Clearing off Evelt Logs programmatically on Windows 2003

Rohit_Saksena

Member
Joined
Mar 3, 2005
Messages
14
Programming Experience
3-5
Hi All,

Can anybody tell / enquire as to what rights/privileges does user 'NETWORK SERVICE' require (on Windows 2003 server) for clearing off the Event Logs programmatically.

Actually my requirement is to clear off the event logs programmatically which is happening on Windows XP but the same code simply fails on Windows 2003 Server. The code is basically a part of an XML Web Service. On Windows XP/2000 the user responsible for administering Web Services is ASPNET which has been changed on Windows 2003, the responsible user there is NETWORK SERVICE.

My assumption is : probably NETWORK SERVICE is missing certain privileges which ASPNET use to have and it might be the reason as to why clearing off the Event Logs is not happening on Windows 2003 Server.

Awaiting your responses

Rohit

 

Rohit_Saksena

Member
Joined
Mar 3, 2005
Messages
14
Programming Experience
3-5
Solved the problem myself...
Actually it was an ACL (Access Control List) issue.

In Windows 2003, Microsoft has tightened up the ACLs on the event logs to restrict what accounts can read, write and clear the logs. The security of each log is configured locally through th values in the following registry key:
HKLM\System\CurrentControlSet\Services\Eventlog
For eg. the Application log Security Descriptor is configured through the following registry value:
HKLM\System\CurrentControlSet\Services\Eventlog\Application\CustomSD

The Security Descriptor for each log is specified by using Security Descriptor Definition Language (SDDL) syntax. The following is an example:
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)
Here,
BA refers to Built-in Admin
SO refers to Server Operators
IU refers to Interactive Users
SU refers to Service accounts
S-1-5-3 refers to Batch accounts

The specific event log access mask bits are:
0x0001: Permission to read log files.
0x0002: Permission to write log files.
0x0003: Permission to clear log files.

So in an application if an event log operation fails it is definitely because of an ACL issue.

In my case, the value of CustomSD of my custom log was (A;;0x3;;;SU) for Network Service user and I changed it to (A;;0x7;;;SU).

Wow.........it started working................


Rohit Saksena
 
Last edited by a moderator:
Top Bottom