|
security
newsgroups
|
|||||||||||||||||||||||
|
|||||||||||||||||||||||
Cannot open log for source {0}. You may not have write access. (Access right wanish after a while)I've tried to solve the problem for almost a week. Once when I reboot server or change SD settings in group policies or in registry it works few hours but next day the same error is back again (i've not yet get an idea how long this grant lasts). This seems to be very common problem with ASP.NET but I've this nyance of lost access right. Our server is Win 2003 with AD and it's domain controller of it's own domain. Each user is member of Domain Users group, and they log on with basic authentication scheme, so they are authenticated. It seems to be so that after reboot the service works fine for while. Our service is Web Service coded with C#. The error message we get is: Exception: System.InvalidOperationException Message: Cannot open log for source {0}. You may not have write access. Source: System at System.Diagnostics.EventLog.OpenForWrite() at System.Diagnostics.EventLog.WriteEvent(Int32 eventID, Int16 category, EventLogEntryType type, String[] strings, Byte[] rawData) at System.Diagnostics.EventLog.WriteEntry(String message, EventLogEntryType type, Int32 eventID, Int16 category, Byte[] rawData) at System.Diagnostics.EventLog.WriteEntry(String message, EventLogEntryType type, Int32 eventID, Int16 category) at System.Diagnostics.EventLog.WriteEntry(String message, EventLogEntryType type, Int32 eventID) at System.Diagnostics.EventLog.WriteEntry(String message, EventLogEntryType type) at MyServer_Facade.MyServer.MyProc(MyPar req) Nested Exception Exception: System.ComponentModel.Win32Exception Message: Access is denied "jblo" <jarmo.blomsterN0***@ccc.fi> wrote in message Are the event log ACLs being changed from their initial states? If so, it news:91t5e.142$Bw3.135@read3.inet.fi... > Hi, > > I've tried to solve the problem for almost a week. Once when I reboot > server > or change SD settings in group policies or in registry it works few hours > but next day the same error is back again (i've not yet get an idea how > long > this grant lasts). sounds like you need to identify the process that's responsible for the change. If not, could it be that the user context is changing? What does WindowsIdentity.GetCurrent return when the exception is thrown? Is this the expected user context, and is it the same as when event log entries are successfully written? Show quoteHide quote > > This seems to be very common problem with ASP.NET but I've this nyance of > lost access right. > Our server is Win 2003 with AD and it's domain controller of it's own > domain. > Each user is member of Domain Users group, and they log on with basic > authentication scheme, so they are authenticated. > It seems to be so that after reboot the service works fine for while. > Our service is Web Service coded with C#. > > The error message we get is: > > Exception: System.InvalidOperationException > Message: Cannot open log for source {0}. You may not have write access. > Source: System > at System.Diagnostics.EventLog.OpenForWrite() > at System.Diagnostics.EventLog.WriteEvent(Int32 eventID, Int16 category, > EventLogEntryType type, String[] strings, Byte[] rawData) > at System.Diagnostics.EventLog.WriteEntry(String message, > EventLogEntryType type, Int32 eventID, Int16 category, Byte[] rawData) > at System.Diagnostics.EventLog.WriteEntry(String message, > EventLogEntryType type, Int32 eventID, Int16 category) > at System.Diagnostics.EventLog.WriteEntry(String message, > EventLogEntryType type, Int32 eventID) > at System.Diagnostics.EventLog.WriteEntry(String message, > EventLogEntryType type) > at MyServer_Facade.MyServer.MyProc(MyPar req) > > Nested Exception > > Exception: System.ComponentModel.Win32Exception > Message: Access is denied > > > Are the event log ACLs being changed from their initial states? If so, it I can't get the idea. After reboot the access grant is valid, few hours> sounds like you need to identify the process that's responsible for the > change. later the validity is lost. The ACLs are not changed manually after reboot. > If not, could it be that the user context is changing? What does I can't get the idea behind this either. User is reauthenticated every time> WindowsIdentity.GetCurrent return when the exception is thrown? Is this the > expected user context, and is it the same as when event log entries are > successfully written? when the call is issued. I removed the SOAPScope and the WinPCap connected to that program from the system. I thougth that it may cause problems, but it does not. In Domain Controller Security Policy we have the following setting for application log: O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A ;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;AU)(A;;0x3;;;DU)(A;;0x3;;;SU)(A;;0x3;;;S-1 -5-3) The same setting is in Domain Security Policy and in registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security String: CustomSD Is there some other place that overrides these after a while? //Jarmo "jblo" <jarmo.blomsterN0***@ccc.fi> wrote in message Your initial post stated that when you "change SD settings in group policies news:Bhr6e.86$B97.12@read3.inet.fi... >> Are the event log ACLs being changed from their initial states? If so, >> it >> sounds like you need to identify the process that's responsible for the >> change. > I can't get the idea. After reboot the access grant is valid, few hours > later the validity is lost. The ACLs are not changed manually after > reboot. or in registry it works few hours". This suggests that there is some modified state from which you are reverting the settings. If so, what is that modified state? >> If not, could it be that the user context is changing? What does Yes, but the user context for the call to the event log isn't necessarily >> WindowsIdentity.GetCurrent return when the exception is thrown? Is this > the >> expected user context, and is it the same as when event log entries are >> successfully written? > I can't get the idea behind this either. User is reauthenticated every > time > when the call is issued. the user you think it is. Please verify this by checking the value of WindowsIdentity.GetCurrent from your code at the following times: 1. Under normal use, when an entry is successfully written to the log. 2. When the "Cannot open log for source..." exception is thrown. > I removed the SOAPScope and the WinPCap connected to that program from the Sounds like you're probably shooting in the dark here. Until you identify > system. > I thougth that it may cause problems, but it does not. the proximate problem (ACL changing vs user changing), identifying the underlying cause is probably going to be quite difficult. > Are you trying to write to the security event log? If not, then this > In Domain Controller Security Policy we have the following setting for > application log: > O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A > ;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;AU)(A;;0x3;;;DU)(A;;0x3;;;SU)(A;;0x3;;;S-1 > -5-3) > > The same setting is in Domain Security Policy > > and in registry: > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security > String: CustomSD particular registry setting should be irrelevant. If so, then you should consider switching to a custom event log so that you don't risk filling the security log with entries from your web application. > Is there some other place that overrides these after a while? Not by design on an machine with a more-or-less typical configuration.Show quoteHide quote > > //Jarmo > > > "Nicole Calinoiu" <calinoiu REMOVETHIS AT gmail DOT com> wrote in message OK, I need to be more precise, I'm sorry.news:%23F9gYioPFHA.2788@TK2MSFTNGP09.phx.gbl... > Your initial post stated that when you "change SD settings in group policies > or in registry it works few hours". This suggests that there is some > modified state from which you are reverting the settings. If so, what is > that modified state? Now I can get it working only by rebooting the server, it will work for a day after reboot and the problem arises again. The server is not yet in production so this is possible, but the problem shoud be solved before the production use starts. > Yes, but the user context for the call to the event log isn't necessarily How can I check that, I can't write the context to eventlog in case I have> the user you think it is. no access right. I'm pretty sure no-one touch the server during the nigth. Anyhow there is some bacground activity going on like backups, but perhaps that is not the problem. > Sounds like you're probably shooting in the dark here. Until you identify You are right, perhaps I'm getting confused with this problem> the proximate problem (ACL changing vs user changing), identifying the > underlying cause is probably going to be quite difficult. I've cheked the registry and file activity with sysinternals tools and there is no errors in FS ACL or registry. Do you mean File system ACL? What kind of User changes you have in your mind. What can possibly change without human interface. Remember that after the reboot the user and FS ACL seems to be ok. > Are you trying to write to the security event log? If not, then this Oh no, that is dreaded mistake, I removed it right away.> particular registry setting should be irrelevant. If so, then you should > consider switching to a custom event log so that you don't risk filling the > security log with entries from your web application. I just try to write to the Application-log and there is CustomSD like this: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A ;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;AU)(A;;0x3;;;DU)(A;;0x3;;;SU)(A;;0x3;;;S-1 -5-3) //Jarmo "jblo" <jarmo.blomsterN0***@ccc.fi> wrote in message <snip>news:X1w6e.222$B97.111@read3.inet.fi... >> Yes, but the user context for the call to the event log isn't necessarily Write it to the page. Write it to trace. Write it to stand-alone file >> the user you think it is. > How can I check that, I can't write the context to eventlog in case I have > no access right. intended for this purpose only. Write it to a database. Send it to yourself in an e-mail. There are lots of options... > I'm pretty sure no-one touch the server during the nigth. Anyhow there is It could be anything from a bug in IIS to a virus on your system. As I > some bacground activity going on like backups, but perhaps that is not the > problem. mentioned before, it would probably be best to stop guessing at the root cause until after you've identified the immediate problem. > You are right, perhaps I'm getting confused with this problem You should probably be looking for changes, not errors. When the problem > I've cheked the registry and file activity with sysinternals tools and > there > is no errors in FS ACL or registry. starts occurring, are the ACLs on the event log registry entries any different than they were when your code could write to the event log? > Do you mean File system ACL? All sorts of things can change after a system has been running for some > What kind of User changes you have in your mind. > What can possibly change without human interface. > Remember that after the reboot the user and FS ACL seems to be ok. time. Most things that can be changed via the UI can also be changed by almost any code running on a machine. Show quoteHide quote >> Are you trying to write to the security event log? If not, then this >> particular registry setting should be irrelevant. If so, then you should >> consider switching to a custom event log so that you don't risk filling > the >> security log with entries from your web application. > Oh no, that is dreaded mistake, I removed it right away. > I just try to write to the Application-log and there is CustomSD like > this: > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application > O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A > ;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;AU)(A;;0x3;;;DU)(A;;0x3;;;SU)(A;;0x3;;;S-1 > -5-3) > > //Jarmo > > "Nicole Calinoiu" <calinoiu REMOVETHIS AT gmail DOT com> wrote in message What is your opinion, how should I check this?news:eWisxTDPFHA.2728@TK2MSFTNGP15.phx.gbl... > Are the event log ACLs being changed from their initial states? If so, it > sounds like you need to identify the process that's responsible for the > change. > If not, could it be that the user context is changing? What does The user context seems to be the right one.> WindowsIdentity.GetCurrent return when the exception is thrown? Is this the > expected user context, and is it the same as when event log entries are > successfully written? I logged the WindowsIdentity.GetCurrent fields to log file and here are the results: When the problem is active (i.e. before reboot) 0 2005-04-12 10:19:21,859 [5596] eControlServer_Facade.eControlServer.putEventLogInfo(:0) putEventLogInfo - WindowsIdentity.GetCurrent().Name=[ECONTROL\pantse] 15 2005-04-12 10:19:21,875 [5596] eControlServer_Facade.eControlServer.putEventLogInfo(:0) putEventLogInfo - WindowsIdentity.GetCurrent().IsAnonymous=[False] 15 2005-04-12 10:19:21,875 [5596] eControlServer_Facade.eControlServer.putEventLogInfo(:0) putEventLogInfo - WindowsIdentity.GetCurrent().IsAuthenticated=[True] 15 2005-04-12 10:19:21,875 [5596] eControlServer_Facade.eControlServer.putEventLogInfo(:0) putEventLogInfo - WindowsIdentity.GetCurrent().IsGuest=[False] 15 2005-04-12 10:19:21,875 [5596] eControlServer_Facade.eControlServer.putEventLogInfo(:0) putEventLogInfo - WindowsIdentity.GetCurrent().IsSystem=[False] 15 2005-04-12 10:19:21,875 [5596] eControlServer_Facade.eControlServer.putEventLogInfo(:0) putEventLogInfo - WindowsIdentity.GetCurrent().Token=[840] After reboot: 187 2005-04-12 10:45:48,734 [5756] eControlServer_Facade.eControlServer.putEventLogInfo(:0) putEventLogInfo - WindowsIdentity.GetCurrent().Name=[ECONTROL\pantse] 187 2005-04-12 10:45:48,734 [5756] eControlServer_Facade.eControlServer.putEventLogInfo(:0) putEventLogInfo - WindowsIdentity.GetCurrent().IsAnonymous=[False] 187 2005-04-12 10:45:48,734 [5756] eControlServer_Facade.eControlServer.putEventLogInfo(:0) putEventLogInfo - WindowsIdentity.GetCurrent().IsAuthenticated=[True] 187 2005-04-12 10:45:48,734 [5756] eControlServer_Facade.eControlServer.putEventLogInfo(:0) putEventLogInfo - WindowsIdentity.GetCurrent().IsGuest=[False] 187 2005-04-12 10:45:48,734 [5756] eControlServer_Facade.eControlServer.putEventLogInfo(:0) putEventLogInfo - WindowsIdentity.GetCurrent().IsSystem=[False] 187 2005-04-12 10:45:48,734 [5756] eControlServer_Facade.eControlServer.putEventLogInfo(:0) putEventLogInfo - WindowsIdentity.GetCurrent().Token=[1208] I can't see any difference (except the token). Is there something else in the context that should be watched? //Jarmo Is ECONTROL\pantse a domain account or a local account on the web server?
Also, have you compared the pre- and post- problem ACLs yet? Show quoteHide quote "jblo" <jarmo.blomsterN0***@ccc.fi> wrote in message news:3eL6e.84$O21.26@read3.inet.fi... > > "Nicole Calinoiu" <calinoiu REMOVETHIS AT gmail DOT com> wrote in message > news:eWisxTDPFHA.2728@TK2MSFTNGP15.phx.gbl... >> Are the event log ACLs being changed from their initial states? If so, >> it >> sounds like you need to identify the process that's responsible for the >> change. > What is your opinion, how should I check this? > >> If not, could it be that the user context is changing? What does >> WindowsIdentity.GetCurrent return when the exception is thrown? Is this > the >> expected user context, and is it the same as when event log entries are >> successfully written? > > The user context seems to be the right one. > I logged the WindowsIdentity.GetCurrent fields to log file and here are > the > results: > When the problem is active (i.e. before reboot) > 0 2005-04-12 10:19:21,859 [5596] > eControlServer_Facade.eControlServer.putEventLogInfo(:0) putEventLogInfo > - WindowsIdentity.GetCurrent().Name=[ECONTROL\pantse] > 15 2005-04-12 10:19:21,875 [5596] > eControlServer_Facade.eControlServer.putEventLogInfo(:0) putEventLogInfo > - WindowsIdentity.GetCurrent().IsAnonymous=[False] > 15 2005-04-12 10:19:21,875 [5596] > eControlServer_Facade.eControlServer.putEventLogInfo(:0) putEventLogInfo > - WindowsIdentity.GetCurrent().IsAuthenticated=[True] > 15 2005-04-12 10:19:21,875 [5596] > eControlServer_Facade.eControlServer.putEventLogInfo(:0) putEventLogInfo > - WindowsIdentity.GetCurrent().IsGuest=[False] > 15 2005-04-12 10:19:21,875 [5596] > eControlServer_Facade.eControlServer.putEventLogInfo(:0) putEventLogInfo > - WindowsIdentity.GetCurrent().IsSystem=[False] > 15 2005-04-12 10:19:21,875 [5596] > eControlServer_Facade.eControlServer.putEventLogInfo(:0) putEventLogInfo > - WindowsIdentity.GetCurrent().Token=[840] > > After reboot: > 187 2005-04-12 10:45:48,734 [5756] > eControlServer_Facade.eControlServer.putEventLogInfo(:0) putEventLogInfo > - WindowsIdentity.GetCurrent().Name=[ECONTROL\pantse] > 187 2005-04-12 10:45:48,734 [5756] > eControlServer_Facade.eControlServer.putEventLogInfo(:0) putEventLogInfo > - WindowsIdentity.GetCurrent().IsAnonymous=[False] > 187 2005-04-12 10:45:48,734 [5756] > eControlServer_Facade.eControlServer.putEventLogInfo(:0) putEventLogInfo > - WindowsIdentity.GetCurrent().IsAuthenticated=[True] > 187 2005-04-12 10:45:48,734 [5756] > eControlServer_Facade.eControlServer.putEventLogInfo(:0) putEventLogInfo > - WindowsIdentity.GetCurrent().IsGuest=[False] > 187 2005-04-12 10:45:48,734 [5756] > eControlServer_Facade.eControlServer.putEventLogInfo(:0) putEventLogInfo > - WindowsIdentity.GetCurrent().IsSystem=[False] > 187 2005-04-12 10:45:48,734 [5756] > eControlServer_Facade.eControlServer.putEventLogInfo(:0) putEventLogInfo > - WindowsIdentity.GetCurrent().Token=[1208] > > I can't see any difference (except the token). > Is there something else in the context that should be watched? > > //Jarmo > > "Nicole Calinoiu" <calinoiu REMOVETHIS AT gmail DOT com> wrote in message It is member of Domain Users group, so it is Domain Account.news:eLbEHF5PFHA.2384@tk2msftngp13.phx.gbl... > Is ECONTROL\pantse a domain account or a local account on the web server? > Also, have you compared the pre- and post- problem ACLs yet? Not yet because I can't understand what ACLs you mean.I feel that, it is impossible to check the huge amount of ACL entries in the system. Can I consentrate on some ACLs? The file access seems to be OK in both cases. Maybe I should check more carefully the results of sysinternals filemon. I'll do that and post new message of the results. Nicole, I appreciate your patience very much. //Jarmo "jblo" <jarmo.blomsterN0***@ccc.fi> wrote in message <snip>news:Lq37e.63$5g2.31@read3.inet.fi... >> Also, have you compared the pre- and post- problem ACLs yet? The ACLs controlling access to the event log in question. The main one is> Not yet because I can't understand what ACLs you mean. the registry key at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\<EventLogName>. To be thorough, you should probably also check the ACL on the underlying event log file. > I feel that, it is impossible to check the huge amount of ACL entries in Running regmon would also be potentially useful since the call will never > the > system. > Can I consentrate on some ACLs? > The file access seems to be OK in both cases. > Maybe I should check more carefully the results of sysinternals filemon. reach the log file if access to the registry key is denied. While you're monitoring anyway, you may also want to check for any indications of locking problems with the underlying file for your event log. Show quoteHide quote > I'll do that and post new message of the results. > > Nicole, I appreciate your patience very much. > > //Jarmo > > "Nicole Calinoiu" <calinoiu REMOVETHIS AT gmail DOT com> wrote in message I think that I found something by regmon (see the event# 2066):news:uxWGMdBQFHA.2604@TK2MSFTNGP10.phx.gbl... > Running regmon would also be potentially useful since the call will never > reach the log file if access to the registry key is denied. Here is the error: 2049 4.55102824 w3wp.exe:5624 OpenKey HKCU NOTFOUND 2050 4.55106413 w3wp.exe:5624 OpenKey HKU\.Default SUCCESS 2051 4.55109947 w3wp.exe:5624 OpenKey HKU\.Default\Control Panel\International SUCCESS 2052 4.55112005 w3wp.exe:5624 CloseKey HKU\.Default SUCCESS 2053 4.55114751 w3wp.exe:5624 QueryValue HKU\.Default\Control Panel\International\Locale SUCCESS "0000040B" 2054 4.55116712 w3wp.exe:5624 CloseKey HKU\.Default\Control Panel\International SUCCESS 2055 4.55125807 w3wp.exe:5624 CloseKey HKCR SUCCESS 2056 4.55128447 w3wp.exe:5624 CloseKey HKCU SUCCESS 2057 4.55130566 w3wp.exe:5624 CloseKey HKCU SUCCESS 2058 4.55133725 w3wp.exe:5624 CloseKey HKCR SUCCESS 2059 4.55143869 w3wp.exe:5624 QueryKey HKCU SUCCESS Name: \REGISTRY\USER\S-1-5-20_CLASSES 2060 4.55146933 w3wp.exe:5624 OpenKey HKCU\CLSID\{228D9A82-C302-11CF-9AA4-00AA004A5691} NOTFOUND 2061 4.55150509 w3wp.exe:5624 OpenKey HKCR\CLSID\{228D9A82-C302-11CF-9AA4-00AA004A5691} SUCCESS 2062 4.55154258 w3wp.exe:5624 QueryKey HKCR\CLSID\{228D9A82-C302-11CF-9AA4-00AA004A5691} SUCCESS Name: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{228D9A82-C302-11cf-9AA4-00AA004A56 91} 2063 4.55158277 w3wp.exe:5624 OpenKey HKCU\CLSID\{228D9A82-C302-11cf-9AA4-00AA004A5691}\TreatAs NOTFOUND 2064 4.55160479 w3wp.exe:5624 OpenKey HKCR\CLSID\{228D9A82-C302-11CF-9AA4-00AA004A5691}\TreatAs NOTFOUND 2065 4.55163183 w3wp.exe:5624 QueryKey HKCU SUCCESS Name: \REGISTRY\USER\S-1-5-20_CLASSES 2066 4.55175423 w3wp.exe:5624 OpenKey HKCU ACCDENIED ECONTROL\pantse 2067 4.55180113 w3wp.exe:5624 OpenKey HKCR SUCCESS 2068 4.55181798 w3wp.exe:5624 CloseKey HKCR\CLSID\{228D9A82-C302-11CF-9AA4-00AA004A5691} SUCCESS 2069 4.55183520 w3wp.exe:5624 QueryKey HKCR SUCCESS Name: \REGISTRY\MACHINE\SOFTWARE\Classes 2070 4.55186386 w3wp.exe:5624 OpenKey HKCU\CLSID\{228D9A82-C302-11CF-9AA4-00AA004A5691} NOTFOUND 2071 4.55188541 w3wp.exe:5624 OpenKey HKCR\CLSID\{228D9A82-C302-11CF-9AA4-00AA004A5691} SUCCESS How do I now find the process that revokes the access right temporarily, because after reboot the right is granted back? After reboot, there is no such ACCDENIED entries in the regmon log. //Jarmo It's actually quite normal for non-admin accounts other than the interactive
user to be denied access to HKCU, and there's no reason that this denial should affect writing to the event log. I suspect that you might find the same denial occurring even when the event log writes are successful. Do you see any failures at all (access denied or otherwise) for anything on the HKLM\SYSTEM\CurrentControlSet\Services\Eventlog path? Show quoteHide quote "jblo" <jarmo.blomsterN0***@ccc.fi> wrote in message news:bWm7e.18$jt3.9@read3.inet.fi... > > "Nicole Calinoiu" <calinoiu REMOVETHIS AT gmail DOT com> wrote in message > news:uxWGMdBQFHA.2604@TK2MSFTNGP10.phx.gbl... >> Running regmon would also be potentially useful since the call will never >> reach the log file if access to the registry key is denied. > I think that I found something by regmon (see the event# 2066): > Here is the error: > 2049 4.55102824 w3wp.exe:5624 OpenKey HKCU NOTFOUND > 2050 4.55106413 w3wp.exe:5624 OpenKey HKU\.Default SUCCESS > 2051 4.55109947 w3wp.exe:5624 OpenKey HKU\.Default\Control > Panel\International SUCCESS > 2052 4.55112005 w3wp.exe:5624 CloseKey HKU\.Default SUCCESS > 2053 4.55114751 w3wp.exe:5624 QueryValue HKU\.Default\Control > Panel\International\Locale SUCCESS "0000040B" > 2054 4.55116712 w3wp.exe:5624 CloseKey HKU\.Default\Control > Panel\International SUCCESS > 2055 4.55125807 w3wp.exe:5624 CloseKey HKCR SUCCESS > 2056 4.55128447 w3wp.exe:5624 CloseKey HKCU SUCCESS > 2057 4.55130566 w3wp.exe:5624 CloseKey HKCU SUCCESS > 2058 4.55133725 w3wp.exe:5624 CloseKey HKCR SUCCESS > 2059 4.55143869 w3wp.exe:5624 QueryKey HKCU SUCCESS Name: > \REGISTRY\USER\S-1-5-20_CLASSES > 2060 4.55146933 w3wp.exe:5624 OpenKey > HKCU\CLSID\{228D9A82-C302-11CF-9AA4-00AA004A5691} NOTFOUND > 2061 4.55150509 w3wp.exe:5624 OpenKey > HKCR\CLSID\{228D9A82-C302-11CF-9AA4-00AA004A5691} SUCCESS > 2062 4.55154258 w3wp.exe:5624 QueryKey > HKCR\CLSID\{228D9A82-C302-11CF-9AA4-00AA004A5691} SUCCESS Name: > \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{228D9A82-C302-11cf-9AA4-00AA004A56 > 91} > 2063 4.55158277 w3wp.exe:5624 OpenKey > HKCU\CLSID\{228D9A82-C302-11cf-9AA4-00AA004A5691}\TreatAs NOTFOUND > 2064 4.55160479 w3wp.exe:5624 OpenKey > HKCR\CLSID\{228D9A82-C302-11CF-9AA4-00AA004A5691}\TreatAs NOTFOUND > 2065 4.55163183 w3wp.exe:5624 QueryKey HKCU SUCCESS Name: > \REGISTRY\USER\S-1-5-20_CLASSES > 2066 4.55175423 w3wp.exe:5624 OpenKey HKCU ACCDENIED ECONTROL\pantse > 2067 4.55180113 w3wp.exe:5624 OpenKey HKCR SUCCESS > 2068 4.55181798 w3wp.exe:5624 CloseKey > HKCR\CLSID\{228D9A82-C302-11CF-9AA4-00AA004A5691} SUCCESS > 2069 4.55183520 w3wp.exe:5624 QueryKey HKCR SUCCESS Name: > \REGISTRY\MACHINE\SOFTWARE\Classes > 2070 4.55186386 w3wp.exe:5624 OpenKey > HKCU\CLSID\{228D9A82-C302-11CF-9AA4-00AA004A5691} NOTFOUND > 2071 4.55188541 w3wp.exe:5624 OpenKey > HKCR\CLSID\{228D9A82-C302-11CF-9AA4-00AA004A5691} SUCCESS > > How do I now find the process that revokes the access right temporarily, > because after reboot the right is granted back? > > After reboot, there is no such ACCDENIED entries in the regmon log. > > //Jarmo > > "Nicole Calinoiu" <calinoiu REMOVETHIS AT gmail DOT com> wrote in message There is no ACCDENIED at all in OK case.news:OOTlDgOQFHA.1500@TK2MSFTNGP09.phx.gbl... > It's actually quite normal for non-admin accounts other than the interactive > user to be denied access to HKCU, and there's no reason that this denial > should affect writing to the event log. I suspect that you might find the > same denial occurring even when the event log writes are successful. In error case there is quite lot of ACCDENIED like: 9613 6.67599106 w3wp.exe:920 OpenKey HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\ECONTROL\MSSQLServer\CurrentVersion ACCDENIED ECONTROL\wsbts and 9866 6.69436411 w3wp.exe:920 CreateKey HKLM\SOFTWARE\Microsoft\MSSQLServer\Client\SuperSocketNetLib\LastConnect ACCDENIED ECONTROL\wsbts And once the 2066 4.55175423 w3wp.exe:5624 OpenKey HKCU ACCDENIED ECONTROL\pantse > Do you In the error case there is entries like:> see any failures at all (access denied or otherwise) for anything on the > HKLM\SYSTEM\CurrentControlSet\Services\Eventlog path? 2300 4.56403786 w3wp.exe:5624 OpenKey HKLM\SYSTEM\CurrentControlSet\Services\EventLog REPARSE 2301 4.56406584 w3wp.exe:5624 OpenKey HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS 2302 4.56409347 w3wp.exe:5624 QueryKey HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS Subkeys = 6 2303 4.56411436 w3wp.exe:5624 EnumerateKey HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS Name: Application 2304 4.56413188 w3wp.exe:5624 EnumerateKey HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS Name: Directory Service 2305 4.56414850 w3wp.exe:5624 EnumerateKey HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS Name: DNS Server 2306 4.56416525 w3wp.exe:5624 EnumerateKey HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS Name: File Replication Service 2307 4.56418143 w3wp.exe:5624 EnumerateKey HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS Name: Security 2308 4.56419762 w3wp.exe:5624 EnumerateKey HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS Name: System 2309 4.56422423 w3wp.exe:5624 OpenKey HKLM\SYSTEM\ControlSet001\Services\EventLog\Application SUCCESS 2310 4.56425171 w3wp.exe:5624 OpenKey HKLM\SYSTEM\ControlSet001\Services\EventLog\Application\eControlServer SUCCESS 2311 4.56427026 w3wp.exe:5624 CloseKey HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS 2312 4.56428460 w3wp.exe:5624 CloseKey HKLM\SYSTEM\ControlSet001\Services\EventLog\Application\eControlServer SUCCESS In the OK-case there is entries like: 2148 3.96112042 w3wp.exe:4296 OpenKey HKLM\SYSTEM\CurrentControlSet\Services\EventLog REPARSE 2149 3.96114665 w3wp.exe:4296 OpenKey HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS 2150 3.96117347 w3wp.exe:4296 QueryKey HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS Subkeys = 6 2151 3.96119397 w3wp.exe:4296 EnumerateKey HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS Name: Application 2152 3.96121122 w3wp.exe:4296 EnumerateKey HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS Name: Directory Service 2153 3.96122767 w3wp.exe:4296 EnumerateKey HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS Name: DNS Server 2154 3.96124411 w3wp.exe:4296 EnumerateKey HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS Name: File Replication Service 2155 3.96125993 w3wp.exe:4296 EnumerateKey HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS Name: Security 2156 3.96127606 w3wp.exe:4296 EnumerateKey HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS Name: System 2157 3.96130268 w3wp.exe:4296 OpenKey HKLM\SYSTEM\ControlSet001\Services\EventLog\Application SUCCESS 2158 3.96133093 w3wp.exe:4296 OpenKey HKLM\SYSTEM\ControlSet001\Services\EventLog\Application\eControlServer SUCCESS 2159 3.96134932 w3wp.exe:4296 CloseKey HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS 2160 3.96136367 w3wp.exe:4296 CloseKey HKLM\SYSTEM\ControlSet001\Services\EventLog\Application\eControlServer SUCCESS 2161 3.96138943 w3wp.exe:4296 CloseKey HKLM\SYSTEM\ControlSet001\Services\EventLog\Application SUCCESS 2162 3.96142832 w3wp.exe:4296 OpenKey HKLM\SYSTEM\CurrentControlSet\Services\EventLog REPARSE 2163 3.96144886 w3wp.exe:4296 OpenKey HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS I think that tells att least that HKLM\SYSTEM\CurrentControlSet\Services\EventLog can be opened in both cases. //Jarmo Is the ECONTROL\wsbts (as opposed to ECONTROL\pantse) account being used in
any way by your application? If so, how? Show quoteHide quote "jblo" <jarmo.blomsterN0***@ccc.fi> wrote in message news:Twt7e.175$jt3.28@read3.inet.fi... > > "Nicole Calinoiu" <calinoiu REMOVETHIS AT gmail DOT com> wrote in message > news:OOTlDgOQFHA.1500@TK2MSFTNGP09.phx.gbl... >> It's actually quite normal for non-admin accounts other than the > interactive >> user to be denied access to HKCU, and there's no reason that this denial >> should affect writing to the event log. I suspect that you might find >> the >> same denial occurring even when the event log writes are successful. > There is no ACCDENIED at all in OK case. > > In error case there is quite lot of ACCDENIED like: > 9613 6.67599106 w3wp.exe:920 OpenKey HKLM\SOFTWARE\Microsoft\Microsoft SQL > Server\ECONTROL\MSSQLServer\CurrentVersion ACCDENIED ECONTROL\wsbts > and > 9866 6.69436411 w3wp.exe:920 CreateKey > HKLM\SOFTWARE\Microsoft\MSSQLServer\Client\SuperSocketNetLib\LastConnect > ACCDENIED ECONTROL\wsbts > > > And once the > 2066 4.55175423 w3wp.exe:5624 OpenKey HKCU ACCDENIED ECONTROL\pantse > >> Do you >> see any failures at all (access denied or otherwise) for anything on the >> HKLM\SYSTEM\CurrentControlSet\Services\Eventlog path? > In the error case there is entries like: > 2300 4.56403786 w3wp.exe:5624 OpenKey > HKLM\SYSTEM\CurrentControlSet\Services\EventLog REPARSE > 2301 4.56406584 w3wp.exe:5624 OpenKey > HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS > 2302 4.56409347 w3wp.exe:5624 QueryKey > HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS Subkeys = 6 > 2303 4.56411436 w3wp.exe:5624 EnumerateKey > HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS Name: Application > 2304 4.56413188 w3wp.exe:5624 EnumerateKey > HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS Name: Directory > Service > 2305 4.56414850 w3wp.exe:5624 EnumerateKey > HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS Name: DNS Server > 2306 4.56416525 w3wp.exe:5624 EnumerateKey > HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS Name: File Replication > Service > 2307 4.56418143 w3wp.exe:5624 EnumerateKey > HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS Name: Security > 2308 4.56419762 w3wp.exe:5624 EnumerateKey > HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS Name: System > 2309 4.56422423 w3wp.exe:5624 OpenKey > HKLM\SYSTEM\ControlSet001\Services\EventLog\Application SUCCESS > 2310 4.56425171 w3wp.exe:5624 OpenKey > HKLM\SYSTEM\ControlSet001\Services\EventLog\Application\eControlServer > SUCCESS > 2311 4.56427026 w3wp.exe:5624 CloseKey > HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS > 2312 4.56428460 w3wp.exe:5624 CloseKey > HKLM\SYSTEM\ControlSet001\Services\EventLog\Application\eControlServer > SUCCESS > > In the OK-case there is entries like: > 2148 3.96112042 w3wp.exe:4296 OpenKey > HKLM\SYSTEM\CurrentControlSet\Services\EventLog REPARSE > 2149 3.96114665 w3wp.exe:4296 OpenKey > HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS > 2150 3.96117347 w3wp.exe:4296 QueryKey > HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS Subkeys = 6 > 2151 3.96119397 w3wp.exe:4296 EnumerateKey > HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS Name: Application > 2152 3.96121122 w3wp.exe:4296 EnumerateKey > HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS Name: Directory > Service > 2153 3.96122767 w3wp.exe:4296 EnumerateKey > HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS Name: DNS Server > 2154 3.96124411 w3wp.exe:4296 EnumerateKey > HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS Name: File Replication > Service > 2155 3.96125993 w3wp.exe:4296 EnumerateKey > HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS Name: Security > 2156 3.96127606 w3wp.exe:4296 EnumerateKey > HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS Name: System > 2157 3.96130268 w3wp.exe:4296 OpenKey > HKLM\SYSTEM\ControlSet001\Services\EventLog\Application SUCCESS > 2158 3.96133093 w3wp.exe:4296 OpenKey > HKLM\SYSTEM\ControlSet001\Services\EventLog\Application\eControlServer > SUCCESS > 2159 3.96134932 w3wp.exe:4296 CloseKey > HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS > 2160 3.96136367 w3wp.exe:4296 CloseKey > HKLM\SYSTEM\ControlSet001\Services\EventLog\Application\eControlServer > SUCCESS > 2161 3.96138943 w3wp.exe:4296 CloseKey > HKLM\SYSTEM\ControlSet001\Services\EventLog\Application SUCCESS > 2162 3.96142832 w3wp.exe:4296 OpenKey > HKLM\SYSTEM\CurrentControlSet\Services\EventLog REPARSE > 2163 3.96144886 w3wp.exe:4296 OpenKey > HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS > > I think that tells att least that > HKLM\SYSTEM\CurrentControlSet\Services\EventLog can be opened in both > cases. > > //Jarmo > > "Nicole Calinoiu" <calinoiu REMOVETHIS AT gmail DOT com> wrote in message ECONTROL\wsbts is account that is used for identity for application poolnews:us8PISPQFHA.2932@TK2MSFTNGP09.phx.gbl... > Is the ECONTROL\wsbts (as opposed to ECONTROL\pantse) account being used in > any way by your application? If so, how? that contains exposed web services of BizTalk2004 applications. They do not write to event log. In my web services the BTS web services are called after trying to write to the EventLog. //Jarmo If the account isn't used by you application, then the access denied errors
for actions taken by the account are unlikely to be causing problems in your account. Do you see any problems accessing anything on the HKLM\SYSTEM\CurrentControlSet\Services\Eventlog path? Show quoteHide quote "jblo" <jarmo.blomsterN0***@ccc.fi> wrote in message news:zCI8e.47$N_.42@read3.inet.fi... > > "Nicole Calinoiu" <calinoiu REMOVETHIS AT gmail DOT com> wrote in message > news:us8PISPQFHA.2932@TK2MSFTNGP09.phx.gbl... >> Is the ECONTROL\wsbts (as opposed to ECONTROL\pantse) account being used > in >> any way by your application? If so, how? > ECONTROL\wsbts is account that is used for identity for application pool > that contains exposed web services of BizTalk2004 applications. > They do not write to event log. In my web services the BTS web services > are > called after trying to write to the EventLog. > //Jarmo > > > "Nicole Calinoiu" <calinoiu REMOVETHIS AT gmail DOT com> wrote in message I can't see any problems only SUCCESS like:news:u5SsM9YRFHA.3824@TK2MSFTNGP10.phx.gbl... > If the account isn't used by you application, then the access denied errors > for actions taken by the account are unlikely to be causing problems in your > account. Do you see any problems accessing anything on the > HKLM\SYSTEM\CurrentControlSet\Services\Eventlog path? 2300 4.56403786 w3wp.exe:5624 OpenKey HKLM\SYSTEM\CurrentControlSet\Services\EventLog REPARSE 2301 4.56406584 w3wp.exe:5624 OpenKey HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS 2302 4.56409347 w3wp.exe:5624 QueryKey HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS Subkeys = 6 2303 4.56411436 w3wp.exe:5624 EnumerateKey HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS Name: Application 2304 4.56413188 w3wp.exe:5624 EnumerateKey HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS Name: Directory Service 2305 4.56414850 w3wp.exe:5624 EnumerateKey HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS Name: DNS Server 2306 4.56416525 w3wp.exe:5624 EnumerateKey HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS Name: File Replication Service 2307 4.56418143 w3wp.exe:5624 EnumerateKey HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS Name: Security 2308 4.56419762 w3wp.exe:5624 EnumerateKey HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS Name: System 2309 4.56422423 w3wp.exe:5624 OpenKey HKLM\SYSTEM\ControlSet001\Services\EventLog\Application SUCCESS 2310 4.56425171 w3wp.exe:5624 OpenKey HKLM\SYSTEM\ControlSet001\Services\EventLog\Application\eControlServer SUCCESS 2311 4.56427026 w3wp.exe:5624 CloseKey HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS 2312 4.56428460 w3wp.exe:5624 CloseKey HKLM\SYSTEM\ControlSet001\Services\EventLog\Application\eControlServer SUCCESS 2313 4.56431011 w3wp.exe:5624 CloseKey HKLM\SYSTEM\ControlSet001\Services\EventLog\Application SUCCESS Is eControlServer the source name your application is using for logging?
Show quoteHide quote "jblo" <jarmo.blomsterN0***@ccc.fi> wrote in message news:g%p9e.147$aq3.75@read3.inet.fi... > > "Nicole Calinoiu" <calinoiu REMOVETHIS AT gmail DOT com> wrote in message > news:u5SsM9YRFHA.3824@TK2MSFTNGP10.phx.gbl... >> If the account isn't used by you application, then the access denied > errors >> for actions taken by the account are unlikely to be causing problems in > your >> account. Do you see any problems accessing anything on the >> HKLM\SYSTEM\CurrentControlSet\Services\Eventlog path? > I can't see any problems only SUCCESS like: > 2300 4.56403786 w3wp.exe:5624 OpenKey > HKLM\SYSTEM\CurrentControlSet\Services\EventLog REPARSE > 2301 4.56406584 w3wp.exe:5624 OpenKey > HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS > 2302 4.56409347 w3wp.exe:5624 QueryKey > HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS Subkeys = 6 > 2303 4.56411436 w3wp.exe:5624 EnumerateKey > HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS Name: Application > 2304 4.56413188 w3wp.exe:5624 EnumerateKey > HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS Name: Directory > Service > 2305 4.56414850 w3wp.exe:5624 EnumerateKey > HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS Name: DNS Server > 2306 4.56416525 w3wp.exe:5624 EnumerateKey > HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS Name: File Replication > Service > 2307 4.56418143 w3wp.exe:5624 EnumerateKey > HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS Name: Security > 2308 4.56419762 w3wp.exe:5624 EnumerateKey > HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS Name: System > 2309 4.56422423 w3wp.exe:5624 OpenKey > HKLM\SYSTEM\ControlSet001\Services\EventLog\Application SUCCESS > 2310 4.56425171 w3wp.exe:5624 OpenKey > HKLM\SYSTEM\ControlSet001\Services\EventLog\Application\eControlServer > SUCCESS > 2311 4.56427026 w3wp.exe:5624 CloseKey > HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS > 2312 4.56428460 w3wp.exe:5624 CloseKey > HKLM\SYSTEM\ControlSet001\Services\EventLog\Application\eControlServer > SUCCESS > 2313 4.56431011 w3wp.exe:5624 CloseKey > HKLM\SYSTEM\ControlSet001\Services\EventLog\Application SUCCESS > >
Show quote
Hide quote
"Nicole Calinoiu" <calinoiu REMOVETHIS AT gmail DOT com> wrote in message
news:OWQVSRZRFHA.1236@TK2MSFTNGP14.phx.gbl... > Is eControlServer the source name your application is using for logging? Yes If you use regmon to display the process properties for the one of the
entries that touch HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\eControlServer, which user is shown as the process identity? Show quoteHide quote "jblo" <jarmo.blomsterN0***@ccc.fi> wrote in message news:Umr9e.187$aq3.29@read3.inet.fi... > > "Nicole Calinoiu" <calinoiu REMOVETHIS AT gmail DOT com> wrote in message > news:OWQVSRZRFHA.1236@TK2MSFTNGP14.phx.gbl... >> Is eControlServer the source name your application is using for logging? > Yes > > Just thought of an entirely different possibility... Are you by any chance
using any custom sections in your configuration file(s)? If so, might the problem described at http://support.microsoft.com/default.aspx?scid=kb;en-us;307513 be relevant? If not, do you see any indication of high CPU utilization once the problem starts occurring? Show quoteHide quote "jblo" <jarmo.blomsterN0***@ccc.fi> wrote in message news:Umr9e.187$aq3.29@read3.inet.fi... > > "Nicole Calinoiu" <calinoiu REMOVETHIS AT gmail DOT com> wrote in message > news:OWQVSRZRFHA.1236@TK2MSFTNGP14.phx.gbl... >> Is eControlServer the source name your application is using for logging? > Yes > > "Nicole Calinoiu" <calinoiu REMOVETHIS AT gmail DOT com> wrote in message I'm using log4net 1.2.0-beta8 and it needs custom configuration setting.news:%23350BCbRFHA.3824@TK2MSFTNGP10.phx.gbl... > Just thought of an entirely different possibility... Are you by any chance > using any custom sections in your configuration file(s)? If so, might the > problem described at > http://support.microsoft.com/default.aspx?scid=kb;en-us;307513 be relevant? > If not, do you see any indication of high CPU utilization once the problem > starts occurring? I'll check the CPU utilization tomorow if the problem persists. Anyhow it seems to me that the problem does persist until I touch the CustomSD in registry or reboot the machine, I can't see any CPU utilisation connection in my case, but I can of course check that. Today I released the CustomSD so that AN and BG users can write to the log, before I touched it the problem is on, rigth after the change the problem vanish. Yesteday i made the same changes with the exception that I changed it back so that AN and BG does not have any rigths to to the EventLog. After these change and change back it worked. Today in the morning I tried and the problem is back there. So it seems to me that when I touch the CustomSD the Logging works for a day and does not work in the next day. //Jarmo "jblo" <jarmo.blomsterN0***@ccc.fi> wrote in message <snip>news:yCt9e.263$aq3.146@read3.inet.fi... > I'm using log4net 1.2.0-beta8 and it needs custom configuration setting. Is the code that's initiating the event log write operation your own, or is it from log4net? In your original message, the exception details showed the call originating in the "MyServer_Facade.MyServer.MyProc(MyPar req)" method. Might you be able to post the relevant code from that procedure? Show quoteHide quote > I'll check the CPU utilization tomorow if the problem persists. Since any change (even one that restricts permissions) seems to result in a > Anyhow it seems to me that the problem does persist until I touch the > CustomSD in registry or reboot the machine, I can't see any CPU > utilisation connection in my case, but I can of course check that. > > Today I released the CustomSD so that AN and BG users can write to the > log, > before I touched it the problem is on, rigth after the change the problem > vanish. > Yesteday i made the same changes with the exception that I changed it back > so that AN and BG does not have any rigths to > to the EventLog. After these change and change back it worked. Today in > the > morning I tried and the problem is back there. > > So it seems to me that when I touch the CustomSD the Logging works for a > day > and does not work in the next day. "reset", I suspect that the effect might have more to do with patterns of resource use than with the actual permission grant. It's hard to be certain, but I think you might be chasing a red herring with all this toggling of the CustomSD value. > Since any change (even one that restricts permissions) seems to result in I'm very confused now. I wondering if am I the only one facing with thisa > "reset", I suspect that the effect might have more to do with patterns of > resource use than with the actual permission grant. problem, to my understanding we do not have anything "special" in our installation. The code that writes to log is here: private void putEventLogInfo(string message) { try { using (EventLog ev = new EventLog()) { ev.Source = "eControlServer"; ev.WriteEntry(message, EventLogEntryType.Information); ev.Close(); } } catch (Exception ex) { log.Error( "Can't write the activity information to log.", ex); } } > It's hard to be I thougth that I was chasing a solution to a problem, but it was a RED> certain, but I think you might be chasing a red herring with all this > toggling of the CustomSD value. HERRING. Anyhow the problem still exists, I wonder what I should be chasing next :-) "jblo" <jarmo.blomsterN0***@ccc.fi> wrote in message There are at least two aspects of your setup that lie outside standard news:VZlbe.70$hm3.14@read3.inet.fi... >> Since any change (even one that restricts permissions) seems to result in > a >> "reset", I suspect that the effect might have more to do with patterns of >> resource use than with the actual permission grant. > > I'm very confused now. I wondering if am I the only one facing with this > problem, to my understanding we > do not have anything "special" in our installation. usage: 1. Your web application is running on a domain controller. 2. You're using a beta version of a third-party component. Neither one is necessarily responsible for the problem, but you may also have other non-standard configurations that you aren't recognizing. Show quoteHide quote > The code that writes to log is here: Do you see the same problem if you perform this logging action via log4net? > private void putEventLogInfo(string message) { > > try { > > using (EventLog ev = new EventLog()) { > > ev.Source = "eControlServer"; > > ev.WriteEntry(message, EventLogEntryType.Information); > > ev.Close(); > > } > > } catch (Exception ex) { > > log.Error( "Can't write the activity information to log.", ex); > > } > > } (After all, what's the point of using a logging framework if you're not actually going to use it when your application needs to write to a log? <g>) > If you feel that you've exhausted all documented causes for similar >> It's hard to be >> certain, but I think you might be chasing a red herring with all this >> toggling of the CustomSD value. > I thougth that I was chasing a solution to a problem, but it was a RED > HERRING. > Anyhow the problem still exists, I wonder what I should be chasing next > :-) problems, perhaps it's time for a call to Microsoft Support Services? You might have better luck with some live troubleshooting help, particularly given the1 day lag times between problem manifestations... "Nicole Calinoiu" <calinoiu REMOVETHIS AT gmail DOT com> wrote in message 1. I chekecd the cpu utilization and it is just few percentage (<10%) so Inews:%23350BCbRFHA.3824@TK2MSFTNGP10.phx.gbl... > Just thought of an entirely different possibility... Are you by any chance > using any custom sections in your configuration file(s)? If so, might the > problem described at > http://support.microsoft.com/default.aspx?scid=kb;en-us;307513 be relevant? > If not, do you see any indication of high CPU utilization once the problem > starts occurring? think that it is not that case. 2. Regmon can't show the user for w3wp.exe (it shows message '<unable to open token>'). In the morning the problem exists again, but I havent yesterday changed the Domain Controller Policy or Domain Policy. When I change them it starts working again. (I gtanted access (read/write) to AN and BG). We have to wait until tomorrow to see if it works. //Jarmo "Nicole Calinoiu" <calinoiu REMOVETHIS AT gmail DOT com> wrote in message See previous mail.news:eLbEHF5PFHA.2384@tk2msftngp13.phx.gbl... > Is ECONTROL\pantse a domain account or a local account on the web server? > Also, have you compared the pre- and post- problem ACLs yet? I chencked the file activity with sysinternals filemon, and there is noonly: BUFFER OVERFLOW, END OF FILE, FAILURE, FILE NOT FOUND, NO MORE FILES, OK, PATH NOT FOUND, and SUCCESS notifications, but no ACCESS DENIED notifications in the log. Next I try to check if I can audit the ACL changes to Security log, I'll try to find out the way to do this.If you know the way, please let me know. //Jarmo Hi,
Perhaps this problem can't be solved. The system should be raised soon in production so I loose the restrictions a bit and allow AN and BG users to read/write Application EventLog. Now the EventLogging is possible, I'll see what hapens tomorrow. If this works, I think we can keep these rights open because we have authentication proxy server that gives us strong authentication mechanisms. If there is missuse detected, we can ban that user out of our system in authentication proxy level.I think we can live with that. W'll see what happens. //Jarmo 
Other interesting topics
local admin security question
AzMan threading problems How to run aspnet with system account web application can not access event log Difference between VS2003 / VS20005 causes CRYPTO BAD DATA excepti Cannot Run Application on Windows Server 2003 Rijndael decryption succeeds SOMETIMES Cannot run program from network drive Help How to add publisher condition ?? Question regarding in Forms authentication |
|||||||||||||||||||||||
