EventLog.Clear() fails raising Access is Denied

Rohit_Saksena

Member
Joined
Mar 3, 2005
Messages
14
Programming Experience
3-5
Hi,
My project requirement says that I have to write certain entries to the EventLog, and if the EventLog is full I have to clear it.
Now, while I am trying to call objEventLog.Clear(), I am receiving the following exception:
System.ComponentModel.Win32Exception: Access is denied at System.Diagnostics.EventLog.Clear()

The application is to be deployed on Windows 2003, and it is there that this problem is popping up, as the same code is working fine on Windows XP.

Can anybody help?

Awaiting responses.

Thanks & Regards
Rohit Saksena
Rohit_Saksena
Solved the problem myself...
Actually it was an ACL (Access Control List) issue.

In Windows 2003, Microsoft has tightened up the ACLs on the event logs to restrict which accounts can read, write and clear the logs. The security of each log is configured locally through the values under the following registry key:
HKLM\System\CurrentControlSet\Services\Eventlog
For example, the Application log Security Descriptor is configured through the following registry value:
HKLM\System\CurrentControlSet\Services\Eventlog\Application\CustomSD

The Security Descriptor for each log is specified by using Security Descriptor Definition Language (SDDL) syntax. The following is an example:
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)
Here,
BA refers to Built-in Admin
SO refers to Server Operators
IU refers to Interactive Users
SU refers to Service accounts
S-1-5-3 refers to Batch accounts

The specific event log access mask bits are:
0x0001: Permission to read log files.
0x0002: Permission to write log files.
0x0003: Permission to clear log files.

So, in an application, if an event log operation fails, it is definitely because of an ACL issue.

In my case, the value of CustomSD for my custom log was (A;;0x3;;;SU) for the Network Service user, and I changed it to (A;;0x7;;;SU).

Wow.........it started working................

Rohit Saksena
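As an added example (not code from the poster), here is a small Python decoder for CustomSD strings: it parses the DACL, reports what each trustee is effectively allowed to do, and applies the post's 0x3 to 0x7 change to the SU entry (the SDDL alias for the service logon SID S-1-5-6, which service accounts such as Network Service carry). It uses the documented ELF_LOGFILE_READ, ELF_LOGFILE_WRITE and ELF_LOGFILE_CLEAR bit values 0x1, 0x2 and 0x4, and the descriptor string is the one quoted above; only allow/deny ACEs with numeric access masks are handled.

```python
"""Decode an event-log CustomSD (SDDL) string: who may read, write or clear the log."""
import re

# Documented ELF_LOGFILE_* access bits carried in event-log CustomSD values.
ELF_READ, ELF_WRITE, ELF_CLEAR = 0x1, 0x2, 0x4

# One SDDL ACE: (type;flags;rights;object_guid;inherit_guid;trustee)
ACE_RE = re.compile(r"\((A|D);([^;]*);(0x[0-9A-Fa-f]+|\d+);([^;]*);([^;]*);([^)]+)\)")

# The descriptor quoted in the post above (a Windows 2003 default).
DEFAULT_SD = ("O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)"
              "(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)")


def parse_dacl(sddl):
    """Return the DACL as a list of (ace_type, access_mask, trustee) tuples."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    if not dacl:
        return []
    return [(kind, int(rights, 0), sid)
            for kind, _flags, rights, _obj, _inh, sid in ACE_RE.findall(dacl.group(1))]

def effective_rights(sddl, trustee):
    """ELF bits the trustee ends up with; an explicit deny ACE overrides an allow."""
    allowed = denied = 0
    for kind, mask, sid in parse_dacl(sddl):
        if sid != trustee:
            continue
        if kind == "A":
            allowed |= mask
        else:
            denied |= mask
    return allowed & ~denied & (ELF_READ | ELF_WRITE | ELF_CLEAR)

def describe(mask):
    """Spell out an ELF mask, e.g. 0x7 -> 'read+write+clear'."""
    bits = ((ELF_READ, "read"), (ELF_WRITE, "write"), (ELF_CLEAR, "clear"))
    return "+".join(name for bit, name in bits if mask & bit) or "none"

def audit(sddl):
    """Map every trustee named in the DACL to what it is effectively allowed to do."""
    return {sid: describe(effective_rights(sddl, sid)) for _, _, sid in parse_dacl(sddl)}

def with_rights(sddl, trustee, mask):
    """Rewrite the trustee's allow ACE to carry `mask` (the post's 0x3 -> 0x7 change for SU)."""
    pattern = r"\(A;([^;]*);[^;]*;([^;]*);([^;]*);%s\)" % re.escape(trustee)
    return re.sub(pattern, r"(A;\1;0x%x;\2;\3;%s)" % (mask, trustee), sddl)
```

Running audit() over the default descriptor shows that only SY, BA and SO may clear the log, while SU only gets read+write, which is exactly why Clear() failed for the service. Auditing CustomSD values this way is also a quick check that no unexpected account has been granted the clear bit on a server's logs.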