Access Mask Windows 2003 Security

Posted on 2009-04-16
Last Modified: 2012-05-06
Hi, I have configured Audit on some folders on my Windows 2003 Servers, and I have some events in the security log that I want to understand, specifically the meaning of the Access Mask option. I want to know if a user or a process is creating, changing or deleting a file.
The information isn't clear and I think the clue is in the Access Mask information; I haven't found technical information about it.

I copied an event below:

Event Type:      Success Audit
Event Source:      Security
Event Category:      Object Access
Event ID:      560
Date:            12/28/2007
Time:            6:36:04 AM
User:            somedomain\some.user
Computer:      some computer
Object Open:
Object Server:      Security
Object Type:      File
Object Name:      N:\ifs\a081900\ifs\exec\genbin\KEYS.ICO
Handle ID:      -
Operation ID:      {0,141566014}
Process ID:      8912
Image File Name:      N:\oracle\oraifs1\BIN\ifrun60.EXE
Primary User Name:      walter.mathison.ifs
Primary Domain:      NAE
Primary Logon ID:      (0x0,0x86EE23A)
Client User Name:      -
Client Domain:      -
Client Logon ID:      -
Accesses:      READ_CONTROL
ReadData (or ListDirectory)

Privileges:      -
Restricted Sid Count:      0
Access Mask:      0x120189

I normally find the values 0x120189 and 0x10080 in the Access Mask field, but I want to know the meaning of this field and whether there is some documentation about it, or whether there is a way to know if a user or a process is creating, changing or deleting a file.

Any help will be appreciated.

Question by: portiz60
    LVL 15

    Accepted Solution

    LVL 3

    Author Comment

    Thank you zelron22, but this page doesn't help too much to understand the meaning of the values in the Access Mask. For example, in the events I have 0x10080 or 0x120196: are these numbers decimal or hexadecimal? And how can I locate them in the table?
    LVL 15

    Expert Comment

    0x indicates that it's a hexadecimal.  (I'm learning too :) )  Take the number, convert it to binary (you can use the Windows calculator in scientific mode to do this) and then you can compare it to that link.

    If when you convert it to binary you come up with fewer than 32 characters, then pad the left side with zeros.
    LVL 3

    Author Comment

    Ok, I understand the hexadecimal thing, but I have converted the values and I still don't know how to use the table in the page. It only says that the first 16 bits are Object-specific Access Rights and the next 8 bits are Standard Access Rights, but how do I know if the 0x120189 and 0x10080 values are creating, modifying, reading or deleting a file?
    LVL 3

    Author Comment

    Or maybe the clue to know the difference is in another field, but which one?
    LVL 15

    Assisted Solution

    When you compare the mask to the table, each place you have a 1 indicates that permission is granted.

    As to what the object specific permissions are, that's beyond my knowledge.

    Good luck!
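
Added example, not part of the original thread: Python code that decodes the three file access masks quoted above (0x120189, 0x10080, 0x120196) into named rights, using the standard Windows file access-right bit values. The function names and the read/write/delete grouping are this example's own assumptions.

```python
# Bit values of the Windows access rights that apply to file objects.
FILE_RIGHTS = {
    0x00000001: "ReadData/ListDirectory",
    0x00000002: "WriteData/AddFile",
    0x00000004: "AppendData/AddSubdirectory",
    0x00000008: "ReadEA",
    0x00000010: "WriteEA",
    0x00000020: "Execute/Traverse",
    0x00000040: "DeleteChild",
    0x00000080: "ReadAttributes",
    0x00000100: "WriteAttributes",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
    0x01000000: "ACCESS_SYSTEM_SECURITY",
}

# Grouping chosen for this example to answer "read, change or delete?".
CATEGORIES = {
    "read": 0x1 | 0x8 | 0x80 | 0x20000,
    "write-data": 0x2 | 0x4,
    "write-metadata": 0x10 | 0x100,
    "delete": 0x40 | 0x10000,
    "permissions": 0x40000 | 0x80000,
}

def decode_mask(text):
    """Return (names of the rights set in the mask, bits not in FILE_RIGHTS)."""
    mask = int(text, 16)  # accepts "0x120189" as well as "120189"
    if not 0 <= mask <= 0xFFFFFFFF:
        raise ValueError("access mask must fit in 32 bits")
    names = [name for bit, name in sorted(FILE_RIGHTS.items()) if mask & bit]
    leftover = mask & ~sum(FILE_RIGHTS)  # e.g. generic rights, reported separately
    return names, leftover

def classify(text):
    """Return the categories that have at least one bit set in the mask."""
    mask = int(text, 16)
    return [cat for cat, bits in CATEGORIES.items() if mask & bits]

if __name__ == "__main__":
    for sample in ("0x120189", "0x10080", "0x120196"):  # masks quoted in the thread
        names, leftover = decode_mask(sample)
        print(sample, classify(sample), names, hex(leftover))
```

Event 560 is logged when the handle is opened, so the mask shows which rights were requested for that handle, not proof that a write or delete was then carried out.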
