Decoding requested_access field in event_type:cross_process

Version

5.2.X and earlier

Topic

In a cross_process event type there is a key named "requested_access". What is this value and how can it be decoded?

Steps

The value for the key requested_access is an access mask as defined by Microsoft and is Windows specific. It is included in the cross_process event type to capture the access that one process requested to another. To understand what this value means:

  1. Convert the requested_access value to hex
    1. Open the calc.exe application in Windows and click View > Programmer
    2. Select "Dec" for decimal and enter the value (example: 2097151)
    3. Select "Hex" to convert the value (example result: 1FFFFF)
  2. The value combines multiple access rights into a single value. Use the following Microsoft documentation page as a reference:

          https://msdn.microsoft.com/en-us/library/windows/desktop/ms684880(v=vs.85).aspx

          In this case, it is specifying all STANDARD/SPECIFIC rights:

          #define STANDARD_RIGHTS_ALL (0x001F0000L)

          #define SPECIFIC_RIGHTS_ALL (0x0000FFFFL)

          combined: 0x001FFFFFL (which equates to 1FFFFF)
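
The manual conversion above can be scripted. The following is an added example, not part of the original article and not Carbon Black code; it assumes the target handle is a process, takes its bit names from winnt.h, and uses 5136 as a constructed sample value alongside the article's 2097151.

```python
# Added example: decode a cross_process access-mask value into named rights.
# Assumption: the target handle is a process (thread handles reuse the low
# 16 bits with different meanings). Bit values come from winnt.h.
RIGHTS = {
    0x00000001: "PROCESS_TERMINATE",
    0x00000002: "PROCESS_CREATE_THREAD",
    0x00000004: "PROCESS_SET_SESSIONID",
    0x00000008: "PROCESS_VM_OPERATION",
    0x00000010: "PROCESS_VM_READ",
    0x00000020: "PROCESS_VM_WRITE",
    0x00000040: "PROCESS_DUP_HANDLE",
    0x00000080: "PROCESS_CREATE_PROCESS",
    0x00000100: "PROCESS_SET_QUOTA",
    0x00000200: "PROCESS_SET_INFORMATION",
    0x00000400: "PROCESS_QUERY_INFORMATION",
    0x00000800: "PROCESS_SUSPEND_RESUME",
    0x00001000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x00002000: "PROCESS_SET_LIMITED_INFORMATION",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
    0x01000000: "ACCESS_SYSTEM_SECURITY",
    0x02000000: "MAXIMUM_ALLOWED",
    0x10000000: "GENERIC_ALL",
    0x20000000: "GENERIC_EXECUTE",
    0x40000000: "GENERIC_WRITE",
    0x80000000: "GENERIC_READ",
}
STANDARD_RIGHTS_ALL = 0x001F0000
SPECIFIC_RIGHTS_ALL = 0x0000FFFF

def decode_access_mask(value):
    """Return (hex string, names of set bits, bits with no name in RIGHTS)."""
    mask = int(value) & 0xFFFFFFFF          # accepts int or decimal string
    names = [name for bit, name in sorted(RIGHTS.items()) if mask & bit]
    unnamed = mask
    for bit in RIGHTS:                      # clear every bit we can name
        unnamed &= ~bit
    return format(mask, "X"), names, unnamed

if __name__ == "__main__":
    for sample in (2097151, 5136):          # 5136 is a constructed sample
        hex_str, names, unnamed = decode_access_mask(sample)
        is_all = int(hex_str, 16) == (STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL)
        print(sample, "0x" + hex_str, "ALL" if is_all else "", names,
              "unnamed=0x%X" % unnamed)
```

For 2097151 the unnamed remainder is 0xC000: SPECIFIC_RIGHTS_ALL sets all 16 low bits, but only 14 of them have a process-specific name in this table.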

Creation Date: 12-28-2016