Clearing off Event Logs programmatically on Windows 2003

Rohit_Saksena

Hi All,

Can anybody tell me what rights/privileges the user 'NETWORK SERVICE' requires (on Windows 2003 Server) to clear the Event Logs programmatically?

Actually my requirement is to clear the event logs programmatically, which works on Windows XP, but the same code simply fails on Windows 2003 Server. The code is basically part of an XML Web Service. On Windows XP/2000 the user responsible for running Web Services is ASPNET; this has been changed on Windows 2003, where the responsible user is NETWORK SERVICE.

My assumption is: NETWORK SERVICE is probably missing certain privileges which ASPNET used to have, and that might be the reason why clearing the Event Logs is not working on Windows 2003 Server.

Awaiting your responses

Rohit

Solved the problem myself...
Actually it was an ACL (Access Control List) issue.

In Windows 2003, Microsoft has tightened up the ACLs on the event logs to restrict which accounts can read, write and clear the logs. The security of each log is configured locally through the values in the following registry key:
HKLM\System\CurrentControlSet\Services\Eventlog
For example, the Application log Security Descriptor is configured through the following registry value:
HKLM\System\CurrentControlSet\Services\Eventlog\Application\CustomSD

The Security Descriptor for each log is specified by using Security Descriptor Definition Language (SDDL) syntax. The following is an example:
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)
Here,
BA refers to Built-in Admin
SO refers to Server Operators
IU refers to Interactive Users
SU refers to Service accounts
S-1-5-3 refers to Batch accounts

The specific event log access mask bits are:
0x0001: Permission to read log files.
0x0002: Permission to write log files.
0x0003: Permission to clear log files.

So in an application if an event log operation fails it is definitely because of an ACL issue.

In my case, the value of CustomSD of my custom log was (A;;0x3;;;SU) for the Network Service user, and I changed it to (A;;0x7;;;SU).

Wow... it started working...


Rohit Saksena
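As an added example (not code from the poster), here is a small parser for the CustomSD string above that reports which trustees hold which event-log rights, so an administrator can audit who is allowed to clear a log before and after a change like the one described. It assumes the mask is given in hex and treats it as bit flags using the documented Windows ELF_LOGFILE_* values (read 0x1, write 0x2, clear 0x4), which is why 0x3 grants read+write only and 0x7 also grants clear; the deny handling is a per-trustee simplification that ignores group membership.

```python
import re

# Event-log access mask bits (Windows ELF_LOGFILE_* constants).
ELF_LOGFILE_READ = 0x1
ELF_LOGFILE_WRITE = 0x2
ELF_LOGFILE_CLEAR = 0x4

# The example descriptor quoted in the thread.
THREAD_SDDL = ("O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)"
               "(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)")

# One SDDL ACE: (type;flags;mask;object_guid;inherit_guid;trustee)
ACE_RE = re.compile(r"\((?P<type>[AD]);[^;]*;(?P<mask>0[xX][0-9a-fA-F]+);[^;]*;[^;]*;(?P<sid>[^)]+)\)")

def parse_custom_sd(sddl):
    """Return [(ace_type, mask, trustee), ...] for every hex-mask allow/deny ACE."""
    return [(m["type"], int(m["mask"], 16), m["sid"]) for m in ACE_RE.finditer(sddl)]

def rights_for(sddl, trustee):
    """Effective bits for one trustee: allowed bits minus denied bits (deny wins)."""
    allowed = denied = 0
    for ace_type, mask, sid in parse_custom_sd(sddl):
        if sid != trustee:
            continue
        if ace_type == "A":
            allowed |= mask
        else:
            denied |= mask
    return allowed & ~denied

def describe(mask):
    """Human-readable view of the three event-log-specific bits."""
    names = [n for bit, n in ((ELF_LOGFILE_READ, "read"), (ELF_LOGFILE_WRITE, "write"),
                              (ELF_LOGFILE_CLEAR, "clear")) if mask & bit]
    return "+".join(names) or "none"

def can_clear(sddl, trustee):
    return bool(rights_for(sddl, trustee) & ELF_LOGFILE_CLEAR)

def audit_clearers(sddl):
    """Trustees able to clear the log, in descriptor order and without duplicates."""
    seen = []
    for _, _, sid in parse_custom_sd(sddl):
        if sid not in seen and can_clear(sddl, sid):
            seen.append(sid)
    return seen

if __name__ == "__main__":
    for _, _, sid in parse_custom_sd(THREAD_SDDL):
        print(f"{sid:8} {describe(rights_for(THREAD_SDDL, sid))}")
    fixed = THREAD_SDDL.replace("(A;;0x3;;;SU)", "(A;;0x7;;;SU)")
    print("SU can clear before:", can_clear(THREAD_SDDL, "SU"), "after:", can_clear(fixed, "SU"))
```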