Friday, December 27, 2019

All About File System Access in Windows

If you look into Windows security audit logs, certain event types have fields that contain codes of the form "%%xxxx" instead of human-readable values. An example is below:

{
 "EventTime": "2017-07-25 01:08:22",
 "Hostname": "meroadmin.changeme.com",
 "Keywords": -9214364837600034816,
 "EventType": "AUDIT_SUCCESS",
 "SeverityValue": 2,
 "Severity": "INFO",
 "EventID": 4663,
 "SourceName": "Microsoft-Windows-Security-Auditing",
 "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
 "Version": 1,
 "Task": 12800,
 "OpcodeValue": 0,
 "RecordNumber": 717215,
 "ProcessID": 496,
 "ThreadID": 504,
 "Channel": "Security",
 "Message": "An attempt was made to access an object.",
 "Category": "File System",
 "Opcode": "Info",
 "SubjectUserSid": "S-1-5-21-1541309266-3090300489-3544281362-500",
 "SubjectUserName": "Administrator",
 "SubjectDomainName": "CHANGEME",
 "SubjectLogonId": "0x1e5a2a",
 "ObjectServer": "Security",
 "ObjectType": "File",
 "ObjectName": "C:\\Program Files (x86)\\nxlog\\conf",
 "HandleId": "0x1608",
 "AccessList": "%%4416\r\n\t\t\t\t",
 "AccessMask": "0x1",
 "ProcessName": "C:\\Windows\\explorer.exe",
 "ResourceAttributes": "S:AI",
 "EventReceivedTime": "2017-07-25 01:08:24",
 "SourceModuleName": "in",
 "SourceModuleType": "im_msvistalog"
}

You can see such codes in many other events, for example 4688. The codes used in these events are explained below.

AccessList                Description
%%4416                    ReadData (or ListDirectory)
%%4417                    WriteData (or AddFile)
%%4418                    AppendData (or AddSubdirectory or CreatePipeInstance)
%%4419                    ReadEA
%%4420                    WriteEA
%%4421                    Execute/Traverse
%%4422                    DeleteChild
%%4423                    ReadAttributes
%%4424                    WriteAttributes
%%1537                    DELETE
%%1538                    READ_CONTROL
%%1539                    WRITE_DAC
%%1540                    WRITE_OWNER
%%1541                    SYNCHRONIZE
%%1542                    ACCESS_SYS_SEC
%%4432                    Query Key Value
%%4433                    Set Key Value
%%4434                    Create Sub Key
%%4435                    Enumerate sub-keys
%%4436                    Notify about changes to keys
%%4437                    Create Link

Access Mask               Description
0x1                       ReadData (or ListDirectory)
0x2                       WriteData (or AddFile)
0x4                       AppendData (or AddSubdirectory or CreatePipeInstance)
0x8                       ReadEA
0x10                      WriteEA
0x20                      Execute/Traverse
0x40                      DeleteChild
0x80                      ReadAttributes
0x100                     WriteAttributes
0x10000                   DELETE
0x20000                   READ_CONTROL
0x40000                   WRITE_DAC
0x80000                   WRITE_OWNER
0x100000                  SYNCHRONIZE
0x1000000                 ACCESS_SYS_SEC

The standard access rights that appear in both tables (DELETE, READ_CONTROL, SYNCHRONIZE, WRITE_DAC, WRITE_OWNER) are defined as follows:

DELETE The right to delete the object.
READ_CONTROL The right to read the information in the object's security descriptor, not including the information in the system access control list (SACL).
SYNCHRONIZE The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.
WRITE_DAC The right to modify the discretionary access control list (DACL) in the object's security descriptor.
WRITE_OWNER The right to change the owner in the object's security descriptor.
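As an added example (not code from the original post), here is a small Python decoder built from the two tables above: it resolves the %%codes in the AccessList field and expands the AccessMask bits into right names, then applies both to a constructed 4663 record in the shape of the nxlog record shown earlier. The field names and the code-to-bit pairing are taken from the page; the sample record and the unknown(...) fallback are assumptions of this example.

```python
import re

# (%%code, AccessMask bit, name) for file-object rights, from the two tables above; the codes and bits pair up one-to-one.
RIGHTS = [
    ("%%4416", 0x1, "ReadData (or ListDirectory)"),
    ("%%4417", 0x2, "WriteData (or AddFile)"),
    ("%%4418", 0x4, "AppendData (or AddSubdirectory or CreatePipeInstance)"),
    ("%%4419", 0x8, "ReadEA"),
    ("%%4420", 0x10, "WriteEA"),
    ("%%4421", 0x20, "Execute/Traverse"),
    ("%%4422", 0x40, "DeleteChild"),
    ("%%4423", 0x80, "ReadAttributes"),
    ("%%4424", 0x100, "WriteAttributes"),
    ("%%1537", 0x10000, "DELETE"),
    ("%%1538", 0x20000, "READ_CONTROL"),
    ("%%1539", 0x40000, "WRITE_DAC"),
    ("%%1540", 0x80000, "WRITE_OWNER"),
    ("%%1541", 0x100000, "SYNCHRONIZE"),
    ("%%1542", 0x1000000, "ACCESS_SYS_SEC"),
]
BY_CODE = {code: name for code, _, name in RIGHTS}
KNOWN_BITS = sum(bit for _, bit, _ in RIGHTS)

def decode_access_list(access_list):
    """Pull every %%code out of the whitespace-padded AccessList field and name it."""
    return [BY_CODE.get(c, f"unknown({c})") for c in re.findall(r"%%\d+", access_list)]

def decode_access_mask(mask):
    """Expand a hex AccessMask such as '0x1' into the rights whose bits are set."""
    value = int(mask, 16)
    names = [name for _, bit, name in RIGHTS if value & bit]
    if value & ~KNOWN_BITS:  # bits the table above does not list
        names.append(f"unknown(0x{value & ~KNOWN_BITS:x})")
    return names

def decode_4663(event):
    """Return the fields an analyst looks at in a 4663 record, with codes resolved."""
    return {
        "ObjectName": event["ObjectName"],
        "ProcessName": event["ProcessName"],
        "AccessList": decode_access_list(event["AccessList"]),
        "AccessMask": decode_access_mask(event["AccessMask"]),
    }

# Constructed sample in the shape of the nxlog record above (only the fields used here).
SAMPLE_4663 = {
    "ObjectName": "C:\\Program Files (x86)\\nxlog\\conf", "ProcessName": "C:\\Windows\\explorer.exe",
    "AccessList": "%%4416\r\n\t\t\t\t%%4423\r\n\t\t\t\t", "AccessMask": "0x81",
}
```

The registry codes (%%4432 to %%4437) have no mask bits in the tables, so the decoder reports them as unknown(...) rather than guessing.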
