EventLog write permissions

Question

My question is related to write permissions to the Windows Event Log. I have looked around several posts concering this, and have found some ways to solve my problem, but none of these are acceptable for my current scenario.

I use C# in .NET 4.0. I use the EventLog class: EventLog class

In short, I need to see if there is a way to impersonate or authenticate with an authenticated user and password to reach the right I need to write to the Event Log. The server will always be in the Windows Server family, but the version may vary.

My application is a Windows Service running with one of the following accounts:

• Network Service
• Local Service
• Local System
• User with restricted rights (Users or Domain Users groups)

Here are some other criterias I have:

• I cannot put the service user as Administrator, not even local administrator on the server
• I cannot edit or alter the registry
• I cannot alter the UAC or any group policies on the server
• I have a user with Administrator rights, but it cannot be used to run the service
• The Event Log will always be the local Event Log, not on a remote machine
• The Log will probably always be the "Application" log
• The Source may vary, and that seems to be the heart of the problem

My question is : Is this at all possible?

Can I impersonate a user in my code to achieve what I need? I do that when connecting to web services, logging on to smtp servers and of courseclogging in to databases etc.

I stumbled into this class: EventLogPermission Class

But I cannot seem to get a good concept on how to use the class.

I hope I have expressed my problem good. I don't concider this a duplicate of another post because of my criterias.

Answer 1

By default, any authenticated user is able to write to application event log. However only administrators can create new event Sources. If all event Sources are known at the service installation time, I recommend register those sources ahead of time, then you will be all set up. Registering is a simple call to EventLog.CreateEventSource.

If you need more flexibility on event sources, you can customize permissions. Those defaults could be customized by tweaking a registry key:

  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Application\CustomSD 

A process described in this KB Article. A wevtutil tool, which is part of OS, available on Server 2008 and above, makes it a bit easier than going through regedit.

Answer 2

The answer showed to be "no".

I realize there are no good way of solving this the way I requested. There must be a manual job done.

So the solution I pick for this scenario is that customers who cannot run the service as an administrator or do a manual registry edit cannot use the functions around logging to event log. And I will make it possible to enable and disable the logging from the config.

Admin user and registry edit are known ways for me, but as stated something I was trying to avoid. But that is, as it seems, not possible according to my criterias this time.