EventLog write permissions

Mats Magnem · Jan 9, 2013 · Viewed 49.9k times

My question is related to write permissions to the Windows Event Log. I have looked around several posts concerning this, and have found some ways to solve my problem, but none of these are acceptable for my current scenario.

I use C# in .NET 4.0. I use the EventLog class: EventLog class

In short, I need to see if there is a way to impersonate or authenticate with an authenticated user and password to reach the right I need to write to the Event Log. The server will always be in the Windows Server family, but the version may vary.

My application is a Windows Service running with one of the following accounts:

  • Network Service
  • Local Service
  • Local System
  • User with restricted rights (Users or Domain Users groups)

Here are some other criteria I have:

  • I cannot put the service user as Administrator, not even local administrator on the server
  • I cannot edit or alter the registry
  • I cannot alter the UAC or any group policies on the server
  • I have a user with Administrator rights, but it cannot be used to run the service
  • The Event Log will always be the local Event Log, not on a remote machine
  • The Log will probably always be the "Application" log
  • The Source may vary, and that seems to be the heart of the problem

My question is: Is this at all possible?

Can I impersonate a user in my code to achieve what I need? I do that when connecting to web services, logging on to SMTP servers and of course logging in to databases etc.

I stumbled into this class: EventLogPermission Class

But I cannot seem to get a good concept on how to use the class.

I hope I have expressed my problem well. I don't consider this a duplicate of another post because of my criteria.

Answer

seva titov · Jan 10, 2013

By default, any authenticated user is able to write to the application event log. However, only administrators can create new event Sources. If all event Sources are known at the service installation time, I recommend registering those sources ahead of time, then you will be all set up. Registering is a simple call to EventLog.CreateEventSource.

If you need more flexibility on event sources, you can customize permissions. Those defaults could be customized by tweaking a registry key:

  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Application\CustomSD

The process is described in this KB Article. The wevtutil tool, which is part of the OS and available on Server 2008 and above, makes it a bit easier than going through regedit.
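
The recommendation above as an added example (not code from the original answer): event sources are registered once by an elevated install step, and the service, running under its restricted account, only writes. The class name, the source names and the `/register` switch are assumptions made for illustration.

```csharp
using System;
using System.Diagnostics;
using System.Security;

static class ServiceEventLog
{
    // Hypothetical source names; list every source the service may use.
    static readonly string[] KnownSources = { "MyService", "MyService.Import" };
    const string FallbackSource = "MyService";   // must be one of KnownSources
    const string LogName = "Application";

    // Install time, elevated: creating a source writes a registry key under
    // HKLM\System\CurrentControlSet\Services\Eventlog\Application.
    public static void RegisterSources()
    {
        foreach (string source in KnownSources)
        {
            if (!EventLog.SourceExists(source))
                EventLog.CreateEventSource(source, LogName);
        }
    }

    // Run time, restricted account: write only. With an unregistered source,
    // WriteEntry tries to create it, which throws SecurityException for a
    // non-administrator.
    public static void Write(string source, string message, EventLogEntryType type)
    {
        try
        {
            EventLog.WriteEntry(source, message, type);
        }
        catch (SecurityException)
        {
            // Keep the event: reuse a registered source and record the intended one.
            EventLog.WriteEntry(FallbackSource, "[" + source + "] " + message, type);
        }
    }

    static void Main(string[] args)
    {
        if (args.Length == 1 && args[0] == "/register")
            RegisterSources();          // run once from an elevated prompt
        else
            Write("MyService.Import", "Import finished.", EventLogEntryType.Information);
    }
}
```

The fallback keeps events from being lost when a source was missed at install time, without giving the service account any right to create sources.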