I have been scripting a procedure in PowerShell to pull security event logs from my Windows 2012 R2 server. Investigating a bug in my procedure to parse the event into XML, I discovered a very strange problem in the 'Access Reasons' property of the 4656 event:
%%4423: %%1801 D:(A;ID;FA;;;S-1-5-21-527573203-644103923-227697207-2229)
%%4424: %%1801 D:(A;ID;FA;;;S-1-5-21-527573203-644103923-22769蹂ᢻ翼
Notice that at the end of the event parse of the DACL's final ACE, it has for some reason converted the trailing 10 characters into Chinese Unicode characters. In eventvwr it even changes the font of the rest of the event. This occurs for random files on the server, and random trustee SIDs.
I will be identifying the files this afternoon without parsing into XML to try to detect any patterns. Does anyone have advice on this weird one? I am assuming it's a bug with Microsoft security event logging, but the thing is that the same Unicode character string is replacing different ANSI string values, and at different positions of the ACE. The connecting factor is that it is always the last ACE, but that's all I've got so far.
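One way to look for the pattern described in the post above, as an added example that is not part of the original post: the function takes raw 4656 event XML and reports every event whose `AccessReason` field contains characters outside printable ASCII, with the offset where the damage starts and the code points involved. The function name, the sample event, the file path and the three stand-in code points are constructed for illustration.

```powershell
# Added example. Flags 4656 events whose AccessReason holds characters that
# should not occur in an SDDL ACE string (anything outside printable ASCII).
function Find-GarbledAccessReason {
    param([Parameter(Mandatory)][string[]]$EventXml)
    foreach ($raw in $EventXml) {
        $evt = ([xml]$raw).Event
        # Index the EventData fields by their Name attribute
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }
        $reason = [string]$data['AccessReason']
        $bad = [regex]::Matches($reason, '[^\x09\x0A\x0D\x20-\x7E]')
        if ($bad.Count -eq 0) { continue }
        $first = $bad[0].Index
        [pscustomobject]@{
            RecordId       = $evt.System.EventRecordID
            ObjectName     = $data['ObjectName']
            ReasonLength   = $reason.Length
            FirstBadOffset = $first
            IntactPrefix   = $reason.Substring(0, $first)
            # Same code points across events points at one fixed corruption
            BadCodePoints  = ($bad | ForEach-Object { 'U+{0:X4}' -f [int]$_.Value[0] }) -join ' '
        }
    }
}

# Constructed sample event; the three code points are stand-ins, not taken from a real log
$garbled = -join ([char]0x8E42, [char]0x18BB, [char]0x7FFC)
$sample = @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4656</EventID><EventRecordID>1001</EventRecordID></System>
  <EventData>
    <Data Name="ObjectName">C:\Example\file.txt</Data>
    <Data Name="AccessReason">%%4424: %%1801 D:(A;ID;FA;;;S-1-5-21-527573203-644103923-22769$garbled</Data>
  </EventData>
</Event>
"@

Find-GarbledAccessReason -EventXml $sample | Format-List

# Against the live log (run elevated):
# $xml = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4656} | ForEach-Object { $_.ToXml() }
# Find-GarbledAccessReason -EventXml $xml | Group-Object BadCodePoints, ReasonLength
```

Grouping the results by `BadCodePoints` and `ReasonLength` shows whether the same replacement string appears each time and whether the damage correlates with the total length of the field rather than with a particular file or SID.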