Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to view Windows Event Log remotely with limited privileges

Tags:

windows-server-2003

event-log

To debug some code, I would like to view the Windows event log of a remote machine (target is Windows2003). With mmc.exe I can add the event log for a remote machine, but only if I have sufficient permissions. For this remote machine, they do not want to give me permissions to log in remotely (or admin privileges for that matter). Is there a specific permission I can be given to view the event log and not much else?

like image 892
Frank Schwieterman Avatar asked Jan 06 '09 18:01

Frank Schwieterman

4 Answers

On newer Windows versions (Windows 7, Windows Server 2008...) you can simply add the corresponding account to the built-in group Event Log Readers.

Source: Jane Lewis's Weblog on TechNet, Giving Non Administrators permission to read Event Logs Windows 2003 and Windows 2008

This source also describes an alternative if you need more fine-grained control.

(The OP asked for Windows 2003, where this method doesn't work, but as Windows Server 2003 is no longer supported, people might be interested in this method.)

like image 102
oefe Avatar answered Nov 13 '22 08:11

oefe

For the security log, users need the privilege "Manage auditing and security log"

For the system and applciation logs you should be able to read them as just a guest unless they have set the RestrictGuestAZccess value under the following registry keys: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\System HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Application

like image 31
Marcus Erickson Avatar answered Nov 13 '22 09:11

Marcus Erickson

One Option is to get a local ID that is on the remote local admin group.

Next, from your system, map to a drive on the remote server using the new remote local ID.

Create a new MMC from the Windows Run start menu - by typing in MMC /a

Add the EventView Snap-in

When it prompts you for local or remote server - put in the Host name of the server that you mapped to.

Tip: Windows uses established secure connection - if it can. Hence the map a drive trick work VERY well.

Please Note: I use this trick with WMI query(s) - hence the query never fails do to a timeout issue.

like image 26
user102015 Avatar answered Nov 13 '22 09:11

user102015

Joshua Flanagan outlined a process to delegate rights through modifying the security descriptor of the event logs.

like image 1
Colin Bowern Avatar answered Nov 13 '22 09:11

Colin Bowern
Sign in to Comment

Related questions

SHA256 not working even after hotfixes
SSL broken after modifying permissions on “Machine Keys” folder - Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error
How can I kill a process, using VBScript, started by a particular user
ASP.Net - It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level
Automate services restart in windows server 2003
Install ASP.NET 4.0 alongside ASP.NET 2.0 on IIS6
does favicon 404 affect performance
Tomcat 6.0.18 service will not start on a windows server

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!