Create an Event Log on a Least Privilege User Account

Author
5 Aug 2005 1:51 AM
mr.mike.ward
I'm trying to do the following on an x64 Pro system running in a Least
Privilege User Account.

(C#)
EventLog eventLog = new EventLog("MyLog", ".", "MyLog");
----------

I get a security exception with the following text.

System.Security.SecurityException: Requested registry access is not
allowed. at Microsoft.Win32.RegistryKey.OpenSubKey(String name, Boolean
writable)

Is there anything I can declare in my code to get around this or is
this just a limitation of a LUA?

Author
5 Aug 2005 7:25 AM
Dominick Baier [DevelopMentor]
Hello mr.mike.w***@gmail.com,

by default - a LUA is not allowed to create event logs and sources - run
this from a console app which has admin privs - writing to this Log afterwards
is not a problem. There are also some registry ACLs to tweak to make this
work even under LUA - but I wouldn't recommend that (if you absolutely need
them, ping me)

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> I'm trying to do the following on an x64 Pro system running in a Least
> Privilege User Account.
>
> (C#)
> EventLog eventLog = new EventLog("MyLog", ".", "MyLog");
> ----------
> I get a security exception with the following text.
>
> System.Security.SecurityException: Requested registry access is not
> allowed. at Microsoft.Win32.RegistryKey.OpenSubKey(String name,
> Boolean writable)
>
> Is there anything I can declare in my code to get around this or is
> this just a limitation of a LUA?
>
Author
5 Aug 2005 11:12 AM
Nicole Calinoiu
Hmm... Since admin privileges would also be required to adjust the ACLs, why
not just create the event log while running with the elevated privileges
rather than adjusting the ACLs?  Obviously, other considerations might enter
in for recurrent log creation, but there's no reason to believe (or at least
not yet <g>) that this is the requirement in OP's situation.


"Dominick Baier [DevelopMentor]" <dbaier@pleasepleasenospamdevelop.com>
wrote in message news:700746632588307916458732@news.microsoft.com...
> Hello mr.mike.w***@gmail.com,
>
> by default - a LUA is not allowed to create event logs and sources - run
> this from a console app which has admin privs - writing to this Log
> afterwards is not a problem. There are also some registry ACLs to tweak to
> make this work even under LUA - but I wouldn't recommend that (if you
> absolutely need them, ping me)
>
> ---------------------------------------
> Dominick Baier - DevelopMentor
> http://www.leastprivilege.com
>
>> I'm trying to do the following on an x64 Pro system running in a Least
>> Privilege User Account.
>>
>> (C#)
>> EventLog eventLog = new EventLog("MyLog", ".", "MyLog");
>> ----------
>> I get a security exception with the following text.
>>
>> System.Security.SecurityException: Requested registry access is not
>> allowed. at Microsoft.Win32.RegistryKey.OpenSubKey(String name,
>> Boolean writable)
>>
>> Is there anything I can declare in my code to get around this or is
>> this just a limitation of a LUA?
>>
>
>
>
Author
6 Aug 2005 7:55 AM
Dominick Baier [DevelopMentor]
Hello Nicole Calinoiu" calinoiu REMOVETHIS AT gmail DOT com,

yes :) that's exactly what I wanted to say. have an installer that runs at
deployment time (with admin privs), create source and log. and party on :)

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Hmm... Since admin privileges would also be required to adjust the
> ACLs, why not just create the event log while running with the
> elevated privileges rather than adjusting the ACLs?  Obviously, other
> considerations might enter in for recurrent log creation, but there's
> no reason to believe (or at least not yet <g>) that this is the
> requirement in OP's situation.
>
> "Dominick Baier [DevelopMentor]"
> <dbaier@pleasepleasenospamdevelop.com> wrote in message
> news:700746632588307916458732@news.microsoft.com...
>
>> Hello mr.mike.w***@gmail.com,
>>
>> by default - a LUA is not allowed to create event logs and sources -
>> run this from a console app which has admin privs - writing to this
>> Log afterwards is not a problem. There are also some registry ACLs to
>> tweak to make this work even under LUA - but I wouldn't recommend
>> that (if you absolutely need them, ping me)
>>
>> ---------------------------------------
>> Dominick Baier - DevelopMentor
>> http://www.leastprivilege.com
>>> I'm trying to do the following on an x64 Pro system running in a
>>> Least Privilege User Account.
>>>
>>> (C#)
>>> EventLog eventLog = new EventLog("MyLog", ".", "MyLog");
>>> ----------
>>> I get a security exception with the following text.
>>> System.Security.SecurityException: Requested registry access is not
>>> allowed. at Microsoft.Win32.RegistryKey.OpenSubKey(String name,
>>> Boolean writable)
>>>
>>> Is there anything I can declare in my code to get around this or is
>>> this just a limitation of a LUA?
>>>
Author
5 Aug 2005 11:15 AM
Nicole Calinoiu
In addition to what Dominick has already said, you may want to consider
creating the event log via your application's installer since that is a
context in which you can reasonably require use of an admin account.


<mr.mike.w***@gmail.com> wrote in message
news:1123206702.786183.65230@g14g2000cwa.googlegroups.com...
> I'm trying to do the following on an x64 Pro system running in a Least
> Privilege User Account.
>
> (C#)
> EventLog eventLog = new EventLog("MyLog", ".", "MyLog");
> ----------
>
> I get a security exception with the following text.
>
> System.Security.SecurityException: Requested registry access is not
> allowed. at Microsoft.Win32.RegistryKey.OpenSubKey(String name, Boolean
> writable)
>
> Is there anything I can declare in my code to get around this or is
> this just a limitation of a LUA?
>
Author
5 Aug 2005 12:44 PM
mr.mike.ward
I thought this might be the case. Thanks guys.
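
The split recommended in this thread, sketched as an added example (not code posted by any participant): an elevated install step registers the log and source once, and the application then only writes to it under the least-privilege account. The "MyLog" names come from the original post; the class name, the --install switch and the exit codes are assumptions made for illustration.

```csharp
using System;
using System.Diagnostics;
using System.Security;
using System.Security.Principal;

static class EventLogSetup
{
    const string LogName = "MyLog";     // log name from the original post
    const string SourceName = "MyLog";  // source name from the original post

    // Hypothetical usage:
    //   EventLogSetup.exe --install   (elevated, at deployment time)
    //   EventLogSetup.exe             (as the least-privilege user)
    static int Main(string[] args)
    {
        if (args.Length == 1 && args[0] == "--install")
            return Install();
        return WriteAsLua();
    }

    static int Install()
    {
        var principal = new WindowsPrincipal(WindowsIdentity.GetCurrent());
        if (!principal.IsInRole(WindowsBuiltInRole.Administrator))
        {
            Console.Error.WriteLine("Run --install from an elevated prompt.");
            return 1;
        }
        // SourceExists walks every log's registry key, including Security,
        // so it is only called here, where admin rights are available.
        if (!EventLog.SourceExists(SourceName))
            EventLog.CreateEventSource(SourceName, LogName);
        return 0;
    }

    static int WriteAsLua()
    {
        try
        {
            // No SourceExists or CreateEventSource at run time: just write.
            EventLog.WriteEntry(SourceName, "Application started.",
                                EventLogEntryType.Information);
            return 0;
        }
        catch (SecurityException)
        {
            // The source was never registered, so the lookup fell through to
            // registry keys the least-privilege account cannot read.
            Console.Error.WriteLine("Event source missing; run the install step as admin.");
            return 2;
        }
    }
}
```

Keeping the registration in the installer leaves the registry ACLs under the EventLog key at their defaults, which is the outcome both replies argue for.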