If you’re trying to use EventLog.WriteEntry to write events from your Windows services or web services on Windows Server 2003 or 2008, you’ll run into access-rights problems. Here is my technique to make this work. The concept is the same for 2003 and 2008, but the steps are different. I have seen many methods, but some do not work and others simply say to add the user(s) to the Administrators group, which, I believe, is irresponsible from a security perspective.

First, I like to use a dedicated ASP.NET user account and identity impersonation; if you do this, grant that user the rights below as well as the NETWORK SERVICE account. If you use a dedicated account for a Windows service, apply these instructions to that account. If you use an Administrator account you won’t have problems writing to the event log, but you open yourself up to a host of security issues, so that’s not recommended.

So here are the steps. Open regedit, go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Security key and grant the above account(s) read access in its permissions. Then grant the above account(s) full access to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application key. Read access to the Security key is needed because EventLog.SourceExists, which WriteEntry calls, scans every log key under eventlog to make sure the source is not registered under another log; without it you get "The source was not found, but some or all event logs could not be searched. Inaccessible logs: Security." Don’t expect to save a step by adding the accounts once at the eventlog key: the Security key does not inherit permissions from eventlog, so it must be set separately.

Next, you need to modify the channel access rights. On 2003, go to the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application; it should contain a CustomSD value. Append an ACE to that value, for example (A;;0x3;;;AU), which gives all authenticated users read (0x1) and write (0x2) access to the Application log. To restrict this to one account, use its SID instead of AU: for NETWORK SERVICE add (A;;0x3;;;S-1-5-20), and for a dedicated user enter that user’s SID. Here is the C# code to get the SID:

using System;
using System.Security.Principal;

// Translate an account name to its SID; sid.Value is the S-1-5-... string to put in the SDDL ACE.
NTAccount acct = new NTAccount("DOMAIN", "USERNAME");
SecurityIdentifier sid = (SecurityIdentifier)acct.Translate(typeof(SecurityIdentifier));
Console.WriteLine(sid.Value);

To get a machine account’s SID, the easiest way is to look under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList, which has one subkey, named by SID, for each account that has a profile on the machine.

Windows 2008 is a little different: the CustomSD value does not exist by default, and if you add it directly it will not work in my experience. Open a command prompt as an Administrator and run:

wevtutil gl Application > result.txt

Open result.txt in Notepad, find the channelAccess: line, copy the string starting at O:BAG:SYD: to the clipboard, append the ACE for your account, and run the command

wevtutil sl Application /ca:O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)(A;;0x3;;;S-1-5-20)

where the /ca: string is what you copied with your ACE appended (here (A;;0x3;;;S-1-5-20) for NETWORK SERVICE; everything before it is the default 2008 Application DACL). This creates the CustomSD value under the Application key and you are in business, although you may have to reboot the computer for the change to take effect.

You can test the results with the sample code from http://msdn.microsoft.com/en-us/library/xzwc042w.aspx

Update for Windows 2012: the above for 2008 works for 2012, but I needed one more step. Using https://support.microsoft.com/en-us/kb/842795 as a guide, I right-clicked on HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog and selected Permissions. Then I clicked “Add” and added my user name with full permissions for this key and its sub-keys. Then everything worked.
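The whole procedure above (resolve the SID, set the two registry ACLs, append the channel-access ACE with wevtutil, register the source while elevated, and write a test event) as one PowerShell script. This is an added example, not the original post’s code; it assumes an elevated Windows PowerShell prompt on 2008 or later, NETWORK SERVICE as the account (substitute DOMAIN\user for a dedicated account), and a hypothetical source name MyWebService. The 2012 step (full control on the parent eventlog key) is kept behind a switch because it is broader than the two per-log grants.

```powershell
# Added example (not from the original post). Run from an elevated Windows PowerShell prompt.
# Grants one account the minimum rights the post describes for EventLog.WriteEntry.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

$AccountName     = 'NT AUTHORITY\NETWORK SERVICE'   # or 'DOMAIN\svc_web' for a dedicated account
$SourceName      = 'MyWebService'                   # hypothetical event source name
$LogName         = 'Application'
$EventLogKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'
$ApplyParentGrant = $false   # set $true only if, as on 2012 in the post, the per-log grants are not enough

# 1. Account name -> SID. The SID string is what the SDDL ACE needs.
$account = New-Object System.Security.Principal.NTAccount($AccountName)
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
Write-Host "$AccountName -> $sid"

# 2. Registry rights. SourceExists scans every log key under EventLog, so the account
#    needs ReadKey on Security (which does not inherit from EventLog); it needs full
#    control on the target log key so the source metadata can be created and read.
function Grant-RegistryRight {
    param([string]$Path, [string]$Identity, [string]$Rights)
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList $Identity, $Rights, 'ContainerInherit', 'None', 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}
Grant-RegistryRight "$EventLogKey\Security" $AccountName 'ReadKey'
Grant-RegistryRight "$EventLogKey\$LogName" $AccountName 'FullControl'
if ($ApplyParentGrant) { Grant-RegistryRight $EventLogKey $AccountName 'FullControl' }

# 3. Channel access. Read the current SDDL from wevtutil, append one read+write ACE
#    (0x1 = read, 0x2 = write, 0x4 = clear) for this SID if it is not already there,
#    and write it back; wevtutil stores the result as the CustomSD value.
function Get-ChannelSddl([string]$Log) {
    $line = wevtutil gl $Log | Where-Object { $_ -match '^\s*channelAccess:' }
    return ($line -replace '^\s*channelAccess:\s*', '').Trim()
}
$sddl = Get-ChannelSddl $LogName
$ace  = "(A;;0x3;;;$sid)"
if ($sddl -notlike "*$ace*") {
    wevtutil sl $LogName "/ca:$sddl$ace"
}

# 4. Decode the resulting DACL so you can confirm nothing broader than intended was
#    granted (for example a stray (A;;0x3;;;AU) giving every authenticated user write).
function ConvertFrom-ChannelSddl([string]$Sddl) {
    [regex]::Matches($Sddl, '\((A|D);;(0x[0-9A-Fa-f]+);;;([^)]+)\)') | ForEach-Object {
        $mask = [int]$_.Groups[2].Value
        [pscustomobject]@{
            Type    = if ($_.Groups[1].Value -eq 'A') { 'Allow' } else { 'Deny' }
            Trustee = $_.Groups[3].Value
            Read    = [bool]($mask -band 0x1)
            Write   = [bool]($mask -band 0x2)
            Clear   = [bool]($mask -band 0x4)
        }
    }
}
ConvertFrom-ChannelSddl (Get-ChannelSddl $LogName) | Format-Table -AutoSize

# 5. Register the source now, while elevated, so the service account never needs the
#    right to create it, then write a test event. To prove the service account itself
#    can write, run the WriteEntry line under that identity (e.g. from the service).
if (-not [System.Diagnostics.EventLog]::SourceExists($SourceName)) {
    [System.Diagnostics.EventLog]::CreateEventSource($SourceName, $LogName)
}
[System.Diagnostics.EventLog]::WriteEntry($SourceName, 'Event log permissions test', [System.Diagnostics.EventLogEntryType]::Information)
```

If Set-Acl is refused on the Security key even when elevated, take ownership of that key first (the same thing the post does through regedit’s Permissions dialog), then re-run the script. The decoded table in step 4 is the check worth keeping: the only non-default Allow entry should be your account’s SID with Read and Write true and Clear false.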


EventLog.WriteEntry Issues