new log format for Win10 / Server 2012
Posted 5/30/2017 5:40:20 AM
Log format for 4688 seems to have changed for Win10 / Server 2012:
There's now a creator subject and a target subject.
https://docs.microsoft.com/en-us/windows/device-security/auditing/event-4688

Doing a bit of testing revealed that the target subject seems always to be NULL SID except if the creator subject is the machine account. So if you issue a “run as”, the user the process runs as is logged as creator subject, not as target subject as one might expect.
Post #7379
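
An added example, not part of the original post: a Python parser for 4688 event XML that reads both subjects and reports whether the target subject carries a real account or only the NULL SID (S-1-0-0), and that also accepts the older layout without target fields. Field names follow Microsoft's documented 4688 schema; the events, SIDs, host and account names below are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
NULL_SID = "S-1-0-0"  # well-known NULL SID

def _event(version, fields):
    """Build a constructed 4688 event XML string (sample input only)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4688</EventID>'
            f'<Version>{version}</Version></System>'
            f'<EventData>{data}</EventData></Event>')

USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1104"  # constructed
# New layout, user-created process: target subject is the NULL SID.
RUNAS = _event(2, {"SubjectUserSid": USER_SID, "SubjectUserName": "alice",
                   "TargetUserSid": NULL_SID, "TargetUserName": "-",
                   "NewProcessName": r"C:\Windows\System32\cmd.exe"})
# New layout, creator is the machine account: target subject is populated.
MACHINE = _event(2, {"SubjectUserSid": "S-1-5-18", "SubjectUserName": "HOST01$",
                     "TargetUserSid": USER_SID, "TargetUserName": "alice",
                     "NewProcessName": r"C:\Windows\System32\notepad.exe"})
# Older layout: no target subject fields at all.
LEGACY = _event(0, {"SubjectUserSid": USER_SID, "SubjectUserName": "alice",
                    "NewProcessName": r"C:\Windows\System32\cmd.exe"})

def parse_4688(xml_text):
    """Return creator/target subject fields from one 4688 event."""
    # For untrusted XML, swap in a hardened parser such as defusedxml.
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4688":
        raise ValueError("not a 4688 event")
    data = {d.get("Name"): (d.text or "")
            for d in root.iterfind("e:EventData/e:Data", NS)}
    target_sid = data.get("TargetUserSid")  # None on the older layout
    return {
        "creator_sid": data.get("SubjectUserSid"),
        "creator_name": data.get("SubjectUserName"),
        "target_sid": target_sid,
        "target_name": data.get("TargetUserName"),
        # A missing, empty or NULL-SID target carries no account information.
        "target_populated": target_sid not in (None, "", NULL_SID),
        "process": data.get("NewProcessName"),
    }

if __name__ == "__main__":
    for name, ev in (("runas", RUNAS), ("machine", MACHINE), ("legacy", LEGACY)):
        print(name, parse_4688(ev))
```

A parser or detection rule that keys on `TargetUserSid` alone will see only S-1-0-0 for events like the first sample, so `target_populated` should be checked before preferring the target subject over the creator subject.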