Article Index

Permissions on the Windows 2003 Server Event Log

One of the big “features“ of Windows 2003 Server is that the default install is much more secure than Windows servers of the past.  The offshoot is that some tasks that used to be easy are now a little more difficult.  I'm not complaining; I believe it is a price worth paying.  We just need to help each other out in documenting the workarounds.

Which brings me to the topic of this post: reading the event log.  In Windows 2003 Server, you can no longer read the event log of a server unless you are an administrator of that server.  This is a problem when you are trying to support an application (which logs its error messages to the Event Log), but cannot be an administrator of the server.

Fortunately, it is possible to change the permissions on an Event Log.  Unfortunately, it is not as straightforward as you might think.  I would have guessed it would involve changing the permissions on the Event Log registry keys - the children of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog.  So, if you guessed like me, you're wrong... but close.

The solution is in the registry, but does not involve permissions on the keys.  Windows 2003 introduced the CustomSD key - or Custom Security Descriptor.  It is a string written using the Security Descriptor Definition Language.  The solution is to add an additional ACE (Access Control Expression?) string to the default CustomSD value.  An ACE string grants a set of permissions to a specific user or users, identified by a SID (security ID?).  A much better explanation can be found by reading this article about the impact of security changes in Windows 2003 (scroll to the section Tighter ACLs on Event Logs).

When I first started digging into all of this stuff, I thought it would be great to write a little UI utility to build SDDL and ACE strings, with built-in support for the common SIDs.  Then reality hit and I realized that was a complete tangent from the task at hand - getting non-administrator access to the Event Log.

I decided I would grant Read access to the Application Event Log to all Authenticated Users, which can be expressed with the following ACE: (A;;0x1;;;AU)

I just needed to add that ACE to the existing CustomSD value on the Application Event Log.  The CustomSD value can be found on each event log key.  The location of the Application event log key is shown here:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application

The original value of CustomSD was:

 O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)

My new value was:

 O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x1;;;AU)

After editing the registry value, I was able to successfully read the event log on the server without being an administrator. If you want to grant different rights to different users, reading the links provided above should help you build the correct SDDL / ACE strings.

FYI: If you are using .NET and you use the EventLogInstaller to create a custom event log at deployment time, it would be a good idea to add additional code to your Installer class to append this ACE to the CustomSD of the newly created log.

Comments

Great article, thanks for sorting this out.

Regards,

LambiekNL
LambiekNL - February 08, 2007 05:20am
Joshua, many thanks for writing this. I've spent most of today trying to get application logs visible to a third party. It works a treat.

Kind Regards

Gary
Gary Parnell - September 07, 2007 10:15am
I was reading Microsoft's KB article and was having a hard time udnerstanding all that needed to be done.
http://support.microsoft.com/kb/323076

Thanks for putting thier KB into English.

-Joe
Joe DeMate - February 21, 2008 03:44pm
Like others, I had spent a lot of time reading the MS KBs without really understanding what I needed to do. When I found your entry this morning I was able to get it to work.
Thank you for your help!

Rob Rowe
Rob Rowe - February 29, 2008 07:30am