Access Mask Windows 2003 Security

Hi, I have configured Audit in some folders in my Windows 2003 Servers, and I have some events in the security log that I want to understand, exactly the meaning of the Access Mask option, I want to know if a user or a process is creating, changing or deleting a file.
The information isn't clear and I think the clue is in the Access Mask information, I haven't found tecnichal information about it.

I copied and event below:

Event Type:      Sucess Audit
Event Source:      Security
Event Category:      Object Access
Event ID:      560
Date:            12/28/2007
Time:            6:36:04 AM
User:            somedomain\some.user
Computer:      some computer
Object Open:
Object Server:      Security
Object Type:      File
Object Name:      N:\ifs\a081900\ifs\exec\genbin\KEYS.ICO
Handle ID:      -
Operation ID:      {0,141566014}
Process ID:      8912
Image File Name:      N:\oracle\oraifs1\BIN\ifrun60.EXE
Primary User Name:      walter.mathison.ifs
Primary Domain:      NAE
Primary Logon ID:      (0x0,0x86EE23A)
Client User Name:      -
Client Domain:      -
Client Logon ID:      -
Accesses:      READ_CONTROL
ReadData (or ListDirectory)

Privileges:      -
Restricted Sid Count:      0
Access Mask:      0x120189

I find 0x120189 and 0x10080 values normally in the Access Mask field, but i want to know the meaning of this field and if there exist some documentation about it, or if there is a way to know if a user or a process is creating, changing or deleting a file.

Any help will be apreciated.

Who is Participating?
zelron22Connect With a Mentor Commented:
portiz60Author Commented:
Thank you zelron22, but this page doesn't help to much to undestand the meaning of the values in the access Mask, for example in the events I have 0x10080 or 0x120196, this numbers are decimal or hexadecimal? or how can I locate them in the table?
0x indicates that it's a hexadecimal.  (I'm learning too :) )  Take the number, convert it to binary (you can use the Windows calculator in scientific mode to do this) and then you can compare it to that link.

If when you convert it to binary you come up with fewer than 32 characters, then pad the left side with zeros.
Cloud Class® Course: MCSA MCSE Windows Server 2012

This course teaches how to install and configure Windows Server 2012 R2.  It is the first step on your path to becoming a Microsoft Certified Solutions Expert (MCSE).

portiz60Author Commented:
Ok, I undertand the Hexadecimal thing, but I have converted the values and I still don't know how to use the table in the page, it only says that the first 16 bits are Object-specific Access Rigths and next 8 bits are Standard Access Rigths, but how do I know if 0x120189 and 0x10080 values are creating, modifing, reading or deleting a file?
portiz60Author Commented:
Or maybe the clue to know the diference is in another field, but wich one?
zelron22Connect With a Mentor Commented:
When you compare the mask to the table, each place you have a 1 indicates that permission is granted.

As to what the object specific permissions are, that's beyond my knowledge.

Good luck!
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.