Whetting your appetite for Windows Vista

Here's a cut & paste from one of my Vista machines. This is one of our new events. I'm including the human-formatted view, which you'll see in Event Viewer, and the XML view that apps will see (you can see this in the Viewer, too, if you're into that).

Look closely; I'll bet you'll be pleasantly surprised.


Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          12/20/2005 5:11:19 PM
Event ID:      4657
Task:          Registry (Object Access)
Level:         Information
Keywords:      Audit Success
User:          SYSTEM
Computer:      HIDDEN
Registry value modified:
  Subject User Sid: S-1-5-21-HIDDEN
  Subject User Name: ericf
  Subject Domain: HIDDEN
  Subject Logon ID: 638700
  Object Name: \REGISTRY\USER\S-1-5-21-HIDDEN\testkey
  Object Value Name: testvalue
  Handle ID: 536
  Operation Type: Existing registry value modified
  Old Value Type: REG_SZ
  Old Value: old
  New Value Type: REG_SZ
  New Value: new

  Process ID: 6108
  Process Name: D:\Windows\regedit.exe
Event Xml:
<Event xmlns="
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c91d}" />
    <EventID Qualifiers="">4657</EventID>
    <TimeCreated SystemTime="2005-12-21T01:11:19.215Z" />
    <Correlation ActivityID="{00000000-0000-0000-0000-000000000000}" RelatedActivityID="" />
    <Execution ProcessID="4" ThreadID="68" />
    <Security UserID="S-1-5-18" />
    <Data name="SubjectUserSid">S-1-5-21-HIDDEN</Data>
    <Data name="SubjectUserName">ericf</Data>
    <Data name="SubjectDomainName">HIDDEN</Data>
    <Data name="SubjectLogonId">638700</Data>
    <Data name="ObjectName">\REGISTRY\USER\S-1-5-21-HIDDEN\testkey</Data>
    <Data name="ObjectValueName">testvalue</Data>
    <Data name="HandleId">218</Data>
    <Data name="OperationType">%%1905</Data>
    <Data name="OldValueType">%%1873</Data>
    <Data name="OldValue">old</Data>
    <Data name="NewValueType">%%1873</Data>
    <Data name="NewValue">new</Data>
    <Data name="ProcessId">17dc</Data>
    <Data name="ProcessName">D:\Windows\regedit.exe</Data>
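The two views above differ in ways an app consuming the XML has to handle itself: HandleId and ProcessId are hex in the XML view (218 and 17dc) but decimal in the formatted view (536 and 6108), the OperationType and value-type fields arrive as %%-tokens that Event Viewer resolves from the provider's message table, and the ProcessID in the System section (4, the System process doing the logging) is not the process that made the change, which is only in EventData. The following parser is an added example and not code from the post; the sample event is constructed from the values shown above, and because the opening Event tag is truncated on the page, the standard Windows event schema namespace and the System/EventData wrappers are assumed. Only the two message tokens visible in the post are mapped; anything else is passed through unresolved rather than guessed.

```python
"""Parse the XML view of a Vista 4657 (registry value modified) audit event
and reconcile it with the formatted view Event Viewer shows.

Added example, not code from the original post. SAMPLE_EVENT is constructed
from the values in the post; the xmlns and the <System>/<EventData> wrappers
are assumed from the standard Windows event schema.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Message-resource tokens seen in the post, with the strings the formatted
# view shows for them. The full table lives in the provider's message file,
# so unknown tokens are left as-is instead of being guessed.
MESSAGE_STRINGS = {
    "%%1905": "Existing registry value modified",
    "%%1873": "REG_SZ",
}

# Fields the XML view carries as hex while the formatted view shows decimal.
HEX_FIELDS = {"HandleId", "ProcessId"}

SAMPLE_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c91d}" />
    <EventID Qualifiers="">4657</EventID>
    <TimeCreated SystemTime="2005-12-21T01:11:19.215Z" />
    <Execution ProcessID="4" ThreadID="68" />
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data name="SubjectUserName">ericf</Data>
    <Data name="SubjectLogonId">638700</Data>
    <Data name="ObjectName">\REGISTRY\USER\S-1-5-21-HIDDEN\testkey</Data>
    <Data name="ObjectValueName">testvalue</Data>
    <Data name="HandleId">218</Data>
    <Data name="OperationType">%%1905</Data>
    <Data name="OldValueType">%%1873</Data>
    <Data name="OldValue">old</Data>
    <Data name="NewValueType">%%1873</Data>
    <Data name="NewValue">new</Data>
    <Data name="ProcessId">17dc</Data>
    <Data name="ProcessName">D:\Windows\regedit.exe</Data>
  </EventData>
</Event>"""


def parse_event(xml_text):
    """Return a flat dict of the event with hex fields converted to int and
    known %%-tokens resolved to the strings the formatted view shows."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    fields = {
        "EventID": int(system.find("e:EventID", NS).text),
        "Provider": system.find("e:Provider", NS).get("Name"),
        "TimeCreated": system.find("e:TimeCreated", NS).get("SystemTime"),
        # PID of the process that wrote the record (System, PID 4), which is
        # NOT the process that modified the registry value.
        "LoggingProcessID": int(system.find("e:Execution", NS).get("ProcessID")),
    }
    for data in root.find("e:EventData", NS).findall("e:Data", NS):
        name = data.get("name")
        value = data.text or ""
        if name in HEX_FIELDS:
            value = int(value, 16)
        elif value.startswith("%%"):
            value = MESSAGE_STRINGS.get(value, value)  # unknown token stays raw
        fields[name] = value
    return fields


def describe_change(fields):
    """One-line triage summary: who changed which value, from which process."""
    return (f"{fields['SubjectUserName']} (logon {fields['SubjectLogonId']}) "
            f"{fields['OperationType'].lower()}: "
            f"{fields['ObjectName']}\\{fields['ObjectValueName']} "
            f"{fields['OldValueType']} {fields['OldValue']!r} -> "
            f"{fields['NewValueType']} {fields['NewValue']!r} "
            f"via {fields['ProcessName']} (PID {fields['ProcessId']})")


if __name__ == "__main__":
    print(describe_change(parse_event(SAMPLE_EVENT)))
```

Reading the hex fields as integers is what lets the PID here (6108) be joined against the decimal process IDs in other records, and keeping LoggingProcessID separate avoids attributing the change to PID 4.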
