Whetting your appetite for Windows Vista - Windows Security Logging and Other Esoterica - Site Home

Here's a cut & paste from one of my Vista machines. This is one of our new events. I'm including the human-formatted view which you'll see in Event Viewer, and the XML view that apps will see (you can see this in the Viewer, too, if you're into that).

Look closely- I'll bet you'll be pleasantly surprised.

Eric

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          12/20/2005 5:11:19 PM
Event ID:      4657
Task:          Registry (Object Access)
Level:         Information
Keywords:      Audit Success
User:          SYSTEM
Computer:      HIDDEN
Description:
Registry value modified:
  Subject User Sid: S-1-5-21-HIDDEN
  Subject User Name: ericf
  Subject Domain: HIDDEN
  Subject Logon ID: 638700
  Object Name: \REGISTRY\USER\S-1-5-21-HIDDEN\testkey
  Object Value Name: testvalue
  Handle ID: 536
  Operation Type: Existing registry value modified
  Old Value Type: REG_SZ
  Old Value: old
  New Value Type: REG_SZ
  New Value: new
  Process ID: 6108
  Process Name: D:\Windows\regedit.exe

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c91d}" />
    <EventID Qualifiers="">4657</EventID>
    <Level>0</Level>
    <Task>12801</Task>
    <Opcode>0</Opcode>
    <Keywords>9232379236109516800</Keywords>
    <TimeCreated SystemTime="2005-12-21T01:11:19.215Z" />
    <EventRecordID>40354</EventRecordID>
    <Correlation ActivityID="{00000000-0000-0000-0000-000000000000}" RelatedActivityID="" />
    <Execution ProcessID="4" ThreadID="68" />
    <Channel>Security</Channel>
    <Computer>HIDDEN</Computer>
    <Security UserID="S-1-5-18" />
</System>
<EventData>
    <Data name="SubjectUserSid">S-1-5-21-HIDDEN</Data>
    <Data name="SubjectUserName">ericf</Data>
    <Data name="SubjectDomainName">HIDDEN</Data>
    <Data name="SubjectLogonId">638700</Data>
    <Data name="ObjectName">\REGISTRY\USER\S-1-5-21-HIDDEN\testkey</Data>
    <Data name="ObjectValueName">testvalue</Data>
    <Data name="HandleId">218</Data>
    <Data name="OperationType">%%1905</Data>
    <Data name="OldValueType">%%1873</Data>
    <Data name="OldValue">old</Data>
    <Data name="NewValueType">%%1873</Data>
    <Data name="NewValue">new</Data>
    <Data name="ProcessId">17dc</Data>
    <Data name="ProcessName">D:\Windows\regedit.exe</Data>
</EventData>
</Event>