Microsoft Knowledge Base Email Alertz
All KB/RSS Links  |  Hot Kb!  |  New Kb!  |  Scott Cate  |  FAQ / KB  |  Web Hosting  |  Unsubscribe  

KBAlertz.com: How to setup event log security programmatically using the .Net Framework

Receive Microsoft Knowledge Base articles by E-Mail?

Every night we scan the Microsoft Knowledge Base. If technologies you're interested in are updated, we'll send you an e-mail. You only get one e-mail a day, and only when new articles are added.
Click here to create a
FREE account
Already have an account?
[Click here to Login]

Search KbAlertz

Advanced Search

Webmasters
Put kbAlertz on your website.
[ Click Here for more! ]





ASP.NET 2.0 Web Hosting with SQL 2005: Click Here!
Discount ASP.NET Hosting

Bug Tracking Software
For bug tracking software or defect tracking software or issue tracking software, visit Axosoft.

Community Site


We Send hundreds of thousands of emails using ASP.NET Email


Expert Web Design & Graphic Design
Design44.com




Mentioned In







Microsoft Knowledge Base Article

This article contents is Microsoft Copyrighted material.
©2005-©2007 Microsoft Corporation. All rights reserved. Terms of Use | Trademarks



How to setup event log security programmatically using the .Net Framework

View products that this article applies to.
Article ID:953587
Last Review:May 23, 2008
Revision:1.0
Source: Microsoft Support

Back to the top

RAPID PUBLISHING

RAPID PUBLISHING ARTICLES PROVIDE INFORMATION DIRECTLY FROM WITHIN THE MICROSOFT SUPPORT ORGANIZATION. THE INFORMATION CONTAINED HEREIN IS CREATED IN RESPONSE TO EMERGING OR UNIQUE TOPICS, OR IS INTENDED SUPPLEMENT OTHER KNOWLEDGE BASE INFORMATION.

Back to the top

Action

Windows allows for customization of access rights to event logs.  If your environment requires this, you can use the .Net Framework to setup a custom security descriptor for event logs.

Back to the top

Resolution



The security of each event log is configured locally through the following registry value:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\LogName\CustomSD

The CustomSD registry value is of type REG_SZ and contains a security descriptor in Security Descriptor Definition Language (SDDL) form.  For more information on the expected format of the CustomSD value or SDDL, please see the links in the More Information section below.

You can use the .Net Framework to setup the security for the event log programmatically.  The following sample code shows how to accomplish this using the C#.  Note, an application must be running with administrator privileges to have write access to the CustomSD value since it resides under HKEY_LOCAL_MACHINE.

    public static class EventLogSecurity
    {
        // Event Log Registry path
        const string EventLogRegPath = @"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\";

        // Access Masks
        public const int CustomSD_READ_ACCESS = 0x1;
        public const int CustomSD_WRITE_ACCESS = 0x2;
        public const int CustomSD_CLEAR_ACCESS = 0x4;
        public const int CustomSD_ALL_ACCESS = 0x7;

        public static bool EventLogHasCustomSD(string logName)
        {
            return (ReferenceEquals(Registry.GetValue(EventLogRegPath + logName, "CustomSD", null), null) == false);
        }

        public static void CreateEventLogCustomSD(string logName)
        {
            // By default, give all local admins all access  
            SecurityIdentifier LocalAdminGroup = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
           
            // Setup the DACL
            DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, 1);
            dacl.AddAccess(AccessControlType.Allow, LocalAdminGroup, CustomSD_ALL_ACCESS, InheritanceFlags.None, PropagationFlags.None);

            // Create the Security Descriptor
            CommonSecurityDescriptor sd = new CommonSecurityDescriptor(false, false, ControlFlags.DiscretionaryAclPresent, LocalAdminGroup, LocalAdminGroup, null, dacl);
           
            // Save the SDDL into the CustomSD
            WriteEventLogCustomSD(logName, sd);           
        }

        public static CommonSecurityDescriptor GetSecDescForCurrentCustomSD(string logName)
        {
            string sddl = (string)Registry.GetValue(EventLogRegPath + logName, "CustomSD", null);
            if (ReferenceEquals(sddl, null))
                return null;
            return new CommonSecurityDescriptor(false, false, sddl);
        }

        public static void WriteEventLogCustomSD(string logName, CommonSecurityDescriptor sd)
        {
            WriteEventLogCustomSD(logName, sd.GetSddlForm(AccessControlSections.All));
        }
        public static void WriteEventLogCustomSD(string logName, string sddl)
        {
            Registry.SetValue(EventLogRegPath + logName, "CustomSD", sddl, RegistryValueKind.String);
        }

        public static void AddUserToEventLogCustomSD(string logName, string domain, string account, int mask)
        {
            // Create a SID for the user
            SecurityIdentifier RemoteUserSid = (SecurityIdentifier)(new NTAccount(domain, account).Translate(typeof(SecurityIdentifier)));

            AddUserToEventLogCustomSD(logName, RemoteUserSid, mask);           
        }

        public static void AddUserToEventLogCustomSD(string logName, SecurityIdentifier RemoteUserSid, int mask)
        {
            // Make sure we have a CustomSD in place
            if (!EventLogHasCustomSD(logName))
                CreateEventLogCustomSD(logName);

            // Get the current SD
            CommonSecurityDescriptor sd = GetSecDescForCurrentCustomSD(logName);

            // add the ACE
            sd.DiscretionaryAcl.AddAccess(AccessControlType.Allow, RemoteUserSid, mask, InheritanceFlags.None, PropagationFlags.None);

            // Save the SDDL into the CustomSD
            WriteEventLogCustomSD(logName, sd);
        }

        public static void RemoveUserFromEventLogCustomSD(string logName, string domain, string account)
        {
            // Create a SID for the user
            SecurityIdentifier RemoteUserSid = (SecurityIdentifier)(new NTAccount(domain, account).Translate(typeof(SecurityIdentifier)));

            RemoveUserFromEventLogCustomSD(logName, RemoteUserSid);
        }
        public static void RemoveUserFromEventLogCustomSD(string logName, SecurityIdentifier RemoteUserSid)
        {
            bool found = false;
            CommonAce foundAce = null;

            // Make sure we have a CustomSD in place, if not bail
            if (!EventLogHasCustomSD(logName))
                return;

            // get the current sd
            CommonSecurityDescriptor sd = GetSecDescForCurrentCustomSD(logName);

            // find the sid in the sd
            AceEnumerator it = sd.DiscretionaryAcl.GetEnumerator();
            while(it.MoveNext())
            {
                foundAce = it.Current as CommonAce;
                if (foundAce.SecurityIdentifier.Equals(RemoteUserSid))
                {
                    found = true;                   
                    break;
                }
            }

            // if not found, bail
            if (!found)
                return;

            // remove the ace for that sid
            sd.DiscretionaryAcl.RemoveAccessSpecific(AccessControlType.Allow, RemoteUserSid, foundAce.AccessMask, InheritanceFlags.None, PropagationFlags.None);

            // write out the CustomSD
            WriteEventLogCustomSD(logName, sd);
        }       
    }

Back to the top

More Information



Security Descriptor String Format 
    http://msdn.microsoft.com/en-us/library/aa379570.aspx (http://msdn.microsoft.com/en-us/library/aa379570.aspx)

CustomSD EventLog value 
    http://msdn.microsoft.com/en-us/library/aa363648.aspx (http://msdn.microsoft.com/en-us/library/aa363648.aspx) 

    

Back to the top

DISCLAIMER

MICROSOFT AND/OR ITS SUPPLIERS MAKE NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY, RELIABILITY OR ACCURACY OF THE INFORMATION CONTAINED IN THE DOCUMENTS AND RELATED GRAPHICS PUBLISHED ON THIS WEBSITE (THE “MATERIALS”) FOR ANY PURPOSE. THE MATERIALS MAY INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS AND MAY BE REVISED AT ANY TIME WITHOUT NOTICE.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, MICROSOFT AND/OR ITS SUPPLIERS DISCLAIM AND EXCLUDE ALL REPRESENTATIONS, WARRANTIES, AND CONDITIONS WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING BUT NOT LIMITED TO REPRESENTATIONS, WARRANTIES, OR CONDITIONS OF TITLE, NON INFRINGEMENT, SATISFACTORY CONDITION OR QUALITY, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THE MATERIALS.

Back to the top

APPLIES TO
•Microsoft .NET Framework 2.0
•Microsoft .NET Framework 3.0
•Microsoft .NET Framework 3.5

Back to the top

Keywords: 
kbnomt kbrapidpub KB953587

Back to the top

        

Community Feedback System

Very often, it takes hours to solve a problem. Very often, you've looked high and low, and have tried a lot of solutions. When you finally found it, chances are, it was because someone else helped you. Here's your chance to give back. Use our community feedback tool to let others know what worked for you and what didn't.

Please also understand that the community feedback system is not warranted to be correct, it's simply a system that we've built to let people try and help each other. If something in a feedback response doesn't make sense to you, or you're not comfortable making changes that the feedback talks about (like registry edits), please consult a professional.

Thank you for using kbAlertz.com Feedback System.

-- Scott Cate

Be the first to leave feedback, to help others about this knowledge base article.

(Optional) Name
(Optional) Public URL Or Email
Comments
No HTML -- Text Only Please

 



Copyright © 2002-2007 KBALERTZ.COM.  All Rights Reserved. Terms / PrivacyDiscount ASP.NET Hosting