I have an application that creates new event sources in an event log on a 2016 Windows Server v1607. It is not known which names the sources will have. To archive this the account needs read access to all the event sources to assure the source name does not already exist (why double source names in different logs are not allowed is another interesting question). By default a local account is blocked from reading the Security event log, so the creation of a new source ends up with an error that there is no read access to the Security log.
The most promising approach seemed to be the answer to this question: https://stackoverflow.com/a/3138269/2091030
I followed the steps 1-5 changing the registry permissions of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security by adding read permissions for the local account. I checked all the sub-keys in the Security folder and they all show proper read access for the account. Nevertheless I get another error now when using a simple C# program to add an event with a new source:
using System;
using System.Diagnostics;
namespace EventlogTest {
public class Test {
public static void Main() {
var log = new EventLog("SomeLog", ".", "SomeNewSource");
log.WriteEntry("Test 123", EventLogEntryType.Information);
}
}
}
System.Security.SecurityException: Der angeforderte Registrierungszugriff ist unzulässig.
bei System.ThrowHelper.ThrowSecurityException(ExceptionResource resource)
bei Microsoft.Win32.RegistryKey.OpenSubKey(String name, Boolean writable)
bei System.Diagnostics.EventLog.CreateEventSource(EventSourceCreationData sourceData)
bei System.Diagnostics.EventLogInternal.VerifyAndCreateSource(String sourceName, String currentMachineName)
bei System.Diagnostics.EventLogInternal.WriteEntry(String message, EventLogEntryType type, Int32 eventID, Int16 category, Byte[] rawData)
bei System.Diagnostics.EventLog.WriteEntry(String message, EventLogEntryType type)
bei EventlogTest.Test.Main()
Did I miss something?
