Access mask constant 0x01000000 (SYSTEM_SECURITY_ACCESS) is in SACL ACE
list for auditing or alarming access to SACL itself.
---
 epan/dissectors/packet-windows-common.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/epan/dissectors/packet-windows-common.c 
b/epan/dissectors/packet-windows-common.c
index 5709c6e7c31b..056579b027a4 100644
--- a/epan/dissectors/packet-windows-common.c
+++ b/epan/dissectors/packet-windows-common.c
@@ -2203,6 +2203,7 @@ static int hf_access_generic_read;
 static int hf_access_generic_write;
 static int hf_access_generic_execute;
 static int hf_access_generic_all;
+static int hf_access_system_security;
 static int hf_access_standard_delete;
 static int hf_access_standard_read_control;
 static int hf_access_standard_synchronise;
@@ -2285,6 +2286,7 @@ dissect_nt_access_mask(tvbuff_t *tvb, int offset, 
packet_info *pinfo,
                &hf_access_generic_execute,
                &hf_access_generic_all,
                &hf_access_maximum_allowed,
+               &hf_access_system_security,
                NULL
        };
 
@@ -3361,6 +3363,11 @@ proto_do_register_windows_common(int proto_smb)
                    FT_BOOLEAN, 32, TFS(&tfs_set_notset),
                    MAXIMUM_ALLOWED_ACCESS, NULL, HFILL }},
 
+               { &hf_access_system_security,
+                 { "System security", "nt.access_mask.system_security",
+                   FT_BOOLEAN, 32, TFS(&tfs_set_notset),
+                   SYSTEM_SECURITY_ACCESS, NULL, HFILL }},
+
                { &hf_access_standard_read_control,
                  { "Read control", "nt.access_mask.read_control",
                    FT_BOOLEAN, 32, TFS(&tfs_set_notset),
-- 
2.20.1

_______________________________________________
Wireshark-dev mailing list -- wireshark-dev@wireshark.org
To unsubscribe send an email to wireshark-dev-le...@wireshark.org

Reply via email to