EventLog write permissions
Solution 1
The answer turned out to be "no".
I realize there is no good way of solving this the way I requested. There must be a manual job done.
So the solution I pick for this scenario is that customers who cannot run the service as an administrator or do a manual registry edit cannot use the functions around logging to event log. And I will make it possible to enable and disable the logging from the config.
Admin user and registry edit are known ways for me, but as stated something I was trying to avoid. But that is, as it seems, not possible according to my criteria this time.
Solution 2
By default, any authenticated user is able to write to the application event log. However, only administrators can create new event Sources. If all event Sources are known at the service installation time, I recommend registering those sources ahead of time, then you will be all set up. Registering is a simple call to EventLog.CreateEventSource.
If you need more flexibility on event sources, you can customize permissions. Those defaults could be customized by tweaking a registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Application\CustomSD
The process is described in this KB Article. The wevtutil tool, which is part of the OS and is available on Server 2008 and above, makes it a bit easier than going through regedit.
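An added example (not part of the original answer) of the approach described above on .NET Framework: the elevated installer registers the known sources once, and the low-privileged service only writes. The source names and the `--install` switch are hypothetical.

```csharp
using System;
using System.Diagnostics;
using System.Security;

static class EventLogSetup
{
    const string LogName = "Application";

    // Hypothetical source names, fixed at install time (constructed sample values).
    static readonly string[] KnownSources = { "MyService", "MyService.Import" };

    // Installer step: must run elevated, because only administrators
    // can create new event sources.
    public static void RegisterSources()
    {
        foreach (string source in KnownSources)
        {
            if (!EventLog.SourceExists(source))
                EventLog.CreateEventSource(source, LogName);
        }
    }

    // Service step: runs as a low-privileged account and only writes.
    // Returns false instead of throwing so the caller can fall back to
    // another log target or switch event logging off in its config.
    public static bool TryWrite(string source, string message, EventLogEntryType type)
    {
        try
        {
            EventLog.WriteEntry(source, message, type);
            return true;
        }
        catch (SecurityException)
        {
            // The source is not registered and this account may not create it.
            return false;
        }
    }

    static void Main(string[] args)
    {
        if (args.Length > 0 && args[0] == "--install")
            RegisterSources(); // run once from an elevated installer
        else
            Console.WriteLine(TryWrite("MyService", "Service started.", EventLogEntryType.Information));
    }
}
```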
Mats Magnem
Updated on January 14, 2020
Comments
-
Mats Magnem over 4 years
My question is related to write permissions to the Windows Event Log. I have looked around several posts concerning this, and have found some ways to solve my problem, but none of these are acceptable for my current scenario.
I use C# in .NET 4.0. I use the EventLog class: EventLog class
In short, I need to see if there is a way to impersonate or authenticate with an authenticated user and password to reach the right I need to write to the Event Log. The server will always be in the Windows Server family, but the version may vary.
My application is a Windows Service running with one of the following accounts:
- Network Service
- Local Service
- Local System
- User with restricted rights (Users or Domain Users groups)
Here are some other criteria I have:
- I cannot put the service user as Administrator, not even local administrator on the server
- I cannot edit or alter the registry
- I cannot alter the UAC or any group policies on the server
- I have a user with Administrator rights, but it cannot be used to run the service
- The Event Log will always be the local Event Log, not on a remote machine
- The Log will probably always be the "Application" log
- The Source may vary, and that seems to be the heart of the problem
My question is: Is this at all possible?
Can I impersonate a user in my code to achieve what I need? I do that when connecting to web services, logging on to SMTP servers and of course logging in to databases etc.
I stumbled into this class: EventLogPermission Class
But I cannot seem to get a good concept on how to use the class.
I hope I have expressed my problem well. I don't consider this a duplicate of another post because of my criteria.
-
pseudocoder over 11 years
The key here is the administrator level permission at install time, which is simply required if you want to operate under default/safe security settings.
-
Mats Magnem over 11 years
I am aware of that, and those are things I normally do. But both break my criteria (as stated in the question). I am unable to edit or alter the registry. And I cannot register the sources ahead of time, as my source may vary.
-
seva titov over 11 years
@MatsMagnem, I am pretty sure you can edit the registry at service installation time. When you install a Windows service, you need administrative permissions anyway, so you can tweak the permissions while you are at it. Once it is done, and your service is running, you don't need to modify the registry.
-
Mats Magnem over 11 years
I can, of course, and I will if I have to. But this is a product sold to be installed in the customer's own environment. Most government and corporate customers will often not give me a user with administrative rights due to policies and politics. The installation itself does not need administrator privileges, neither does over-all running of the solution. So it's not my choice. If I have to, I will. But if I can avoid it by impersonating a user (which is ok because they can set username and password after install), that would be swell :-)
-
seva titov over 11 years
@MatsMagnem, "The installation itself does not need administrator privileges" -- This is not true, to install a Windows service you need to be an administrator on the machine.
-
Mats Magnem over 11 years
Ok, that's true. However, my question remains. And that's if there is a possibility to accomplish what I like without having to run the service as an administrator user or access the Windows Registry. Many bigger customers are not happy when I need to have to alter the registry. It must be a valid criteria for a question.
-
seva titov over 11 years
@MatsMagnem, you may not be realizing it, but when installing a Windows service you already are making a change in the registry. Having changed one more reg key is not something that you are not doing during your installation. The solution I proposed works for a service running under the account of a low-privileged user, and you don't need to modify any reg key while the service is running (only during installation time). I downvoted your question because your criteria are contradictory. Add a clear explanation of what you are looking for (and why you need it) so I can remove my downvote.
-
Mats Magnem over 11 years
You explain a manual edit in the registry. I find it hard to put a manual registry edit in the install documentation. The installation of the service is done by code and does not require a manual action. The application that creates the service has a manifest that requires admin rights. I realize there is no way of impersonating. So the way to go is to try and do the registry edit in a safe way in that app.
-
Mats Magnem over 11 years
So it's not the matter of A registry change. It's the fact that it's manual. And the install person may not have the qualifications to do a proper change in the registry in a safe way. I may not be the installer in all cases. So I look for a non-manual way. But there might not be one. So the answer to my question should be "no" and not a down-vote.
-
seva titov over 11 years
-1: To modify a registry from your code use Windows Registry API, inside your installation process. It does not have to be manual.
-
Mats Magnem over 11 years
The other suggestions described manual edits and did not answer my specific question. They were alternative methods, and not what I asked for.
-
Peter over 8 years
As mentioned you can write an installer component such that when it installs your service it also automatically adds an event source (and removes it on uninstall). You acknowledged that the installation has to be done as a user with admin rights so there clearly is a solution hence the downvote on the "answer".
-
Admin about 8 years
@Peter interesting approach, you should've posted it as an answer.