Version
5.2.X and earlier
Topic
A cross_process event type contains a key named "requested_acces". What is this value and how can it be decoded?
Steps
The value of the requested_acces key is a Windows-specific access mask, as defined by Microsoft. It is included in the cross_process event type to record the access that one process requested to another. To understand what this value means:
- Convert the requested_acces value to hex:
  - Open the calc.exe application in Windows and click View>Programmer
  - Select "Dec" for decimal and enter the value (example: 2097151)
  - Select "Hex" to convert the value (example result: 1FFFFF)
- The value combines multiple access rights into a single value. Use the following Microsoft documentation page as a reference:
https://msdn.microsoft.com/en-us/library/windows/desktop/ms684880(v=vs.85).aspx
In this case, it is specifying all STANDARD/SPECIFIC rights:
#define STANDARD_RIGHTS_ALL (0x001F0000L)
#define SPECIFIC_RIGHTS_ALL (0x0000FFFFL)
combined: 0x001FFFFFL (which equates to 1FFFFF)
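The same decoding can be scripted instead of done by hand in calc.exe. The following Python is an added example, not part of the original article or the product: it assumes the mask was requested on a process handle (thread handles use different specific rights), takes the right names and bit values from the Windows SDK header winnt.h, and uses a hypothetical function name, decode_access_mask.

```python
# Added example: decode a Windows access mask, assuming a process handle.
PROCESS_RIGHTS = {            # process-specific rights (low 16 bits), from winnt.h
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0004: "PROCESS_SET_SESSIONID",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x2000: "PROCESS_SET_LIMITED_INFORMATION",
}
STANDARD_RIGHTS = {           # standard rights, common to all object types
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}
STANDARD_RIGHTS_ALL = 0x001F0000
SPECIFIC_RIGHTS_ALL = 0x0000FFFF

def decode_access_mask(value):
    """Accept the decimal value from the event (int or str) or a 0x-prefixed string."""
    mask = int(str(value), 0)
    named = {**PROCESS_RIGHTS, **STANDARD_RIGHTS}
    rights = [name for bit, name in sorted(named.items()) if mask & bit]
    known = sum(named)        # every key is a distinct bit, so the sum equals the OR
    return {
        "hex": f"0x{mask:08X}",
        "rights": rights,
        # bits set in the mask that have no named right in the tables above
        "unnamed_bits": f"0x{mask & ~known:X}",
        "all_standard": (mask & STANDARD_RIGHTS_ALL) == STANDARD_RIGHTS_ALL,
        "all_specific": (mask & SPECIFIC_RIGHTS_ALL) == SPECIFIC_RIGHTS_ALL,
    }

if __name__ == "__main__":
    # 2097151 is the article's example; 5136 is a constructed sample value
    for sample in (2097151, 5136):
        print(sample, decode_access_mask(sample))
```

For triage, a mask containing PROCESS_VM_WRITE or PROCESS_CREATE_THREAD deserves more attention than one that only contains the query rights, since those rights allow changing the target process rather than just inspecting it.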