@williballenthin
Created April 19, 2013 00:24
record_structure.py output
0000 2A 2A 00 00 D0 09 00 00 19 68 00 00 00 00 00 00 **.......h......
0010 64 82 38 8A FA 88 CC 01 0F 01 01 00 0C 01 84 30 d.8............0
0020 7C 5E 26 02 00 00 00 00 00 00 84 30 7C 5E 67 73 |^&........0|^gs
0030 6B 9F C7 6D 8C BB A4 C5 45 C8 96 04 00 00 0F 01 k..m....E.......
0040 01 00 41 11 00 8A 04 00 00 4D 02 00 00 00 00 00 ..A......M......
0050 00 BA 0C 05 00 45 00 76 00 65 00 6E 00 74 00 00 .....E.v.e.n.t..
0060 00 87 00 00 00 06 6A 02 00 00 00 00 00 00 BC 0F ......j.........
0070 05 00 78 00 6D 00 6C 00 6E 00 73 00 00 00 05 01 ..x.m.l.n.s.....
0080 35 00 68 00 74 00 74 00 70 00 3A 00 2F 00 2F 00 5.h.t.t.p.:././.
0090 73 00 63 00 68 00 65 00 6D 00 61 00 73 00 2E 00 s.c.h.e.m.a.s...
00A0 6D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 m.i.c.r.o.s.o.f.
00B0 74 00 2E 00 63 00 6F 00 6D 00 2F 00 77 00 69 00 t...c.o.m./.w.i.
00C0 6E 00 2F 00 32 00 30 00 30 00 34 00 2F 00 30 00 n./.2.0.0.4./.0.
00D0 38 00 2F 00 65 00 76 00 65 00 6E 00 74 00 73 00 8./.e.v.e.n.t.s.
00E0 2F 00 65 00 76 00 65 00 6E 00 74 00 02 01 FF FF /.e.v.e.n.t.....
00F0 DA 03 00 00 F8 02 00 00 00 00 00 00 6F 54 06 00 ............oT..
0100 53 00 79 00 73 00 74 00 65 00 6D 00 00 00 02 41 S.y.s.t.e.m....A
0110 FF FF 59 00 00 00 1A 03 00 00 00 00 00 00 F1 7B ..Y............{
0120 08 00 50 00 72 00 6F 00 76 00 69 00 64 00 65 00 ..P.r.o.v.i.d.e.
0130 72 00 00 00 36 00 00 00 46 3D 03 00 00 00 00 00 r...6...F=......
0140 00 4B 95 04 00 4E 00 61 00 6D 00 65 00 00 00 0E .K...N.a.m.e....
0150 0E 00 01 06 58 03 00 00 00 00 00 00 29 15 04 00 ....X.......)...
0160 47 00 75 00 69 00 64 00 00 00 0E 0F 00 0F 03 41 G.u.i.d........A
0170 03 00 4D 00 00 00 7A 03 00 00 00 00 00 00 F5 61 ..M...z........a
0180 07 00 45 00 76 00 65 00 6E 00 74 00 49 00 44 00 ..E.v.e.n.t.I.D.
0190 00 00 27 00 00 00 06 9B 03 00 00 58 03 00 00 29 ..'........X...)
01A0 DA 0A 00 51 00 75 00 61 00 6C 00 69 00 66 00 69 ...Q.u.a.l.i.f.i
01B0 00 65 00 72 00 73 00 00 00 0E 04 00 06 02 0E 03 .e.r.s..........
01C0 00 06 04 01 0B 00 22 00 00 00 CE 03 00 00 00 00 ......".........
01D0 00 00 18 09 07 00 56 00 65 00 72 00 73 00 69 00 ......V.e.r.s.i.
01E0 6F 00 6E 00 00 00 02 0E 0B 00 04 04 01 00 00 1E o.n.............
01F0 00 00 00 F7 03 00 00 00 00 00 00 64 CE 05 00 4C ...........d...L
0200 00 65 00 76 00 65 00 6C 00 00 00 02 0E 00 00 04 .e.v.e.l........
0210 04 01 02 00 1C 00 00 00 1C 04 00 00 00 00 00 00 ................
0220 45 7B 04 00 54 00 61 00 73 00 6B 00 00 00 02 0E E{..T.a.s.k.....
0230 02 00 06 04 01 01 00 20 00 00 00 3F 04 00 00 00 ....... ...?....
0240 00 00 00 AE 1E 06 00 4F 00 70 00 63 00 6F 00 64 .......O.p.c.o.d
0250 00 65 00 00 00 02 0E 01 00 04 04 01 05 00 24 00 .e............$.
0260 00 00 66 04 00 00 00 00 00 00 6A CF 08 00 4B 00 ..f.......j...K.
0270 65 00 79 00 77 00 6F 00 72 00 64 00 73 00 00 00 e.y.w.o.r.d.s...
0280 02 0E 05 00 15 04 41 FF FF 50 00 00 00 91 04 00 ......A..P......
0290 00 00 00 00 00 3B 8E 0B 00 54 00 69 00 6D 00 65 .....;...T.i.m.e
02A0 00 43 00 72 00 65 00 61 00 74 00 65 00 64 00 00 .C.r.e.a.t.e.d..
02B0 00 27 00 00 00 06 BA 04 00 00 6A 02 00 00 3C 7B .'........j...<{
02C0 0A 00 53 00 79 00 73 00 74 00 65 00 6D 00 54 00 ..S.y.s.t.e.m.T.
02D0 69 00 6D 00 65 00 00 00 0E 06 00 11 03 01 0A 00 i.m.e...........
02E0 2E 00 00 00 E8 04 00 00 00 00 00 00 46 03 0D 00 ............F...
02F0 45 00 76 00 65 00 6E 00 74 00 52 00 65 00 63 00 E.v.e.n.t.R.e.c.
0300 6F 00 72 00 64 00 49 00 44 00 00 00 02 0E 0A 00 o.r.d.I.D.......
0310 0A 04 41 FF FF 85 00 00 00 1D 05 00 00 00 00 00 ..A.............
0320 00 A2 F2 0B 00 43 00 6F 00 72 00 72 00 65 00 6C .....C.o.r.r.e.l
0330 00 61 00 74 00 69 00 6F 00 6E 00 00 00 5C 00 00 .a.t.i.o.n......
0340 00 46 46 05 00 00 00 00 00 00 0A F1 0A 00 41 00 .FF...........A.
0350 63 00 74 00 69 00 76 00 69 00 74 00 79 00 49 00 c.t.i.v.i.t.y.I.
0360 44 00 00 00 0E 07 00 0F 06 6D 05 00 00 7A 03 00 D........m...z..
0370 00 35 C5 11 00 52 00 65 00 6C 00 61 00 74 00 65 .5...R.e.l.a.t.e
0380 00 64 00 41 00 63 00 74 00 69 00 76 00 69 00 74 .d.A.c.t.i.v.i.t
0390 00 79 00 49 00 44 00 00 00 0E 0D 00 0F 03 41 FF .y.I.D........A.
03A0 FF 6D 00 00 00 A9 05 00 00 00 00 00 00 B8 B5 09 .m..............
03B0 00 45 00 78 00 65 00 63 00 75 00 74 00 69 00 6F .E.x.e.c.u.t.i.o
03C0 00 6E 00 00 00 48 00 00 00 46 CE 05 00 00 46 05 .n...H...F....F.
03D0 00 00 0A D7 09 00 50 00 72 00 6F 00 63 00 65 00 ......P.r.o.c.e.
03E0 73 00 73 00 49 00 44 00 00 00 0E 08 00 08 06 F3 s.s.I.D.........
03F0 05 00 00 1C 04 00 00 85 39 08 00 54 00 68 00 72 ........9..T.h.r
0400 00 65 00 61 00 64 00 49 00 44 00 00 00 0E 09 00 .e.a.d.I.D......
0410 08 03 01 10 00 22 00 00 00 1D 06 00 00 00 00 00 ....."..........
0420 00 83 61 07 00 43 00 68 00 61 00 6E 00 6E 00 65 ..a..C.h.a.n.n.e
0430 00 6C 00 00 00 02 0E 10 00 01 04 01 FF FF 42 00 .l............B.
0440 00 00 46 06 00 00 91 04 00 00 3B 6E 08 00 43 00 ..F.......;n..C.
0450 6F 00 6D 00 70 00 75 00 74 00 65 00 72 00 00 00 o.m.p.u.t.e.r...
0460 02 05 01 0F 00 57 00 49 00 4E 00 2D 00 49 00 47 .....W.I.N.-.I.G
0470 00 51 00 51 00 54 00 47 00 45 00 4D 00 55 00 55 .Q.Q.T.G.E.M.U.U
0480 00 4F 00 04 41 FF FF 42 00 00 00 8F 06 00 00 00 .O..A..B........
0490 00 00 00 A0 2E 08 00 53 00 65 00 63 00 75 00 72 .......S.e.c.u.r
04A0 00 69 00 74 00 79 00 00 00 1F 00 00 00 06 B2 06 .i.t.y..........
04B0 00 00 00 00 00 00 66 4C 06 00 55 00 73 00 65 00 ......fL..U.s.e.
04C0 72 00 49 00 44 00 00 00 0E 0C 00 13 03 04 0E 11 r.I.D...........
04D0 00 21 04 00 12 00 00 00 01 00 04 00 01 00 04 00 .!..............
04E0 02 00 06 00 02 00 06 00 02 00 00 00 08 00 15 00 ................
04F0 08 00 11 00 10 00 00 00 04 00 08 00 04 00 08 00 ................
0500 08 00 0A 00 01 00 04 00 00 00 00 00 00 00 00 00 ................
0510 46 00 01 00 10 00 0F 00 10 00 01 00 05 04 21 00 F.............!.
0520 00 00 04 31 40 12 01 00 00 00 00 00 00 00 20 80 ...1@......... .
0530 64 82 38 8A FA 88 CC 01 00 00 00 00 F8 00 00 00 d.8.............
0540 C0 E9 01 01 D0 E8 D6 00 10 02 00 00 40 02 00 00 ............@...
0550 19 68 00 00 00 00 00 00 00 4D 00 69 00 63 00 72 .h.......M.i.c.r
0560 00 6F 00 73 00 6F 00 66 00 74 00 2D 00 57 00 69 .o.s.o.f.t.-.W.i
0570 00 6E 00 64 00 6F 00 77 00 73 00 2D 00 53 00 65 .n.d.o.w.s.-.S.e
0580 00 63 00 75 00 72 00 69 00 74 00 79 00 2D 00 41 .c.u.r.i.t.y.-.A
0590 00 75 00 64 00 69 00 74 00 69 00 6E 00 67 00 25 .u.d.i.t.i.n.g.%
05A0 96 84 54 78 54 94 49 A5 BA 3E 3B 03 28 C3 0D 53 ..TxT.I..>;.(..S
05B0 00 65 00 63 00 75 00 72 00 69 00 74 00 79 00 0C .e.c.u.r.i.t.y..
05C0 01 AE 0F 78 AB C9 07 00 00 26 02 00 00 AE 0F 78 ...x.....&.....x
05D0 AB 43 1F 82 08 C5 93 C2 2D 02 05 9E 1C 68 01 00 .C......-....h..
05E0 00 0F 01 01 00 01 FF FF 5C 01 00 00 F0 07 00 00 ................
05F0 00 00 00 00 44 82 09 00 45 00 76 00 65 00 6E 00 ....D...E.v.e.n.
0600 74 00 44 00 61 00 74 00 61 00 00 00 02 41 FF FF t.D.a.t.a....A..
0610 45 00 00 00 18 08 00 00 CE 05 00 00 8A 6F 04 00 E............o..
0620 44 00 61 00 74 00 61 00 00 00 25 00 00 00 06 3D D.a.t.a...%....=
0630 03 00 00 05 01 0E 00 53 00 75 00 62 00 6A 00 65 .......S.u.b.j.e
0640 00 63 00 74 00 55 00 73 00 65 00 72 00 53 00 69 .c.t.U.s.e.r.S.i
0650 00 64 00 02 0D 00 00 13 04 41 FF FF 35 00 00 00 .d.......A..5...
0660 18 08 00 00 27 00 00 00 06 3D 03 00 00 05 01 0F ....'....=......
0670 00 53 00 75 00 62 00 6A 00 65 00 63 00 74 00 55 .S.u.b.j.e.c.t.U
0680 00 73 00 65 00 72 00 4E 00 61 00 6D 00 65 00 02 .s.e.r.N.a.m.e..
0690 0D 01 00 01 04 41 FF FF 39 00 00 00 18 08 00 00 .....A..9.......
06A0 2B 00 00 00 06 3D 03 00 00 05 01 11 00 53 00 75 +....=.......S.u
06B0 00 62 00 6A 00 65 00 63 00 74 00 44 00 6F 00 6D .b.j.e.c.t.D.o.m
06C0 00 61 00 69 00 6E 00 4E 00 61 00 6D 00 65 00 02 .a.i.n.N.a.m.e..
06D0 0D 02 00 01 04 41 FF FF 33 00 00 00 18 08 00 00 .....A..3.......
06E0 25 00 00 00 06 3D 03 00 00 05 01 0E 00 53 00 75 %....=.......S.u
06F0 00 62 00 6A 00 65 00 63 00 74 00 4C 00 6F 00 67 .b.j.e.c.t.L.o.g
0700 00 6F 00 6E 00 49 00 64 00 02 0D 03 00 15 04 41 .o.n.I.d.......A
0710 FF FF 31 00 00 00 18 08 00 00 23 00 00 00 06 3D ..1.......#....=
0720 03 00 00 05 01 0D 00 50 00 72 00 69 00 76 00 69 .......P.r.i.v.i
0730 00 6C 00 65 00 67 00 65 00 4C 00 69 00 73 00 74 .l.e.g.e.L.i.s.t
0740 00 02 0D 04 00 01 04 04 00 05 00 00 00 0C 00 13 ................
0750 00 0E 00 01 00 1A 00 01 00 08 00 15 00 26 02 01 .............&..
0760 00 01 01 00 00 00 00 00 05 12 00 00 00 53 00 59 .............S.Y
0770 00 53 00 54 00 45 00 4D 00 00 00 4E 00 54 00 20 .S.T.E.M...N.T.
0780 00 41 00 55 00 54 00 48 00 4F 00 52 00 49 00 54 .A.U.T.H.O.R.I.T
0790 00 59 00 00 00 E7 03 00 00 00 00 00 00 53 00 65 .Y...........S.e
07A0 00 41 00 73 00 73 00 69 00 67 00 6E 00 50 00 72 .A.s.s.i.g.n.P.r
07B0 00 69 00 6D 00 61 00 72 00 79 00 54 00 6F 00 6B .i.m.a.r.y.T.o.k
07C0 00 65 00 6E 00 50 00 72 00 69 00 76 00 69 00 6C .e.n.P.r.i.v.i.l
07D0 00 65 00 67 00 65 00 0D 00 0A 00 09 00 09 00 09 .e.g.e..........
07E0 00 53 00 65 00 54 00 63 00 62 00 50 00 72 00 69 .S.e.T.c.b.P.r.i
07F0 00 76 00 69 00 6C 00 65 00 67 00 65 00 0D 00 0A .v.i.l.e.g.e....
0800 00 09 00 09 00 09 00 53 00 65 00 53 00 65 00 63 .......S.e.S.e.c
0810 00 75 00 72 00 69 00 74 00 79 00 50 00 72 00 69 .u.r.i.t.y.P.r.i
0820 00 76 00 69 00 6C 00 65 00 67 00 65 00 0D 00 0A .v.i.l.e.g.e....
0830 00 09 00 09 00 09 00 53 00 65 00 54 00 61 00 6B .......S.e.T.a.k
0840 00 65 00 4F 00 77 00 6E 00 65 00 72 00 73 00 68 .e.O.w.n.e.r.s.h
0850 00 69 00 70 00 50 00 72 00 69 00 76 00 69 00 6C .i.p.P.r.i.v.i.l
0860 00 65 00 67 00 65 00 0D 00 0A 00 09 00 09 00 09 .e.g.e..........
0870 00 53 00 65 00 4C 00 6F 00 61 00 64 00 44 00 72 .S.e.L.o.a.d.D.r
0880 00 69 00 76 00 65 00 72 00 50 00 72 00 69 00 76 .i.v.e.r.P.r.i.v
0890 00 69 00 6C 00 65 00 67 00 65 00 0D 00 0A 00 09 .i.l.e.g.e......
08A0 00 09 00 09 00 53 00 65 00 42 00 61 00 63 00 6B .....S.e.B.a.c.k
08B0 00 75 00 70 00 50 00 72 00 69 00 76 00 69 00 6C .u.p.P.r.i.v.i.l
08C0 00 65 00 67 00 65 00 0D 00 0A 00 09 00 09 00 09 .e.g.e..........
08D0 00 53 00 65 00 52 00 65 00 73 00 74 00 6F 00 72 .S.e.R.e.s.t.o.r
08E0 00 65 00 50 00 72 00 69 00 76 00 69 00 6C 00 65 .e.P.r.i.v.i.l.e
08F0 00 67 00 65 00 0D 00 0A 00 09 00 09 00 09 00 53 .g.e...........S
0900 00 65 00 44 00 65 00 62 00 75 00 67 00 50 00 72 .e.D.e.b.u.g.P.r
0910 00 69 00 76 00 69 00 6C 00 65 00 67 00 65 00 0D .i.v.i.l.e.g.e..
0920 00 0A 00 09 00 09 00 09 00 53 00 65 00 41 00 75 .........S.e.A.u
0930 00 64 00 69 00 74 00 50 00 72 00 69 00 76 00 69 .d.i.t.P.r.i.v.i
0940 00 6C 00 65 00 67 00 65 00 0D 00 0A 00 09 00 09 .l.e.g.e........
0950 00 09 00 53 00 65 00 53 00 79 00 73 00 74 00 65 ...S.e.S.y.s.t.e
0960 00 6D 00 45 00 6E 00 76 00 69 00 72 00 6F 00 6E .m.E.n.v.i.r.o.n
0970 00 6D 00 65 00 6E 00 74 00 50 00 72 00 69 00 76 .m.e.n.t.P.r.i.v
0980 00 69 00 6C 00 65 00 67 00 65 00 0D 00 0A 00 09 .i.l.e.g.e......
0990 00 09 00 09 00 53 00 65 00 49 00 6D 00 70 00 65 .....S.e.I.m.p.e
09A0 00 72 00 73 00 6F 00 6E 00 61 00 74 00 65 00 50 .r.s.o.n.a.t.e.P
09B0 00 72 00 69 00 76 00 69 00 6C 00 65 00 67 00 65 .r.i.v.i.l.e.g.e
09C0 00 00 00 00 00 00 0A 08 00 00 1B 00 D0 09 00 00 ................
record(absolute_offset=20779520)
RootNode(offset=0x18)
StreamStartNode(offset=0x18)
TemplateInstanceNode(offset=0x1c, resident=True, length=0x496)
TemplateNode(offset=0x26)
StreamStartNode(offset=0x3e)
OpenStartElementNode(offset=0x42)
AttributeNode(offset=0x65)
ValueNode(offset=0x7e)
WstringTypeNode(offset=0x80) --> http://schemas.microsoft.com/win/2004/08/events/event
CloseStartElementNode(offset=0xec)
OpenStartElementNode(offset=0xed)
CloseStartElementNode(offset=0x10e)
OpenStartElementNode(offset=0x10f)
AttributeNode(offset=0x138)
ConditionalSubstitutionNode(offset=0x14f)
AttributeNode(offset=0x153)
ConditionalSubstitutionNode(offset=0x16a)
CloseEmptyElementNode(offset=0x16e)
OpenStartElementNode(offset=0x16f)
AttributeNode(offset=0x196)
ConditionalSubstitutionNode(offset=0x1b9)
CloseStartElementNode(offset=0x1bd)
ConditionalSubstitutionNode(offset=0x1be)
CloseElementNode(offset=0x1c2)
OpenStartElementNode(offset=0x1c3)
CloseStartElementNode(offset=0x1e6)
ConditionalSubstitutionNode(offset=0x1e7)
CloseElementNode(offset=0x1eb)
OpenStartElementNode(offset=0x1ec)
CloseStartElementNode(offset=0x20b)
ConditionalSubstitutionNode(offset=0x20c)
CloseElementNode(offset=0x210)
OpenStartElementNode(offset=0x211)
CloseStartElementNode(offset=0x22e)
ConditionalSubstitutionNode(offset=0x22f)
CloseElementNode(offset=0x233)
OpenStartElementNode(offset=0x234)
CloseStartElementNode(offset=0x255)
ConditionalSubstitutionNode(offset=0x256)
CloseElementNode(offset=0x25a)
OpenStartElementNode(offset=0x25b)
CloseStartElementNode(offset=0x280)
ConditionalSubstitutionNode(offset=0x281)
CloseElementNode(offset=0x285)
OpenStartElementNode(offset=0x286)
AttributeNode(offset=0x2b5)
ConditionalSubstitutionNode(offset=0x2d8)
CloseEmptyElementNode(offset=0x2dc)
OpenStartElementNode(offset=0x2dd)
CloseStartElementNode(offset=0x30c)
ConditionalSubstitutionNode(offset=0x30d)
CloseElementNode(offset=0x311)
OpenStartElementNode(offset=0x312)
AttributeNode(offset=0x341)
ConditionalSubstitutionNode(offset=0x364)
AttributeNode(offset=0x368)
ConditionalSubstitutionNode(offset=0x399)
CloseEmptyElementNode(offset=0x39d)
OpenStartElementNode(offset=0x39e)
AttributeNode(offset=0x3c9)
ConditionalSubstitutionNode(offset=0x3ea)
AttributeNode(offset=0x3ee)
ConditionalSubstitutionNode(offset=0x40d)
CloseEmptyElementNode(offset=0x411)
OpenStartElementNode(offset=0x412)
CloseStartElementNode(offset=0x435)
ConditionalSubstitutionNode(offset=0x436)
CloseElementNode(offset=0x43a)
OpenStartElementNode(offset=0x43b)
CloseStartElementNode(offset=0x460)
ValueNode(offset=0x461)
WstringTypeNode(offset=0x463) --> WIN-IGQQTGEMUUO
CloseElementNode(offset=0x483)
OpenStartElementNode(offset=0x484)
AttributeNode(offset=0x4ad)
ConditionalSubstitutionNode(offset=0x4c8)
CloseEmptyElementNode(offset=0x4cc)
CloseElementNode(offset=0x4cd)
ConditionalSubstitutionNode(offset=0x4ce)
CloseElementNode(offset=0x4d2)
EndOfStreamNode(offset=0x4d3)
Substitutions(offset=0x4d4)
UnsignedByteTypeNode(offset=0x520) --> 0
UnsignedByteTypeNode(offset=0x521) --> 0
UnsignedWordTypeNode(offset=0x522) --> 12548
UnsignedWordTypeNode(offset=0x524) --> 4672
NullTypeNode(offset=0x526) --> NULL
Hex64TypeNode(offset=0x528) --> 0x8020000000000000
FiletimeTypeNode(offset=0x530) --> 2011-10-12T16:18:12.906248Z
NullTypeNode(offset=0x538) --> NULL
UnsignedDwordTypeNode(offset=0x548) --> 528
UnsignedDwordTypeNode(offset=0x54c) --> 576
UnsignedQwordTypeNode(offset=0x550) --> 26649
UnsignedByteTypeNode(offset=0x558) --> 0
NullTypeNode(offset=0x559) --> NULL
NullTypeNode(offset=0x559) --> NULL
WstringTypeNode(offset=0x559) --> Microsoft-Windows-Security-Auditing
GuidTypeNode(offset=0x59f) --> {54849625-5478-4994-a5ba-3e3b0328c30d}
WstringTypeNode(offset=0x5af) --> Security
BXmlTypeNode(offset=0x5bf) --> RootNode(offset=0x13d17bf, length=0x404)
RootNode(offset=0x5bf)
TemplateInstanceNode(offset=0x5bf, resident=True, length=0x168)
TemplateNode(offset=0x5c9)
StreamStartNode(offset=0x5e1)
OpenStartElementNode(offset=0x5e5)
CloseStartElementNode(offset=0x60c)
OpenStartElementNode(offset=0x60d)
AttributeNode(offset=0x62e)
ValueNode(offset=0x633)
WstringTypeNode(offset=0x635) --> SubjectUserSid
CloseStartElementNode(offset=0x653)
NormalSubstitutionNode(offset=0x654)
CloseElementNode(offset=0x658)
OpenStartElementNode(offset=0x659)
AttributeNode(offset=0x668)
ValueNode(offset=0x66d)
WstringTypeNode(offset=0x66f) --> SubjectUserName
CloseStartElementNode(offset=0x68f)
NormalSubstitutionNode(offset=0x690)
CloseElementNode(offset=0x694)
OpenStartElementNode(offset=0x695)
AttributeNode(offset=0x6a4)
ValueNode(offset=0x6a9)
WstringTypeNode(offset=0x6ab) --> SubjectDomainName
CloseStartElementNode(offset=0x6cf)
NormalSubstitutionNode(offset=0x6d0)
CloseElementNode(offset=0x6d4)
OpenStartElementNode(offset=0x6d5)
AttributeNode(offset=0x6e4)
ValueNode(offset=0x6e9)
WstringTypeNode(offset=0x6eb) --> SubjectLogonId
CloseStartElementNode(offset=0x709)
NormalSubstitutionNode(offset=0x70a)
CloseElementNode(offset=0x70e)
OpenStartElementNode(offset=0x70f)
AttributeNode(offset=0x71e)
ValueNode(offset=0x723)
WstringTypeNode(offset=0x725) --> PrivilegeList
CloseStartElementNode(offset=0x741)
NormalSubstitutionNode(offset=0x742)
CloseElementNode(offset=0x746)
CloseElementNode(offset=0x747)
EndOfStreamNode(offset=0x748)
Substitutions(offset=0x749)
SIDTypeNode(offset=0x761) --> S-1-5-18
WstringTypeNode(offset=0x76d) --> SYSTEM
WstringTypeNode(offset=0x77b) --> NT AUTHORITY
Hex64TypeNode(offset=0x795) --> 0x00000000000003e7
WstringTypeNode(offset=0x79d) --> SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
<EventID>4672</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12548</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2011-10-12T16:18:12.906248Z" />
<EventRecordID>26649</EventRecordID>
<Execution ProcessID="528" ThreadID="576" />
<Channel>Security</Channel>
<Computer>WIN-IGQQTGEMUUO</Computer></System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">SYSTEM</Data>
<Data Name="SubjectDomainName">NT AUTHORITY</Data>
<Data Name="SubjectLogonId">0x00000000000003e7</Data>
<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege</Data></EventData></Event>