES (0x80)” and “SYNCHRONIZE (0x100000)”.

0x12019f is:
Access Request Information:
Access Mask: 0x12019f
Accesses: READ_CONTROL
SYNCHRONIZE
ReadData (or ListDirectory)
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
ReadEA
WriteEA
ReadAttributes
WriteAttributes

Ahh ok. That makes complete sense. So yeah… time to maybe run a script to come up with all possible options. That’s rough though, because many of them won’t ever happen if you do that.

Hey 37mm, this should help. Instead of having to build out a static list of all of the combinations, I created a function called “Expand-AccessRights” that will convert your AccessMask into an array containing all of the Access Rights the mask represents. I then use this function to populate the “WhatHappenedText” property of the custom object. Hope this helps.

Function Expand-AccessRights {
    [CmdLetBinding()]
    Param (
        # The event XML carries the mask as a hex string ("0x12019f");
        # PowerShell converts the 0x form to a number on its own
        [uint32]$AccessMask
    )#param

    # One entry per bit of the file access mask, smallest first. Names that share
    # a value (the file meaning and the directory meaning) are listed together.
    $AccessRightsConstants = @(
        (0x1, "FILE_READ_DATA, FILE_LIST_DIRECTORY"),
        (0x2, "FILE_WRITE_DATA, FILE_ADD_FILE"),
        (0x4, "FILE_APPEND_DATA, FILE_ADD_SUBDIRECTORY"),
        (0x8, "FILE_READ_EA"),
        (0x10, "FILE_WRITE_EA"),
        (0x20, "FILE_EXECUTE, FILE_TRAVERSE"),
        (0x40, "FILE_DELETE_CHILD"),
        (0x80, "FILE_READ_ATTRIBUTES"),
        (0x100, "FILE_WRITE_ATTRIBUTES"),
        (0x10000, "DELETE"),
        (0x20000, "READ_CONTROL"),
        (0x40000, "WRITE_DAC"),
        (0x80000, "WRITE_OWNER"),
        (0x100000, "SYNCHRONIZE")
    )

    $AccessRights = @()
    # Walk the table from the largest bit down and test each bit with -band.
    # Testing the bit directly (rather than subtracting the constant) means a bit
    # that is not in this table cannot throw off the decode of the bits that are.
    ($AccessRightsConstants.Count - 1) .. 0 | ForEach-Object {
        If (($AccessMask -band $AccessRightsConstants[$_][0]) -ne 0) {
            $AccessRights += $AccessRightsConstants[$_][1]
        }#if
    }#foreach
    $AccessRights
}#function

# Event 5145 is written on the file server for every access check against a share
$Events = Get-WinEvent -ComputerName server1 -FilterHashtable @{LogName="Security"; ID=5145}

Foreach ($Event in $Events) {
    # Pull the EventData fields out of the event XML so they can be looked up by name
    $EventDataXML = ([xml]$Event.ToXML()).Event.EventData.Data
    [PSCustomObject]@{
        TimeCreated = $Event.TimeCreated;
        UserName = ($EventDataXML | Where-Object {$_.Name -eq 'SubjectUserName'}).'#text';
        Object = ($EventDataXML | Where-Object {$_.Name -eq 'ObjectType'}).'#text';
        HostIP = ($EventDataXML | Where-Object {$_.Name -eq 'IpAddress'}).'#text';
        FileLocation = ($EventDataXML | Where-Object {$_.Name -eq 'ShareName'}).'#text';
        WhatFile = ($EventDataXML | Where-Object {$_.Name -eq 'ShareLocalPath'}).'#text';
        WhatHappenedCode = ($EventDataXML | Where-Object {$_.Name -eq 'AccessMask'}).'#text';
        WhatHappenedText = Expand-AccessRights -AccessMask ($EventDataXML | Where-Object {$_.Name -eq 'AccessMask'}).'#text'
    }#pscustomobject
}#foreach

Results:

TimeCreated      : 9/24/2015 10:00:20 PM
UserName         : user1
Object           : File
HostIP           : 111.111.111.111
FileLocation     : \\*\IPC$
WhatFile         : 
WhatHappenedCode : 0x12019f
WhatHappenedText : {SYNCHRONIZE, READ_CONTROL, FILE_WRITE_ATTRIBUTES, FILE_READ_ATTRIBUTES...}

TimeCreated      : 9/24/2015 10:00:19 PM
UserName         : user1
Object           : File
HostIP           : 111.11.111.111
FileLocation     : \\*\test$
WhatFile         : \??\C:\Users\Public\Desktop\Automation
WhatHappenedCode : 0x100081
WhatHappenedText : {SYNCHRONIZE, FILE_READ_ATTRIBUTES, FILE_READ_DATA, FILE_LIST_DIRECTORY}

TimeCreated      : 9/24/2015 10:00:19 PM
UserName         : user1
Object           : File
HostIP           : 111.111.111.111
FileLocation     : \\*\test$
WhatFile         : \??\C:\Users\Public\Desktop\Automation
WhatHappenedCode : 0x120089
WhatHappenedText : {SYNCHRONIZE, READ_CONTROL, FILE_READ_ATTRIBUTES, FILE_READ_EA...}

TimeCreated      : 9/24/2015 10:00:19 PM
UserName         : user1
Object           : File
HostIP           : 111.111.111.111
FileLocation     : \\*\test$
WhatFile         : \??\C:\Users\Public\Desktop\Automation
WhatHappenedCode : 0x100081
WhatHappenedText : {SYNCHRONIZE, FILE_READ_ATTRIBUTES, FILE_READ_DATA, FILE_LIST_DIRECTORY}

TimeCreated      : 9/24/2015 10:00:19 PM
UserName         : user1
Object           : File
HostIP           : 111.111.111.111
FileLocation     : \\*\IPC$
WhatFile         : 
WhatHappenedCode : 0x12019f
WhatHappenedText : {SYNCHRONIZE, READ_CONTROL, FILE_WRITE_ATTRIBUTES, FILE_READ_ATTRIBUTES...}

TimeCreated      : 9/24/2015 10:00:19 PM
UserName         : user1
Object           : File
HostIP           : 111.111.111.111
FileLocation     : \\*\test$
WhatFile         : \??\C:\Users\Public\Desktop\Automation
WhatHappenedCode : 0x100080
WhatHappenedText : {SYNCHRONIZE, FILE_READ_ATTRIBUTES}

TimeCreated      : 9/24/2015 10:00:05 PM
UserName         : user1
Object           : File
HostIP           : ::1
FileLocation     : \\*\test$
WhatFile         : \??\C:\Users\Public\Desktop\Automation
WhatHappenedCode : 0x100080
WhatHappenedText : {SYNCHRONIZE, FILE_READ_ATTRIBUTES}

TimeCreated      : 9/24/2015 10:00:05 PM
UserName         : user1
Object           : File
HostIP           : ::1
FileLocation     : \\*\test$
WhatFile         : \??\C:\Users\Public\Desktop\Automation
WhatHappenedCode : 0x100080
WhatHappenedText : {SYNCHRONIZE, FILE_READ_ATTRIBUTES}

That is a great solution to the problem! Basically 99% of the way. Amazing.

Instead of Expand-AccessRights, maybe just use
[System.Security.AccessControl.FileSystemRights] (for simplicity :wink:)?

PS D:\> [System.Security.AccessControl.FileSystemRights]0x10080
ReadAttributes, Delete
PS D:\> [System.Security.AccessControl.FileSystemRights]0x12019f
Write, Read, Synchronize

Very Nice Max. Didn’t know that was out there.


$AuditEvents = @()

# Event 5145 on the file server: one record per access check against a share
Get-WinEvent -ComputerName sql -FilterHashTable @{ LogName = "Security"; ID = 5145 } -MaxEvents 100 | ForEach-Object {

    $Event = $_
    # Look the fields up by name in the event XML rather than by Properties[] position,
    # so a shifted or missing field cannot move every column over by one
    $Data = ([xml]$Event.ToXml()).Event.EventData.Data
    $Field = { param($Name) ($Data | Where-Object { $_.Name -eq $Name }).'#text' }

    # The XML carries the mask as a hex string ("0x12019f"); [int] understands the 0x prefix
    $AccessListDesc = [System.Security.AccessControl.FileSystemRights][int](& $Field 'AccessMask')

    $auditevent = New-Object System.Object
    $auditevent | Add-Member -Type NoteProperty -Name TimeCreated    -Value $Event.TimeCreated.ToString("o") # output in sortable format
    $auditevent | Add-Member -Type NoteProperty -Name UserName       -Value (& $Field 'SubjectUserName')     # username
    $auditevent | Add-Member -Type NoteProperty -Name Object         -Value (& $Field 'ObjectType')          # object type
    $auditevent | Add-Member -Type NoteProperty -Name HostIP         -Value (& $Field 'IpAddress')           # originating IP
    $auditevent | Add-Member -Type NoteProperty -Name ShareName      -Value (& $Field 'ShareName')           # share name
    $auditevent | Add-Member -Type NoteProperty -Name ShareLocalPath -Value (& $Field 'ShareLocalPath')      # share local path
    $auditevent | Add-Member -Type NoteProperty -Name WhatHappened   -Value $AccessListDesc                  # access list

    $AuditEvents += $auditevent
}

# UTF8 rather than ASCII so user and share names outside ASCII are not mangled in the CSV
$AuditEvents | Export-Csv -Path .\foo.csv -NoTypeInformation -Encoding UTF8

[System.Security.AccessControl.FileSystemRights]: the problem with this is it doesn’t tell me if it was deleted.

Curtis Smith’s code allows me to look for 0x10080, which is basically a delete. Another way, after talking with Curtis, would be to use the handle ID. I presume (not sure if it would, or how) that we would run an if/then/else loop when event ID 0x10080 shows up and see if the corresponding handle ID is linked to an event ID 4663. I am pretty much past my scope of coding here, but I think that would give me an affirmative DELETE output.

we = all the brilliant minds that have contributed to this piece

I also want to be able to exclude certain share names, for instance "\??\C:\EIS\"; anything that returns that value I want to exclude from the output. This would allow me to exclude an Access database that fills this log up with info I don’t want. It would probably be easier to move the share I want to audit to a different VM, honestly.

This will be a great open source tool for file auditing for the community and small shops!
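An added example, not code from anyone in this thread, that puts the two requests above together: flag 5145 records whose mask carries the DELETE bit (0x10000, the bit that makes 0x10080 "basically a delete") and drop records for an excluded share path. It runs offline against constructed sample records; the sample XML, the function name ConvertFrom-SmbAccessMask and the $ExcludedPaths list are assumptions made for the example, not anything from the original posts.

```powershell
# Added example (not from the thread). The records below are constructed sample
# 5145 data in the same shape as the event XML, not real audit records.
$SampleEvents = @'
<Events>
  <Event>
    <System><EventID>5145</EventID><TimeCreated SystemTime="2015-09-24T22:00:19Z"/></System>
    <EventData>
      <Data Name="SubjectUserName">user1</Data>
      <Data Name="IpAddress">111.111.111.111</Data>
      <Data Name="ShareName">\\*\test$</Data>
      <Data Name="ShareLocalPath">\??\C:\Users\Public\Desktop\Automation</Data>
      <Data Name="RelativeTargetName">report.xlsx</Data>
      <Data Name="AccessMask">0x10080</Data>
    </EventData>
  </Event>
  <Event>
    <System><EventID>5145</EventID><TimeCreated SystemTime="2015-09-24T22:00:19Z"/></System>
    <EventData>
      <Data Name="SubjectUserName">user1</Data>
      <Data Name="IpAddress">111.111.111.111</Data>
      <Data Name="ShareName">\\*\test$</Data>
      <Data Name="ShareLocalPath">\??\C:\Users\Public\Desktop\Automation</Data>
      <Data Name="RelativeTargetName">report.xlsx</Data>
      <Data Name="AccessMask">0x12019f</Data>
    </EventData>
  </Event>
  <Event>
    <System><EventID>5145</EventID><TimeCreated SystemTime="2015-09-24T22:00:20Z"/></System>
    <EventData>
      <Data Name="SubjectUserName">svc_access</Data>
      <Data Name="IpAddress">111.111.111.112</Data>
      <Data Name="ShareName">\\*\EIS$</Data>
      <Data Name="ShareLocalPath">\??\C:\EIS\</Data>
      <Data Name="RelativeTargetName">inventory.mdb</Data>
      <Data Name="AccessMask">0x12019f</Data>
    </EventData>
  </Event>
</Events>
'@

# Share local paths to leave out of the report (prefix match). Assumed for the example.
$ExcludedPaths = @('\??\C:\EIS\')

# Hypothetical helper: decode one AccessMask string and say whether it asks for DELETE.
Function ConvertFrom-SmbAccessMask {
    [CmdletBinding()]
    Param ([Parameter(Mandatory)][string]$AccessMask)
    # The XML form is "0x12019f"; [int] understands the 0x prefix
    $Mask = [int]$AccessMask
    [PSCustomObject]@{
        Mask     = ('0x{0:x}' -f $Mask)
        # Friendly names from the .NET enum, e.g. "ReadAttributes, Delete" for 0x10080
        Rights   = ([System.Security.AccessControl.FileSystemRights]$Mask).ToString()
        # Test the single bit rather than comparing the whole mask, so a delete that
        # arrives with other bits set (not only 0x10080 exactly) is still caught
        IsDelete = (($Mask -band 0x10000) -ne 0)
    }
}

$Report = ([xml]$SampleEvents).Events.Event | ForEach-Object {
    $Data  = $_.EventData.Data
    $Field = { param($Name) ($Data | Where-Object { $_.Name -eq $Name }).'#text' }
    $Decoded = ConvertFrom-SmbAccessMask -AccessMask (& $Field 'AccessMask')
    [PSCustomObject]@{
        TimeCreated    = $_.System.TimeCreated.SystemTime
        UserName       = & $Field 'SubjectUserName'
        HostIP         = & $Field 'IpAddress'
        ShareName      = & $Field 'ShareName'
        ShareLocalPath = & $Field 'ShareLocalPath'
        Target         = & $Field 'RelativeTargetName'
        AccessMask     = $Decoded.Mask
        Rights         = $Decoded.Rights
        IsDelete       = $Decoded.IsDelete
    }
} | Where-Object {
    # Drop anything under an excluded share path. StartsWith is used instead of -like
    # because "\??\" contains wildcard characters that -like would interpret.
    $Path = [string]$_.ShareLocalPath
    $Keep = $true
    foreach ($Prefix in $ExcludedPaths) {
        if ($Path.StartsWith($Prefix, [System.StringComparison]::OrdinalIgnoreCase)) { $Keep = $false }
    }
    $Keep
}

# Everything that survived the exclusion, then only the delete requests to CSV
$Report | Format-Table TimeCreated, UserName, ShareName, Target, AccessMask, Rights, IsDelete -AutoSize
$Report | Where-Object { $_.IsDelete } | Export-Csv -Path .\deletes.csv -NoTypeInformation
```

With the constructed records, the EIS share entry is filtered out, the 0x12019f entry decodes to Write, Read, Synchronize with IsDelete false, and the 0x10080 entry decodes to ReadAttributes, Delete with IsDelete true and is the only row in deletes.csv. Swapping the here-string for `Get-WinEvent ... | ForEach-Object { [xml]$_.ToXml() }` and reading `.Event` instead of `.Events.Event` runs the same logic against a live Security log.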

Very informative. Also, many times there is a need to export error log events using PowerShell. I read this article explaining exactly that: Exporting event logs with Windows PowerShell | Event Log Explorer blog