Event Logging in C# on Windows 7/2008 Server

I am trying to make an event logger for my cmd line application. However I get this error when it tries to create the log for the first time.
The source was not found, but some or all event logs could not be searched. Inaccessible logs: Security.
So I found this is because of Windows 7 and some new security. So right now I have to give the .exe admin rights.
Is there a way around this so it would not need admin rights? I don't know if people would feel too good if they have to constantly run my application with admin rights.
I am planning to put this later on a Windows 2008 machine so I am guessing it will suffer from the same problem.

You could create the event source at the point of installation so they only need to make that choice once. Once the source is created in the registry you can add events to it without the need for admin rights.
As well as the CreateEventSource function there is also the EventLogInstaller class:
http://msdn.microsoft.com/en-us/library/system.diagnostics.eventloginstaller.aspx
WiX also offers this functionality in its Utility extension:
How do you create an event log source using WiX
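The split suggested in this answer, as an added example that is not part of the original post: one elevated registration step at install time, and a runtime path that writes as a standard user and degrades safely if the source was never registered. The source name `ExampleCmdApp` and the `/register` switch are assumptions made for the example.

```csharp
using System;
using System.Diagnostics;
using System.Security;

static class AppEventLog
{
    // Hypothetical names chosen for this example.
    const string Source = "ExampleCmdApp";
    const string Log = "Application";

    // Install-time step: run once from an elevated installer or prompt.
    // Creating a source searches every log, including Security, so it needs admin rights.
    public static void RegisterSource()
    {
        if (!EventLog.SourceExists(Source))
            EventLog.CreateEventSource(Source, Log);
    }

    // Runtime path: runs as a standard user. No SourceExists call here, because
    // that check itself throws SecurityException when the source is missing.
    public static bool TryWrite(string message, EventLogEntryType type)
    {
        try
        {
            EventLog.WriteEntry(Source, message, type);
            return true;
        }
        catch (SecurityException)
        {
            // Source was never registered; fall back instead of asking for elevation.
            Console.Error.WriteLine("[{0}] {1} (event source '{2}' not registered)",
                type, message, Source);
            return false;
        }
    }

    static int Main(string[] args)
    {
        if (args.Length == 1 && args[0] == "/register")
        {
            RegisterSource();   // expected to run elevated, once
            return 0;
        }
        TryWrite("Application started.", EventLogEntryType.Information);
        return 0;
    }
}
```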

NETWORK SERVICE OR Impersonated User must have Read/Write access to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security

Related

New Windows log not displaying in Windows Event Viewer

I want to create a new Windows log in Windows event viewer, everything seems to be fine but the log is not displaying. The source is being populated in Application log instead of the one I'm trying to create
Sample code
    if (!EventLog.SourceExists(sSource))
        EventLog.CreateEventSource(sSource, sLog);
The reason is the permissions on the registry. The files are on disk, but to be able to create a new log, your reference is in the registry.
To be able to create a new log you must go to the registry and give write permission to the "asp.net pool user" - even once for a server is good enough to create it.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog
Open the registry editor, find this key, right click on it, and give the permissions.
From the EventLog.CreateEventSource Method documentation:
Note: To create an event source in Windows Vista and later or Windows Server 2003, you must have administrative privileges. The reason for this requirement is that all event logs, including security, must be searched to determine whether the event source is unique. Starting with Windows Vista, users do not have permission to access the security log; therefore, a SecurityException is thrown.

Giving windows service permission to write to event logs [duplicate]

My question is related to write permissions to the Windows Event Log.
I have looked around several posts concerning this, and have found some ways to solve my problem, but none of these are acceptable for my current scenario.
I use C# in .NET 4.0. I use the EventLog class:
EventLog class
In short, I need to see if there is a way to impersonate or authenticate with an authenticated user and password to reach the right I need to write to the Event Log. The server will always be in the Windows Server family, but the version may vary.
My application is a Windows Service running with one of the following accounts:
Network Service
Local Service
Local System
User with restricted rights (Users or Domain Users groups)
Here are some other criteria I have:
I cannot put the service user as Administrator, not even local administrator on the server
I cannot edit or alter the registry
I cannot alter the UAC or any group policies on the server
I have a user with Administrator rights, but it cannot be used to run the service
The Event Log will always be the local Event Log, not on a remote machine
The Log will probably always be the "Application" log
The Source may vary, and that seems to be the heart of the problem
My question is: Is this at all possible?
Can I impersonate a user in my code to achieve what I need?
I do that when connecting to web services, logging on to SMTP servers and of course logging in to databases etc.
I stumbled into this class:
EventLogPermission Class
But I cannot seem to get a good concept on how to use the class.
I hope I have expressed my problem well. I don't consider this a duplicate of another post because of my criteria.
By default, any authenticated user is able to write to the application event log. However, only administrators can create new event Sources. If all event Sources are known at service installation time, I recommend registering those sources ahead of time, then you will be all set up. Registering is a simple call to EventLog.CreateEventSource.
If you need more flexibility on event sources, you can customize permissions. Those defaults could be customized by tweaking a registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Application\CustomSD
The process is described in this KB Article. The wevtutil tool, which is part of the OS and available on Server 2008 and above, makes it a bit easier than going through regedit.
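Before changing the descriptor this answer refers to, it helps to read what it currently grants. The following added example (not from the original answer) decodes an SDDL string such as the `CustomSD` value, or the `channelAccess` line printed by `wevtutil gl Application`, into per-principal read/write/clear rights and flags allow entries that let Everyone or Anonymous write or clear the log. The sample SDDL is constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.AccessControl;
using System.Security.Principal;

static class EventLogSdAudit
{
    // Event log access bits used in the log's security descriptor.
    const int Read = 0x1, Write = 0x2, Clear = 0x4;

    public static List<string> Describe(string sddl)
    {
        var lines = new List<string>();
        var sd = new RawSecurityDescriptor(sddl);
        if (sd.DiscretionaryAcl == null) { lines.Add("REVIEW: no DACL present"); return lines; }

        foreach (GenericAce ace in sd.DiscretionaryAcl)
        {
            var common = ace as CommonAce;
            if (common == null) continue;               // skip object/compound ACEs
            SecurityIdentifier sid = common.SecurityIdentifier;

            string name;
            try { name = sid.Translate(typeof(NTAccount)).Value; }
            catch (IdentityNotMappedException) { name = sid.Value; }

            var rights = new List<string>();
            if ((common.AccessMask & Read) != 0) rights.Add("read");
            if ((common.AccessMask & Write) != 0) rights.Add("write");
            if ((common.AccessMask & Clear) != 0) rights.Add("clear");

            // Flag allow-ACEs that let very broad principals write or clear the log.
            bool broad = sid.IsWellKnown(WellKnownSidType.WorldSid)
                      || sid.IsWellKnown(WellKnownSidType.AnonymousSid);
            bool risky = common.AceType == AceType.AccessAllowed && broad
                      && (common.AccessMask & (Write | Clear)) != 0;

            lines.Add(string.Format("{0}{1,-14} {2,-36} {3}", risky ? "REVIEW " : "       ",
                common.AceType, name, string.Join(",", rights)));
        }
        return lines;
    }

    static void Main()
    {
        // Constructed sample descriptor, not taken from a real host.
        const string sample = "O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x2;;;WD)";
        foreach (string line in Describe(sample)) Console.WriteLine(line);
    }
}
```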
The answer turned out to be "no".
I realize there is no good way of solving this the way I requested. There must be a manual job done.
So the solution I pick for this scenario is that customers who cannot run the service as an administrator or do a manual registry edit cannot use the functions around logging to the event log. And I will make it possible to enable and disable the logging from the config.
Admin user and registry edit are known ways for me, but as stated something I was trying to avoid. But that is, as it seems, not possible according to my criteria this time.

Auto Start WinForms Application With Admin Permissions On Non-Admin Account

I've been wrestling with this issue for a few days and can't find any posts that solve it for me. Maybe what I want isn't possible.
We have developed a WinForms application for internal use at our company.
Most employees do not have admin access in windows.
Our application requires admin access to the machine and needs to automatically start when the user logs on.
Here's what I've tried:
1) Putting a Shortcut in the Startup folder
I can get the app to automatically launch (using a relauncher), but it still requires an admin to be at the computer on every restart (to enter the password).
2) Registry Key
I created a Software\Microsoft\Windows\CurrentVersion\Run registry key to automatically start the application. Whether I run the relauncher or the app itself, UAC demands a password on every restart (or relogin).
3) Scheduled Task
I created a scheduled task to automatically start the app on logon using admin permissions on the machine (under use the following account). I also checked the 'Run with highest privileges' box. UAC still pops up on every restart.
4) Windows Service
I tried to run the app as a windows service, but it has a user interface (which is disabled by windows services).
5) Disable UAC for Specific Program
It looks like you can disable UAC for a specific program but that involves downloading the Application Compatibility Toolkit, creating some kind of database, etc. I'd very much prefer that our IT staff wouldn't have to do that at every machine. At this point, it's probably my only option.
It seems like an admin should be able to install an application so that it runs automatically without a prompt. Am I missing a way to do this?
You should split your program into a non-admin UI, which runs on user startup, and an admin service, which performs the administrative tasks.
To run admin-requiring code from the UI, use WCF to ask the service to do it.
Beware that hostile parties may impersonate the UI and ask the service to do malicious things; you need to carefully figure out what the service should be able to do in response to IPC calls.
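A sketch of the service side of this design, added here as an example and not taken from the original answer: the WCF contract exposes one narrow operation instead of a generic "run this" call, takes the caller's identity from the transport, and checks both the caller and the argument against fixed allowlists. The pipe address, group name and service name are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceProcess;

// The contract lists named, narrow operations; there is no generic command call.
[ServiceContract]
public interface IPrivilegedOps
{
    [OperationContract]
    bool RestartManagedService(string serviceName);
}

public class PrivilegedOps : IPrivilegedOps
{
    // Hypothetical allowlist and group; the UI cannot extend either.
    static readonly HashSet<string> Restartable =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "ExampleAgent" };
    const string AllowedGroup = @"EXAMPLE\AppOperators";

    public bool RestartManagedService(string serviceName)
    {
        // Identity comes from the authenticated transport, never from the request body.
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        if (ctx == null || ctx.IsAnonymous) return false;
        if (!new WindowsPrincipal(ctx.WindowsIdentity).IsInRole(AllowedGroup)) return false;
        if (serviceName == null || !Restartable.Contains(serviceName)) return false;

        using (var sc = new ServiceController(serviceName))
        {
            if (sc.Status == ServiceControllerStatus.Running)
            {
                sc.Stop();
                sc.WaitForStatus(ServiceControllerStatus.Stopped, TimeSpan.FromSeconds(30));
            }
            sc.Start();
        }
        return true;
    }
}

static class BrokerHost
{
    // Call from the Windows service's OnStart and close the host in OnStop.
    // NetNamedPipeBinding only accepts callers on the local machine.
    public static ServiceHost Open()
    {
        var host = new ServiceHost(typeof(PrivilegedOps), new Uri("net.pipe://localhost/ExampleBroker"));
        host.AddServiceEndpoint(typeof(IPrivilegedOps), new NetNamedPipeBinding(), "ops");
        host.Open();
        return host;
    }
}
```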
Your problem is not a UAC problem, it is a security problem.
And the answer depends on what your application that "requires admin rights" needs to do.
If your application needs to be able to start, and stop services, then the User needs the ability to start and stop services. In which case you need to give the users that privilege.
If the users need the ability to alter or delete files, then they need that privilege too. In that case it is easier to grant Full Control permissions to Everyone.
If your application needs the ability to modify registry keys in the HKLM tree then you can, again, grant Full Control to Everyone in the registry.
If you need your users to have the ability to modify items, then they need permissions to modify those locations. Granting them those NTFS permissions is not a bad thing; it is exactly what those permissions exist for - to control access.
But why
But then we ask why? What is it you're doing that users need all the rights of an administrator, all the capabilities of an administrator, and all the power of an administrator, but you don't want to make them a member of the Administrators group?
The answer is almost invariably that your internal use application doesn't need to run as an administrator.
What Would XP Do?
The question becomes:
What would you do on Windows XP?
A standard user on Windows XP didn't even have the UAC convenience feature. If a user wanted to run an application as an administrator, they had to log out and log in as an administrator. How did, or how would, the application work on a system with UAC disabled?
Presumably very little of your application needs to run as admin - the rest would be better running as the unprivileged user. This is very common (think self-updating browsers, for example).
The proper way to do this is to install a service to do the privileged bit, and have the UI communicate with the service.
Our application requires admin access to the machine ...
Why?
You cannot bypass the UAC prompt, and this is by design.
See FAQ: Why can’t I bypass the UAC prompt? for a good discussion of why. Excerpt:
If it were possible to mark an application to run with silently-elevated privileges, what would become of all those apps out there with LUA bugs? Answer: they'd all be marked to silently elevate. How would future software for Windows be written? Answer: To silently elevate. Nobody would actually fix their apps, and end-user applications will continue to require and run with full administrative permissions unnecessarily.

Cause Winforms application to show user credentials dialog when a file operation fails

I have a simple updater program that copies files from a company server to the user's machine.
For most people on the internal LAN this is no problem, but some staff access this from LANs where they are not automatically authenticated with the server in question.
Normally an attempt to access this server (e.g. via Explorer) would simply throw up a user credentials dialog asking the user to provide a login that can access the shared directory.
In my Winforms application I simply use operations like File.Copy to move the files.
How can my application cause Windows to prompt for authentication rather than just throwing an exception?
I'm willing to do a fair bit of work myself but what I was really hoping was that Windows provided a way for this to happen.
Otherwise I'm considering just attempting access and showing an error message instructing the user to authenticate themselves using explorer.
Are there any other nice ways to deal with this problem without reinventing the wheel for a 50 line program? :-)
You could use the shell API to make that happen (the same API Windows Explorer is based upon) - instead of File.Copy you would P/Invoke SHFileOperation.
