The details of event ID 560 are not correct in Chinese OS (Windows XP, Windows Server 2003/2008, Windows Vista/7)
In the Chinese edition of Windows XP, Windows Server 2003/2008 and Windows Vista/7, when using Event Viewer to check the details of event 560, the access mask is 0.
The following details are shown in the Chinese OS:
打开的对象:
对象服务器: security
对象类型: file
对象名称: c:\shared\new folder\qqq.txt
句柄 id: -
操作 id: {0,716204}
进程 id: 3168
图像文件名: c:\windows\system32\notepad.exe
主要用户名: administrator
主要域: adap
主要登录 id: (0x0,0x22530)
客户端用户名: -
客户端域: -
客户端登录 id: -
访问次数: -
特权: read_control
synchronize
readdata (或 listdirectory)
readea
readattributes
受限 sid 计数: -
访问掩码: 0 (this means "access mask", 0)
The following is the same event data displayed in the English OS:
object open:
object server: security
object type: file
object name: c:\shared\new folder\qqq.txt
handle id: -
operation id: {0,716204}
process id: 3168
image file name: c:\windows\system32\notepad.exe
primary user name: administrator
primary domain: adap
primary logon id: (0x0,0x22530)
client user name: -
client domain: -
client logon id: -
accesses: read_control
synchronize
readdata (or listdirectory)
readea
readattributes
privileges: -
restricted sid count: 0
access mask: 0x120089
You see the access mask is not 0.
I found that in the Chinese OS, the values of the "accesses" entries are not correct!!!
You can download the event log data from:
https://skydrive.live.com/?cid=23120a76ae0dd011&sc=documents&uc=1&id=23120a76ae0dd011%21135#
Then open Event Viewer, open the saved log data "security", filter the view for ID=560 events, and see the issue.
Please check and give me a hotfix.
Thanks & regards,
Why no reply?
Is this the style of Microsoft?
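Added example, not part of the original post: a Python check that recomputes the access mask from the access-right names in a rendered event 560 and flags records where those names sit under the privileges field instead, as in the Chinese rendering above. The bit values are the standard file access rights from winnt.h; the function names and the two sample records (transcribed from the post's two renderings) are assumptions of this example.

```python
# Access-right bits for file objects (values from winnt.h), keyed by the
# short name used in the event 560 description text.
RIGHTS = {
    "readdata": 0x1, "writedata": 0x2, "appenddata": 0x4, "readea": 0x8,
    "writeea": 0x10, "execute/traverse": 0x20, "deletechild": 0x40,
    "readattributes": 0x80, "writeattributes": 0x100, "delete": 0x10000,
    "read_control": 0x20000, "write_dac": 0x40000, "write_owner": 0x80000,
    "synchronize": 0x100000,
}

def short(name):
    """'readdata (或 listdirectory)' -> 'readdata'; '-' -> ''."""
    return name.split("(")[0].strip().lower().strip("-")

def names_to_mask(names):
    """OR together the bits of every recognised access-right name."""
    mask = 0
    for n in names:
        mask |= RIGHTS.get(short(n), 0)
    return mask

def check_560(accesses, privileges, access_mask):
    """Return a list of findings for one rendered event 560."""
    findings = []
    mask = int(access_mask, 0)  # accepts '0' and '0x120089'
    if names_to_mask(accesses) != mask:
        findings.append("accesses do not match access mask")
    shifted = names_to_mask(privileges)
    if shifted:  # privileges should never contain access-right names
        findings.append("access rights listed under privileges (0x%x)" % shifted)
    return findings

# Sample records transcribed from the two renderings in the post.
ENGLISH = dict(accesses=["read_control", "synchronize",
                         "readdata (or listdirectory)", "readea",
                         "readattributes"],
               privileges=["-"], access_mask="0x120089")
CHINESE = dict(accesses=["-"],
               privileges=["read_control", "synchronize",
                           "readdata (或 listdirectory)", "readea",
                           "readattributes"],
               access_mask="0")

if __name__ == "__main__":
    for label, rec in (("English", ENGLISH), ("Chinese", CHINESE)):
        print(label, check_560(**rec) or "consistent")
```
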