Requested registry access is not allowed.

Discussion in 'ASP .Net Security' started by Web Developer, Oct 12, 2005.

  1. When errors occur in my ASP.Net apps, I write them to the application event
    log. However, I can't write to the log if my web app isn't registered as a
    valid EventLog source (as designated by the
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\
    registry key). If my app tries to create the key on-the-fly, I get a
    "Requested registry access is not allowed." exception.

    I tried creating a custom CASPOL permission set called LocalIntranetExtended
    that inherited from LocalIntranet and added a Registry permission with write
    and create options for the
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\
    key. Then I set the CASPOL LocalIntranet_Zone's permission set to
    LocalIntranetExtended, but it din't resolve the issue.

    How can I create a CASPOL policy to allow the W3WP.exe process to create
    registry entries under the following key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\?
    I don't want to create .reg files for each new web app to create the keys
    manually. I'd rather give permissions to the worker process to create them
    on the fly.

    Thank you!
    Web Developer, Oct 12, 2005
    #1
    1. Advertising

  2. Hello Web,

    you need admin privileges to create event sources.

    simply call CreateEventSource from a console app that runs as admin.


    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > When errors occur in my ASP.Net apps, I write them to the application
    > event log. However, I can't write to the log if my web app isn't
    > registered as a valid EventLog source (as designated by the
    > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Applicat
    > ion\ registry key). If my app tries to create the key on-the-fly, I
    > get a "Requested registry access is not allowed." exception.
    >
    > I tried creating a custom CASPOL permission set called
    > LocalIntranetExtended that inherited from LocalIntranet and added a
    > Registry permission with write and create options for the
    > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Applicat
    > ion\ key. Then I set the CASPOL LocalIntranet_Zone's permission set
    > to LocalIntranetExtended, but it din't resolve the issue.
    >
    > How can I create a CASPOL policy to allow the W3WP.exe process to
    > create registry entries under the following key:
    > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Applicat
    > ion\? I don't want to create .reg files for each new web app to
    > create the keys manually. I'd rather give permissions to the worker
    > process to create them on the fly.
    >
    > Thank you!
    >
    Dominick Baier [DevelopMentor], Oct 12, 2005
    #2
    1. Advertising

  3. Thanks for your reply.

    As I mentioned, I want to have the sources created automatically. My team
    builds tons of web apps, and I don't want to go through a manual registration
    process for each one.

    How can I provide registry privilages to the ASP.Net worker process
    (W3WP.exe)?

    Thanks again.
    Web Developer, Oct 12, 2005
    #3
  4. Hello Web,

    ok - what's wrong with running a exe on app installation time??

    anyway -

    Creating Event Sources
    If your application needs to create event sources, you need to ensure that
    the application's identity has the relevant permissions on the following
    registry key.

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog

    At minimum, your Web application process identity, which defaults to Network
    Service on Windows Server 2003, must have the following permissions on this
    registry key:

    Query key value
    Set key value
    Create subkey
    Enumerate subkeys
    Notify
    Read

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > Thanks for your reply.
    >
    > As I mentioned, I want to have the sources created automatically. My
    > team builds tons of web apps, and I don't want to go through a manual
    > registration process for each one.
    >
    > How can I provide registry privilages to the ASP.Net worker process
    > (W3WP.exe)?
    >
    > Thanks again.
    >
    Dominick Baier [DevelopMentor], Oct 12, 2005
    #4
  5. Because I'm lazy .. that what. :)

    Your suggestion worked. Thank you!

    Do you know of a way to accomplish the same thing using a CASPOL policy?

    Thanks again!
    Web Developer, Oct 12, 2005
    #5
  6. Hello Web,

    what do you want to do with CASPOL?
    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > Because I'm lazy .. that what. :)
    >
    > Your suggestion worked. Thank you!
    >
    > Do you know of a way to accomplish the same thing using a CASPOL
    > policy?
    >
    > Thanks again!
    >
    Dominick Baier [DevelopMentor], Oct 12, 2005
    #6
  7. Even though a SecurityException is thrown, the issue is not a CAS issue.
    CASPOL cannot help you here. It is a Windows security issue.

    Joe K.

    "Web Developer" <> wrote in message
    news:...
    > Because I'm lazy .. that what. :)
    >
    > Your suggestion worked. Thank you!
    >
    > Do you know of a way to accomplish the same thing using a CASPOL policy?
    >
    > Thanks again!
    Joe Kaplan \(MVP - ADSI\), Oct 13, 2005
    #7
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Gary
    Replies:
    2
    Views:
    1,250
    Jeffrey Tan[MSFT]
    Jan 17, 2004
  2. HK
    Replies:
    1
    Views:
    3,605
    Cowboy \(Gregory A. Beamer\)
    Apr 1, 2004
  3. Kovan A.
    Replies:
    0
    Views:
    989
    Kovan A.
    May 31, 2004
  4. =?Utf-8?B?Sm9zaCBGbGFuYWdhbg==?=

    Requested registry access is not allowed.

    =?Utf-8?B?Sm9zaCBGbGFuYWdhbg==?=, Oct 21, 2004, in forum: ASP .Net
    Replies:
    11
    Views:
    8,741
    Alex Drougov
    Nov 5, 2004
  5. Ray5531
    Replies:
    2
    Views:
    6,889
    Ray5531
    May 19, 2005
Loading...

Share This Page