How to setup event log security programmatically using the .Net Framework

Source: Microsoft Support

RAPID PUBLISHING ARTICLES PROVIDE INFORMATION DIRECTLY FROM WITHIN THE MICROSOFT SUPPORT ORGANIZATION. THE INFORMATION CONTAINED HEREIN IS CREATED IN RESPONSE TO EMERGING OR UNIQUE TOPICS, OR IS INTENDED SUPPLEMENT OTHER KNOWLEDGE BASE INFORMATION.

Windows allows for customization of access rights to event logs.  If your environment requires this, you can use the .Net Framework to setup a custom security descriptor for event logs.

The security of each event log is configured locally through the following registry value:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\LogName\CustomSD

The CustomSD registry value is of type REG_SZ and contains a security descriptor in Security Descriptor Definition Language (SDDL) form.  For more information on the expected format of the CustomSD value or SDDL, please see the links in the More Information section below.

You can use the .Net Framework to setup the security for the event log programmatically.  The following sample code shows how to accomplish this using the C#.  Note, an application must be running with administrator privileges to have write access to the CustomSD value since it resides under HKEY_LOCAL_MACHINE.

    public static class EventLogSecurity
    {
        // Event Log Registry path
        const string EventLogRegPath = @"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\";

        // Access Masks
        public const int CustomSD_READ_ACCESS = 0x1;
        public const int CustomSD_WRITE_ACCESS = 0x2;
        public const int CustomSD_CLEAR_ACCESS = 0x4;
        public const int CustomSD_ALL_ACCESS = 0x7;

        public static bool EventLogHasCustomSD(string logName)
        {
            return (ReferenceEquals(Registry.GetValue(EventLogRegPath + logName, "CustomSD", null), null) == false);
        }

        public static void CreateEventLogCustomSD(string logName)
        {
            // By default, give all local admins all access  
            SecurityIdentifier LocalAdminGroup = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
           
            // Setup the DACL
            DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, 1);
            dacl.AddAccess(AccessControlType.Allow, LocalAdminGroup, CustomSD_ALL_ACCESS, InheritanceFlags.None, PropagationFlags.None);

            // Create the Security Descriptor
            CommonSecurityDescriptor sd = new CommonSecurityDescriptor(false, false, ControlFlags.DiscretionaryAclPresent, LocalAdminGroup, LocalAdminGroup, null, dacl);
           
            // Save the SDDL into the CustomSD
            WriteEventLogCustomSD(logName, sd);           
        }

        public static CommonSecurityDescriptor GetSecDescForCurrentCustomSD(string logName)
        {
            string sddl = (string)Registry.GetValue(EventLogRegPath + logName, "CustomSD", null);
            if (ReferenceEquals(sddl, null))
                return null;
            return new CommonSecurityDescriptor(false, false, sddl);
        }

        public static void WriteEventLogCustomSD(string logName, CommonSecurityDescriptor sd)
        {
            WriteEventLogCustomSD(logName, sd.GetSddlForm(AccessControlSections.All));
        }
        public static void WriteEventLogCustomSD(string logName, string sddl)
        {
            Registry.SetValue(EventLogRegPath + logName, "CustomSD", sddl, RegistryValueKind.String);
        }

        public static void AddUserToEventLogCustomSD(string logName, string domain, string account, int mask)
        {
            // Create a SID for the user
            SecurityIdentifier RemoteUserSid = (SecurityIdentifier)(new NTAccount(domain, account).Translate(typeof(SecurityIdentifier)));

            AddUserToEventLogCustomSD(logName, RemoteUserSid, mask);           
        }

        public static void AddUserToEventLogCustomSD(string logName, SecurityIdentifier RemoteUserSid, int mask)
        {
            // Make sure we have a CustomSD in place
            if (!EventLogHasCustomSD(logName))
                CreateEventLogCustomSD(logName);

            // Get the current SD
            CommonSecurityDescriptor sd = GetSecDescForCurrentCustomSD(logName);

            // add the ACE
            sd.DiscretionaryAcl.AddAccess(AccessControlType.Allow, RemoteUserSid, mask, InheritanceFlags.None, PropagationFlags.None);

            // Save the SDDL into the CustomSD
            WriteEventLogCustomSD(logName, sd);
        }

        public static void RemoveUserFromEventLogCustomSD(string logName, string domain, string account)
        {
            // Create a SID for the user
            SecurityIdentifier RemoteUserSid = (SecurityIdentifier)(new NTAccount(domain, account).Translate(typeof(SecurityIdentifier)));

            RemoveUserFromEventLogCustomSD(logName, RemoteUserSid);
        }
        public static void RemoveUserFromEventLogCustomSD(string logName, SecurityIdentifier RemoteUserSid)
        {
            bool found = false;
            CommonAce foundAce = null;

            // Make sure we have a CustomSD in place, if not bail
            if (!EventLogHasCustomSD(logName))
                return;

            // get the current sd
            CommonSecurityDescriptor sd = GetSecDescForCurrentCustomSD(logName);

            // find the sid in the sd
            AceEnumerator it = sd.DiscretionaryAcl.GetEnumerator();
            while(it.MoveNext())
            {
                foundAce = it.Current as CommonAce;
                if (foundAce.SecurityIdentifier.Equals(RemoteUserSid))
                {
                    found = true;                   
                    break;
                }
            }

            // if not found, bail
            if (!found)
                return;

            // remove the ace for that sid
            sd.DiscretionaryAcl.RemoveAccessSpecific(AccessControlType.Allow, RemoteUserSid, foundAce.AccessMask, InheritanceFlags.None, PropagationFlags.None);

            // write out the CustomSD
            WriteEventLogCustomSD(logName, sd);
        }       
    }

Security Descriptor String Format 
    http://msdn.microsoft.com/en-us/library/aa379570.aspx (http://msdn.microsoft.com/en-us/library/aa379570.aspx)

CustomSD EventLog value 
    http://msdn.microsoft.com/en-us/library/aa363648.aspx (http://msdn.microsoft.com/en-us/library/aa363648.aspx)  

    

MICROSOFT AND/OR ITS SUPPLIERS MAKE NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY, RELIABILITY OR ACCURACY OF THE INFORMATION CONTAINED IN THE DOCUMENTS AND RELATED GRAPHICS PUBLISHED ON THIS WEBSITE (THE “MATERIALS”) FOR ANY PURPOSE. THE MATERIALS MAY INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS AND MAY BE REVISED AT ANY TIME WITHOUT NOTICE.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, MICROSOFT AND/OR ITS SUPPLIERS DISCLAIM AND EXCLUDE ALL REPRESENTATIONS, WARRANTIES, AND CONDITIONS WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING BUT NOT LIMITED TO REPRESENTATIONS, WARRANTIES, OR CONDITIONS OF TITLE, NON INFRINGEMENT, SATISFACTORY CONDITION OR QUALITY, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THE MATERIALS.