Convert SDDL changes to readable format

jayrbarrios
Is there any way to have this in a readable format? We need to put the SDDL into a report for investigation purposes, focusing on event ID 4670. Thanks in advance.

Process:
      Process ID:      0x137c
      Process Name:      C:\Windows\explorer.exe

Permissions Change:
      Original Security Descriptor:      D:PAI(A;OICI;0x1201bf;;;S-1-5-21-1216582894-834684500-1334827815-316441)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;FA;;;S-1-5-21-1216582894-834684500-1334827815-458061)
      New Security Descriptor:      D:PARAI(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1201bf;;;S-1-5-21-1216582894-834684500-1334827815-316441)
Most Valuable Expert 2012
Top Expert 2014
Commented:
Hi, as an example, see the SDDLParse tool here:
http://blogs.dirteam.com/blogs/jorge/archive/2008/03/26/parsing-sddl-strings.aspx

With that, this code can decode an SDDL descriptor:
' Path to the SDDLParse tool and the SDDL string to decode (taken from the 4670 event above).
strSDDLParse = "C:\Tools\SDDLParse.exe"
strSDDL = "D:PAI(A;OICI;0x1201bf;;;S-1-5-21-1216582894-834684500-1334827815-316441)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;FA;;;S-1-5-21-1216582894-834684500-1334827815-458061)"
Set objShell = CreateObject("WScript.Shell")
' Exec runs the tool directly (no command interpreter), so the parentheses and semicolons need no quoting.
Set objExec = objShell.Exec(strSDDLParse & " " & strSDDL)
' Status stays 0 while the process is running; poll until it exits, then read everything it printed.
While objExec.Status = 0
	WScript.Sleep 100
Wend
WScript.Echo objExec.StdOut.ReadAll

So, all that's left is to grab the SDDL string from the event log entry, and parse that.  Have you got code that grabs the event log entries?

Regards,

Rob.

Author

Commented:
Thanks, Rob... no, I don't have the code to grab the event log. I'm exporting it manually.
Most Valuable Expert 2012
Top Expert 2014

Commented:
What are you exporting it to?  Something we can pick up the string from?
Author

Commented:
From the Event Viewer, I'm just copying the details of event ID 4670 into a text file. Actually, we want to track the following on the file servers:

Who made changes to the permissions
Who was added to the share
Who changed the ownership
To whom the permission was given
To whom the ownership was given
Who took ownership
What permission was changed
Compare the new and old permissions

This is for incident purposes, not proactive monitoring. Again, thanks for the info, Rob; I'm able to decode the SDDL.
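Rob's SDDLParse suggestion above decodes a single descriptor; the list in this post also asks for a comparison of the old and new permissions. The following Python script is an added example (not from the thread or from SDDLParse) that does both offline: it pulls the Original and New Security Descriptor strings out of the event text copied from Event Viewer, decodes the DACL flags, ACE flags, access masks and well-known SID abbreviations into names, and reports which ACEs and control flags were added or removed. The event text embedded in SAMPLE_EVENT is the 4670 excerpt from the question; the token tables are the documented SDDL and file-object access-mask values, and only file-system rights are named (a directory-service mask would need a different bit table).

```python
import re

# SDDL token tables (documented Windows SDDL abbreviations and access-mask values).
ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "OA": "OBJECT_ACCESS_ALLOWED",
             "OD": "OBJECT_ACCESS_DENIED", "AU": "SYSTEM_AUDIT", "AL": "SYSTEM_ALARM"}
ACE_FLAGS = {"CI": "CONTAINER_INHERIT", "OI": "OBJECT_INHERIT", "NP": "NO_PROPAGATE_INHERIT",
             "IO": "INHERIT_ONLY", "ID": "INHERITED", "SA": "SUCCESSFUL_ACCESS", "FA": "FAILED_ACCESS"}
ACL_FLAGS = {"P": "PROTECTED", "AR": "AUTO_INHERIT_REQ", "AI": "AUTO_INHERITED", "NO": "NO_ACCESS_CONTROL"}
RIGHT_ALIASES = {"GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
                 "FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
                 "RC": 0x20000, "SD": 0x10000, "WD": 0x40000, "WO": 0x80000}
# Access-mask bits as they apply to files and directories.
FILE_MASK_BITS = [
    (0x1, "READ_DATA/LIST_DIRECTORY"), (0x2, "WRITE_DATA/ADD_FILE"),
    (0x4, "APPEND_DATA/ADD_SUBDIRECTORY"), (0x8, "READ_EA"), (0x10, "WRITE_EA"),
    (0x20, "EXECUTE/TRAVERSE"), (0x40, "DELETE_CHILD"), (0x80, "READ_ATTRIBUTES"),
    (0x100, "WRITE_ATTRIBUTES"), (0x10000, "DELETE"), (0x20000, "READ_CONTROL"),
    (0x40000, "WRITE_DAC"), (0x80000, "WRITE_OWNER"), (0x100000, "SYNCHRONIZE"),
    (0x10000000, "GENERIC_ALL"), (0x20000000, "GENERIC_EXECUTE"),
    (0x40000000, "GENERIC_WRITE"), (0x80000000, "GENERIC_READ"),
]
WELL_KNOWN_SIDS = {"CO": "CREATOR OWNER", "SY": "NT AUTHORITY\\SYSTEM", "BA": "BUILTIN\\Administrators",
                   "BU": "BUILTIN\\Users", "WD": "Everyone", "AU": "NT AUTHORITY\\Authenticated Users"}

# Event text as copied from Event Viewer (the 4670 excerpt from the question).
SAMPLE_EVENT = """Permissions Change:
      Original Security Descriptor:      D:PAI(A;OICI;0x1201bf;;;S-1-5-21-1216582894-834684500-1334827815-316441)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;FA;;;S-1-5-21-1216582894-834684500-1334827815-458061)
      New Security Descriptor:      D:PARAI(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1201bf;;;S-1-5-21-1216582894-834684500-1334827815-316441)
"""
DESCRIPTOR_RE = re.compile(r"(Original|New) Security Descriptor:\s*(\S+)")


def extract_descriptors(event_text):
    """Return (original_sddl, new_sddl) from the text of a 4670 event."""
    found = dict(DESCRIPTOR_RE.findall(event_text))
    return found["Original"], found["New"]


def _split_pairs(s, table):
    """Split a run of two-letter tokens such as 'OICIIO' into values from table."""
    if len(s) % 2:
        raise ValueError(f"odd-length token run {s!r}")
    return [table[s[i:i + 2]] for i in range(0, len(s), 2)]


def parse_acl_flags(s):
    """DACL control flags mix one-letter (P) and two-letter (AR, AI, NO) tokens."""
    out, i = [], 0
    while i < len(s):
        if s[i:i + 2] in ACL_FLAGS:
            out.append(ACL_FLAGS[s[i:i + 2]]); i += 2
        elif s[i] in ACL_FLAGS:
            out.append(ACL_FLAGS[s[i]]); i += 1
        else:
            raise ValueError(f"unknown DACL flag at {s[i:]!r}")
    return out


def parse_rights(s):
    """Rights are either a hex mask (0x1201bf) or a run of aliases (FA, GRGW, ...)."""
    return int(s, 16) if s.lower().startswith("0x") else sum(_split_pairs(s, RIGHT_ALIASES))


def decode_mask(mask):
    names = [name for bit, name in FILE_MASK_BITS if mask & bit]
    leftover = mask & ~sum(bit for bit, _ in FILE_MASK_BITS)
    if leftover:
        names.append(f"0x{leftover:x}")
    return names


def parse_ace(body):
    ace_type, flags, rights, _obj_guid, _inherit_guid, sid = body.split(";")[:6]
    mask = parse_rights(rights)
    return {"type": ACE_TYPES.get(ace_type, ace_type), "flags": _split_pairs(flags, ACE_FLAGS),
            "mask": mask, "rights": decode_mask(mask), "trustee": WELL_KNOWN_SIDS.get(sid, sid)}


def parse_sddl(sddl):
    """Parse the D: (DACL) component; O:, G: and S: components are ignored here."""
    m = re.search(r"D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("no DACL component in SDDL string")
    return {"dacl_flags": parse_acl_flags(m.group(1)),
            "aces": [parse_ace(b) for b in re.findall(r"\(([^)]*)\)", m.group(2))]}


def ace_key(ace):
    # ACE order does not change what is granted, so compare ACEs as a set of normalised tuples.
    return (ace["type"], tuple(sorted(ace["flags"])), ace["mask"], ace["trustee"])


def diff_sddl(old_sddl, new_sddl):
    old, new = parse_sddl(old_sddl), parse_sddl(new_sddl)
    old_aces = {ace_key(a): a for a in old["aces"]}
    new_aces = {ace_key(a): a for a in new["aces"]}
    return {"flags_added": sorted(set(new["dacl_flags"]) - set(old["dacl_flags"])),
            "flags_removed": sorted(set(old["dacl_flags"]) - set(new["dacl_flags"])),
            "aces_added": [a for k, a in new_aces.items() if k not in old_aces],
            "aces_removed": [a for k, a in old_aces.items() if k not in new_aces]}


def describe_ace(ace):
    return f"{ace['type']} {ace['trustee']} flags={','.join(ace['flags']) or '-'} rights={'|'.join(ace['rights'])}"


if __name__ == "__main__":
    old, new = extract_descriptors(SAMPLE_EVENT)
    for label, sddl in (("Original", old), ("New", new)):
        parsed = parse_sddl(sddl)
        print(f"{label} DACL flags: {', '.join(parsed['dacl_flags'])}")
        for ace in parsed["aces"]:
            print("  " + describe_ace(ace))
    d = diff_sddl(old, new)
    print("Flags added:", d["flags_added"], "removed:", d["flags_removed"])
    for ace in d["aces_added"]:
        print("ACE added:  ", describe_ace(ace))
    for ace in d["aces_removed"]:
        print("ACE removed:", describe_ace(ace))
```

Run against the question's event, the script reports that the DACL gained the AUTO_INHERIT_REQ flag and lost the full-control ACE for the ...-458061 SID, while the 0x1201bf ACE decodes to read, write and execute rights without DELETE; that is the "what was removed, from whom" answer the investigation list asks for, and a SID-to-account lookup against the domain is the only remaining manual step.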
Most Valuable Expert 2012
Top Expert 2014

Commented:
Hi, well, here's some code I have that will pull the information for event ID 4670 into a CSV file. I haven't changed it to use SDDLParse to decode it, but it's a basis for you.

Regards,

Rob

strOutput = "Events.csv"
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objOutput = objFSO.CreateTextFile(strOutput, True)
objOutput.WriteLine """Event Date"",""Event ID"",""Description"""
strComputer = "."
' The (Security) privilege is needed to read the Security log through WMI.
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\" & strComputer & "\root\cimv2")
' Event ID 4670 (permissions on an object were changed) lives in the Security log, not the System log.
Set colLoggedEvents = objWMIService.ExecQuery("Select * from Win32_NTLogEvent Where Logfile='Security' And (EventID=4670)")
For Each objEvent In colLoggedEvents
    ' Double any quotes inside the message so the quoted CSV field stays well-formed.
    objOutput.WriteLine """" & objEvent.TimeGenerated & """" & _
    	",""" & objEvent.EventID & """" & _
    	",""" & Replace(objEvent.Message, """", """""") & """"
Next
objOutput.Close
MsgBox "Done. Please see " & strOutput

Author

Commented:
OK, I'll give it a try. Thank you.