Writing to the Windows Event Log from an ASP.NET or ASP application fails.

Article ID: 2028427

SYMPTOMS

You have an ASP.NET or legacy ASP application running on Internet Information Services (IIS) 6.0 or later. The application logs events to the Windows event log. Writing to the event log fails with an error message similar to one of the following:

ASP.NET application

System.Security.SecurityException: Requested registry access is not allowed.

System.ComponentModel.Win32Exception: Access is denied

InvalidOperationException: Cannot open log for source 'Application'. You may not have write access.

Legacy ASP application

Permission Denied.


CAUSE

This problem occurs because, by default, the user token under which the request executes (for example the anonymous account or an impersonated user) does not hold the Write right in the security descriptor (DACL) of the event log that the application writes to. Each event log has its own DACL, and the default DACL does not list those accounts.



RESOLUTION

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756  How to back up and restore the registry in Windows

To grant the required permission to the thread identity, modify the security descriptor of the event log through the following registry values on the server. Select the value for the event log that your application writes to:


HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Application\CustomSD

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\System\CustomSD 


The CustomSD registry value is of type REG_SZ and contains a security descriptor in Security Descriptor Definition Language (SDDL) syntax. For more information about SDDL syntax, see the links in the More Information section below.

To construct an SDDL string, note that there are three distinct rights that pertain to event logs: Read, Write and Clear. They correspond to the following bits in the access-rights field (the third field) of the ACE string:

1 = Read
2 = Write
4 = Clear



Important: You can configure the security log in the same way. However, you can change only Read and Clear access permissions. Write access to the security log is reserved only for the Windows Local Security Authority (LSA).



The following sample shows the default CustomSD string for the Application log. The third field of each ACE, in hexadecimal, is the access mask:

O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x5;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x2;;;BA)(A;;0x2;;;LS)(A;;0x2;;;NS)

SDDL contains no whitespace. If you paste a string that has spaces after the semicolons, remove them before you store it.

Entry meanings:

O:BA Object owner is Built-in Administrators (BA).
G:SY Primary group is Local System (SY).
D: What follows is the DACL (access control entries), not the SACL (audit entries).
(D;;0xf0007;;;AN) Deny Anonymous (AN) all access: 0x7 = Read (1) + Write (2) + Clear (4), plus 0xf0000 = the standard rights DELETE, READ_CONTROL, WRITE_DAC and WRITE_OWNER. This is the first ACE in the DACL; ACEs are evaluated in order, so deny entries placed before the allow entries take precedence for the accounts they name.
(D;;0xf0007;;;BG) Deny Built-in Guests (BG) all access.
(A;;0xf0007;;;SY) Allow Local System (SY) Read, Write and Clear plus the standard rights.
(A;;0x5;;;BA) Allow Built-in Administrators (BA) Read and Clear (1 + 4).
(A;;0x7;;;SO) Allow Server Operators (SO) Read, Write and Clear.
(A;;0x3;;;IU) Allow Interactive Users (IU) Read and Write.
(A;;0x2;;;BA) Allow Built-in Administrators (BA) Write; together with the earlier BA entry, administrators hold Read, Write and Clear.
(A;;0x2;;;LS) Allow Local Service (LS) Write.
(A;;0x2;;;NS) Allow Network Service (NS) Write.



Add an ACE so that the identity your web page runs under can access the event log. Which identity that is depends on the IIS authentication mode and, for ASP.NET, on whether impersonation is enabled: with Anonymous authentication it is the IUSR account (or the custom anonymous account configured in IIS); with Windows Integrated authentication it is the authenticated user for legacy ASP (which always impersonates) and for ASP.NET when impersonation is turned on, so the Authenticated Users group needs the permission, or a specific account if impersonation is configured with a fixed user. Without impersonation, an ASP.NET request runs as the worker process identity, and that is the account to grant.

Append the entry to the existing CustomSD value of the event log that you selected; do not replace the existing entries. The last field of the ACE takes a two-letter SDDL alias or a SID string, not an account name.

For the Authenticated Users group (Windows Integrated authentication): (A;;0x3;;;AU), where AU = Authenticated Users.

For IUSR or the custom anonymous account (Anonymous authentication): find the SID of that account and create an entry such as (A;;0x3;;;S-1-5-21-1985444312-785446638-2839930158-1121), where the last field is the SID of the IUSR account on the machine used for this example. Substitute the SID from your own server.

For Windows authentication with ASP.NET impersonation turned on for a specific user account: find the SID of that impersonated account and create an entry such as (A;;0x3;;;S-1-5-21-1985444312-785446638-2839930158-1121), where the last field is the SID of the impersonated account.

To give a group or account Read permission, append the following to the end of the current CustomSD string:

(A;;0x1;;;<SID or alias of your group or account>)

To give a group or account Read and Write permission, append the following to the end of the current CustomSD string:

(A;;0x3;;;<SID or alias of your group or account>)

Grant no more than the application needs: Write (0x2) is enough to log events, Read lets the account read every entry in that log, and Clear lets it erase the log. Granting Write to a broad group such as Authenticated Users lets every member write arbitrary entries into the log; where you can, use the SID of the specific account the application runs as.


Windows Server 2008

Alternatively, on Windows Server 2008, if you want to give the users or groups in question read access to all event logs, you can add them to the built-in Event Log Readers group. That group grants Read only; if you do not want to give access to all event logs, or the application needs Write access, you still have to use SDDL, which you can apply with the wevtutil utility. The following example defines access to the System event log on Windows Server 2008:

1. Open a command prompt and run the following command to dump the configuration of the System log, including its SDDL, to a text file:

wevtutil gl system > C:\temp\out.txt


2. Open the text file and copy the channelAccess: entry

channelAccess: O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x1;;;AU)(A;;0x1;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;LS)(A;;0x2;;;NS)(A;;0x2;;;S-1-5-33)


3. Append the ACE for your user or group (built as described above) to this string, and run the following command to apply the new SDDL (replace O:BAG:XXXX with the string you created in the previous step):

wevtutil sl System /ca:O:BAG:XXXX


Note: The new setting takes effect after you edit the value and restart the computer. Be certain that you fully understand SDDL and the default permissions on each event log before you use this procedure, and test any change thoroughly before you implement it in a production environment: an incorrectly built ACL can leave the log inaccessible to everyone, including administrators.
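The following Python helper is an added illustration for the CustomSD steps above and for the Windows Server 2008 wevtutil procedure; it is not part of the original article and not a Microsoft tool. It parses the DACL of a CustomSD or channelAccess string, evaluates the Read/Write/Clear bits a token would receive (ACEs evaluated in order, so a deny placed first wins, as the Windows access check does), appends the ACE from the steps above, and builds the wevtutil command. The function names are the author's own; the alias-to-SID table is the standard well-known SID list; the sample strings are the ones quoted in this article, and the SID ending in -1121 is the article's placeholder account.

```python
"""Offline checker for event-log CustomSD / channelAccess SDDL strings (added example)."""
import re

READ, WRITE, CLEAR = 0x1, 0x2, 0x4   # event-log specific rights, as in the article's legend
STANDARD_RIGHTS = 0xF0000            # DELETE | READ_CONTROL | WRITE_DAC | WRITE_OWNER

# Two-letter SDDL aliases used in the article's strings, mapped to their well-known SIDs.
ALIASES = {
    "AN": "S-1-5-7",      "BG": "S-1-5-32-546", "SY": "S-1-5-18",
    "BA": "S-1-5-32-544", "SO": "S-1-5-32-549", "IU": "S-1-5-4",
    "SU": "S-1-5-6",      "AU": "S-1-5-11",     "LS": "S-1-5-19",
    "NS": "S-1-5-20",
}

# ACE string: (ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
_ACE = re.compile(r"\((\w);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")


def normalize(sddl):
    """Strip a 'channelAccess:' prefix (wevtutil gl output) and all whitespace.
    SDDL has no whitespace; spaces in a pasted string are copy artefacts."""
    sddl = sddl.strip()
    if sddl.lower().startswith("channelaccess:"):
        sddl = sddl.split(":", 1)[1]
    return re.sub(r"\s+", "", sddl)


def to_sid(trustee):
    """Resolve a two-letter alias to a SID; pass explicit S-1-... strings through."""
    return ALIASES.get(trustee, trustee)


def parse_dacl(sddl):
    """Return [(ace_type, access_mask, sid), ...] in DACL order."""
    m = re.match(r"O:(\w+)G:(\w+)D:[^(]*(.*)$", normalize(sddl))
    if not m:
        raise ValueError("expected O:<owner>G:<group>D:<aces> form")
    aces = []
    for ace_type, _flags, rights, _og, _iog, sid in _ACE.findall(m.group(3)):
        if ace_type not in ("A", "D"):
            raise ValueError("only access-allowed/denied ACEs are handled: " + ace_type)
        if not rights.lower().startswith("0x"):
            raise ValueError("only hexadecimal rights fields are handled: " + rights)
        aces.append((ace_type, int(rights, 16), to_sid(sid)))
    return aces


def effective_rights(sddl, token_sids):
    """Maximum-allowed evaluation in ACE order: a deny ACE removes bits that no earlier
    allow granted, an allow ACE adds bits not already denied.  Returns the event-log bits."""
    token = {to_sid(s) for s in token_sids}
    granted = denied = 0
    for ace_type, mask, sid in parse_dacl(sddl):
        if sid not in token:
            continue
        if ace_type == "D":
            denied |= mask & ~granted
        else:
            granted |= mask & ~denied
    return granted & (READ | WRITE | CLEAR)


def grant(sddl, trustee, rights):
    """Append an access-allowed ACE for `trustee` (SID or alias) to the end of the DACL."""
    if rights & ~(READ | WRITE | CLEAR):
        raise ValueError("only Read/Write/Clear bits may be granted here")
    return normalize(sddl) + "(A;;0x%x;;;%s)" % (rights, trustee)


def lockout_check(sddl):
    """Guard against the article's warning: Built-in Administrators must keep Read."""
    return bool(effective_rights(sddl, {"BA"}) & READ)


def wevtutil_command(log, sddl):
    """The command that applies a channelAccess string on Windows Server 2008."""
    return "wevtutil sl %s /ca:%s" % (log, normalize(sddl))


# Constructed inputs: the strings quoted in the article and its placeholder SID.
DEFAULT_APP_SD = ("O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x5;;;BA)"
                  "(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x2;;;BA)(A;;0x2;;;LS)(A;;0x2;;;NS)")
SYSTEM_2008_SD = ("channelAccess: O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x5;;;SO)(A;;0x1;;;IU)"
                  "(A;;0x1;;;AU)(A;;0x1;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;LS)(A;;0x2;;;NS)(A;;0x2;;;S-1-5-33)")
IUSR_SID = "S-1-5-21-1985444312-785446638-2839930158-1121"

if __name__ == "__main__":
    print(hex(effective_rights(DEFAULT_APP_SD, {IUSR_SID})))        # 0x0: why the write fails
    fixed = grant(DEFAULT_APP_SD, IUSR_SID, READ | WRITE)
    print(hex(effective_rights(fixed, {IUSR_SID})), lockout_check(fixed))
    print(effective_rights(grant(DEFAULT_APP_SD, "AN", WRITE), {"AN"}))  # 0: the deny ACE wins
    print(wevtutil_command("System", grant(SYSTEM_2008_SD, IUSR_SID, WRITE)))
```

Run it against your own string before applying a change: a zero result for the account in question reproduces the failure, and the deny-ACE case shows why appending an allow entry for Anonymous or Guests has no effect. In the default Application string, Local Service and Network Service already hold Write (0x2), which is why a worker process running under one of those accounts can log events while an anonymous or impersonated request cannot.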


MORE INFORMATION

How to set event log security locally or by using Group Policy in Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;323076

Event Log Security
http://technet.microsoft.com/en-us/library/cc722385(WS.10).aspx

Security Descriptor String Format 
http://msdn.microsoft.com/en-us/library/aa379570.aspx

CustomSD EventLog value 
http://msdn.microsoft.com/en-us/library/aa363648.aspx 

How To Log Events from Active Server Pages 
http://support.microsoft.com/kb/301309

Note: This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.

Properties

Article ID: 2028427 - Last Review: June 8, 2010 - Revision: 3.0
APPLIES TO
  • Microsoft Active Server Pages 4.0
  • Microsoft ASP.NET 2.0
  • Microsoft ASP.NET 3.5
  • Microsoft Internet Information Server 1.01
Keywords: 
KB2028427
