Is there a Windows Event character count limitation?

Question

I'm working on output analysis of the Windows Event ID 5136 ("A directory service object was modified") and more specifically events with "LDAP Display Name = nTSecurityDescriptor" (see following event 5136 capture).

In the "value" field, I have a list of all the security permissions changed on the object itself, which is great. However, I notice the following problems when trying to compare 2x correlated events and their respective "values" fields:

Number of characters is always 5120 (4096+1024)
Text located in the last line is always truncated, and doesn't finish with the proper character - should be a ")" at the end (see folllwing text output).

Information about the events:

Source host is a Windows Server 2012 R2 DC (up to date)
For this specific output analysis, logs were directly extracted from the source computer itself (so no WEF, NXlog Agent, SYSLOG, ELK, SIEM, ...)
Viewing the event with PowerShell, Event console (general tab) or Event console (Details/XML View) provide the same output

So I looked for some value size limitations inside Windows Events (not the event log file itself) but just found some info on "community embarcadero" and "developpez" websites.

Question: does someone know if there is any limitation for a Windows logs value field to 5120 Bytes and a way to increase it ? I need both to make a diff between and report the changes. Thanks

Issue has been reported and confirmed on Microsoft Technet. Issue is now pending review. Please check the following [link](https://social.technet.microsoft.com/Forums/en-US/56326142-e5bf-4607-aa52-87cd0a0a5227/windows-events-char-field-limitation-up-to-5120-bytes-?forum=winserverManagement) for follow-up. — Michel de Crevoisier, Sep 05 '17 at 08:27

score 3 · Answer 1 · answered Aug 29 '17 at 19:36

The message in the event is rendered by the EvtFormatMessage function. As far as I remember there was a limit of around 32k characters for this so this shouldn't be causing the truncation. This works via a format string that is identified by the event id and a set of values that are stored with the event. The value: % piece is such. The EVENTDATA_DESCRIPTOR structure that is used to write this value can also store larger data.

My bet is that the event provider has an internal limit (5120) for this. The reason behind this is probably due to the limitation noted in the EVENTDATA_DESCRIPTOR documentation:

Note that the total data size of the event (not just this data item)
is the lesser of
64 KB

Your event has 12 values and if they used equal limits for each then it comes down to around 5kb. Perhaps you could file a bug report with Microsoft.

This sounds like a reasonable explanation, I would think that the OS component which logs this probably truncates it before it logs the event. The value you have does seem unusually large, but then again it shouldn't be truncated and I would bring this to the attention of Microsoft as well, although I doubt that they will care a whole lot. — Lucky Luke, Aug 29 '17 at 21:57

score 0 · Accepted Answer · answered Jul 26 '18 at 10:54

Issue seems to be fixed thanks to a probable update from Microsoft.

Initial issue was detected on 05/09/17 and today on 26/07/18 this "truncated" behavior has disappeared in my environment. Logs are not anymore truncated and full SDDL is displayed inside the Windows Event Viewer (see VALUE field below). Concerned DC is running with updates from June 2018.

A directory service object was modified.

Subject:
    Security ID:        DEMO\XXX
    Account Name:       XXX
    Account Domain:     DEMO
    Logon ID:       0x4D4A4CB

Directory Service:
    Name:   demo.lan
    Type:   Active Directory Domain Services

Object:
    DN: OU=Test-OU,OU=COMPANY,DC=demo,DC=lan
    GUID:   OU=Test-OU,OU=COMPANY,DC=demo,DC=lan
    Class:  organizationalUnit

Attribute:
    LDAP Display Name:  nTSecurityDescriptor
    Syntax (OID):   2.5.5.15
    Value:  O:DAG:DAD:AI(D;;DCDTSD;;;WD)(OA;CI;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;S-1-5-21-989513866-1262747471-3324978036-1603)(OA;CI;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;S-1-5-21-989513866-1262747471-3324978036-1603)(OA;CIIO;CCDCLCSWRPWPDTLOCRSDRCWDWO;;bf967a9c-0de6-11d0-a285-00aa003049e2;S-1-5-21-989513866-1262747471-3324978036-1603)(OA;CIIO;CCDCLCSWRPWPDTLOCRSDRCWDWO;;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-989513866-1262747471-3324978036-1603)(OA;;CCDC;4828cc14-1437-45bc-9b07-ad6f015e5f28;;AO)(OA;;CCDC;bf967a86-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)(A;;LCRPRC;;;S-1-5-21-989513866-1262747471-3324978036-1698)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(OA;CIIOID;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-989513866-1262747471-3324978036-1254)(OA;CIIOID;CR;00299570-246d-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-989513866-1262747471-3324978036-1254)(OA;CIIOID;CCDCLC;c975c901-6cea-4b6f-8319-d67f45449506;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-21-989513866-1262747471-3324978036-1251)(OA;CIIOID;CCDCLC;c975c901-6cea-4b6f-8319-d67f45449506;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-989513866-1262747471-3324978036-1251)(OA;CIID;CC;4828cc14-1437-45bc-9b07-ad6f015e5f28;;S-1-5-21-989513866-1262747471-3324978036-1254)(OA;CIID;CC;bf967a86-0de6-11d0-a285-00aa003049e2;;S-1-5-21-989513866-1262747471-3324978036-1254)(OA;CIID;CC;bf967a9c-0de6-11d0-a285-00aa003049e2;;S-1-5-21-989513866-1262747471-3324978036-1254)(OA;CIID;CC;bf967aa5-0de6-11d0-a285-00aa003049e2;;S-1-5-21-989513866-1262747471-3324978036-1254)(OA;CIID;CC;bf967aba-0de6-11d0-a285-00aa003049e2;;S-1-5-21-989513866-1262747471-3324978036-1254)(OA;CIID;CC;5cb41ed0-0e4c-11d0-a286-00aa003049e2;;S-1-5-21-989513866-1262747471-3324978036-1254)(OA;CIID;RP;4c164200-20c0-11d0-a768-00aa006e0529;;S-1-5-21-989513866-1262747471-3324978036-1248)(OA;CIID;RP;b1b3a417-ec55-4191-b327-b72e33e38af2;;S-1-5-21-989513866-1262747471-3324978036-1251)(OA;CIID;RP;9a7ad945-ca53-11d1-bbd0-0080c76670c0;;S-1-5-21-989513866-1262747471-3324978036-1251)(OA;CIID;RP;bf967a68-0de6-11d0-a285-00aa003049e2;;S-1-5-21-989513866-1262747471-3324978036-1251)(OA;CIID;RP;1f298a89-de98-47b8-b5cd-572ad53d267e;;S-1-5-21-989513866-1262747471-3324978036-1251)(OA;CIID;RP;bf967991-0de6-11d0-a285-00aa003049e2;;S-1-5-21-989513866-1262747471-3324978036-1251)(OA;CIID;RP;5fd424a1-1262-11d0-a060-00aa006c33ed;;S-1-5-21-989513866-1262747471-3324978036-1251)(OA;CIID;WP;bf967a06-0de6-11d0-a285-00aa003049e2;;S-1-5-21-989513866-1262747471-3324978036-1239)(OA;CIID;WP;bf967a06-0de6-11d0-a285-00aa003049e2;;S-1-5-21-989513866-1262747471-3324978036-1252)(OA;CIID;WP;bf967a0a-0de6-11d0-a285-00aa003049e2;;S-1-5-21-989513866-1262747471-3324978036-1254)(OA;CIID;WP;3e74f60e-3e73-11d1-a9c0-0000f80367c1;;S-1-5-21-989513866-1262747471-3324978036-1239)(OA;CIID;WP;3e74f60e-3e73-11d1-a9c0-0000f80367c1;;S-1-5-21-989513866-1262747471-3324978036-1252)(OA;CIID;WP;b1b3a417-ec55-4191-b327-b72e33e38af2;;S-1-5-21-989513866-1262747471-3324978036-1239)(OA;CIID;WP;b1b3a417-ec55-4191-b327-b72e33e38af2;;S-1-5-21-989513866-1262747471-3324978036-1252)(OA;CIID;WP;bf96791a-0de6-11d0-a285-00aa003049e2;;S-1-5-21-989513866-1262747471-3324978036-1239)(OA;CIID;WP;bf96791a-0de6-11d0-a285-00aa003049e2;;S-1-5-21-989513866-1262747471-3324978036-1252)(OA;CIID;WP;9a9a021e-4a5b-11d1-a9c3-0000f80367c1;;S-1-5-21-989513866-1262747471-3324978036-1251)(OA;CIID;WP;0296c120-40da-11d1-a9c0-0000f80367c1;;S-1-5-21-989513866-1262747471-3324978036-1254)(OA;CIID;WP;934de926-b09e-11d2-aa06-00c04f8eedd8;;S-1-5-21-989513866-1262747471-3324978036-1251)(OA;CIID;WP;5e353847-f36c-48be-a7f7-49685402503c;;S-1-5-21-989513866-1262747471-3324978036-1251)(OA;CIID;WP;8d3bca50-1d7e-11d0-a081-00aa006c33ed;;S-1-5-21-989513866-1262747471-3324978036-1251)(OA;CIID;WP;bf967953-0de6-11d0-a285-00aa003049e2;;S-1-5-21-989513866-1262747471-3324978036-1239)(OA;CIID;WP;bf967953-0de6-11d0-a285-00aa003049e2;;S-1-5-21-989513866-1262747471-3324978036-1252)(OA;CIID;WP;e48d0154-bcf8-11d1-8702-00c04fb96050;;S-1-5-21-989513866-1262747471-3324978036-1252)(OA;CIID;WP;275b2f54-982d-4dcd-b0ad-e53501445efb;;S-1-5-21-989513866-1262747471-3324978036-1251)(OA;CIID;WP;bf967954-0de6-11d0-a285-00aa003049e2;;S-1-5-21-989513866-1262747471-3324978036-1239)(OA;CIID;WP;bf967954-0de6-11d0-a285-00aa003049e2;;S-1-5-21-989513866-1262747471-3324978036-1252)(OA;CIID;WP;bf967961-0de6-11d0-a285-00aa003049e2;;S-1-5-21-989513866-1262747471-3324978036-1239)(OA;CIID;WP;bf967961-0de6-11d0-a285-00aa003049e2;;S-1-5-21-989513866-1262747471-3324978036-1252)(OA;CIID;WP;bf967a68-0de6-11d0-a285-00aa003049e2;;S-1-5-21-989513866-1262747471-3324978036-1254)(OA;CIID;WP;5fd42471-1262-11d0-a060-00aa006c33ed;;S-1-5-21-989513866-1262747471-3324978036-1254)(OA;CIID;WP;5430e777-c3ea-4024-902e-dde192204669;;S-1-5-21-989513866-1262747471-3324978036-1251)(OA;CIID;WP;6f606079-3a82-4c1b-8efb-dcc8c91d26fe;;S-1-5-21-989513866-1262747471-3324978036-1251)(OA;CIID;WP;bf967a7a-0de6-11d0-a285-00aa003049e2;;S-1-5-21-989513866-1262747471-3324978036-1254)(OA;CIID;WP;bf967a7f-0de6-11d0-a285-00aa003049e2;;S-1-5-21-989513866-1262747471-3324978036-1251)(OA;CIID;WP;614aea82-abc6-4dd0-a148-d67a59c72816;;S-1-5-21-989513866-1262747471-3324978036-1251)(OA;CIID;WP;66437984-c3c5-498f-b269-987819ef484b;;S-1-5-21-989513866-1262747471-3324978036-1251)(OA;CIID;WP;77b5b886-944a-11d1-aebd-0000f80367c1;;S-1-5-21-989513866-1262747471-3324978036-1252)(OA;CIID;WP;a8df7489-c5ea-11d1-bbcb-0080c76670c0;;S-1-5-21-989513866-1262747471-3324978036-1239)(OA;CIID;WP;a8df7489-c5ea-11d1-bbcb-0080c76670c0;;S-1-5-21-989513866-1262747471-3324978036-1252)(OA;CIID;WP;1f298a89-de98-47b8-b5cd-572ad53d267e;;S-1-5-21-989513866-1262747471-3324978036-1239)(OA;CIID;WP;1f298a89-de98-47b8-b5cd-572ad53d267e;;S-1-5-21-989513866-1262747471-3324978036-1252)(OA;CIID;WP;f0f8ff9a-1191-11d0-a060-00aa006c33ed;;S-1-5-21-989513866-1262747471-3324978036-1239)(OA;CIID;WP;f0f8ff9a-1191-11d0-a060-00aa006c33ed;;S-1-5-21-989513866-1262747471-3324978036-1251)(OA;CIID;WP;f0f8ff9a-1191-11d0-a060-00aa006c33ed;;S-1-5-21-989513866-1262747471-3324978036-1252)(OA;CIID;WP;2cc06e9d-6f7e-426a-8825-0215de176e11;;S-1-5-21-989513866-1262747471-3324978036-1251)(OA;CIID;WP;5fd424a1-1262-11d0-a060-00aa006c33ed;;S-1-5-21-989513866-1262747471-3324978036-1239)(OA;CIID;WP;5fd424a1-1262-11d0-a060-00aa006c33ed;;S-1-5-21-989513866-1262747471-3324978036-1252)(OA;CIID;WP;3263e3b8-fd6b-4c60-87f2-34bdaa9d69eb;;S-1-5-21-989513866-1262747471-3324978036-1251)(OA;CIID;WP;28630ebc-41d5-11d1-a9c1-0000f80367c1;;S-1-5-21-989513866-1262747471-3324978036-1239)(OA;CIID;WP;28630ebc-41d5-11d1-a9c1-0000f80367c1;;S-1-5-21-989513866-1262747471-3324978036-1252)(OA;CIID;WP;bf9679c0-0de6-11d0-a285-00aa003049e2;;S-1-5-21-989513866-1262747471-3324978036-1254)(OA;CIID;WP;3e0abfd0-126a-11d0-a060-00aa006c33ed;;S-1-5-21-989513866-1262747471-3324978036-1254)(OA;CIID;WP;7cb4c7d3-8787-42b0-b438-3c5d479ad31e;;S-1-5-21-989513866-1262747471-3324978036-1251)(OA;CIIOID;DTWD;;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-21-989513866-1262747471-3324978036-1254)(OA;CIIOID;DTWD;;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-989513866-1262747471-3324978036-1254)(OA;CIID;CCDCLCSWRPWPDTLOCRSDRCWDWO;018849b0-a981-11d2-a9ff-00c04f8eedd8;;S-1-5-21-989513866-1262747471-3324978036-1239)(OA;CIID;CCDCLCSWRPWPDTLOCRSDRCWDWO;018849b0-a981-11d2-a9ff-00c04f8eedd8;;S-1-5-21-989513866-1262747471-3324978036-1252)(OA;CIIOID;SD;;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-21-989513866-1262747471-3324978036-1254)(OA;CIIOID;SD;;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-21-989513866-1262747471-3324978036-1254)(OA;CIIOID;SD;;bf967a9c-0de6-11d0-a285-00aa003049e2;S-1-5-21-989513866-1262747471-3324978036-1254)(OA;CIID;SD;;bf967aa5-0de6-11d0-a285-00aa003049e2;S-1-5-21-989513866-1262747471-3324978036-1254)(OA;CIIOID;SD;;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-989513866-1262747471-3324978036-1254)(OA;CIIOID;SD;;5cb41ed0-0e4c-11d0-a286-00aa003049e2;S-1-5-21-989513866-1262747471-3324978036-1254)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;CIIOID;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIID;RP;b1b3a417-ec55-4191-b327-b72e33e38af2;;NS)(OA;CIID;RP;1f298a89-de98-47b8-b5cd-572ad53d267e;;AU)(OA;CIID;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIID;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;CIID;LCRPLORC;;;S-1-5-21-989513866-1262747471-3324978036-1239)(A;CIID;LCRPLORC;;;S-1-5-21-989513866-1262747471-3324978036-1252)(A;CIID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-989513866-1262747471-3324978036-519)(A;CIID;LC;;;RU)(A;CIID;CCLCSWRPWPLOCRSDRCWDWO;;;BA)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSAFA;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;WD)(OU;CIIDSAFA;CR;9923a32a-3607-11d2-b9be-0000f87a36b2;;WD)(OU;CIIDSAFA;CR;45ec5156-db7e-47bb-b53f-dbeb2d03c40f;;WD)(OU;CIIDSAFA;CR;ba33815a-4f93-4c76-87f3-57574bff8109;;WD)(OU;CIIDSAFA;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;WD)(OU;CIIDSAFA;CR;bae50096-4752-11d1-9052-00c04fc2d4cf;;WD)(OU;CIIDSAFA;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;WD)(OU;CIIDSAFA;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;WD)(OU;CIIDSAFA;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;WD)(OU;CIIDSAFA;CR;440820ad-65b4-11d1-a3da-0000f875ae0d;;WD)(OU;CIIDSAFA;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;WD)(OU;CIIDSAFA;CR;7726b9d5-a4b4-4288-a6b2-dce952e80a7f;;WD)(OU;CIIDSAFA;CR;f98340fb-7c5b-4cdb-a00b-2ebdfa115a96;;WD)(OU;CIIDSAFA;CCDC;80212842-4bdc-11d1-a9c4-0000f80367c1;;WD)(OU;CIIDSAFA;CCDC;ce206244-5827-4a86-ba1c-1c0c386c1b64;;WD)(OU;CIIDSAFA;CCDC;bf967a86-0de6-11d0-a285-00aa003049e2;;WD)(OU;CIIDSAFA;CCDC;7b8b558a-93a5-4af7-adca-c017e67f1057;;WD)(OU;CIIDSAFA;CCDC;bf967a99-0de6-11d0-a285-00aa003049e2;;WD)(OU;CIIDSAFA;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;WD)(OU;CIIDSAFA;CCDC;bf967aa3-0de6-11d0-a285-00aa003049e2;;WD)(OU;CIIDSAFA;CCDC;bf967aa5-0de6-11d0-a285-00aa003049e2;;WD)(OU;CIIDSAFA;CCDC;bf967aad-0de6-11d0-a285-00aa003049e2;;WD)(OU;CIIDSAFA;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;WD)(OU;CIIDSAFA;CCDC;bf967abb-0de6-11d0-a285-00aa003049e2;;WD)(AU;CIIDSAFA;WPDTSDWDWO;;;WD)

Operation:
    Type:   Value Added
    Correlation ID: {aeeab9c1-2e71-4947-9418-c3b04bf52d1d}
    Application Correlation ID: -

Is there a Windows Event character count limitation?

2 Answers2