
How to view Windows Event Log remotely with limited privileges

To debug some code, I would like to view the Windows event log of a remote machine (target is Windows2003). With mmc.exe I can add the event log for a remote machine, but only if I have sufficient permissions. For this remote machine, they do not want to give me permissions to log in remotely (or admin privileges for that matter). Is there a specific permission I can be given to view the event log and not much else?

Frank Schwieterman asked Jan 06 '09 18:01


4 Answers

On newer Windows versions (Windows 7, Windows Server 2008...) you can simply add the corresponding account to the built-in group Event Log Readers.

Source: Jane Lewis's Weblog on TechNet, Giving Non Administrators permission to read Event Logs Windows 2003 and Windows 2008

This source also describes an alternative if you need more fine-grained control.

(The OP asked for Windows 2003, where this method doesn't work, but as Windows Server 2003 is no longer supported, people might be interested in this method.)

oefe answered Nov 13 '22 08:11
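As an added example (not code from the answer above or from the TechNet post it cites), the PowerShell below shows the delegation this answer describes end to end: put a non-admin account in the built-in Event Log Readers group on the server, open the firewall rule group remote log reads need, and then verify from a workstation that the account can read the Security log and nothing more. It assumes Windows Server 2008 or later (the group does not exist on Windows Server 2003); `SRV01.corp.example` and `CORP\svc-logreader` are placeholders.

```powershell
# Added example, not code from the original answer: delegate read-only access to a
# server's event logs through the built-in "Event Log Readers" group, then verify
# the delegation from a workstation. Requires Windows Server 2008 or later.
# $Server and $Account are placeholders for your environment.

$Server  = 'SRV01.corp.example'    # placeholder: the machine whose logs you need
$Account = 'CORP\svc-logreader'    # placeholder: the non-admin account to delegate to

# ---- On the target server, in an elevated prompt ----
# Membership in Event Log Readers grants read (not write or clear) on every log,
# including Security, without administrator rights or an interactive logon.
net localgroup "Event Log Readers" $Account /add

# Confirm the membership took effect.
net localgroup "Event Log Readers"

# Remote log reads use RPC (TCP 135 plus a dynamic port); the server-side firewall
# rule group "Remote Event Log Management" must be enabled for them to get through.
netsh advfirewall firewall set rule group="Remote Event Log Management" new enable=yes

# ---- From the workstation, running as the delegated account ----
$cred = Get-Credential -UserName $Account -Message 'Password for the log reader account'

# Read the newest Security events. An account outside Event Log Readers gets
# "Access is denied" here, which is the expected least-privilege failure.
Get-WinEvent -ComputerName $Server -LogName 'Security' -MaxEvents 5 -Credential $cred |
    Select-Object TimeCreated, Id, ProviderName |
    Format-Table -AutoSize
```

The group is the coarse option: it grants read on every log on that machine. If the account should see only one log, editing that log's security descriptor (covered further down this page) is the finer-grained route.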


For the security log, users need the privilege "Manage auditing and security log".

For the system and application logs you should be able to read them as just a guest unless they have set the RestrictGuestAccess value under the following registry keys:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Application

Marcus Erickson answered Nov 13 '22 09:11
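The RestrictGuestAccess value this answer mentions is worth auditing rather than relying on: on legacy systems a missing or zero value means the System and Application logs are readable by guests, and the hardened state is 1. The script below is an added example (not from the answer) that reports the state of both keys named above and, guarded by `-WhatIf`, shows the change that would close them. It assumes it is run on the host itself with rights to read HKLM.

```powershell
# Added example, not code from the original answer: audit whether the System and
# Application logs still allow guest reads (RestrictGuestAccess missing or 0) and
# show the hardening change. Registry paths are the two keys from the answer.
# Assumption: run on the host itself; the -WhatIf makes the Set a dry run.

$LogKeys = @(
    'HKLM:\System\CurrentControlSet\Services\EventLog\System',
    'HKLM:\System\CurrentControlSet\Services\EventLog\Application'
)

function Get-GuestLogAccessState {
    param([string[]]$Keys)
    foreach ($key in $Keys) {
        # -ErrorAction SilentlyContinue: a missing value yields $null rather than an error
        $value = (Get-ItemProperty -Path $key -Name RestrictGuestAccess -ErrorAction SilentlyContinue).RestrictGuestAccess
        [pscustomobject]@{
            Log                 = Split-Path $key -Leaf
            RestrictGuestAccess = $value
            GuestReadAllowed    = (-not $value)   # $null or 0 -> guests may read this log
        }
    }
}

$state = Get-GuestLogAccessState -Keys $LogKeys
$state | Format-Table -AutoSize

# Hardening: set the value to 1 on every log that is still open to guests.
# Remove -WhatIf once the report above matches what you expect to change.
foreach ($entry in ($state | Where-Object GuestReadAllowed)) {
    $key = "HKLM:\System\CurrentControlSet\Services\EventLog\$($entry.Log)"
    Set-ItemProperty -Path $key -Name RestrictGuestAccess -Value 1 -Type DWord -WhatIf
}
```

Reading a log as a guest is the opposite of what the question asks for (a named, limited grant), so the practical use of this value is to confirm it is set to 1 and then delegate read access explicitly to the account that needs it.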


One option is to get a local ID that is on the remote local admin group.

Next, from your system, map to a drive on the remote server using the new remote local ID.

Create a new MMC from the Windows Run start menu - by typing in MMC /a

Add the Event Viewer snap-in.

When it prompts you for local or remote server, put in the host name of the server that you mapped to.

Tip: Windows uses an established secure connection if it can. Hence the map-a-drive trick works VERY well.

Please note: I use this trick with WMI query(s), hence the query never fails due to a timeout issue.

user102015 answered Nov 13 '22 09:11


Joshua Flanagan outlined a process to delegate rights through modifying the security descriptor of the event logs.

Colin Bowern answered Nov 13 '22 09:11
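To show what "modifying the security descriptor of the event logs" looks like in practice, here is an added example (not Joshua Flanagan's process and not code from this answer). It grants one account read-only access (access mask bit 0x1) to a single log by appending an ACE to the log's SDDL. On Windows Server 2008 and later the descriptor is the `channelAccess` string that `wevtutil gl` reports and `wevtutil sl /ca:` sets; on Windows Server 2003 the same SDDL is written to the `CustomSD` REG_SZ value under the log's EventLog registry key, which is the method the TechNet post cited earlier on this page describes. It assumes an elevated prompt on the server; `CORP\svc-logreader` is a placeholder, and nothing is written until `$Apply` is set to `$true`.

```powershell
# Added example, not code from the original answer: delegate read-only access to a
# single event log by extending its security descriptor, so the account never needs
# local admin. Event log access mask bits: 0x1 read, 0x2 write, 0x4 clear; only 0x1
# is granted here. Assumptions: elevated prompt on the server; $LogName, $Account
# and $Apply are placeholders.

$LogName = 'Application'
$Account = 'CORP\svc-logreader'   # placeholder account (or group) to delegate to
$Apply   = $false                 # set to $true to actually write the new descriptor

# SDDL ACEs carry SIDs (or well-known aliases), so resolve the account first.
$nt  = New-Object System.Security.Principal.NTAccount($Account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Read the current descriptor: "wevtutil gl" prints a "channelAccess: <SDDL>" line.
$line    = & wevtutil.exe gl $LogName | Where-Object { $_ -like 'channelAccess:*' }
$current = ($line -replace '^channelAccess:\s*', '').Trim()
if (-not $current) { throw "Could not read the channelAccess descriptor of $LogName" }

$readAce = "(A;;0x1;;;$sid)"
if ($current -like "*$readAce*") {
    Write-Output "Read ACE for $Account is already present on $LogName"
    return
}

# Append the ACE to the DACL, keeping any trailing SACL (S:...) section intact.
$dacl = $current; $sacl = ''
if ($current -match '^(.*D:[A-Z]*(?:\([^)]*\))*)(S:.*)$') { $dacl = $Matches[1]; $sacl = $Matches[2] }
$new = $dacl + $readAce + $sacl

Write-Output "Current : $current"
Write-Output "Proposed: $new"

if ($Apply) {
    # Windows Server 2008 and later: set the channel access descriptor in place.
    & wevtutil.exe sl $LogName "/ca:$new"
    # Windows Server 2003 equivalent, registry based (CustomSD under the log's key):
    # Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$LogName" -Name CustomSD -Value $new
    # Re-read to confirm the ACE is now part of the descriptor.
    & wevtutil.exe gl $LogName | Where-Object { $_ -like 'channelAccess:*' }
}
```

The dry run prints the current and proposed SDDL so the change can be reviewed (and kept for rollback) before it is applied; the granted mask is read only, so the delegated account still cannot write to or clear the log.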