3

Question: Is it possible to export an event log in a process not "run as administrator"?

I'm following the example code at https://msdn.microsoft.com/en-us/library/bb671203(v=vs.90).aspx

using (var els = new EventLogSession())
{
    els.ExportLogAndMessages("Security", PathType.LogName, "*", @"c:\temp\security.evtx");
}

This code runs successfully when I run the process using "run as administrator", but fails when not "run as administrator with the exception

System.UnauthorizedAccessException: "Attempted to perform an unauthorized operation."

Using similar code to access my application's event log

using (var els = new EventLogSession())
{
    els.ExportLogAndMessages("MyAppLog", PathType.LogName, "*", @"c:\temp\myapplog.evtx");
}

I get similar results except the exception is different:

System.Diagnostics.Eventing.Reader.EventLogException: "The directory name is invalid"

Am I doing something wrong, or is there a different approach that will allow me to get an event log exported to an .evtx file without requiring admin privileges?

Notes:

Community
  • 1
  • 1
Matt Smith
  • 17,026
  • 7
  • 53
  • 103

3 Answers3

2

Using the approach shown on pinvoke.net works without admin privileges for my custom application log (i.e. MyAppLog in the example above). This does not work for Security log example shown above (but I believe that is intended):

[DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
static extern IntPtr OpenEventLog(string UNCServerName, string sourceName);

[DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
static extern bool BackupEventLog(IntPtr hEventLog, string backupFile);

[DllImport("advapi32.dll", SetLastError = true)]
static extern bool CloseEventLog(IntPtr hEventLog);

void SaveLog(string eventLogName, string destinationDirectory)
{
    string exportedEventLogFileName = Path.Combine(destinationDirectory, eventLogName + ".evtx");

    IntPtr logHandle = OpenEventLog(Environment.MachineName, eventLogName);

    if (IntPtr.Zero != logHandle)
    {
       bool retValue = BackupEventLog(logHandle, exportedEventLogFileName);
       //If false, notify.
       CloseEventLog(logHandle);
    }
}
Matt Smith
  • 17,026
  • 7
  • 53
  • 103
  • Event logs have access permissions and you cannot bypass these by using P/Invoke as you have discovered. So no access to the security log unless you have the required permissions. This answer is just a more low level way to access an event log from .NET. If you really want to use P/Invoke yourself instead of a managed wrapper you should probably look into using a `SafeHandle` for the handle returned. The .NET library uses [`SafeEventLogReadHandle`](https://referencesource.microsoft.com/#System/compmod/microsoft/win32/safehandles/SafeEventLogReadHandle.cs). – Martin Liversage Dec 14 '16 at 17:13
  • Though, when you have the required permission (to access a custom log that does not require elevated permission) the higher level way to access them still throws an exception. – Matt Smith Dec 14 '16 at 17:21
  • If you get the _Directory name is invalid_ error then it is not a permission issue but a problem with how you specify the name of the log you want to access. – Martin Liversage Dec 14 '16 at 17:26
  • No--it is not. The error being thrown in that case is incorrect. Try it. If it was, I would expect to get that same error when I "run as admin" (which I do not). – Matt Smith Dec 14 '16 at 17:30
  • and I believe this post is describing in more detail why that error occurs: http://stackoverflow.com/a/5110631/495262 – Matt Smith Dec 14 '16 at 17:44
2

Question: Is it possible to export an event log in a process not "run as administrator"?

Yes you can but only if you have the rights to access the event log you want to export.

However, your question seems to be more something like

Why can't I export my application's event log using EventLogSession? An EventLogException is thrown with the message "The directory name is invalid".

Looking into the source code for EventLogSession you can see that the call to ExportLogAndMessages will call the native function EvtExportLog. If this function fails the error code is retrieved by calling GetLastError. This native Windows error code is then mapped to one of several exceptions.

The exception that you experience is thrown if any of the following errors happen:

  • ERROR_FILE_NOT_FOUND (2): The system cannot find the file specified.
  • ERROR_PATH_NOT_FOUND (3): The system cannot find the path specified.
  • ERROR_EVT_CHANNEL_NOT_FOUND (15007): The specified channel could not be found. Check channel configuration.
  • ERROR_EVT_MESSAGE_NOT_FOUND (15027): The message resource is present but the message is not found in the string/message table.
  • ERROR_EVT_MESSAGE_ID_NOT_FOUND (15028): The message id for the desired message could not be found.
  • ERROR_EVT_PUBLISHER_METADATA_NOT_FOUND (15002): The publisher metadata cannot be found in the resource.

If you specify a wrong event log name then ERROR_EVT_CHANNEL_NOT_FOUND is the error you encounter. My guess is that this is your problem.

However, you can call EvtExportLog yourself and inspect the native error code to better understand why the call fails:

[DllImport("kernel32.dll")]
static extern uint GetLastError();

[DllImport("wevtapi.dll", CharSet = CharSet.Unicode, SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
static extern bool EvtExportLog(IntPtr session, string channelPath, string query, string targetFilePath, int flags);

var success = EvtExportLog(IntPtr.Zero, "MyAppLog", "*", @"c:\temp\myapplog.evtx", 1);
if (!success)
{
    var error = GetLastError();
    Console.WriteLine(error);
}

The native error code should give you a clear indication of what the underlying problem is.

Martin Liversage
  • 104,481
  • 22
  • 209
  • 256
1

This is kind of old, but I came back to it several times while trying to solve the same problem. I don't know any way to use EventLogSession without providing Admin credentials.

However, the Windows command wevtutil will let you export to an evtx file without Admin privileges. For example, running wevtutil epl Application Downloads\export-Application.evtx in a command window will export the Application event log.

To run from a C# program, you can use this method:

/// <summary>
/// Run wevtutil with the given parameters.
/// </summary>
/// <param name="programPath">Path to wevtutil</param>
/// <param name="programParameters">wevutil parameters</param>
/// <returns></returns>
/// <remarks>https://stackoverflow.com/a/37138255/468523</remarks>
private static (string info, string err) RunWevtUtil(string programPath, string programParameters)
{
    var process = new Process
    {
        StartInfo =
        {
            FileName = programPath,
            Arguments = programParameters,
            UseShellExecute = false,
            RedirectStandardOutput = true,
            RedirectStandardError = true
        }
    };

    process.Start();
    var outputData = process.StandardOutput.ReadToEnd();
    var errorData = process.StandardError.ReadToEnd();
    process.WaitForExit();
    return (outputData, errorData);
}

For programPath, provide the complete path to wevtutil, typically @"C:\Windows\System32\wevtutil.exe". For programParameters you can use @"epl Application Downloads\export-Application.evtx". It returns a tuple of strings that give standard and error output.

You can use the Windows command line to test your parameters and then use those in the program.

blearyeye
  • 255
  • 4
  • 14