Windows events and %%something entries

PickleRick
Champion

Hi.

I'm using TA for Windows and everything is mostly working OK. But.

In some events I'm receiving values like

ReadOperation%%8100

If I understand correctly, that's _not_ what the evt_resolve_ad_obj option should affect, right? That option affects only resolving (or not) SIDs to usernames/groups, and this is something completely different, right?

What is it then? And can I force my UF to forward the same contents that I see in Event Log Viewer?

In this case it's

Read Operation: Enumerate Credentials

I understand that it's something that the Event Log Viewer is rendering on its own, because in the detail view of the event it does indeed show %%8100 as ReadOperation, so it's apparently the program's interpretation of this data that says "Enumerate Credentials".

So I suppose there'd have to be some lookups to "humanize" the events, right?

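An added example, not from the post or from the Splunk TA: a small Python normalizer showing the "lookup to humanize" idea. It keeps the raw `%%NNNN` value searchable, adds a `_desc` field with the resolved string, and reports tokens it cannot resolve. The only real mapping is the one from the post (%%8100 = Enumerate Credentials); the table name, function names and the %%9999 sample are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Hypothetical lookup table. %%8100 -> "Enumerate Credentials" is the one
# mapping from the post; on Windows the full table lives in the event
# provider's parameter message file, which Event Viewer consults at render time.
PARAM_STRINGS: Dict[str, str] = {
    "%%8100": "Enumerate Credentials",
}

TOKEN_RE = re.compile(r"%%\d+")


def resolve_params(text: str, table: Dict[str, str] = PARAM_STRINGS) -> Tuple[str, List[str]]:
    """Replace %%NNNN tokens with their message strings.

    Unknown tokens are left untouched (and reported) so nothing is silently lost.
    """
    unresolved: List[str] = []

    def sub(m: "re.Match[str]") -> str:
        tok = m.group(0)
        if tok in table:
            return table[tok]
        unresolved.append(tok)
        return tok

    return TOKEN_RE.sub(sub, text), unresolved


def parse_event_fields(body: str) -> Dict[str, str]:
    """Parse 'Key: value' / 'Key=value' lines of a forwarded event body."""
    fields: Dict[str, str] = {}
    for line in body.splitlines():
        m = re.match(r"\s*([A-Za-z][\w ]*?)\s*[:=]\s*(.*)$", line)
        if m:
            fields[m.group(1).replace(" ", "")] = m.group(2).strip()
    return fields


def humanize_event(body: str) -> Tuple[Dict[str, str], List[str]]:
    """Keep raw fields and add <field>_desc with resolved parameter strings."""
    fields = parse_event_fields(body)
    out = dict(fields)
    unresolved_all: List[str] = []
    for key, val in fields.items():
        if TOKEN_RE.search(val):
            desc, unresolved = resolve_params(val)
            out[key + "_desc"] = desc
            unresolved_all.extend(unresolved)
    return out, unresolved_all


# Constructed sample body: one known token, one deliberately unknown one.
SAMPLE = "Read Operation: %%8100\nSome Other Field: %%9999"
```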