Security Descriptor Auditing Methodology: Investigating Event Log Security

Upon gaining access to a system, what level of access is granted to an attacker who has yet to elevate their privileges?

Rather than experiment on the host, ultimately be denied access, and generate noisy logs in the process, a better strategy is to first get a sense of what permissions Windows implicitly grants unprivileged users.

In Windows, nearly all access is controlled by security descriptors. The goal of this post is to establish a methodology for auditing potential exposure caused by security descriptor misconfigurations. Upon establishing the methodology, we will apply it to a practical use case: What potentially abusable accesses are granted to unprivileged groups in the Windows Event Log? In order to answer these questions, we ought to define the following:

  1. What constitutes a misconfiguration?
  2. What constitutes an “abusable” access?

Before answering these questions, let’s first establish the means by which security descriptors are obtained.

Target audience: Anyone already familiar with security descriptors, access control lists, and SACLs wanting to formalize their approach to the automation of auditing. Those unfamiliar with these concepts would benefit from reading the resources in the References section below.


Obtaining Security Descriptors

It is generally understood that things like files, directories, and registry keys are securable via security descriptors, but how might we go about identifying all securable items? For starters, the kernel considers many things to be “securable,” and we call these things securable objects. There are several ways to enumerate securable object types, but the way I personally find easiest is with James Forshaw’s Get-NtType cmdlet in his NtObjectManager PowerShell module. Running Get-NtType without any arguments returns the following object types on my Windows 10 host:

ActivationObject, ActivityReference, Adapter, ALPC Port, Callback, Composition, Controller, CoreMessaging, CoverageSampler, DebugObject, Desktop, Device, Directory, DmaAdapter, Driver, DxgkCompositionObject, DxgkCurrentDxgProcessObject, DxgkDisplayManagerObject, DxgkSharedBundleObject, DxgkSharedKeyedMutexObject, DxgkSharedProtectedSessionObject, DxgkSharedResource, DxgkSharedSwapChainObject, DxgkSharedSyncObject, EnergyTracker, EtwConsumer, EtwRegistration, EtwSessionDemuxEntry, Event, File, FilterCommunicationPort, FilterConnectionPort, IoCompletion, IoCompletionReserve, IRTimer, Job, Key, KeyedEvent, Mutant, NdisCmState, Partition, PcwObject, PowerRequest, Process, Profile, PsSiloContextNonPaged, PsSiloContextPaged, RawInputManager, RegistryTransaction, Section, Semaphore, Session, SymbolicLink, Thread, Timer, TmEn, TmRm, TmTm, TmTx, Token, TpWorkerFactory, Type, UserApcReserve, VRegConfigurationContext, WaitCompletionPacket, WindowStation, WmiGuid

None of the object types returned seem to relate to our particular use case, however: event logs. So the question remains, are event logs securable? Intuitively, they must be, considering that an unprivileged user is unable to view or clear the Security event log, for example. At this point it is wise to start searching. Searching for “event log security descriptor” surfaced the following relevant post:

That post references the ability to set a custom security descriptor via the “CustomSD” registry value, and it points to the default security permissions described in the documentation for the “Isolation” value.

So now that we know that security descriptors can be applied to event logs, how do we retrieve them? Fortunately, when you call Get-WinEvent -ListLog in PowerShell, it will return an EventLogConfiguration object for each event log which includes a SecurityDescriptor property.

> Get-WinEvent -ListLog Security | Select -ExpandProperty SecurityDescriptor
O:BAG:SYD:(A;;CCLCSDRCWDWO;;;SY)(A;;CCLC;;;BA)(A;;CC;;;ER)

For reference, the string above is an SDDL string, which is a convenient way to represent security descriptors. A tool like ConvertFrom-SddlString is extremely useful for making sense of them, but bear in mind that it names the object-specific bits according to the rights type it is told (or assumes), so for event logs the low bits should be read against winevt.h rather than the names it prints.

As someone who prefers to know the underlying Win32 APIs, I traced the implementation of the SecurityDescriptor property in dnSpy and found that it calls the EvtGetChannelConfigProperty function in wevtapi.dll with the EvtChannelConfigAccess enum value. Knowing which DLL exports the relevant Win32 API functions is also valuable because it points to the respective header file (winevt.h in this case) in the Windows SDK, which often supplies information beyond what is documented on MSDN.

Now, if we’re going to audit event log security descriptors, we need to know what access rights apply to them.


Determining Relevant Access Rights

There are four portions of an access mask that we will need to make sense of for event log access control entries:

  1. Object-specific access rights: rights that are specific to the securable object, in this case event logs
  2. Standard access rights: rights common to every securable object (DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE), several of which govern the security descriptor itself
  3. Generic access rights: rights that map to standard and/or object-specific rights
  4. SACL access rights: the rights listed in system audit ACEs, whose successful and/or failed use against the object is logged

As for object-specific access rights, they are documented here. Occasionally though, access rights are added or removed and the documentation fails to keep pace. This is why I prefer to have knowledge of the corresponding Windows SDK header file — winevt.h which has the latest object-specific access right definitions:

#define EVT_READ_ACCESS    0x1
#define EVT_WRITE_ACCESS 0x2
#define EVT_CLEAR_ACCESS 0x4
#define EVT_ALL_ACCESS 0x7

For those unfamiliar with bitwise operations, EVT_ALL_ACCESS is the result of bitwise ORing EVT_READ_ACCESS | EVT_WRITE_ACCESS | EVT_CLEAR_ACCESS (0x1 | 0x2 | 0x4 = 0x7).

Now, mapping generic access rights can often be a bit trickier. Generic access rights map to one or more standard and/or object-specific access rights. For “lesser-known” securable objects, documentation of the generic rights mapping is lacking or non-existent, and event logs are no exception. Without documentation or a header file to provide this information, we are left hunting for the answer in code. The first question to ask, though, is “what code?” Answering that takes some guesswork and intuition. The approach I took was to use the “CustomSD” term explained earlier as a search term within DLLs, since it is related to event log security enforcement; once that reference is found, code related to generic access rights might lie in proximity to it. I used the following PowerShell code to identify DLL candidates:

# Search every DLL in System32 for the UTF-16 string "CustomSD" and list the unique hits
$EventLogAccess = ls C:\Windows\System32\*.dll | sls 'CustomSD' -Encoding unicode
$EventLogAccess.Path | Sort -Unique

This returned the following results:

C:\Windows\System32\acmigration.dll
C:\Windows\System32\aeinv.dll
C:\Windows\System32\apphelp.dll
C:\Windows\System32\appraiser.dll
C:\Windows\System32\d3d9.dll
C:\Windows\System32\drvstore.dll
C:\Windows\System32\dxdiagn.dll
C:\Windows\System32\dxgi.dll
C:\Windows\System32\generaltel.dll
C:\Windows\System32\kernel32.dll
C:\Windows\System32\opengl32.dll
C:\Windows\System32\setupapi.dll
C:\Windows\System32\vbsapi.dll
C:\Windows\System32\vfluapriv.dll
C:\Windows\System32\wevtsvc.dll

The DLL that stood out to me as the most relevant was wevtsvc.dll — the DLL associated with the Event Log service.

Upon loading wevtsvc.dll into IDA with symbols, one of the cross-references to “CustomSD” took me to the “ChannelConfigReader::GetChannelAccessSddl” function.

While neither this function nor its cross-references yielded anything related to generic access rights, the GetDefaultSDDL function was very interesting. After a minimal amount of reversing, I could see that the Event Log service applies the following security descriptors when no custom security descriptor is configured:

Security logs

O:BAG:SYD:(A;;CCLCSDRCWDWO;;;SY)(A;;CCLC;;;BA)(A;;CC;;;ER)

System logs

O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x3;;;BO)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x3;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)

Application logs

O:BAG:SYD:(A;;0x2;;;S-1-15-2-1)(A;;0x2;;;S-1-15-3-1024-3153509613-960666767-3724611135-2725662640-12138253-543910227-1950414635-4190290187)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)

These correspond somewhat to, but are not identical to, the documentation on the “Isolation” registry value: yet another instance where documentation cannot be relied upon if accuracy matters. Keep these defaults in mind; they will soon explain why so many event logs have the same security descriptor applied. Back to generic access rights, though…

Upon hunting around the wevtsvc.dll binary, I stumbled upon a call to the AccessCheck function within the internal EvtCheckAccess function:

Upon seeing this call, and referring to the documentation, I could see that AccessCheck checks access against any object that can have a security descriptor applied, and that it requires a GenericMapping argument. In this case, wevtsvc.dll supplies AccessCheck with a global variable holding the required GENERIC_MAPPING structure. In IDA, it displays as follows:

This is translated as follows:

  • GENERIC_READ maps to EVT_READ_ACCESS
  • GENERIC_WRITE maps to EVT_WRITE_ACCESS
  • GENERIC_EXECUTE doesn’t map to any object-specific access rights.
  • GENERIC_ALL maps to EVT_ALL_ACCESS

There you go. Now you have documentation for this on the internet.

At this point, we now have all the required components to build out automation around auditing event log security descriptors.


Access Right Abuse Considerations

Once you have enumerated all supported access rights for your target securable object, you can begin to consider what each access right might afford an unprivileged attacker. These are the implications I came up with for each event log access right:

Object-specific access right implications:

  • EVT_READ_ACCESS: The user/group is granted the ability to read the events within the specific event log. There is an opportunity for abuse if the event log has the potential to store sensitive information. Additionally, most event logs receive events from processes running in any context, so an unprivileged user may be able to read events that were written by a privileged process.
  • EVT_WRITE_ACCESS: The user/group is granted the ability to write events to the specific event log. Using the event log writing APIs, this affords an attacker the ability to generate fake entries that give the impression of benign activity. They might also flood the event log with benign entries after performing a logged action so that the log rolls over and the record of the actual malicious action is lost. An attacker may also write data to event logs as a crude storage mechanism that is not subject to quarantining by security products.
  • EVT_CLEAR_ACCESS: The user/group is granted the ability to clear the specific event log. Unprivileged users should never be granted this right. A mitigating detective control is event ID 104 in the System event log (source: EventLog), which records that a specific event log was cleared; clearing the Security log itself is recorded as event ID 1102 in the Security log.

Standard access right implications:

  • WRITE_DAC: The user/group is granted the ability to add, remove, or modify access control entries in the discretionary ACL (DACL). In the case of event logs, this would allow an attacker running in an unprivileged context to grant themselves read, write, and/or clear access to the specific event log. They could also remove access from other users/groups so that those principals become unable to read the event log.
  • WRITE_OWNER: The user/group is granted the ability to take ownership of the object. An owner is implicitly granted READ_CONTROL and WRITE_DAC rather than full control, so the practical attack is for an unprivileged attacker to take ownership of the object and then modify the DACL to suit their needs.

This was not intended to be an exhaustive list of all possible attacker implications for granted access rights. The extent to which an attacker can abuse granted access rights will depend on the following:

  1. The particular object to which an attacker has control over.
  2. The specific objectives of the attacker.
  3. The creativity of the attacker.

Security Descriptor Auditing Methodology

The way I prefer to represent security descriptor audits is to group access by the user/group principal that was allowed access. For example, I would specifically like to know what event log accesses were granted to the “NT AUTHORITY\Authenticated Users” group, an unprivileged group. This is the PowerShell code I wrote to represent this:

Let’s look at some of the granted access as seen in PowerShell:

Upon inspecting each of these objects, the “NT AUTHORITY\INTERACTIVE” group is granted read and write access to the highest number of event logs:

> $PGrouping['NT AUTHORITY\INTERACTIVE'].LogFileRead.Count
415

Now, from an operational and research perspective, it is up to you to identify which event logs are of particular value to an unprivileged attacker running as “NT AUTHORITY\INTERACTIVE”, i.e. any user who logged on interactively. For example, if a defender is capturing PowerShell script block logs, an unprivileged user has read access to all logged script content, including content logged from a privileged context, which may include plaintext credentials.
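The generic-mapping translation recovered from wevtsvc.dll above and the per-principal grouping described in this section, as one added example (the author's own script is not reproduced on this page, and this is not it): the SDDL of each log is parsed with .NET's RawSecurityDescriptor, each ACE mask is run through the GENERIC_READ/GENERIC_WRITE/GENERIC_ALL mapping the post documents, and the resulting rights are bucketed by principal. Function and property names (Resolve-EventLogAccessMask, Get-EventLogAccessByPrincipal, the Read/Write/Clear lists) are this example's own, and the sample input is constructed from the three default descriptors recovered earlier.

```powershell
# Added example (not the post's own script): decode event log SDDL strings into
# effective event log rights and group the results by principal. The generic
# mapping below is the one recovered from wevtsvc.dll in the post; every
# function and property name here is this example's own.

$EVT_READ_ACCESS  = 0x1   # winevt.h
$EVT_WRITE_ACCESS = 0x2
$EVT_CLEAR_ACCESS = 0x4
$EVT_ALL_ACCESS   = 0x7

# Generic rights occupy the top nibble of the 32-bit access mask. The L suffix
# keeps PowerShell from folding these literals into negative Int32 values.
$GENERIC_READ    = 0x80000000L
$GENERIC_WRITE   = 0x40000000L
$GENERIC_EXECUTE = 0x20000000L   # maps to no event log right, so it is never consulted
$GENERIC_ALL     = 0x10000000L

# Rights worth tracking, in display order. The last four are standard rights
# (DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER).
$EventLogRightNames = [ordered]@{
    Read = $EVT_READ_ACCESS; Write = $EVT_WRITE_ACCESS; Clear = $EVT_CLEAR_ACCESS
    Delete = 0x10000; ReadControl = 0x20000; WriteDac = 0x40000; WriteOwner = 0x80000
}

function Resolve-EventLogAccessMask {
    # Apply the event log GENERIC_MAPPING the way AccessCheck would and return a
    # mask holding only object-specific and standard bits.
    param([Parameter(Mandatory)][int]$AccessMask)
    # CommonAce.AccessMask is a signed Int32, so GENERIC_READ arrives as the sign bit; widen first.
    $mask = [int64]$AccessMask -band 0xFFFFFFFFL
    $effective = $mask -band 0x1FFFFFL   # object-specific (bits 0-15) and standard (bits 16-20) pass through
    if ($mask -band $GENERIC_READ)  { $effective = $effective -bor $EVT_READ_ACCESS }
    if ($mask -band $GENERIC_WRITE) { $effective = $effective -bor $EVT_WRITE_ACCESS }
    if ($mask -band $GENERIC_ALL)   { $effective = $effective -bor $EVT_ALL_ACCESS }
    [uint32]$effective
}

function Get-EventLogAccessNames {
    param([Parameter(Mandatory)][uint32]$EffectiveMask)
    @($EventLogRightNames.Keys | Where-Object { $EffectiveMask -band $EventLogRightNames[$_] })
}

function Get-EventLogAccessByPrincipal {
    # Input: objects carrying LogName and SecurityDescriptor (SDDL), e.g. from
    # Get-WinEvent -ListLog *. Output: hashtable keyed by principal, each value
    # holding one list of log names per right.
    param([Parameter(Mandatory)][object[]]$LogConfigs)
    $byPrincipal = @{}
    foreach ($log in $LogConfigs) {
        if ([string]::IsNullOrEmpty($log.SecurityDescriptor)) { continue }
        $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($log.SecurityDescriptor)
        if ($null -eq $sd.DiscretionaryAcl) { continue }   # NULL DACL: no ACEs to attribute
        foreach ($ace in $sd.DiscretionaryAcl) {
            # Only access-allowed ACEs grant anything; deny ACEs are skipped here.
            if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
            try   { $principal = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $principal = $ace.SecurityIdentifier.Value }   # capability SIDs and the like do not resolve
            if (-not $byPrincipal.ContainsKey($principal)) {
                $entry = [ordered]@{ Principal = $principal }
                foreach ($name in $EventLogRightNames.Keys) { $entry[$name] = [System.Collections.Generic.List[string]]::new() }
                $byPrincipal[$principal] = [pscustomobject]$entry
            }
            foreach ($name in Get-EventLogAccessNames -EffectiveMask (Resolve-EventLogAccessMask -AccessMask $ace.AccessMask)) {
                $byPrincipal[$principal].$name.Add($log.LogName)
            }
        }
    }
    $byPrincipal
}

# Constructed sample input: the three default descriptors recovered from
# wevtsvc.dll above, shaped like the EventLogConfiguration objects returned by
# Get-WinEvent -ListLog.
$SampleLogs = @(
    [pscustomobject]@{ LogName = 'Security';    SecurityDescriptor = 'O:BAG:SYD:(A;;CCLCSDRCWDWO;;;SY)(A;;CCLC;;;BA)(A;;CC;;;ER)' }
    [pscustomobject]@{ LogName = 'System';      SecurityDescriptor = 'O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x3;;;BO)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x3;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)' }
    [pscustomobject]@{ LogName = 'Application'; SecurityDescriptor = 'O:BAG:SYD:(A;;0x2;;;S-1-15-2-1)(A;;0x2;;;S-1-15-3-1024-3153509613-960666767-3724611135-2725662640-12138253-543910227-1950414635-4190290187)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)' }
)
$PGrouping = Get-EventLogAccessByPrincipal -LogConfigs $SampleLogs
$PGrouping['NT AUTHORITY\INTERACTIVE'] | Format-List
# Live audit of every channel on the host:
# $PGrouping = Get-EventLogAccessByPrincipal -LogConfigs (Get-WinEvent -ListLog * -ErrorAction SilentlyContinue)
```

Run over the sample, NT AUTHORITY\INTERACTIVE lands in the Read list for System and Application but in the Write list for Application only. The Security log's BUILTIN\Administrators ACE ("CCLC") decodes to read plus clear rather than read plus write, because the SDDL abbreviations CC and LC stand for 0x1 and 0x4; this is exactly the kind of detail a tool that prints file-system right names would obscure. For a live audit, feed in Get-WinEvent -ListLog * with -ErrorAction SilentlyContinue, since some channels raise errors when an unprivileged caller queries their configuration.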

Lastly, it is worth mentioning that because custom security descriptors for event logs are applied as registry values, you will also want to be sure to audit the relevant registry key’s security and ensure that unprivileged users are unable to write their own custom security descriptors to the registry.
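The registry-side check described in the previous paragraph, as an added example that is not part of the original post: it walks the Event Log configuration keys and reports any access-allowed ACE that would let a principal outside a small trusted set write values or rewrite key permissions, which is what planting a custom security descriptor requires. Assumptions: the classic per-log keys under Services\EventLog (where the documented CustomSD value lives) and, beyond what the post discusses, the per-channel keys under WINEVT\Channels that hold each modern channel's ChannelAccess value; the trusted-principal list and the function names are this example's own.

```powershell
# Added example (not from the post): flag registry ACEs that would let a
# non-administrative principal plant a custom event log security descriptor.

# Key roots to audit. The first holds the documented CustomSD values; the second
# (an assumption beyond the post) holds per-channel ChannelAccess values.
$EventLogKeyRoots = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels'
)

# Principals expected to be able to change event log configuration. Adjust to
# your build; anything not listed here is reported if it can write.
$TrustedPrincipals = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller',
    'CREATOR OWNER'
)

# Registry rights that allow writing a value or rewriting the key's security.
$WriteRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
# Generic rights show up as raw high bits in RegistryRights. GENERIC_WRITE and
# GENERIC_ALL both map onto write rights for keys, so treat them as writes.
$GenericWriteBits = 0x40000000L -bor 0x10000000L

function Test-RegistryRuleGrantsWrite {
    param([Parameter(Mandatory)][System.Security.AccessControl.RegistryAccessRule]$Rule)
    if ($Rule.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { return $false }
    # Widen to Int64 so a GENERIC_READ sign bit does not poison the comparison.
    $mask = [int64]$Rule.RegistryRights -band 0xFFFFFFFFL
    (($mask -band [int64]$WriteRights) -ne 0) -or (($mask -band $GenericWriteBits) -ne 0)
}

function Find-WritableEventLogKeys {
    param(
        [string[]]$Roots = $EventLogKeyRoots,
        [string[]]$Trusted = $TrustedPrincipals
    )
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # Audit the root itself and every per-log / per-channel subkey beneath it.
        $keys = @(Get-Item -LiteralPath $root) + @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            try   { $acl = Get-Acl -LiteralPath $key.PSPath -ErrorAction Stop }
            catch { continue }   # no READ_CONTROL on this key; nothing to evaluate
            foreach ($rule in $acl.Access) {
                if ($rule.IdentityReference.Value -in $Trusted) { continue }
                if (Test-RegistryRuleGrantsWrite -Rule $rule) {
                    [pscustomobject]@{
                        Key       = $key.Name
                        Principal = $rule.IdentityReference.Value
                        Rights    = $rule.RegistryRights
                        Inherited = $rule.IsInherited
                    }
                }
            }
        }
    }
}

Find-WritableEventLogKeys | Format-Table -AutoSize
```

On a clean install the table should be empty; any row is a principal that can change which security descriptor the Event Log service enforces for that log, and it deserves the same scrutiny as a WRITE_DAC grant on the log itself. Rights that display as large negative or bare numbers are generic bits that Get-Acl does not name, which is why the check widens the mask instead of comparing enum names.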


Rationalizing Default Security Descriptors

While I have yet to assess the exposure posed by unprivileged users being able to read most event logs, the default security descriptors recovered earlier shed some light on why so many logs are granted the access they have. The following code lists every event log that has the default “Application” isolation security descriptor applied:

> $ApplicationEventLogsDefaultSDDL = 'O:BAG:SYD:(A;;0x2;;;S-1-15-2-1)(A;;0x2;;;S-1-15-3-1024-3153509613-960666767-3724611135-2725662640-12138253-543910227-1950414635-4190290187)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)'
> Get-WinEvent -ListLog * | Where-Object { $_.SecurityDescriptor -eq $ApplicationEventLogsDefaultSDDL }

As expected, this returns nearly every event log present on the host, since most channels fall back to the “Application” default. Knowing this, it might be wise, whether as Microsoft or as a defender, to apply custom, more restrictive security descriptors to event logs deemed sensitive, like the “Microsoft-Windows-PowerShell/Operational” log.


Security Descriptor SACL Research

Through the course of my investigation into event log security descriptors, I found no documentation indicating that SACLs are supported for event logs. Fortunately, two relevant pieces of code are present in the internal EvtCheckAccess function: calls to GetSecurityDescriptorSacl and AccessCheckAndAuditAlarm.

Knowing that code exists to handle SACLs, it is reasonable to assume that they are supported. At this point I could have experimented with applying custom security descriptors containing SACLs to event logs, but instead I was curious what the “Channel” string passed to AccessCheckAndAuditAlarm as its object type name referred to. I discovered that it refers to an entry under the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\Security\ObjectNames

So it looks like these are all of the object types that support SACL logging! I also determined that these DWORD values refer to message table indices in msobjs.dll, which the Event Log pulls from when it logs the relevant SACL accesses. I wrote a crude script to extract these values here. Dumped message strings for all supported securable objects are listed below in Appendix B. For example, the following message strings relevant to the “Channel” object type were extracted:

Channel read message
Channel write message
Channel query information
Channel set information
Undefined Access (no effect) Bit 4
Undefined Access (no effect) Bit 5
Undefined Access (no effect) Bit 6
Undefined Access (no effect) Bit 7
Undefined Access (no effect) Bit 8
Undefined Access (no effect) Bit 9
Undefined Access (no effect) Bit 10
Undefined Access (no effect) Bit 11
Undefined Access (no effect) Bit 12
Undefined Access (no effect) Bit 13
Undefined Access (no effect) Bit 14
Undefined Access (no effect) Bit 15

The defined messages occupy the low bits, which is consistent with the object-specific access rights only reaching 0x7 (EVT_ALL_ACCESS, 111 in binary, three bits), so the “Undefined Access” strings start at bit 4. Based on the messages alone, though, it is not entirely clear which access rights would correspond to “Channel query information” versus “Channel set information”, since winevt.h defines only read (0x1), write (0x2), and clear (0x4). Anyway, armed with this knowledge, you can at least get a sense of which SACL access rights can be logged!


Conclusion

I hope this post helped highlight the methodology I use to audit not just event log security descriptors but any securable object type. This post should also serve to highlight the challenges involved in performing such audits when documentation is incomplete or non-existent.

As another example, I used this methodology to identify all world-writable subdirectories of %windir%.

I also used this methodology to understand, audit, and find misconfigurations in ETW providers and trace sessions, which I covered in my Recon 2019 talk:

There are so many more securable object types out there! Happy hunting!

Lastly, this post was made possible by the SpecterOps and Palantir partnership. The time allocated through this partnership is what allowed me to share this information with you, and I am grateful for that!



Appendix A: NT AUTHORITY\INTERACTIVE Readable and Writable Event Logs

As of the time of this writing, the following event logs have the default “Application” isolation security descriptor applied to them, granting members of the unprivileged “NT AUTHORITY\INTERACTIVE” group read and write access. It is left to the reader to determine the extent to which these event logs may or may not contain valuable/sensitive information.

Read access granted:

AMSI/Operational
Application
ForwardedEvents
HardwareEvents
Key Management Service
Microsoft-AppV-Client/Admin
Microsoft-AppV-Client/Operational
Microsoft-AppV-Client/Virtual Applications
Microsoft-Client-Licensing-Platform/Admin
Microsoft-User Experience Virtualization-Agent Driver/Operational
Microsoft-User Experience Virtualization-App Agent/Operational
Microsoft-User Experience Virtualization-IPC/Operational
Microsoft-User Experience Virtualization-SQM Uploader/Operational
Microsoft-Windows-AAD/Operational
Microsoft-Windows-AllJoyn/Operational
Microsoft-Windows-All-User-Install-Agent/Admin
Microsoft-Windows-AppHost/Admin
Microsoft-Windows-AppID/Operational
Microsoft-Windows-ApplicabilityEngine/Operational
Microsoft-Windows-Application Server-Applications/Admin
Microsoft-Windows-Application Server-Applications/Operational
Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant
Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter
Microsoft-Windows-Application-Experience/Program-Inventory
Microsoft-Windows-Application-Experience/Program-Telemetry
Microsoft-Windows-Application-Experience/Steps-Recorder
Microsoft-Windows-ApplicationResourceManagementSystem/Operational
Microsoft-Windows-AppLocker/EXE and DLL
Microsoft-Windows-AppLocker/MSI and Script
Microsoft-Windows-AppLocker/Packaged app-Deployment
Microsoft-Windows-AppLocker/Packaged app-Execution
Microsoft-Windows-AppModel-Runtime/Admin
Microsoft-Windows-AppReadiness/Admin
Microsoft-Windows-AppReadiness/Operational
Microsoft-Windows-AppXDeployment/Operational
Microsoft-Windows-AppXDeploymentServer/Operational
Microsoft-Windows-AppxPackaging/Operational
Microsoft-Windows-AssignedAccess/Admin
Microsoft-Windows-AssignedAccess/Operational
Microsoft-Windows-AssignedAccessBroker/Admin
Microsoft-Windows-AssignedAccessBroker/Operational
Microsoft-Windows-Audio/CaptureMonitor
Microsoft-Windows-Audio/GlitchDetection
Microsoft-Windows-Audio/Informational
Microsoft-Windows-Audio/Operational
Microsoft-Windows-Audio/PlaybackManager
Microsoft-Windows-Authentication User Interface/Operational
Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController
Microsoft-Windows-Authentication/ProtectedUser-Client
Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController
Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController
Microsoft-Windows-BackgroundTaskInfrastructure/Operational
Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational
Microsoft-Windows-Backup
Microsoft-Windows-Base-Filtering-Engine-Connections/Operational
Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational
Microsoft-Windows-Biometrics/Operational
Microsoft-Windows-BitLocker/BitLocker Management
Microsoft-Windows-BitLocker/BitLocker Operational
Microsoft-Windows-BitLocker-DrivePreparationTool/Admin
Microsoft-Windows-BitLocker-DrivePreparationTool/Operational
Microsoft-Windows-Bits-Client/Analytic
Microsoft-Windows-Bits-Client/Operational
Microsoft-Windows-Bluetooth-BthLEEnum/Operational
Microsoft-Windows-Bluetooth-BthLEPrepairing/Operational
Microsoft-Windows-Bluetooth-Bthmini/Operational
Microsoft-Windows-Bluetooth-MTPEnum/Operational
Microsoft-Windows-Bluetooth-Policy/Operational
Microsoft-Windows-BranchCache/Operational
Microsoft-Windows-BranchCacheSMB/Operational
Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational
Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational
Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational
Microsoft-Windows-CertPoleEng/Operational
Microsoft-Windows-CloudStorageWizard/Operational
Microsoft-Windows-CloudStore/Debug
Microsoft-Windows-CloudStore/Operational
Microsoft-Windows-CodeIntegrity/Operational
Microsoft-Windows-Compat-Appraiser/Operational
Microsoft-Windows-Containers-BindFlt/Operational
Microsoft-Windows-Containers-Wcifs/Operational
Microsoft-Windows-Containers-Wcnfs/Operational
Microsoft-Windows-CoreApplication/Operational
Microsoft-Windows-CoreSystem-SmsRouter-Events/Operational
Microsoft-Windows-CorruptedFileRecovery-Client/Operational
Microsoft-Windows-CorruptedFileRecovery-Server/Operational
Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc
Microsoft-Windows-Crypto-DPAPI/Debug
Microsoft-Windows-Crypto-DPAPI/Operational
Microsoft-Windows-DAL-Provider/Operational
Microsoft-Windows-DataIntegrityScan/Admin
Microsoft-Windows-DataIntegrityScan/CrashRecovery
Microsoft-Windows-DateTimeControlPanel/Operational
Microsoft-Windows-Deduplication/Diagnostic
Microsoft-Windows-Deduplication/Operational
Microsoft-Windows-Deduplication/Scrubbing
Microsoft-Windows-DeviceGuard/Operational
Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin
Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational
Microsoft-Windows-Devices-Background/Operational
Microsoft-Windows-DeviceSetupManager/Admin
Microsoft-Windows-DeviceSetupManager/Operational
Microsoft-Windows-DeviceSync/Operational
Microsoft-Windows-DeviceUpdateAgent/Operational
Microsoft-Windows-Dhcp-Client/Admin
Microsoft-Windows-Dhcp-Client/Operational
Microsoft-Windows-Dhcpv6-Client/Admin
Microsoft-Windows-Dhcpv6-Client/Operational
Microsoft-Windows-Diagnosis-DPS/Operational
Microsoft-Windows-Diagnosis-PCW/Operational
Microsoft-Windows-Diagnosis-PLA/Operational
Microsoft-Windows-Diagnosis-Scheduled/Operational
Microsoft-Windows-Diagnosis-Scripted/Admin
Microsoft-Windows-Diagnosis-Scripted/Operational
Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational
Microsoft-Windows-Diagnostics-Networking/Operational
Microsoft-Windows-DiskDiagnostic/Operational
Microsoft-Windows-DiskDiagnosticDataCollector/Operational
Microsoft-Windows-DiskDiagnosticResolver/Operational
Microsoft-Windows-DisplayColorCalibration/Operational
Microsoft-Windows-DNS-Client/Operational
Microsoft-Windows-DriverFrameworks-UserMode/Operational
Microsoft-Windows-DSC/Admin
Microsoft-Windows-DSC/Operational
Microsoft-Windows-DxgKrnl-Admin
Microsoft-Windows-DxgKrnl-Operational
Microsoft-Windows-EapHost/Operational
Microsoft-Windows-EapMethods-RasChap/Operational
Microsoft-Windows-EapMethods-RasTls/Operational
Microsoft-Windows-EapMethods-Sim/Operational
Microsoft-Windows-EapMethods-Ttls/Operational
Microsoft-Windows-EDP-Application-Learning/Admin
Microsoft-Windows-EDP-Audit-Regular/Admin
Microsoft-Windows-EDP-Audit-TCB/Admin
Microsoft-Windows-Energy-Estimation-Engine/EventLog
Microsoft-Windows-ESE/Operational
Microsoft-Windows-EventCollector/Operational
Microsoft-Windows-Fault-Tolerant-Heap/Operational
Microsoft-Windows-FeatureConfiguration/Operational
Microsoft-Windows-FileHistory-Core/WHC
Microsoft-Windows-FMS/Operational
Microsoft-Windows-Folder Redirection/Operational
Microsoft-Windows-Forwarding/Operational
Microsoft-Windows-GenericRoaming/Admin
Microsoft-Windows-glcnd/Admin
Microsoft-Windows-HelloForBusiness/Operational
Microsoft-Windows-HomeGroup Control Panel/Operational
Microsoft-Windows-HomeGroup Listener Service/Operational
Microsoft-Windows-HomeGroup Provider Service/Operational
Microsoft-Windows-HostGuardianClient-Service/Admin
Microsoft-Windows-HostGuardianClient-Service/Operational
Microsoft-Windows-HostGuardianService-CA/Admin
Microsoft-Windows-HostGuardianService-CA/Operational
Microsoft-Windows-HostGuardianService-Client/Admin
Microsoft-Windows-HostGuardianService-Client/Operational
Microsoft-Windows-HotspotAuth/Operational
Microsoft-Windows-HttpService/Log
Microsoft-Windows-HttpService/Trace
Microsoft-Windows-Hyper-V-Guest-Drivers/Admin
Microsoft-Windows-Hyper-V-Guest-Drivers/Operational
Microsoft-Windows-Hyper-V-VMSP-Admin
Microsoft-Windows-Hyper-V-VmSwitch-Operational
Microsoft-Windows-IdCtrls/Operational
Microsoft-Windows-IKE/Operational
Microsoft-Windows-International/Operational
Microsoft-Windows-International-RegionalOptionsControlPanel/Operational
Microsoft-Windows-Iphlpsvc/Operational
Microsoft-Windows-IPxlatCfg/Operational
Microsoft-Windows-KdsSvc/Operational
Microsoft-Windows-Kerberos/Operational
Microsoft-Windows-Kernel-ApphelpCache/Operational
Microsoft-Windows-Kernel-Boot/Operational
Microsoft-Windows-Kernel-EventTracing/Admin
Microsoft-Windows-Kernel-IO/Operational
Microsoft-Windows-Kernel-PnP/Configuration
Microsoft-Windows-Kernel-Power/Thermal-Operational
Microsoft-Windows-Kernel-ShimEngine/Operational
Microsoft-Windows-Kernel-StoreMgr/Operational
Microsoft-Windows-Kernel-WDI/Operational
Microsoft-Windows-Kernel-WHEA/Errors
Microsoft-Windows-Kernel-WHEA/Operational
Microsoft-Windows-Known Folders API Service
Microsoft-Windows-LanguagePackSetup/Operational
Microsoft-Windows-LinkLayerDiscoveryProtocol/Operational
Microsoft-Windows-LSA/Operational
Microsoft-Windows-MediaFoundation-Performance/SARStreamResource
Microsoft-Windows-MemoryDiagnostics-Results/Debug
Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Operational
Microsoft-Windows-Mobile-Broadband-Experience-SmsRouter/Admin
Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Admin
Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot
Microsoft-Windows-ModernDeployment-Diagnostics-Provider/ManagementService
Microsoft-Windows-Mprddm/Operational
Microsoft-Windows-MSPaint/Admin
Microsoft-Windows-MUI/Admin
Microsoft-Windows-MUI/Operational
Microsoft-Windows-Ncasvc/Operational
Microsoft-Windows-NcdAutoSetup/Operational
Microsoft-Windows-NCSI/Operational
Microsoft-Windows-NDIS/Operational
Microsoft-Windows-NdisImPlatform/Operational
Microsoft-Windows-NetworkLocationWizard/Operational
Microsoft-Windows-NetworkProfile/Operational
Microsoft-Windows-NetworkProvisioning/Operational
Microsoft-Windows-NlaSvc/Operational
Microsoft-Windows-Ntfs/Operational
Microsoft-Windows-Ntfs/WHC
Microsoft-Windows-NTLM/Operational
Microsoft-Windows-OfflineFiles/Operational
Microsoft-Windows-OneBackup/Debug
Microsoft-Windows-OneX/Operational
Microsoft-Windows-OOBE-Machine-DUI/Operational
Microsoft-Windows-OtpCredentialProvider/Operational
Microsoft-Windows-PackageStateRoaming/Operational
Microsoft-Windows-Partition/Diagnostic
Microsoft-Windows-PerceptionRuntime/Operational
Microsoft-Windows-PerceptionSensorDataService/Operational
Microsoft-Windows-PersistentMemory-Nvdimm/Operational
Microsoft-Windows-PersistentMemory-PmemDisk/Operational
Microsoft-Windows-PersistentMemory-ScmBus/Certification
Microsoft-Windows-PersistentMemory-ScmBus/Operational
Microsoft-WindowsPhone-Connectivity-WiFiConnSvc-Channel
Microsoft-Windows-Policy/Operational
Microsoft-Windows-PowerShell/Admin
Microsoft-Windows-PowerShell/Operational
Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational
Microsoft-Windows-PrintBRM/Admin
Microsoft-Windows-PrintService/Admin
Microsoft-Windows-PrintService/Operational
Microsoft-Windows-PriResources-Deployment/Operational
Microsoft-Windows-Program-Compatibility-Assistant/Analytic
Microsoft-Windows-Program-Compatibility-Assistant/CompatAfterUpgrade
Microsoft-Windows-Provisioning-Diagnostics-Provider/Admin
Microsoft-Windows-Provisioning-Diagnostics-Provider/AutoPilot
Microsoft-Windows-Provisioning-Diagnostics-Provider/ManagementService
Microsoft-Windows-Proximity-Common/Diagnostic
Microsoft-Windows-PushNotification-Platform/Admin
Microsoft-Windows-PushNotification-Platform/Operational
Microsoft-Windows-RasAgileVpn/Operational
Microsoft-Windows-ReadyBoost/Operational
Microsoft-Windows-ReadyBoostDriver/Operational
Microsoft-Windows-ReFS/Operational
Microsoft-Windows-Regsvr32/Operational
Microsoft-Windows-RemoteApp and Desktop Connections/Admin
Microsoft-Windows-RemoteApp and Desktop Connections/Operational
Microsoft-Windows-RemoteAssistance/Admin
Microsoft-Windows-RemoteAssistance/Operational
Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin
Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
Microsoft-Windows-RemoteDesktopServices-RemoteFX-Manager/Admin
Microsoft-Windows-RemoteDesktopServices-RemoteFX-Manager/Operational
Microsoft-Windows-RemoteDesktopServices-RemoteFX-Synth3dvsc/Admin
Microsoft-Windows-RemoteDesktopServices-RemoteFX-Synth3dvsp/Admin
Microsoft-Windows-RemoteDesktopServices-SessionServices/Operational
Microsoft-Windows-Remotefs-Rdbss/Operational
Microsoft-Windows-Resource-Exhaustion-Detector/Operational
Microsoft-Windows-Resource-Exhaustion-Resolver/Operational
Microsoft-Windows-RestartManager/Operational
Microsoft-Windows-RetailDemo/Admin
Microsoft-Windows-RetailDemo/Operational
Microsoft-Windows-RRAS/Operational
Microsoft-Windows-SearchUI/Operational
Microsoft-Windows-SecureAssessment/Operational
Microsoft-Windows-Security-Adminless/Operational
Microsoft-Windows-Security-Audit-Configuration-Client/Operational
Microsoft-Windows-Security-EnterpriseData-FileRevocationManager/Operational
Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Operational
Microsoft-Windows-Security-IdentityListener/Operational
Microsoft-Windows-Security-LessPrivilegedAppContainer/Operational
Microsoft-Windows-Security-Mitigations/KernelMode
Microsoft-Windows-Security-Mitigations/UserMode
Microsoft-Windows-SecurityMitigationsBroker/Admin
Microsoft-Windows-SecurityMitigationsBroker/Operational
Microsoft-Windows-Security-Netlogon/Operational
Microsoft-Windows-Security-SPP-UX-GenuineCenter-Logging/Operational
Microsoft-Windows-Security-SPP-UX-Notifications/ActionCenter
Microsoft-Windows-Security-UserConsentVerifier/Audit
Microsoft-Windows-SENSE/Operational
Microsoft-Windows-SenseIR/Operational
Microsoft-Windows-ServiceReportingApi/Debug
Microsoft-Windows-SettingSync/Debug
Microsoft-Windows-SettingSync/Operational
Microsoft-Windows-SettingSync-Azure/Debug
Microsoft-Windows-SettingSync-Azure/Operational
Microsoft-Windows-SettingSync-OneDrive/Debug
Microsoft-Windows-SettingSync-OneDrive/Operational
Microsoft-Windows-ShellCommon-StartLayoutPopulation/Operational
Microsoft-Windows-Shell-ConnectedAccountState/ActionCenter
Microsoft-Windows-Shell-Core/ActionCenter
Microsoft-Windows-Shell-Core/AppDefaults
Microsoft-Windows-Shell-Core/LogonTasksChannel
Microsoft-Windows-Shell-Core/Operational
Microsoft-Windows-SmartCard-Audit/Authentication
Microsoft-Windows-SmartCard-DeviceEnum/Operational
Microsoft-Windows-SmartCard-TPM-VCard-Module/Admin
Microsoft-Windows-SmartCard-TPM-VCard-Module/Operational
Microsoft-Windows-SmartScreen/Debug
Microsoft-Windows-SMBDirect/Admin
Microsoft-Windows-SMBWitnessClient/Admin
Microsoft-Windows-SMBWitnessClient/Informational
Microsoft-Windows-StateRepository/Operational
Microsoft-Windows-Storage-ATAPort/Admin
Microsoft-Windows-Storage-ATAPort/Operational
Microsoft-Windows-Storage-ClassPnP/Admin
Microsoft-Windows-Storage-ClassPnP/Operational
Microsoft-Windows-Storage-Disk/Admin
Microsoft-Windows-Storage-Disk/Operational
Microsoft-Windows-StorageManagement/Operational
Microsoft-Windows-StorageSpaces-Driver/Diagnostic
Microsoft-Windows-StorageSpaces-Driver/Operational
Microsoft-Windows-StorageSpaces-ManagementAgent/WHC
Microsoft-Windows-StorageSpaces-SpaceManager/Diagnostic
Microsoft-Windows-StorageSpaces-SpaceManager/Operational
Microsoft-Windows-Storage-Storport/Admin
Microsoft-Windows-Storage-Storport/Health
Microsoft-Windows-Storage-Storport/Operational
Microsoft-Windows-Storage-Tiering/Admin
Microsoft-Windows-Store/Operational
Microsoft-Windows-Storsvc/Diagnostic
Microsoft-Windows-SystemSettingsThreshold/Operational
Microsoft-Windows-TaskScheduler/Maintenance
Microsoft-Windows-TaskScheduler/Operational
Microsoft-Windows-TCPIP/Operational
Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin
Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational
Microsoft-Windows-TerminalServices-LocalSessionManager/Admin
Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
Microsoft-Windows-TerminalServices-PnPDevices/Admin
Microsoft-Windows-TerminalServices-PnPDevices/Operational
Microsoft-Windows-TerminalServices-Printers/Admin
Microsoft-Windows-TerminalServices-Printers/Operational
Microsoft-Windows-TerminalServices-RDPClient/Operational
Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin
Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin
Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational
Microsoft-Windows-Time-Service/Operational
Microsoft-Windows-Time-Service-PTP-Provider/PTP-Operational
Microsoft-Windows-Troubleshooting-Recommended/Admin
Microsoft-Windows-Troubleshooting-Recommended/Operational
Microsoft-Windows-TWinUI/Operational
Microsoft-Windows-TZSync/Operational
Microsoft-Windows-TZUtil/Operational
Microsoft-Windows-UAC/Operational
Microsoft-Windows-UniversalTelemetryClient/Operational
Microsoft-Windows-User Control Panel/Operational
Microsoft-Windows-User Device Registration/Admin
Microsoft-Windows-User Profile Service/Operational
Microsoft-Windows-User-Loader/Operational
Microsoft-Windows-UserPnp/ActionCenter
Microsoft-Windows-UserPnp/DeviceInstall
Microsoft-Windows-VDRVROOT/Operational
Microsoft-Windows-VerifyHardwareSecurity/Admin
Microsoft-Windows-VerifyHardwareSecurity/Operational
Microsoft-Windows-VHDMP-Operational
Microsoft-Windows-Volume/Diagnostic
Microsoft-Windows-VolumeSnapshot-Driver/Operational
Microsoft-Windows-VPN/Operational
Microsoft-Windows-VPN-Client/Operational
Microsoft-Windows-Wcmsvc/Operational
Microsoft-Windows-WDAG-PolicyEvaluator-CSP/Operational
Microsoft-Windows-WDAG-PolicyEvaluator-GP/Operational
Microsoft-Windows-WDAG-Service/Operational
Microsoft-Windows-WebAuth/Operational
Microsoft-Windows-WebAuthN/Operational
Microsoft-Windows-WebIO-NDF/Diagnostic
Microsoft-Windows-WEPHOSTSVC/Operational
Microsoft-Windows-WER-PayloadHealth/Operational
Microsoft-Windows-WFP/Operational
Microsoft-Windows-Win32k/Operational
Microsoft-Windows-Windows Defender/Operational
Microsoft-Windows-Windows Defender/WHC
Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
Microsoft-Windows-Windows Firewall With Advanced Security/FirewallDiagnostics
Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose
Microsoft-Windows-WindowsBackup/ActionCenter
Microsoft-Windows-WindowsColorSystem/Operational
Microsoft-Windows-WindowsSystemAssessmentTool/Operational
Microsoft-Windows-WindowsUIImmersive/Operational
Microsoft-Windows-WindowsUpdateClient/Operational
Microsoft-Windows-WinHTTP-NDF/Diagnostic
Microsoft-Windows-WinINet-Capture/Analytic
Microsoft-Windows-WinINet-Config/ProxyConfigChanged
Microsoft-Windows-Winlogon/Operational
Microsoft-Windows-WinNat/Oper
Microsoft-Windows-WinRM/Operational
Microsoft-Windows-Winsock-AFD/Operational
Microsoft-Windows-Winsock-NameResolution/Operational
Microsoft-Windows-Winsock-WS2HELP/Operational
Microsoft-Windows-Wired-AutoConfig/Operational
Microsoft-Windows-WLAN-AutoConfig/Operational
Microsoft-Windows-WMI-Activity/Operational
Microsoft-Windows-WMPNSS-Service/Operational
Microsoft-Windows-Wordpad/Admin
Microsoft-Windows-WorkFolders/Operational
Microsoft-Windows-WorkFolders/WHC
Microsoft-Windows-Workplace Join/Admin
Microsoft-Windows-WPD-ClassInstaller/Operational
Microsoft-Windows-WPD-CompositeClassDriver/Operational
Microsoft-Windows-WPD-MTPClassDriver/Operational
Microsoft-Windows-WWAN-SVC-Events/Operational
OpenSSH/Admin
OpenSSH/Operational
RemoteDesktopServices-RemoteFX-SessionLicensing-Admin
RemoteDesktopServices-RemoteFX-SessionLicensing-Operational
Setup
SMSApi
System
Windows PowerShell

Write access granted:

AMSI/Operational
Application
ForwardedEvents
HardwareEvents
Key Management Service
Microsoft-AppV-Client/Virtual Applications
Microsoft-Client-Licensing-Platform/Admin
Microsoft-User Experience Virtualization-App Agent/Operational
Microsoft-User Experience Virtualization-IPC/Operational
Microsoft-User Experience Virtualization-SQM Uploader/Operational
Microsoft-Windows-AAD/Operational
Microsoft-Windows-AllJoyn/Operational
Microsoft-Windows-All-User-Install-Agent/Admin
Microsoft-Windows-AppHost/Admin
Microsoft-Windows-ApplicabilityEngine/Operational
Microsoft-Windows-Application Server-Applications/Admin
Microsoft-Windows-Application Server-Applications/Operational
Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant
Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter
Microsoft-Windows-Application-Experience/Program-Inventory
Microsoft-Windows-Application-Experience/Program-Telemetry
Microsoft-Windows-Application-Experience/Steps-Recorder
Microsoft-Windows-ApplicationResourceManagementSystem/Operational
Microsoft-Windows-AppLocker/MSI and Script
Microsoft-Windows-AppLocker/Packaged app-Deployment
Microsoft-Windows-AppModel-Runtime/Admin
Microsoft-Windows-AppReadiness/Admin
Microsoft-Windows-AppReadiness/Operational
Microsoft-Windows-AppXDeployment/Operational
Microsoft-Windows-AppXDeploymentServer/Operational
Microsoft-Windows-AppxPackaging/Operational
Microsoft-Windows-AssignedAccess/Admin
Microsoft-Windows-AssignedAccess/Operational
Microsoft-Windows-AssignedAccessBroker/Admin
Microsoft-Windows-AssignedAccessBroker/Operational
Microsoft-Windows-Audio/PlaybackManager
Microsoft-Windows-Authentication User Interface/Operational
Microsoft-Windows-BackgroundTaskInfrastructure/Operational
Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational
Microsoft-Windows-Base-Filtering-Engine-Connections/Operational
Microsoft-Windows-BitLocker/BitLocker Management
Microsoft-Windows-BitLocker/BitLocker Operational
Microsoft-Windows-Bits-Client/Analytic
Microsoft-Windows-BranchCache/Operational
Microsoft-Windows-BranchCacheSMB/Operational
Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational
Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational
Microsoft-Windows-CertPoleEng/Operational
Microsoft-Windows-CloudStorageWizard/Operational
Microsoft-Windows-CloudStore/Debug
Microsoft-Windows-CloudStore/Operational
Microsoft-Windows-Compat-Appraiser/Operational
Microsoft-Windows-CoreApplication/Operational
Microsoft-Windows-CoreSystem-SmsRouter-Events/Operational
Microsoft-Windows-CorruptedFileRecovery-Client/Operational
Microsoft-Windows-DAL-Provider/Operational
Microsoft-Windows-DataIntegrityScan/Admin
Microsoft-Windows-DataIntegrityScan/CrashRecovery
Microsoft-Windows-DateTimeControlPanel/Operational
Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin
Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational
Microsoft-Windows-Devices-Background/Operational
Microsoft-Windows-DeviceSync/Operational
Microsoft-Windows-Dhcp-Client/Admin
Microsoft-Windows-Dhcp-Client/Operational
Microsoft-Windows-Dhcpv6-Client/Admin
Microsoft-Windows-Dhcpv6-Client/Operational
Microsoft-Windows-Diagnosis-PCW/Operational
Microsoft-Windows-Diagnosis-PLA/Operational
Microsoft-Windows-Diagnosis-Scheduled/Operational
Microsoft-Windows-Diagnosis-Scripted/Admin
Microsoft-Windows-Diagnosis-Scripted/Operational
Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational
Microsoft-Windows-Diagnostics-Networking/Operational
Microsoft-Windows-DiskDiagnosticResolver/Operational
Microsoft-Windows-DisplayColorCalibration/Operational
Microsoft-Windows-DNS-Client/Operational
Microsoft-Windows-DSC/Admin
Microsoft-Windows-DSC/Operational
Microsoft-Windows-EapHost/Operational
Microsoft-Windows-EapMethods-RasChap/Operational
Microsoft-Windows-EapMethods-RasTls/Operational
Microsoft-Windows-EapMethods-Sim/Operational
Microsoft-Windows-EapMethods-Ttls/Operational
Microsoft-Windows-EDP-Application-Learning/Admin
Microsoft-Windows-EDP-Audit-Regular/Admin
Microsoft-Windows-EDP-Audit-TCB/Admin
Microsoft-Windows-Energy-Estimation-Engine/EventLog
Microsoft-Windows-ESE/Operational
Microsoft-Windows-FeatureConfiguration/Operational
Microsoft-Windows-FileHistory-Core/WHC
Microsoft-Windows-Folder Redirection/Operational
Microsoft-Windows-Forwarding/Operational
Microsoft-Windows-GenericRoaming/Admin
Microsoft-Windows-glcnd/Admin
Microsoft-Windows-HelloForBusiness/Operational
Microsoft-Windows-HomeGroup Control Panel/Operational
Microsoft-Windows-HomeGroup Listener Service/Operational
Microsoft-Windows-HomeGroup Provider Service/Operational
Microsoft-Windows-HostGuardianClient-Service/Admin
Microsoft-Windows-HostGuardianClient-Service/Operational
Microsoft-Windows-HostGuardianService-CA/Admin
Microsoft-Windows-HostGuardianService-CA/Operational
Microsoft-Windows-HostGuardianService-Client/Admin
Microsoft-Windows-HostGuardianService-Client/Operational
Microsoft-Windows-HotspotAuth/Operational
Microsoft-Windows-HttpService/Log
Microsoft-Windows-HttpService/Trace
Microsoft-Windows-IdCtrls/Operational
Microsoft-Windows-International/Operational
Microsoft-Windows-International-RegionalOptionsControlPanel/Operational
Microsoft-Windows-Iphlpsvc/Operational
Microsoft-Windows-IPxlatCfg/Operational
Microsoft-Windows-Kernel-ApphelpCache/Operational
Microsoft-Windows-Known Folders API Service
Microsoft-Windows-LinkLayerDiscoveryProtocol/Operational
Microsoft-Windows-MediaFoundation-Performance/SARStreamResource
Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Operational
Microsoft-Windows-Mobile-Broadband-Experience-SmsRouter/Admin
Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Admin
Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot
Microsoft-Windows-ModernDeployment-Diagnostics-Provider/ManagementService
Microsoft-Windows-Mprddm/Operational
Microsoft-Windows-MSPaint/Admin
Microsoft-Windows-Ncasvc/Operational
Microsoft-Windows-NcdAutoSetup/Operational
Microsoft-Windows-NCSI/Operational
Microsoft-Windows-NDIS/Operational
Microsoft-Windows-NetworkLocationWizard/Operational
Microsoft-Windows-NetworkProfile/Operational
Microsoft-Windows-NetworkProvisioning/Operational
Microsoft-Windows-NlaSvc/Operational
Microsoft-Windows-OfflineFiles/Operational
Microsoft-Windows-OneBackup/Debug
Microsoft-Windows-OneX/Operational
Microsoft-Windows-OOBE-Machine-DUI/Operational
Microsoft-Windows-OtpCredentialProvider/Operational
Microsoft-Windows-PackageStateRoaming/Operational
Microsoft-Windows-PerceptionRuntime/Operational
Microsoft-Windows-PerceptionSensorDataService/Operational
Microsoft-WindowsPhone-Connectivity-WiFiConnSvc-Channel
Microsoft-Windows-PowerShell/Admin
Microsoft-Windows-PowerShell/Operational
Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational
Microsoft-Windows-PrintBRM/Admin
Microsoft-Windows-PrintService/Admin
Microsoft-Windows-PrintService/Operational
Microsoft-Windows-PriResources-Deployment/Operational
Microsoft-Windows-Provisioning-Diagnostics-Provider/Admin
Microsoft-Windows-Provisioning-Diagnostics-Provider/AutoPilot
Microsoft-Windows-Provisioning-Diagnostics-Provider/ManagementService
Microsoft-Windows-Proximity-Common/Diagnostic
Microsoft-Windows-PushNotification-Platform/Admin
Microsoft-Windows-PushNotification-Platform/Operational
Microsoft-Windows-RasAgileVpn/Operational
Microsoft-Windows-ReadyBoost/Operational
Microsoft-Windows-Regsvr32/Operational
Microsoft-Windows-RemoteApp and Desktop Connections/Admin
Microsoft-Windows-RemoteApp and Desktop Connections/Operational
Microsoft-Windows-RemoteAssistance/Admin
Microsoft-Windows-RemoteAssistance/Operational
Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin
Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
Microsoft-Windows-RemoteDesktopServices-RemoteFX-Manager/Admin
Microsoft-Windows-RemoteDesktopServices-RemoteFX-Manager/Operational
Microsoft-Windows-RemoteDesktopServices-SessionServices/Operational
Microsoft-Windows-Remotefs-Rdbss/Operational
Microsoft-Windows-Resource-Exhaustion-Resolver/Operational
Microsoft-Windows-RestartManager/Operational
Microsoft-Windows-RetailDemo/Admin
Microsoft-Windows-RetailDemo/Operational
Microsoft-Windows-RRAS/Operational
Microsoft-Windows-SearchUI/Operational
Microsoft-Windows-SecureAssessment/Operational
Microsoft-Windows-Security-Audit-Configuration-Client/Operational
Microsoft-Windows-Security-EnterpriseData-FileRevocationManager/Operational
Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Operational
Microsoft-Windows-Security-IdentityListener/Operational
Microsoft-Windows-Security-Mitigations/UserMode
Microsoft-Windows-SecurityMitigationsBroker/Admin
Microsoft-Windows-SecurityMitigationsBroker/Operational
Microsoft-Windows-Security-SPP-UX-GenuineCenter-Logging/Operational
Microsoft-Windows-Security-SPP-UX-Notifications/ActionCenter
Microsoft-Windows-SENSE/Operational
Microsoft-Windows-SenseIR/Operational
Microsoft-Windows-SettingSync/Debug
Microsoft-Windows-SettingSync/Operational
Microsoft-Windows-SettingSync-Azure/Debug
Microsoft-Windows-SettingSync-Azure/Operational
Microsoft-Windows-SettingSync-OneDrive/Debug
Microsoft-Windows-SettingSync-OneDrive/Operational
Microsoft-Windows-ShellCommon-StartLayoutPopulation/Operational
Microsoft-Windows-Shell-ConnectedAccountState/ActionCenter
Microsoft-Windows-Shell-Core/ActionCenter
Microsoft-Windows-Shell-Core/AppDefaults
Microsoft-Windows-Shell-Core/LogonTasksChannel
Microsoft-Windows-Shell-Core/Operational
Microsoft-Windows-SmartCard-Audit/Authentication
Microsoft-Windows-SmartCard-DeviceEnum/Operational
Microsoft-Windows-SmartScreen/Debug
Microsoft-Windows-SMBWitnessClient/Admin
Microsoft-Windows-SMBWitnessClient/Informational
Microsoft-Windows-StateRepository/Operational
Microsoft-Windows-StorageManagement/Operational
Microsoft-Windows-StorageSpaces-ManagementAgent/WHC
Microsoft-Windows-StorageSpaces-SpaceManager/Diagnostic
Microsoft-Windows-StorageSpaces-SpaceManager/Operational
Microsoft-Windows-Storage-Tiering/Admin
Microsoft-Windows-Store/Operational
Microsoft-Windows-SystemSettingsThreshold/Operational
Microsoft-Windows-TaskScheduler/Maintenance
Microsoft-Windows-TaskScheduler/Operational
Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin
Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational
Microsoft-Windows-TerminalServices-LocalSessionManager/Admin
Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
Microsoft-Windows-TerminalServices-PnPDevices/Admin
Microsoft-Windows-TerminalServices-PnPDevices/Operational
Microsoft-Windows-TerminalServices-Printers/Admin
Microsoft-Windows-TerminalServices-Printers/Operational
Microsoft-Windows-TerminalServices-RDPClient/Operational
Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin
Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin
Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational
Microsoft-Windows-Time-Service/Operational
Microsoft-Windows-Time-Service-PTP-Provider/PTP-Operational
Microsoft-Windows-Troubleshooting-Recommended/Admin
Microsoft-Windows-Troubleshooting-Recommended/Operational
Microsoft-Windows-TWinUI/Operational
Microsoft-Windows-TZSync/Operational
Microsoft-Windows-TZUtil/Operational
Microsoft-Windows-UAC/Operational
Microsoft-Windows-UniversalTelemetryClient/Operational
Microsoft-Windows-User Control Panel/Operational
Microsoft-Windows-User Device Registration/Admin
Microsoft-Windows-User Profile Service/Operational
Microsoft-Windows-User-Loader/Operational
Microsoft-Windows-UserPnp/ActionCenter
Microsoft-Windows-UserPnp/DeviceInstall
Microsoft-Windows-VerifyHardwareSecurity/Admin
Microsoft-Windows-VerifyHardwareSecurity/Operational
Microsoft-Windows-VPN-Client/Operational
Microsoft-Windows-Wcmsvc/Operational
Microsoft-Windows-WDAG-PolicyEvaluator-CSP/Operational
Microsoft-Windows-WDAG-PolicyEvaluator-GP/Operational
Microsoft-Windows-WDAG-Service/Operational
Microsoft-Windows-WebAuth/Operational
Microsoft-Windows-WebAuthN/Operational
Microsoft-Windows-WebIO-NDF/Diagnostic
Microsoft-Windows-WEPHOSTSVC/Operational
Microsoft-Windows-WER-PayloadHealth/Operational
Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
Microsoft-Windows-Windows Firewall With Advanced Security/FirewallDiagnostics
Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose
Microsoft-Windows-WindowsColorSystem/Operational
Microsoft-Windows-WindowsSystemAssessmentTool/Operational
Microsoft-Windows-WindowsUIImmersive/Operational
Microsoft-Windows-WinHTTP-NDF/Diagnostic
Microsoft-Windows-WinINet-Capture/Analytic
Microsoft-Windows-WinINet-Config/ProxyConfigChanged
Microsoft-Windows-Winlogon/Operational
Microsoft-Windows-WinRM/Operational
Microsoft-Windows-Winsock-NameResolution/Operational
Microsoft-Windows-Wired-AutoConfig/Operational
Microsoft-Windows-WLAN-AutoConfig/Operational
Microsoft-Windows-WMI-Activity/Operational
Microsoft-Windows-WMPNSS-Service/Operational
Microsoft-Windows-Wordpad/Admin
Microsoft-Windows-WorkFolders/Operational
Microsoft-Windows-WorkFolders/WHC
Microsoft-Windows-Workplace Join/Admin
Microsoft-Windows-WWAN-SVC-Events/Operational
OpenSSH/Admin
OpenSSH/Operational
RemoteDesktopServices-RemoteFX-SessionLicensing-Admin
RemoteDesktopServices-RemoteFX-SessionLicensing-Operational
Setup
SMSApi
Windows PowerShell
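
The two lists above are host-specific, so a practitioner will want to regenerate them rather than trust a snapshot of one Windows 10 build. The script below is an added example, not the post's own tooling: it reads each channel's SDDL from Get-WinEvent -ListLog, walks the DACL with first-match semantics, and reports which channels grant read, write or clear to the groups an ordinary non-admin interactive logon carries. The set of SIDs treated as "unprivileged" and the constructed sanity-check descriptor are assumptions; the 0x1/0x2/0x4 channel rights are the documented ELF_LOGFILE_READ/WRITE/CLEAR bits.

```powershell
# Added example: reproduce the "Read access granted" / "Write access granted" lists
# by evaluating each event log channel's security descriptor against an
# unprivileged token's group SIDs. Not the post's original script.

# Event log channel access rights (documented for wevtutil channel security).
$ELF_LOGFILE_READ  = 0x1
$ELF_LOGFILE_WRITE = 0x2
$ELF_LOGFILE_CLEAR = 0x4

# Assumption: these SIDs approximate what a non-admin interactive token contains.
$UnprivilegedSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-4'        # INTERACTIVE
) | ForEach-Object { [System.Security.Principal.SecurityIdentifier]$_ }

function Test-SddlGrantsAccess {
    <# Walks the DACL in order: a matching deny ACE that covers any still-needed
       bit refuses the request; matching allow ACEs strip bits from the request
       until nothing remains. Generic rights other than GENERIC_ALL are not
       mapped, which is fine for channel descriptors that use explicit hex masks. #>
    param(
        [Parameter(Mandatory)][string]$Sddl,
        [Parameter(Mandatory)][int]$DesiredAccess,
        [System.Security.Principal.SecurityIdentifier[]]$Sids = $UnprivilegedSids
    )
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    # A NULL DACL grants everything to everyone.
    if ($null -eq $sd.DiscretionaryAcl) { return $true }

    $remaining = $DesiredAccess
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($Sids -notcontains $ace.SecurityIdentifier) { continue }
        $mask = $ace.AccessMask
        if ($mask -band 0x10000000) { $mask = $mask -bor 0x7 }   # GENERIC_ALL
        if ($ace.AceType -eq [System.Security.AccessControl.AceType]::AccessDenied) {
            if ($mask -band $remaining) { return $false }
        } elseif ($ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed) {
            $remaining = $remaining -band (-bnot $mask)
        }
        if ($remaining -eq 0) { return $true }
    }
    return $false
}

# Constructed sanity check: a descriptor in the shape used by the Security log
# (SYSTEM full, Administrators read/write/clear, Backup Operators, Server
# Operators and Event Log Readers read). None of those SIDs are in the
# unprivileged set, so every check below must come back False.
$constructedSddl = 'O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x1;;;BO)(A;;0x1;;;SO)(A;;0x1;;;S-1-5-32-573)'
Test-SddlGrantsAccess -Sddl $constructedSddl -DesiredAccess $ELF_LOGFILE_READ
Test-SddlGrantsAccess -Sddl $constructedSddl -DesiredAccess $ELF_LOGFILE_WRITE

# Live enumeration of every channel on this host.
$channels = Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
    Where-Object { $_.SecurityDescriptor } |
    ForEach-Object {
        [pscustomobject]@{
            LogName = $_.LogName
            Read    = Test-SddlGrantsAccess -Sddl $_.SecurityDescriptor -DesiredAccess $ELF_LOGFILE_READ
            Write   = Test-SddlGrantsAccess -Sddl $_.SecurityDescriptor -DesiredAccess $ELF_LOGFILE_WRITE
            Clear   = Test-SddlGrantsAccess -Sddl $_.SecurityDescriptor -DesiredAccess $ELF_LOGFILE_CLEAR
        }
    }

"Read access granted:";  ($channels | Where-Object Read).LogName  | Sort-Object
"Write access granted:"; ($channels | Where-Object Write).LogName | Sort-Object
"Clear access granted:"; ($channels | Where-Object Clear).LogName | Sort-Object
```

Run it from a non-elevated prompt to mirror the attacker's starting point; the channel descriptors are readable either way, but the point is to see what the host grants before you touch anything. Any channel that appears under "Clear access granted" deserves more attention than one under "Write", since clearing is an anti-forensics primitive while write only lets an attacker inject noise.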

Appendix B: Securable Object Supported SACL Audit Messages

I mentioned above that the strings contained within msobjs.dll can offer some valuable insight into what securable objects support SACL auditing. I extracted all supported messages and grouped them according to securable object in the list that follows. Hopefully this will pique your interest in applying targeted SACLs in your environment as a means of supplementing your overall detection posture.
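
To make the "targeted SACL" suggestion concrete, the following is an added example (not part of the original post) that places an audit ACE on a registry key, enables the audit subcategory that makes the SACL take effect, triggers the audited access, and reads back the resulting 4663 event. The key path is hypothetical, and it assumes an elevated session because reading and writing a SACL requires SeSecurityPrivilege.

```powershell
# Added example: audit "Set key value" / "Create sub-key" on one registry key
# and show how the access surfaces in the Security log. Run elevated.
$KeyPath = 'HKLM:\SOFTWARE\Contoso\SensitiveConfig'   # hypothetical key for illustration
if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }

# A SACL is inert until the matching subcategory is enabled; for registry keys
# that is Object Access > Registry.
auditpol /set /subcategory:"Registry" /success:enable /failure:enable | Out-Null

# Add a success+failure audit ACE for Everyone covering the two write-like
# rights; ContainerInherit propagates it to subkeys created later.
$acl  = Get-Acl -Path $KeyPath -Audit
$rule = [System.Security.AccessControl.RegistryAuditRule]::new(
    [System.Security.Principal.SecurityIdentifier]'S-1-1-0',
    ([System.Security.AccessControl.RegistryRights]::SetValue -bor
     [System.Security.AccessControl.RegistryRights]::CreateSubKey),
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    ([System.Security.AccessControl.AuditFlags]::Success -bor
     [System.Security.AccessControl.AuditFlags]::Failure))
$acl.AddAuditRule($rule)
Set-Acl -Path $KeyPath -AclObject $acl

# Trigger the audited access.
Set-ItemProperty -Path $KeyPath -Name Probe -Value 1

# Pull the matching 4663 entries and expose the fields a detection would key on.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 50 |
    Where-Object { $_.Message -like '*Contoso\SensitiveConfig*' } |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            Subject    = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            Process    = $data.ProcessName
            Object     = $data.ObjectName
            AccessMask = $data.AccessMask
            # AccessList holds %%-prefixed placeholders; the rendered Message
            # resolves them through msobjs.dll to the strings listed below,
            # e.g. "Set key value" for a registry key.
            AccessList = $data.AccessList
        }
    }
```

The AccessMask in the event is the same bit layout the DACL uses, so the per-object strings in this appendix are exactly the vocabulary you will see in the Accesses field. Keep the ACE narrow: an Everyone audit ACE on SetValue at the root of a busy hive will flood the Security log, whereas the same ACE on a handful of persistence-relevant keys gives a low-volume, high-signal source.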

ALPC Port:

Communicate using port

Channel:

Channel read message
Channel write message
Channel query information
Channel set information

Desktop:

Read Objects
Create window
Create menu
Hook control
Journal (record)
Journal (playback)
Include this desktop in enumerations
Write objects
Switch to this desktop

Device:

Device Access Bit 0
Device Access Bit 1
Device Access Bit 2
Device Access Bit 3
Device Access Bit 4
Device Access Bit 5
Device Access Bit 6
Device Access Bit 7
Device Access Bit 8

Directory:

Query directory
Traverse
Create object in directory
Create sub-directory

Event:

Query event state
Modify event state

File, MailSlot, and NamedPipe:

ReadData (or ListDirectory)
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
ReadEA
WriteEA
Execute/Traverse
DeleteChild
ReadAttributes
WriteAttributes

IoCompletion:

Query State
Modify State

Job:

Assign process
Set Attributes
Query Attributes
Terminate Job
Set Security Attributes

Key:

Query key value
Set key value
Create sub-key
Enumerate sub-keys
Notify about changes to keys
Create Link
Undefined Access (no effect) Bit 6
Undefined Access (no effect) Bit 7
Enable 64(or 32) bit application to open 64 bit key
Enable 64(or 32) bit application to open 32 bit key

KeyedEvent:

KeyedEvent Wait
KeyedEvent Wake

Mutant:

Query mutant state

Port and WaitablePort:

Communicate using port

Process:

Force process termination
Create new thread in process
Set process session ID
Perform virtual memory operation
Read from process memory
Write to process memory
Duplicate handle into or out of process
Create a subprocess of process
Set process quotas
Set process information
Query process information
Set process termination port

Profile:

Control profile

Section:

Query section state
Map section for write
Map section for read
Map section for execute
Extend size

Semaphore:

Query semaphore state
Modify semaphore state

SymbolicLink:

Use symbolic link

Thread:

Force thread termination
Suspend or resume thread
Send an alert to thread
Get thread context
Set thread context
Set thread information
Query thread information
Assign a token to the thread
Cause thread to directly impersonate another thread
Directly impersonate this thread

Timer:

Query timer state
Modify timer state

Token:

AssignAsPrimary
Duplicate
Impersonate
Query
QuerySource
AdjustPrivileges
AdjustGroups
AdjustDefaultDacl
AdjustSessionID

Type:

Create instance of object type

WindowStation:

Enumerate desktops
Read attributes
Access Clipboard
Create desktop
Write attributes
Access global atoms
Exit windows
Unused Access Flag
Include this windowstation in enumerations
Read screen

WMI Namespace:

Enable WMI Account
Execute Method
Full Write
Partial Write
Provider Write
Remote Access
Subscribe
Publish

Posts By SpecterOps Team Members

Posts from SpecterOps team members on various topics relating information security

Thanks to Kelly Villanueva

Written by Matt Graeber, Security Researcher, SpecterOps
