If I understand correctly, that's _not_ what evt_resolve_ad_obj option should affect, right? That option affects only resolving (or not) SID-s to usernames/groups and this is something completely different, right?
What is it then? And can I force my UF to forward the same contents that I see in Event Log Viewer?
In this case it's
Read Operation: Enumerate Credentials
I understand that it's something that event log viewer is rendering on its own, because in detail view of the event, it does indeed show %%8100 as ReadOperation so it's apparently the program's intepretation of this data that says "Enumerate Credentials".
So I suppose there'd have to be some lookups to "humanize" the events, right?