Windows Syscall Tracing Using ETW – Value of DesiredAccess

  etw, kernel, system-calls, winapi, windows

I am trying to programmatically monitor Windows system calls in real time.
I’ve come across a log provider called "Microsoft-Windows-Kernel-Audit-API-Calls".
Event data looks like this:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
        <Provider Name="Microsoft-Windows-Kernel-Audit-API-Calls" Guid="{e02a841c-75a3-4fa7-afc8-ae09cf9b7f23}" />
        <EventID>5</EventID>
        <Version>0</Version>
        <Level>4</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x0</Keywords>
        <TimeCreated SystemTime="2017-06-01T11:59:05.831179100-0500" />
        <Correlation ActivityID="{00000000-0000-0000-0000-000000000000}" />
        <Execution ProcessID="1860" ThreadID="9628" ProcessorID="1" KernelTime="210" UserTime="1260" />
        <Channel />
        <Computer />
    </System>
    <EventData>
        <Data Name="TargetProcessId">4294967295</Data>
        <Data Name="DesiredAccess"> 1052672</Data>
        <Data Name="ReturnCode">3221225483</Data>
    </EventData>
    <RenderingInfo Culture="en-US">
        <Level>Information </Level>
        <Opcode>Info </Opcode>
        <Provider>Microsoft-Windows-Kernel-Audit-API-Calls </Provider>
    </RenderingInfo>
</Event>

I’m interested in the value of the parameter “DesiredAccess”. It seems to only have integer values. Is there any way to somehow “translate” that integer into something that would be useful for further analysis?
Source: Windows Questions
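One way to do the translation, as an added example that is not part of the original post: treat DesiredAccess as a Win32 ACCESS_MASK and map each set bit to its winnt.h flag name, and treat ReturnCode as an NTSTATUS. It assumes that Event ID 5 of this provider is the OpenProcess audit event, so the object-specific low bits are PROCESS_* rights; the flag and status values are the documented Windows constants, and the sample input is constructed from the EventData quoted in the question.

```python
# Process-specific rights (winnt.h) plus the standard/generic rights every object shares.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION", 0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x2000: "PROCESS_SET_LIMITED_INFORMATION",
}
STANDARD_RIGHTS = {
    0x00010000: "DELETE", 0x00020000: "READ_CONTROL", 0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER", 0x00100000: "SYNCHRONIZE",
    0x01000000: "ACCESS_SYSTEM_SECURITY", 0x02000000: "MAXIMUM_ALLOWED",
    0x10000000: "GENERIC_ALL", 0x20000000: "GENERIC_EXECUTE",
    0x40000000: "GENERIC_WRITE", 0x80000000: "GENERIC_READ",
}
KNOWN_STATUS = {0x00000000: "STATUS_SUCCESS", 0xC0000022: "STATUS_ACCESS_DENIED",
                0xC000000B: "STATUS_INVALID_CID"}

def decode_access_mask(mask, specific=PROCESS_RIGHTS):
    """Split an ACCESS_MASK into flag names; leftover bits are reported, not dropped."""
    names, leftover = [], mask
    for bit, name in sorted({**specific, **STANDARD_RIGHTS}.items()):
        if mask & bit:
            names.append(name)
            leftover &= ~bit
    if leftover:
        names.append(f"UNKNOWN_0x{leftover:08X}")
    return names

def decode_ntstatus(code):
    """Return (severity, name-or-hex) for a ReturnCode rendered as an unsigned DWORD."""
    severity = ("SUCCESS", "INFORMATIONAL", "WARNING", "ERROR")[(code >> 30) & 3]
    return severity, KNOWN_STATUS.get(code, f"0x{code:08X}")

def decode_event(event_data):
    """event_data: the <Data Name=...> pairs as rendered (strings, possibly padded)."""
    vals = {k: int(v.strip()) for k, v in event_data.items()}  # " 1052672" -> 1052672
    pid = vals["TargetProcessId"]
    return {"target_pid": None if pid == 0xFFFFFFFF else pid,  # DWORD -1: no valid PID
            "desired_access": decode_access_mask(vals["DesiredAccess"]),
            "return_code": decode_ntstatus(vals["ReturnCode"])}

# Constructed from the EventData values quoted in the question above.
SAMPLE = {"TargetProcessId": "4294967295", "DesiredAccess": " 1052672",
          "ReturnCode": "3221225483"}

if __name__ == "__main__":
    print(decode_event(SAMPLE))
```

For the quoted event this yields PROCESS_QUERY_LIMITED_INFORMATION | SYNCHRONIZE with STATUS_INVALID_CID against a target PID of -1, i.e. a failed open of a non-existent process; the same decoder serves the thread events if a THREAD_* table is passed as `specific`.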