I want to create a new Windows log in Windows Event Viewer. Everything seems to be fine, but the log is not displaying. The source is being populated in the Application log instead of the one I'm trying to create.
Sample code
if (!EventLog.SourceExists(sSource))
    EventLog.CreateEventSource(sSource, sLog);
The reason is the permissions on the registry. The files are on disk, but to be able to create a new log, your reference is in the registry.
To be able to create a new log you must go to the registry and give write permission to the "asp.net pool user" - even once per server is good enough to create it.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog
Open the registry editor, find this key, right click on it, and give the permissions.
From EventLog.CreateEventSource Method
Note
To create an event source in Windows Vista and later or Windows Server 2003, you must have administrative privileges.
The reason for this requirement is that all event logs, including security, must be searched to determine whether the event source is unique. Starting with Windows Vista, users do not have permission to access the security log; therefore, a SecurityException is thrown.
Related
My question is related to write permissions to the Windows Event Log.
I have looked around several posts concerning this, and have found some ways to solve my problem, but none of these are acceptable for my current scenario.
I use C# in .NET 4.0. I use the EventLog class:
EventLog class
In short, I need to see if there is a way to impersonate or authenticate with an authenticated user and password to reach the right I need to write to the Event Log. The server will always be in the Windows Server family, but the version may vary.
My application is a Windows Service running with one of the following accounts:
Network Service
Local Service
Local System
User with restricted rights (Users or Domain Users groups)
Here are some other criteria I have:
I cannot put the service user as Administrator, not even local administrator on the server
I cannot edit or alter the registry
I cannot alter the UAC or any group policies on the server
I have a user with Administrator rights, but it cannot be used to run the service
The Event Log will always be the local Event Log, not on a remote machine
The Log will probably always be the "Application" log
The Source may vary, and that seems to be the heart of the problem
My question is : Is this at all possible?
Can I impersonate a user in my code to achieve what I need?
I do that when connecting to web services, logging on to SMTP servers and of course logging in to databases etc.
I stumbled into this class:
EventLogPermission Class
But I cannot seem to get a good concept on how to use the class.
I hope I have expressed my problem well. I don't consider this a duplicate of another post because of my criteria.
By default, any authenticated user is able to write to the application event log. However, only administrators can create new event sources. If all event sources are known at service installation time, I recommend registering those sources ahead of time; then you will be all set up. Registering is a simple call to EventLog.CreateEventSource.
If you need more flexibility on event sources, you can customize permissions. Those defaults could be customized by tweaking a registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Application\CustomSD
The process is described in this KB Article. The wevtutil tool, which is part of the OS and available on Server 2008 and above, makes it a bit easier than going through regedit.
The answer turned out to be "no".
I realize there is no good way of solving this the way I requested. There must be a manual job done.
So the solution I pick for this scenario is that customers who cannot run the service as an administrator or do a manual registry edit cannot use the functions around logging to event log. And I will make it possible to enable and disable the logging from the config.
Admin user and registry edit are known ways for me, but as stated something I was trying to avoid. But that is, as it seems, not possible according to my criteria this time.
Below is an exception I encountered while running the immediately following code:
The source was not found, but some or all event logs could not be searched. Inaccessible logs: Security.
The code is
if (!EventLog.SourceExists(this.EventLogSource))
The content of the exception makes sense to me, it's why that doesn't. This line is running in Visual Studio 2010, .NET 4, as a console app (for the time being). I have run this in a different environment, but I wouldn't expect the fact that I'm remote desk'ed to break this method. I've tried changing HKLM\CCS\Services\eventlog permissions - to no avail, as well as the C:\Windows\System32\Winevt\Logs\Security.evtx permissions. Again, to no avail.
My questions are as follows:
Why isn't there an override to ignore secure logs?
How can I work around this (programmatically)?
Is this because I'm remote desked?
Any advice would be great.
Microsoft requires that you be an administrator in order to execute this method for the very reason that you found.
Here is their explanation (from the MSDN documentation):
To search for an event source in Windows Vista and later or Windows Server 2003, you must have administrative privileges.
The reason for this requirement is that all event logs, including security, must be searched to determine whether the event source is unique. Starting with Windows Vista, users do not have permission to access the security log; therefore, a SecurityException is thrown.
How you work around it will depend entirely on exactly what you need to do. The best recommendation if you are not able to log in as an administrator is to attempt to perform your action in a try/catch block and if a SecurityException is thrown, perform some alternate action.
Accessing some EventLogs requires elevation. Run the app as an administrator instead.
I recommend using the Logging Application Block of Enterprise Library in order to implement the correct logging.
Start reading from here
I wonder, is it possible to run my application before login on Windows? It's actually a WinForm application (preferably other than a Windows service).
I mean my application must be running even before login and it should sit in the System Tray, from which I can "show" or open the interface for the user.
To have:
Something happen between system startup and user login
An icon in the notification area for users to interact with
You must break your application up into two separate components. One of these will be a WinForms/WPF application which provides the notification area icon and allows the user to interact with it. The other will be a Windows Service, or possibly a scheduled task.
Once you've done this, the windows service can focus on doing whatever needs to be done prior to logon and the notification area application can assume responsibility for showing the results, or whatever else to the end user.
To answer the question you posed in comments regarding reading data from the Event Log, yes this is possible. There are other questions on here which will give you that particular answer:
read the windows event log by particular Source
Read event log in C#
This MS article might help but it is a bit old:
http://support.microsoft.com/kb/142905
Hopefully it'll put you on the right tracks though.
I think it doesn't make sense to acquire user input before a user has logged into the system. So, if the application needs input from a user, why start it before the user has logged in? If the application just starts some background work, then you should use a Windows service, as this is the preferred way in Windows.
Type gpedit.msc in Run, for Group Policy.
There you can set a startup script.
The application will launch before Windows login.
Steps to reproduce:
Start --> Run --> gpedit.msc --> Local Computer Policy --> Windows Settings --> Script (Startup/ShutDown),
Add your .exe
It will launch before login.
Do not try more in Group Policy; it may be harmful for the system.
By Programmatic logic,
Try with registry key
this value is updating in registry,
by our program we can update directly registry then we can call application
You can schedule any application to be run when computer is powered on using Windows Task Scheduler. There is a corresponding option there.
But why would you need this? You should use a service for this.
I am trying to make an event logger for my cmd line application. However, I get this error when it tries to create the log for the first time.
The source was not found, but some or all event logs could not be searched. Inaccessible logs: Security.
So I found this is because of Windows 7 and some new security. So right now I have to give the .exe admin rights.
Is there a way around this so it would not need admin rights? I don't know if people would feel too good if they have to constantly run my application with admin rights.
I am planning to put this later on a Windows 2008 machine so I am guessing it will suffer from the same problem.
You could create the event source at the point of installation so they only need to make that choice once. Once the source is created in the registry you can add events to it without the need for admin rights.
As well as the CreateEventSource function there is also the EventLogInstaller class:
http://msdn.microsoft.com/en-us/library/system.diagnostics.eventloginstaller.aspx
WiX also offers this functionality in its Utility extension:
How do you create an event log source using WiX
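The install-time registration recommended in the answers above, combined with the try/catch fallback suggested earlier on this page, as an added C# example (not code from any of the posters). It assumes .NET Framework on Windows; `SafeEventLog`, the source name `MyService` and the `--install` switch are hypothetical.

```csharp
using System;
using System.Diagnostics;
using System.Security;

// Added example. SafeEventLog, "MyService" and --install are hypothetical names.
static class SafeEventLog
{
    const string LogName = "Application";
    static bool enabled = true;   // switched off after the first failed write

    // Install-time step: run once from an elevated process (installer, admin prompt).
    // SourceExists searches every log, including Security, so it needs admin rights.
    public static void RegisterSource(string source)
    {
        if (!EventLog.SourceExists(source))
            EventLog.CreateEventSource(source, LogName);
    }

    // Run-time step for the restricted service account; it never calls SourceExists.
    // An unregistered source makes WriteEntry attempt the lookup itself and fail.
    public static bool TryWrite(string source, string message, EventLogEntryType type)
    {
        if (!enabled) return false;
        try
        {
            EventLog.WriteEntry(source, message, type);
            return true;
        }
        catch (SecurityException ex) { return Disable(ex); }
        catch (InvalidOperationException ex) { return Disable(ex); }
    }

    // Alternate action: stop using the event log and report to stderr instead.
    static bool Disable(Exception ex)
    {
        enabled = false;
        Console.Error.WriteLine("Event log disabled: " + ex.Message);
        return false;
    }

    static int Main(string[] args)
    {
        const string source = "MyService";   // hypothetical source name
        if (args.Length > 0 && args[0] == "--install")
        {
            try { RegisterSource(source); return 0; }
            catch (SecurityException) { Console.Error.WriteLine("Run --install elevated."); return 1; }
        }
        TryWrite(source, "Service started", EventLogEntryType.Information);
        return 0;
    }
}
```

Only the `--install` run needs an administrator; after that the service account writes through `TryWrite` with its normal restricted rights.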
NETWORK SERVICE OR Impersonated User must have Read/Write access to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security