Decoding UAC Flags Values in events 4720, 4738, 4741, and 4742
In Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2, there are four events that contain a user account control (UAC) flags value:
- 4720 - user account creation
- 4738 - user account change
- 4741 - computer account creation
- 4742 - computer account change
This value is a bitmask, and the event text shows it as a hexadecimal number, e.g. 0x1234.
The "decoder key" for this value is in Knowledge Base article 305144. If you're a developer type, the actual declaration is in IADS.H in the Windows SDK.
Ned points out that the article is missing an entry:
0x04000000 - PARTIAL_SECRETS_ACCOUNT (i.e. "Read-Only Domain Controller")
I also want to point out that Windows will set the undeclared value 0x4. I don't know what this value does, if anything.
To decode this value, go through the property value definitions in the KB article from largest to smallest and compare each property value to the flags value in the event. If the flags value is greater than or equal to the property value, that property is "set" and applies to the event: subtract the property value from the flags value, note that the flag applies, and go on to the next flag. If it is smaller, the flag does not apply and the flags value is left unchanged. Here's an example:
Flags value from event: 0x15
- PASSWD_NOTREQD 0x0020
- LOCKOUT 0x0010
- HOMEDIR_REQUIRED 0x0008
- (undeclared) 0x0004
- ACCOUNTDISABLE 0x0002
- SCRIPT 0x0001
0x20 > 0x15, so PASSWD_NOTREQD does not apply to this event
0x10 < 0x15, so LOCKOUT applies to this event. 0x15 - 0x10 = 0x5
0x08 > 0x05, so HOMEDIR_REQUIRED does not apply to this event
0x04 < 0x05, so the undeclared value is set. We'll pretend it doesn't mean anything. 0x5 - 0x4 = 0x1
0x02 > 0x01, so ACCOUNTDISABLE does not apply to this event
0x01 = 0x01, so SCRIPT applies to this event. 0x1 - 0x1 = 0x0, we're done.
So this UAC flags value decodes to: LOCKOUT and SCRIPT.
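The same walk as a runnable decoder, added here as an example and not part of the original article. It uses the full KB 305144 / IADS.H table rather than the six entries above, and tests each bit with AND instead of the greater-or-equal subtraction, so a set bit that is missing from the table (such as the undeclared 0x4) is reported as leftover instead of skewing the smaller flags.

```python
# Added example (not from the original article): decode the UAC flags value
# of events 4720/4738/4741/4742. Names and values are from KB 305144 / IADS.H
# (ADS_USER_FLAG_ENUM) plus PARTIAL_SECRETS_ACCOUNT, which the KB omits.
UAC_FLAGS = {
    0x00000001: "SCRIPT",
    0x00000002: "ACCOUNTDISABLE",
    0x00000008: "HOMEDIR_REQUIRED",
    0x00000010: "LOCKOUT",
    0x00000020: "PASSWD_NOTREQD",
    0x00000040: "PASSWD_CANT_CHANGE",
    0x00000080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x00000100: "TEMP_DUPLICATE_ACCOUNT",
    0x00000200: "NORMAL_ACCOUNT",
    0x00000800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "SERVER_TRUST_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00020000: "MNS_LOGON_ACCOUNT",
    0x00040000: "SMARTCARD_REQUIRED",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00100000: "NOT_DELEGATED",
    0x00200000: "USE_DES_KEY_ONLY",
    0x00400000: "DONT_REQ_PREAUTH",
    0x00800000: "PASSWORD_EXPIRED",
    0x01000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x04000000: "PARTIAL_SECRETS_ACCOUNT",
}

def decode_uac(flags):
    """Return (set_flag_names, leftover_bits) for an event's UAC flags value.
    flags may be an int or the hex string as printed in the event ("0x15").
    leftover_bits keeps any bit not in the table (e.g. the undeclared 0x4)."""
    remaining = int(flags, 16) if isinstance(flags, str) else int(flags)
    names = []
    # Walk the table from largest to smallest as the article does, but test
    # the bit with & rather than ">= then subtract": if a set bit is missing
    # from the list (0x4 here), ">=" would wrongly report 0x2 as set too.
    for value in sorted(UAC_FLAGS, reverse=True):
        if remaining & value:
            names.append(UAC_FLAGS[value])
            remaining &= ~value
    return names, remaining

if __name__ == "__main__":
    for sample in ("0x15", "0x10220"):  # constructed sample values
        names, leftover = decode_uac(sample)
        print(sample, "->", ", ".join(names), f"(unlisted bits: {leftover:#x})")
```

Running it on 0x15 gives LOCKOUT and SCRIPT with 0x4 left over, matching the walk above; a non-zero leftover on real events is worth noting rather than discarding.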