From f09c8776dc4ad60bb3d04a4b29720d6dbcf87fda Mon Sep 17 00:00:00 2001 From: Hiroshi Hatake Date: Mon, 19 Aug 2024 12:58:04 +0900 Subject: [PATCH] utils: Add a describing link for not mapping case of capability SIDs Signed-off-by: Hiroshi Hatake --- ext/winevt/winevt_utils.cpp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ext/winevt/winevt_utils.cpp b/ext/winevt/winevt_utils.cpp index ed60000..0e033d6 100644 --- a/ext/winevt/winevt_utils.cpp +++ b/ext/winevt/winevt_utils.cpp @@ -888,7 +888,8 @@ render_system_event(EVT_HANDLE hEvent, BOOL preserve_qualifiers, BOOL preserveSI } /* S-1-15-3- is used for capability SIDs. So, we need to skip * SID translation. - * See also: https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers + * ref: https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers + * See also: https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/sids-not-resolve-into-friendly-names */ if (strnicmp(pwsSid, "S-1-15-3-", 9) != 0) { if (ExpandSIDWString(pRenderedValues[EvtSystemUserID].SidVal,