System.Security.SecurityException when writing to Event Log


Solution 1

The solution was to give the "Network Service" account read permission on the EventLog/Security key.

Solution 2

To give Network Service read permission on the EventLog/Security key (as suggested by Firenzi and royrules22), follow the instructions from http://geekswithblogs.net/timh/archive/2005/10/05/56029.aspx

  1. Open the Registry Editor:
    1. Select Start then Run
    2. Enter regedt32 or regedit
  2. Navigate/expand to the following key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security

  3. Right click on this entry and select Permissions

  4. Add the Network Service user

  5. Give it Read permission

UPDATE: The steps above are OK on developer machines, where you do not use a deployment process to install the application.
However, if you deploy your application to other machine(s), consider registering event log sources during installation, as suggested in SailAvid's and Nicole Calinoiu's answers.

I am using a PowerShell function (called in Octopus Deploy.ps1):

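function Create-EventSources() {
    # Run elevated (for example from the deployment step): creating a source writes under HKLM.
    $eventSources = @("MySource1", "MySource2")
    foreach ($source in $eventSources) {
        # Register each source once; later runs find it and skip creation.
        if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
            [System.Diagnostics.EventLog]::CreateEventSource($source, "Application")
        }
    }
}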

Solution 3

The problem is that EventLog.SourceExists tries to access the EventLog\Security key, access to which is only permitted for an administrator.

A common example for a C# Program logging into EventLog is:

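using System.Diagnostics;

string sSource;
string sLog;
string sEvent;

sSource = "dotNET Sample App";
sLog = "Application";
sEvent = "Sample Event";

// Register the source on first use; this is the check discussed below.
if (!EventLog.SourceExists(sSource))
    EventLog.CreateEventSource(sSource, sLog);

// Write an informational entry, then a warning with event ID 234.
EventLog.WriteEntry(sSource, sEvent);
EventLog.WriteEntry(sSource, sEvent, EventLogEntryType.Warning, 234);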

However, the following lines fail if the program does not have administrator permissions and the key is not found under EventLog\Application, as EventLog.SourceExists will then try to access EventLog\Security.

if (!EventLog.SourceExists(sSource))
    EventLog.CreateEventSource(sSource, sLog);

Therefore the recommended way is to create an install script, which creates the corresponding key, namely:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\dotNET Sample App

One can then remove those two lines.

You can also create a .reg file to create the registry key. Simply save the following text into a file create.reg:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\dotNET Sample App]
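
The install-time registration described in this answer, as an added PowerShell example that is not part of the original answer. The function names are hypothetical; the existence check reads only the named log's subkey, so it never has to open EventLog\Security.

```powershell
# Added example. Test-EventSourceRegistered, Test-IsElevated and
# Register-EventSourceKey are hypothetical helper names.
$EventLogRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'

function Test-EventSourceRegistered {
    param(
        [Parameter(Mandatory)][string]$Source,
        [string]$Log = 'Application'
    )
    # Looks only under the named log. Unlike EventLog.SourceExists it does not
    # enumerate the other logs, so it cannot see a source registered elsewhere.
    $logKey = Join-Path $EventLogRoot $Log
    Test-Path -LiteralPath (Join-Path $logKey $Source)
}

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Register-EventSourceKey {
    param(
        [Parameter(Mandatory)][string]$Source,
        [string]$Log = 'Application'
    )
    if (Test-EventSourceRegistered -Source $Source -Log $Log) {
        return $false   # already registered, nothing to do
    }
    if (-not (Test-IsElevated)) {
        throw "Source '$Source' is not registered under '$Log'; run this step elevated at install time."
    }
    # Creates the source key under the log; throws if the source is already
    # registered under a different log.
    [System.Diagnostics.EventLog]::CreateEventSource($Source, $Log)
    return $true
}

# Install step: register once, elevated.
Register-EventSourceKey -Source 'dotNET Sample App' -Log 'Application'
```

With the source registered this way, the application account only needs to call WriteEntry and needs no permission on EventLog\Security.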

Solution 4

For me, only granting 'Read' permissions for 'NetworkService' to the whole 'EventLog' branch worked.

Solution 5

This exception was occurring for me from a .NET console app running as a scheduled task, and I was trying to do basically the same thing - create a new Event Source and write to the event log.

In the end, setting full permissions for the user under which the task was running on the following keys did the trick for me:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog
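
After permissions on these keys have been changed by hand, it is worth listing which principals ended up with write access. The following is an added PowerShell example, not part of the original answer; the function name and the `$Trusted` allow-list are assumptions to adapt to your own baseline.

```powershell
# Added example. Get-EventLogKeyWriteGrant is a hypothetical helper name.
function Get-EventLogKeyWriteGrant {
    param(
        [string[]]$Path = @(
            'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog',
            'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Application',
            'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security'
        ),
        # Assumption: principals expected to hold write access on these keys.
        [string[]]$Trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    )
    $named = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
    # Inherit-only ACEs can carry raw generic bits instead of named rights:
    # 0x10000000 = GENERIC_ALL, 0x40000000 = GENERIC_WRITE.
    $writeMask = [int]$named -bor 0x10000000 -bor 0x40000000

    foreach ($key in $Path) {
        # Run elevated: a standard account cannot read EventLog\Security by default.
        $acl = Get-Acl -LiteralPath $key -ErrorAction Stop
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($Trusted -contains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.RegistryRights -band $writeMask) -eq 0) { continue }
            # Report every remaining principal that can modify the key.
            [pscustomobject]@{
                Key       = $key
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

Get-EventLogKeyWriteGrant | Format-Table -AutoSize -Wrap
```

An entry for "Everyone", or for an application or task account on the Security key, is the kind of grant this report is meant to surface for review.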

Author by

encee

Updated on January 26, 2021

Comments

  • encee
    encee over 3 years

    I’m working on trying to port an ASP.NET app from Server 2003 (and IIS6) to Server 2008 (IIS7).

    When I try and visit the page on the browser I get this:

    Server Error in ‘/’ Application.

    Security Exception

    Description: The application attempted to perform an operation not allowed by the security policy. To grant this application the required permission please contact your system administrator or change the application’s trust level in the configuration file.

    Exception Details: System.Security.SecurityException: The source was not found, but some or all event logs could not be searched. Inaccessible logs: Security

    Source Error:

    An unhandled exception was generated during the execution of the current web request. Information regarding the origin and the location of the exception can be identified using the exception stack trace below.

    Stack Trace:

    [SecurityException: The source was not found, but some or all event logs could not be searched. Inaccessible logs: Security.]

    System.Diagnostics.EventLog.FindSourceRegistration(String source, String machineName, Boolean readOnly) +562 System.Diagnostics.EventLog.SourceExists(String source, String machineName) +251

    [snip]

    These are the things I’ve done to try and solve it:

    1. Give “Everyone” full access permission to the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security. This worked. But naturally I can’t do this in production. So I deleted the “Everyone” permission after running the app for a few minutes and the error re-appeared.

    2. I created the source in the Application log and the Security log (and I verified it exists via regedit) during installation with elevated permissions but the error remained.

    3. I gave the app a full trust level in the web.config file (and using appcmd.exe) but to no avail.

    Does anyone have an insight as to what could be done here?

    PS: This is a follow up to this question. I followed the given answers but to no avail (see #2 above).

  • h--n
    h--n about 13 years
    I see similar solutions around. But I'm just wondering why it is like this. Because I can see that a lot of services are logged on as NetworkService and they must be able to read the event log /security. So why is it needed to add the permission for NetworkService?
  • Allan
    Allan almost 13 years
    For those of us who don't normally crawl through the registry, this link may be helpful: social.msdn.microsoft.com/forums/en-US/…
  • Ben Barreth
    Ben Barreth about 12 years
    Nice link Allan. Point #3 by the accepted answer is important and has already bitten me once. i.e. Granting permission at the parent EventLog registry key does NOT propagate to "inaccessible logs" such as Security and Virtual Server, even though they are child keys in the registry. If you want full event log access you have to grant permission at BOTH the parent event log level and the child Security levels.
  • Grokodile
    Grokodile about 11 years
    In IIS7 you can assign the "NETWORK SERVICE" as the identity for an App Pool (you might find that ApplicationPoolIdentity is the default) or instead you can create a new user per Application Pool and set permissions on that "Custom account". see Specify an Identity for an Application Pool (IIS 7)
  • Zé Carlos
    Zé Carlos about 11 years
    The changes only take effect after you restart your application on IIS
  • duck9
    duck9 about 11 years
    I gave IIS_IUSRS permission to read/write the eventlog key, and read the Security key. My product needed write access on the eventlog key because it creates its own event source.
  • demoncodemonkey
    demoncodemonkey almost 11 years
    Also try setting the application to run as LocalSystem, so the registry key is created, then you can change back to NetworkService afterwards.
  • thedrs
    thedrs almost 10 years
    duck9 is correct for IIS8, see here for more details: stackoverflow.com/questions/712203/…
  • Ruud Helderman
    Ruud Helderman over 9 years
    You saved my day. BTW, read permission was sufficient on eventlog\Application and eventlog\Security; full control required on the eventlog root only.
  • serge
    serge over 9 years
    That is not very relevant, because for sub-keys like "Security" or "Virtual Server" you need to grant read access individually, as permissions have been set to not inherit from the parent key.
  • wruckie
    wruckie over 9 years
    When I was troubleshooting in VS and got this error, this did fix it for me
  • CodeMonkey1313
    CodeMonkey1313 about 9 years
    This would error out because it's not VS that's invoking this call, it's the application which is likely running under a different security context.
  • Valo
    Valo almost 9 years
    This is exactly what I do for all my services. I believe that this is the right thing to do. In every service where I use the event log I have a .reg file like the one above. One little note: the file must be saved as Unicode-32 (cp 1200).
  • Maneesh Babu M
    Maneesh Babu M almost 9 years
    This answer describes the real reason behind the error. The check exists tries to enumerate the whole key. If it exists, checkExists works fine.
  • Anthony Horne
    Anthony Horne over 8 years
    Also look at serverfault.com/a/81246/219898 regarding App Pool Users and related permissions - for this solution. Thanks @Michael Freidgeim - was a big help.
  • Chris Fremgen
    Chris Fremgen about 8 years
    For those who tried to Copy/Paste, make sure there is a space between the words "Network Service".
  • majestzim
    majestzim almost 8 years
    Changing the app pool from "ApplicationPoolIdentity" to "LocalSystem" solved the issue of creating/reading event logs for me.
  • Princa
    Princa almost 8 years
    EventLog\Security this is the key to function, make sure you have permission on that.
  • Yousha Aleayoub
    Yousha Aleayoub over 4 years
    This is not a right solution, especially for end-user.
  • needfulthing
    needfulthing almost 4 years
    I followed steps 1-5 using a local account. It now has read access for the whole Security folder and sub-folders in the registry, but now I get an access error in RegistryKey.OpenSubKey().