Whetting your appetite for Windows Vista

Here's a cut & paste from one of my Vista machines. This is one of our new events. I'm including the human-formatted view which you'll see in Event Viewer, and the XML view that apps will see (you can see this in the Viewer, too, if you're into that).

Look closely; I'll bet you'll be pleasantly surprised.

Eric

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 12/20/2005 5:11:19 PM
Event ID: 4657
Task: Registry (Object Access)
Level: Information
Keywords: Audit Success
User: SYSTEM
Computer: HIDDEN
Description:
Registry value modified:
Subject User Sid: S-1-5-21-HIDDEN
Subject User Name: ericf
Subject Domain: HIDDEN
Subject Logon ID: 638700
Object Name: \REGISTRY\USER\S-1-5-21-HIDDEN\testkey
Object Value Name: testvalue
Handle ID: 536
Operation Type: Existing registry value modified
Old Value Type: REG_SZ
Old Value: old
New Value Type: REG_SZ
New Value: new
Process ID: 6108
Process Name: D:\Windows\regedit.exe

Event Xml:
<Event xmlns="https://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c91d}" />
<EventID Qualifiers="">4657</EventID>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>9232379236109516800</Keywords>
<TimeCreated SystemTime="2005-12-21T01:11:19.215Z" />
<EventRecordID>40354</EventRecordID>
<Correlation ActivityID="{00000000-0000-0000-0000-000000000000}" RelatedActivityID="" />
<Execution ProcessID="4" ThreadID="68" />
<Channel>Security</Channel>
<Computer>HIDDEN</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data name="SubjectUserSid">S-1-5-21-HIDDEN</Data>
<Data name="SubjectUserName">ericf</Data>
<Data name="SubjectDomainName">HIDDEN</Data>
<Data name="SubjectLogonId">638700</Data>
<Data name="ObjectName">\REGISTRY\USER\S-1-5-21-HIDDEN\testkey</Data>
<Data name="ObjectValueName">testvalue</Data>
<Data name="HandleId">218</Data>
<Data name="OperationType">%%1905</Data>
<Data name="OldValueType">%%1873</Data>
<Data name="OldValue">old</Data>
<Data name="NewValueType">%%1873</Data>
<Data name="NewValue">new</Data>
<Data name="ProcessId">17dc</Data>
<Data name="ProcessName">D:\Windows\regedit.exe</Data>
</EventData>
</Event>
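
An added example, not part of the original post: a small Python parser that decodes the XML view above into the values the formatted view shows, so the old and new registry values can be pulled out programmatically. It assumes that HandleId and ProcessId are hexadecimal in the XML and that %%1905 and %%1873 stand for the strings the formatted view prints, both inferred by comparing the two views on this page; the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed copy of the event XML shown on this page.
SAMPLE = r"""<Event xmlns="https://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID Qualifiers="">4657</EventID></System>
<EventData>
<Data name="SubjectUserName">ericf</Data>
<Data name="ObjectName">\REGISTRY\USER\S-1-5-21-HIDDEN\testkey</Data>
<Data name="ObjectValueName">testvalue</Data>
<Data name="HandleId">218</Data>
<Data name="OperationType">%%1905</Data>
<Data name="OldValueType">%%1873</Data>
<Data name="OldValue">old</Data>
<Data name="NewValueType">%%1873</Data>
<Data name="NewValue">new</Data>
<Data name="ProcessId">17dc</Data>
<Data name="ProcessName">D:\Windows\regedit.exe</Data>
</EventData>
</Event>"""

# Assumption: only the two %% ids whose text the formatted view on this page reveals.
MESSAGE_IDS = {"%%1905": "Existing registry value modified", "%%1873": "REG_SZ"}
# Assumption: these fields are hex in the XML (218 -> 536, 17dc -> 6108 on this page).
HEX_FIELDS = {"HandleId", "ProcessId"}


def parse_4657(xml_text):
    """Return the EventData fields of a 4657 event, decoded like the formatted view."""
    fields, event_id = {}, None
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop the '{namespace}' prefix
        if tag == "EventID":
            event_id = int(el.text)
        elif tag == "Data":
            key, value = el.get("name") or el.get("Name"), el.text or ""
            if key in HEX_FIELDS:
                value = int(value, 16)
            fields[key] = MESSAGE_IDS.get(value, value)
    if event_id != 4657:
        raise ValueError("not a 4657 event: %r" % event_id)
    return fields


def describe_change(f):
    """One-line summary of who changed what, for triage."""
    return ("{SubjectUserName} set {ObjectName}\\{ObjectValueName} "
            "from {OldValue!r} to {NewValue!r} using {ProcessName} "
            "(pid {ProcessId})").format(**f)
```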