EventLog write permissions - c#

My question is related to write permissions to the Windows Event Log.
I have looked around several posts concerning this, and have found some ways to solve my problem, but none of these are acceptable for my current scenario.
I use C# in .NET 4.0. I use the EventLog class:
EventLog class
In short, I need to see if there is a way to impersonate or authenticate with an authenticated user and password to reach the right I need to write to the Event Log. The server will always be in the Windows Server family, but the version may vary.
My application is a Windows Service running with one of the following accounts:
Network Service
Local Service
Local System
User with restricted rights (Users or Domain Users groups)
Here are some other criteria I have:
I cannot put the service user as Administrator, not even local administrator on the server
I cannot edit or alter the registry
I cannot alter the UAC or any group policies on the server
I have a user with Administrator rights, but it cannot be used to run the service
The Event Log will always be the local Event Log, not on a remote machine
The Log will probably always be the "Application" log
The Source may vary, and that seems to be the heart of the problem
My question is: Is this at all possible?
Can I impersonate a user in my code to achieve what I need?
I do that when connecting to web services, logging on to SMTP servers and of course logging in to databases etc.
I stumbled into this class:
EventLogPermission Class
But I cannot seem to get a good concept on how to use the class.
I hope I have expressed my problem well. I don't consider this a duplicate of another post because of my criteria.

By default, any authenticated user is able to write to the Application event log. However, only administrators can create new event sources. If all event sources are known at service installation time, I recommend registering those sources ahead of time; then you will be all set. Registering is a simple call to EventLog.CreateEventSource.
If you need more flexibility on event sources, you can customize permissions. Those defaults can be customized by tweaking a registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Application\CustomSD
The process is described in this KB Article. The wevtutil tool, which is part of the OS and available on Server 2008 and above, makes it a bit easier than going through regedit.

The answer turned out to be "no".
I realize there is no good way of solving this the way I requested. There must be a manual job done.
So the solution I pick for this scenario is that customers who cannot run the service as an administrator or do a manual registry edit cannot use the functions around logging to the event log. And I will make it possible to enable and disable the logging from the config.
Admin user and registry edit are known ways for me, but as stated, something I was trying to avoid. But that is, as it seems, not possible according to my criteria this time.
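The two posts above agree on the workable split: an administrator registers every source once (the answer's EventLog.CreateEventSource advice), and the service itself only writes, degrading gracefully when a source was never registered (the asker's enable/disable-from-config decision). The following is an added example that is not code from either post; the source names and the idea of a one-time "register sources" step run by an administrator are assumptions, and it does not cover the CustomSD/wevtutil route.

```csharp
using System;
using System.Diagnostics;
using System.Security;

// Added example (not from the original posts). Source names are hypothetical.
public static class ServiceEventLog
{
    // Every source the service will ever use, fixed at build time so an
    // administrator can register all of them once during installation.
    public static readonly string[] KnownSources = { "MyService.Core", "MyService.Scheduler" };
    private const string LogName = "Application";

    // Run once, elevated, by the installer or an administrator. Creates the
    // registry entries under Eventlog\Application for each source; this is the
    // only step that needs admin rights.
    public static void RegisterSources()
    {
        foreach (string source in KnownSources)
        {
            if (!EventLog.SourceExists(source))
                EventLog.CreateEventSource(new EventSourceCreationData(source, LogName));
        }
    }

    // Called from the running service (Network Service, Local Service or a
    // restricted user). Writing needs no admin rights once the source exists.
    // Returns false instead of faulting the service when the source was never
    // registered and the service account cannot create it itself.
    public static bool TryWrite(string source, string message, EventLogEntryType type, int eventId)
    {
        if (Array.IndexOf(KnownSources, source) < 0)
            throw new ArgumentException("Unknown event source: " + source, "source");

        try
        {
            // Bind to the Application log explicitly rather than letting the
            // framework guess the log from the source name.
            using (var log = new EventLog(LogName) { Source = source })
            {
                log.WriteEntry(message, type, eventId);
            }
            return true;
        }
        catch (SecurityException)
        {
            // Typical when the source is missing and the account lacks the rights
            // to search every log or to create registry keys. The caller can fall
            // back to file logging or honour an "event logging disabled" setting.
            return false;
        }
    }
}
```

RegisterSources is the part that needs the administrator; TryWrite is what the service calls. The boolean return lets the service flip to its configured fallback the first time a write fails, which is exactly the behaviour the asker settled on.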

Related

which process in windows is user specific?

I wanted to know which process in Windows is user specific, I mean it gets created for each user login. I tried explorer.exe, but when you switch user and log into a new account, it shows the old login name in my code. Basically I just need to log which user is logging in, when in the app.
If all you need to know is which user(s) are using your app, can you just check Environment.UserName when you start your app?
I missed the tag indicating you created a Windows Service. That's a very different type of animal than a regular application, and the advice you receive for one is not necessarily transferable to the other.
Specifically, I notice that you've tagged this question windows-7. If you're trying to run this service under Windows 7, you need to understand a few things about how the model for Windows Services was substantially altered starting with Windows Vista. Specifically, they now run in an isolated session and are prohibited from interacting directly with the user.
Also see my answer here for a better explanation.
The fundamental point is that, from the perspective of a Windows Service, there is no such concept as the currently logged-on user. A Windows Service runs in its own isolated session and is not affiliated with any particular user. That's why the code you found to determine the user associated with a particular process is not working as you expect for a Windows Service. A standard user doesn't own the process running the service. (And replacing your service with an application is also not a viable option, given how I understand your requirements. As I explain here, user-mode applications are started when a particular user logs on and will be closed whenever that user logs off.)
Another problem is that more than one user can be logged in simultaneously to a single workstation. Windows is a thoroughly multi-user operating system, so the best that you can hope for is to enumerate all of the currently logged in users. The NetWkstaUserEnum function will get you that list, but note that it includes all types of logons, including interactive users, services, and batch logons. To call this function from C#, you will need to P/Invoke—you can find information about that over on pinvoke.net.
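The answer ends by pointing at NetWkstaUserEnum via P/Invoke. The block below is an added example, not code from the answer or from pinvoke.net, showing one way to declare and call it from C# so a service can list every current logon on the local machine. The structure and function names are the Win32 ones; the de-duplication and the DOMAIN\user formatting are choices made here.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Runtime.InteropServices;

// Added example: enumerates every current logon on the local workstation via
// NetWkstaUserEnum, which works from a service session where
// Environment.UserName would only name the service account.
public static class LoggedOnUsers
{
    private const int NERR_Success = 0;
    private const int ERROR_MORE_DATA = 234;
    private const int MAX_PREFERRED_LENGTH = -1;

    // Level 1 fills the buffer with an array of WKSTA_USER_INFO_1 structures.
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    private struct WKSTA_USER_INFO_1
    {
        public string wkui1_username;
        public string wkui1_logon_domain;
        public string wkui1_oth_domains;
        public string wkui1_logon_server;
    }

    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    private static extern int NetWkstaUserEnum(
        string servername, int level, out IntPtr bufptr, int prefmaxlen,
        out int entriesread, out int totalentries, ref int resume_handle);

    [DllImport("netapi32.dll")]
    private static extern int NetApiBufferFree(IntPtr buffer);

    // Returns DOMAIN\user for each logon on this machine. As the answer notes, the
    // API reports service and batch logons as well as interactive ones, so one
    // account can appear several times; duplicates are collapsed here, but the
    // caller still decides which accounts count as "real" users for its purpose.
    public static IList<string> Enumerate()
    {
        var users = new SortedSet<string>(StringComparer.OrdinalIgnoreCase);
        int resumeHandle = 0;
        int status;
        do
        {
            IntPtr buffer;
            int entriesRead, totalEntries;
            status = NetWkstaUserEnum(null, 1, out buffer, MAX_PREFERRED_LENGTH,
                                      out entriesRead, out totalEntries, ref resumeHandle);
            if (status != NERR_Success && status != ERROR_MORE_DATA)
                throw new Win32Exception(status, "NetWkstaUserEnum failed with status " + status);

            try
            {
                int size = Marshal.SizeOf(typeof(WKSTA_USER_INFO_1));
                for (int i = 0; i < entriesRead; i++)
                {
                    IntPtr entryPtr = new IntPtr(buffer.ToInt64() + (long)i * size);
                    var entry = (WKSTA_USER_INFO_1)Marshal.PtrToStructure(entryPtr, typeof(WKSTA_USER_INFO_1));
                    users.Add(entry.wkui1_logon_domain + "\\" + entry.wkui1_username);
                }
            }
            finally
            {
                // The system allocates the buffer; the caller must free it.
                NetApiBufferFree(buffer);
            }
        } while (status == ERROR_MORE_DATA);

        return new List<string>(users);
    }
}
```

Calling LoggedOnUsers.Enumerate() from a service's timer or session-change handler gives the full set of logons at that moment; there is still no single "the" logged-on user, for the reason the answer gives.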

How to create a setup experience much like LogMeIn?

I would like to find out if someone (and maybe someone on StackOverflow works for LogMeIn, and can fill me in on the details) knows how to create a similar experience much like what you get with LogMeIn when you install their remote components on a computer, when logged into their site?
Typically, when you download and keep their remote components on a thumbdrive, you have to log into their software with your username and password, but when you're on their site, and click on "Add Computer" from their menu of options, the setup process bypasses the login process.
I'm writing up the specifications on a different tool, but similar in deployment model, and having that feature would make the setup process for the end user all the more simplistic in the long run.
Any assistance would be greatly appreciated.
Edit:
I did some digging and ran across this example of how to read from a table. So now I'm thinking maybe my way of doing this is to create a custom "download" page that, when it gets clicked on, reads the msi into memory; I edit a custom property to insert a guid or other property that expires in 10 minutes or so, and use the guid to link the user account to the installation instance... Hmm... may work :)
Something to try during my next geek week before I go about building the msi installer for said project.
Windows Installer has the concept of transforms. LogMeIn is probably just using a base msi and programmatically generating a transform and applying it as part of a watermarking process.
Morphing Installers ( with transforms ):
http://www.tramontana.co.hu/wix/lesson9.php
The concepts here are straightforward, and the majority of your work is going to be integrating it into your website's build/release process.
Personally I get nervous about baking that much information into an MSI but the LogMeIn people obviously had a business case for making it as easy easy easy as possible for their users.
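The asker's edit describes stamping a short-lived guid into the installer to tie it to the account, and the answer above is nervous about how much gets baked into the MSI. The added example below (not code from either post, and not LogMeIn's or any vendor's mechanism) shows the server-side half of that idea done conservatively: the value written into the installer (as an MSI property or transform value) is an opaque token that carries only an account id and an expiry, signed with HMAC-SHA256 so the enrollment endpoint can reject tampered or stale tokens. The key, lifetime and token layout are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: a 10-minute, HMAC-signed enrollment token. The installer only
// ever carries this string, never the user's password.
public static class EnrollmentToken
{
    // Hypothetical server-side secret; in practice load it from protected config,
    // never ship it inside the installer.
    private static readonly byte[] ServerKey =
        Encoding.UTF8.GetBytes("replace-with-a-random-32-byte-secret");
    private static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(10);

    // Called by the download page when the logged-in user clicks "Add Computer".
    public static string Issue(Guid accountId, DateTime utcNow)
    {
        long expiresTicks = utcNow.Add(Lifetime).Ticks;
        string payload = accountId.ToString("N") + "." + expiresTicks;
        return payload + "." + Sign(payload);
    }

    // Called by the enrollment endpoint when the freshly installed client reports
    // in. Returns true and the account id only if the signature is valid and the
    // token has not expired.
    public static bool TryValidate(string token, DateTime utcNow, out Guid accountId)
    {
        accountId = Guid.Empty;
        if (token == null) return false;
        string[] parts = token.Split('.');
        if (parts.Length != 3) return false;

        string payload = parts[0] + "." + parts[1];
        if (!FixedTimeEquals(Sign(payload), parts[2])) return false;

        long expiresTicks;
        if (!long.TryParse(parts[1], out expiresTicks) || utcNow.Ticks > expiresTicks) return false;

        return Guid.TryParseExact(parts[0], "N", out accountId);
    }

    private static string Sign(string payload)
    {
        using (var hmac = new HMACSHA256(ServerKey))
        {
            byte[] mac = hmac.ComputeHash(Encoding.UTF8.GetBytes(payload));
            return BitConverter.ToString(mac).Replace("-", "");
        }
    }

    // Compare the full length regardless of where the first mismatch is, so the
    // check does not leak signature bytes through timing.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Because the token is single-purpose and expires, a leaked or copied installer only lets someone enroll a machine into that account for a few minutes, and the server can additionally mark each token as used on first validation.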
Once you have the admin password to a (non-firewalled) Windows box, you can copy files, remotely update the registry, start services, etc.
This is one example of a remote VNC install procedure.
One remote desktop vendor (don't remember which) that I looked at allowed remote installation by ordering a computer to log in and install on any computer located on the same subnet.

Event Logging in C# on Windows 7/ 2008 Server

I am trying to make an event logger for my cmd line application. However, I get this error when it tries to create the log for the first time:
The source was not found, but some or all event logs could not be searched. Inaccessible logs: Security.
So I found this is because of Windows 7 and some new security. So right now I have to give the .exe admin rights.
Is there a way around this so it would not need admin rights? I don't know if people would feel too good if they have to constantly run my application with admin rights.
I am planning to put this later on a Windows 2008 machine, so I am guessing it will suffer from the same problem.
You could create the event source at the point of installation so they only need to make that choice once. Once the source is created in the registry you can add events to it without the need for admin rights.
As well as the CreateEventSource function there is also the EventLogInstaller class:
http://msdn.microsoft.com/en-us/library/system.diagnostics.eventloginstaller.aspx
WiX also offers this functionality in its Utility extension:
How do you create an event log source using WiX
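The answer's EventLogInstaller suggestion, as an added example that is not code from the answer or from the MSDN page it links: an installer component that creates the source when the administrator runs installutil once, paired with the runtime write that then works without elevation. The tool and source names are hypothetical.

```csharp
using System.ComponentModel;
using System.Configuration.Install;
using System.Diagnostics;

// Added example. Build into the command-line tool's assembly and run, elevated,
// once per machine:  installutil.exe /i MyCmdTool.exe
// (requires a reference to System.Configuration.Install.dll)
[RunInstaller(true)]
public class MyCmdToolEventLogInstaller : Installer
{
    public const string SourceName = "MyCmdTool";   // hypothetical source name

    public MyCmdToolEventLogInstaller()
    {
        var logInstaller = new EventLogInstaller
        {
            Source = SourceName,
            Log = "Application",                     // stay in Application, not Security
            UninstallAction = UninstallAction.Remove  // installutil /u cleans the source up
        };
        Installers.Add(logInstaller);
    }
}

// Runtime side: once the source is registered under Eventlog\Application, an
// ordinary user can write entries, so the tool itself never asks for admin.
public static class ToolLog
{
    public static void Write(string message, EventLogEntryType type, int eventId)
    {
        using (var log = new EventLog("Application") { Source = MyCmdToolEventLogInstaller.SourceName })
        {
            log.WriteEntry(message, type, eventId);
        }
    }
}
```

The "Inaccessible logs: Security" error from the question comes from the framework having to search every log to find an unregistered source; registering the source up front means that search never has to touch the Security log, and the one-time installutil run is the only step that needs elevation.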
NETWORK SERVICE or the impersonated user must have Read/Write access to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security

How do you monitor file access and changes on a file server by user name?

I was asked to find a way to monitor changes (modification, renaming, deletion, moving) of files in specific folders on the company's shared file server (a simple Windows shared directory). I wrote a simple app in C# that uses FileSystemWatcher to monitor these changes and notify a particular email address of them.
What I'd like to know now is how to find out the name/IP of the user/computer who made these changes. Any ideas?
As an alternative to writing my own software, are there any good (possibly free) software that supports this functionality?
Use auditing - it's on the Security tab when you get the properties of a file/folder. You specify which users you want audited for what kind of access. You also have to turn on auditing using the security policy MMC snap-in. The audits will end up in the Security log.
Detailed instructions from MS: http://support.microsoft.com/kb/310399
If you want, your C# app could then pick the events out of the security event log.
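The answer's last line, picking the audit events out of the Security log from C#, as an added example (not code from the answer or the linked KB article). It uses System.Diagnostics.Eventing.Reader, available from .NET 3.5, to query Security event 4663 ("An attempt was made to access an object", the event that object-access auditing writes on Vista/2008 and later) and pulls out who touched which path. The XPath filter, the path-prefix filter and the record type are choices made here; reading the Security log requires the account to be an administrator or a member of Event Log Readers.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics.Eventing.Reader;
using System.Xml;

// Added example: correlate file changes with the user who made them by reading
// object-access audit events (4663) from the local Security log.
public static class FileAccessAudit
{
    public sealed class AccessRecord
    {
        public DateTime TimeUtc;
        public string User;         // DOMAIN\user from SubjectDomainName/SubjectUserName
        public string ObjectName;   // full path of the audited file or folder
        public string AccessMask;   // requested access, e.g. 0x2 (write), 0x10000 (delete)
        public string ProcessName;  // process that performed the access
    }

    private const string EventNs = "http://schemas.microsoft.com/win/2004/08/events/event";

    // Returns 4663 events created since sinceUtc whose object path starts with
    // pathPrefix (null = no path filter). Newest events come last.
    public static IList<AccessRecord> ReadSince(DateTime sinceUtc, string pathPrefix)
    {
        // Same filter form the Event Viewer "custom range" UI generates.
        string since = sinceUtc.ToUniversalTime().ToString("yyyy-MM-dd'T'HH:mm:ss.fff'Z'");
        string xpath = "*[System[(EventID=4663) and TimeCreated[@SystemTime>='" + since + "']]]";
        var query = new EventLogQuery("Security", PathType.LogName, xpath);

        var records = new List<AccessRecord>();
        using (var reader = new EventLogReader(query))
        {
            for (EventRecord ev = reader.ReadEvent(); ev != null; ev = reader.ReadEvent())
            {
                using (ev)
                {
                    var xml = new XmlDocument();
                    xml.LoadXml(ev.ToXml());
                    var ns = new XmlNamespaceManager(xml.NameTable);
                    ns.AddNamespace("e", EventNs);

                    string objectName = Data(xml, ns, "ObjectName");
                    if (pathPrefix != null &&
                        !objectName.StartsWith(pathPrefix, StringComparison.OrdinalIgnoreCase))
                        continue;

                    records.Add(new AccessRecord
                    {
                        TimeUtc = ev.TimeCreated.HasValue ? ev.TimeCreated.Value.ToUniversalTime() : DateTime.MinValue,
                        User = Data(xml, ns, "SubjectDomainName") + "\\" + Data(xml, ns, "SubjectUserName"),
                        ObjectName = objectName,
                        AccessMask = Data(xml, ns, "AccessMask"),
                        ProcessName = Data(xml, ns, "ProcessName")
                    });
                }
            }
        }
        return records;
    }

    // Reads one named <Data> field from the event's EventData section.
    private static string Data(XmlDocument xml, XmlNamespaceManager ns, string name)
    {
        XmlNode node = xml.SelectSingleNode("//e:EventData/e:Data[@Name='" + name + "']", ns);
        return node == null ? string.Empty : node.InnerText;
    }
}
```

A FileSystemWatcher callback can call FileAccessAudit.ReadSince with a timestamp a few seconds before the change and the watched share's local path, then include the matching AccessRecord entries in the notification e-mail. Auditing must already be enabled on the folder and in the security policy, as the answer describes, or the query simply returns nothing.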
