AccessList values map

[NicolasWinckler]

Parsing the AccessList field for example for the AD 4656 events gives, with the python-evtx, a list of codes like %%1537, %%1538, %%1539, %%1540, %%1541, %%4480 ... while the windows evtx viewer shows a list with human readable codes like below DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE ...

Any idea how i can remap to human readable format? Thanks

[Robo210]

• Get the parameterFileName for the publisher/provider from the registry. Use kernel32.dll as the default value.
• Call hMod = LoadLibrary(parameterFileName)
• Extract the value you want to format and remove the first %.
• Call FormatMessage(FORMAT_MESSAGE_FROM_HMODULE, hMod, ... "%xyz", ...)
  • If this fails, call FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM, ... "%xyz", ...)
• Substitute the string back into the original message you're trying to generate.
• Repeat/recurse as necessary.

See the Remarks here for slightly more context.