Event log write permissions

Scenario: Writing to the event log on a Windows Server 2008 through my c# code. However I’m getting access denied errors when attempting to write events…

It’s an asp.net application written in C#. The application pool user is not the Network Service.


Create an event source. This event source is what my application will write errors to. It means I can filter errors in the event log that are caused by my application alone.

Change the permissions allowing the domain user (who is not the Network Service) to write to the event log.

Create an Event Source

There lots of tools that can create an event source, the following is come vbscript that creates one…


Function MakeEvent()
    Dim objEvent

    Set objEvent = ScriptContext.CreateEvent()

    objEvent.EventSource = "MyApplication"
    objEvent.EventNumber = 4444
    objEvent.EventType = EVENT_TYPE_WARNING
    objEvent.LoggingDomain = "DOMAIN1"
    objEvent.SourceDomain = "DOMAIN1"

    Set MakeEvent = objEvent
End Function

Here the C# equivalent

using System;
using System.Diagnostics;

class MainClass
public static void Main ()
if (!EventLog.SourceExists(“MyApplication”))
EventLog.CreateEventSource(“MyApplication”, “Application”);


Access to Write to Event log

Open Cmd prompt as admin.

Type: C:\>wevtutil gl application > C:\temp\out.txt

This outputs the security credentials for the application event log to the given text file.

Open the generated C:\temp\out.txt file in Notepad

It looks a little bit like this:

name: application
enabled: true
type: Admin
isolation: Application
channelAccess: O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)
logFileName: %SystemRoot%\System32\Winevt\Logs\application.evtx
retention: false
autoBackup: false
maxSize: 20971520

The line you’re interested in is the “channelAccess”. (The wonderful Windows SDDL – Security Descriptor Definition Language).

You need to add (append) the following to the end of the line: (A;;0x3;;;AU)

–          This gives write/read access (the “0x3” bit ) to Authenticated Users (AU).

You then need to apply the updated setting…

C:\>wevtutil sl Application /ca:O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)(A;;0x3;;;AU)


You can check the change by:
C:\>wevtutil gl application > C:\temp\updatedout.txt

And you’ll see the change in the channelAccess line.

The more eagle eyed amongst you (and you’d need to be eagle eyed to spot this) will notice that the registry location:

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application now has an additional key CustomSD with the updated channelAccess key. This key only appears if the default configuration is changed, i.e. as I have done by granting Authenticated Users write access.

Important Info: Only applies cos the application user is not the NetworkService, but a domain user. The NetworkService user is already part of the approved list, so you won’t need to apply these steps.

Further Reading:
If you would like to prevent authenticated users from writing to the event log, and would prefer to lock down security further, you can follow the process above, but rather than giving access to all authenticated users, you can grant access to specific users by adding their SID (security ID) to the channel access list instead. VBScript to find SID for a user.




About jpadda

Technical Consultant currently working as part of the .Net team for EMC Consulting.
This entry was posted in Windows Administration. Bookmark the permalink.

8 Responses to Event log write permissions

  1. Pingback: (Domain) User auf Eventlog schreibend berechtigen - PITS-online

  2. Wladimir Mutel says:

    in 0x3, you have non-ascii letter ‘x’. So it needs to be corrected after copying and pasting into the command line .

    • Sam says:

      That’s just stupid wordpress that “thinks it knows better” and it converts characters so they look better. Including but not limited to ‘ ” x – and more.

  3. Jedaba says:

    yup, missing three zero between x and 3, should be: (A;;0×0003;;;AU)
    Great helpfull info, thanks for this post

  4. Jedaba says:

    more info about entry meanings on msdn: http://support.microsoft.com/kb/2028427

  5. Pingback: How to trigger a Scheduled Task on a remote computer using VB | Desmond Oshiwambo

  6. Pingback: Run a Rule On-Demand | Practice to Perfect

  7. baskiDevOPS says:

    Cool. Worked like a charm. I had manually provided the permission to the registry entry. But that did not help. However using wevtutil has done the job !

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s