Requested registry access is not allowed.

Guest

I am trying to write to the event log from ASP.NET, on Windows XP SP1.
As soon as I try to write an event (or even query the source with
EventLog.SourceExists() or EventLog.LogNameFromSourceName()) I get a
SecurityException "Requested registry access is not allowed.".

I have read the KB article associated with this error message, which
indicates the source needs to be created outside of ASP.NET. I created an
Installer class, and ran InstallUtil against it successfully. I even
verified the source was created by writing to it from a command-line program
(as opposed to ASP.NET).

I have also used Regedt32 to grant the local ASPNET account Full Control
permissions on the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog
registry key (and its children). I have rebooted the machine to make sure
the old permissions were not cached somewhere.

FYI, the event source writes to a custom event log (which was created by
running InstallUtil against my installer class).

The website is configured to allow Anonymous access, and I do not use
impersonation.
The exception details (I use a modified form of the EMAB to build the log
text) indicate the ThreadIdentityName is blank, and the WindowsIdentityName
is MACHINE\ASPNET.

What else needs to be done to allow ASP.NET to write to an event source in a
custom event log?
 
Steven Cheng[MSFT]

Hi Josh,

As for the problem you mentioned, I also find it a bit strange, since you've
done all the general steps for the asp.net eventlog issue. Also, as you
currently still receive the "access denied" error, I suggest that you
try the following things:
1. Change the ASP.NET process account (in the <processModel> element in
machine.config) from machine\aspnet to SYSTEM and see whether it can work.

2. If the Local SYSTEM account can work, there should still exist something
incorrect for the registry accessing.
I think you can use the regmon tool to have a look when calling the
eventlog-writing code in asp.net and verify whether it is still the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog key that
causes the problem.

If there is any new finding, please feel free to post here.
Thanks.


Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
Guest

I used RegMon, and discovered it is definitely a registry security issue, but
I'm not sure how to resolve it. Here is the offending output from RegMon
(hopefully it is readable):

OpenKey HKLM\SYSTEM\CurrentControlSet\Services\EventLog SUCCESS Access: 0x20019
QueryKey HKLM\SYSTEM\CurrentControlSet\Services\EventLog SUCCESS Subkeys = 4
EnumerateKey HKLM\SYSTEM\CurrentControlSet\Services\EventLog SUCCESS Name: Application
EnumerateKey HKLM\SYSTEM\CurrentControlSet\Services\EventLog SUCCESS Name: Security
EnumerateKey HKLM\SYSTEM\CurrentControlSet\Services\EventLog SUCCESS Name: System
EnumerateKey HKLM\SYSTEM\CurrentControlSet\Services\EventLog SUCCESS Name: ValueChain
OpenKey HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application SUCCESS Access: 0x20019
OpenKey HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\VC Authorization NOTFOUND
CloseKey HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application SUCCESS
OpenKey HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security ACCDENIED Access: 0x20019 WXP-D20HT11\ASPNET

I am attempting to write to an event source "VC Authorization", in the
"ValueChain" custom log (not the Application log).
You can see that the access problem is on the EventLog\Security key. Should
it need access to the Security key, if I am writing to a custom log?
Something that might be related... when I originally created the event
source, I tried to create one called "Security", and associate it with my
custom "ValueChain" log. That failed, since the source "Security" already
existed (associated with the Security log) -- I didn't realize that sources
had to be unique across all logs. After that failed, I changed the source
name to "VC Authorization", and now get this error. I'm wondering if my
attempt to use the "Security" source has left remnants in my registry
somewhere, so attempts to write to my custom log still try to write to
Security as well. Is that possible? Is it possible to clean out these
associations? Of course, this could be complete unrelated. Any help would
be appreciated.
 
Steven Cheng[MSFT]

Hi Josh,

Thanks for your response. As you mentioned, you tried creating a
"Security" custom log under the EventLog entry and then changed to "VC
Authorization" after that, and it seems that after it, access to the
VC Authorization source is incorrectly redirected to the "Eventlog/Security"
entry and causes the "Access Denied"?

I'm not sure whether this is your problem's actual cause. But it is
not recommended that we create eventlog entries ourselves directly under the
EventLog entry. So I think you can try deleting your custom logs under the
EventLog node, also clear the other nodes you created under the
Application node, and try creating some new Application event sources to see
whether you can get them to work.

Thanks.


Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
Guest

Creating the event source mistakenly as "Security" is not the problem. I
tried running the code on a different computer - where I had not made the
mistake of trying to create a new "Security" event source - and I have the
same problem.

What do you mean it is not recommended that we create our own Event logs?
Is this documented somewhere? The Win32 API and the .NET Framework both
provide methods to create custom event logs, why would it not be recommended?

Creating event sources under the Application event log will not solve my
problem. I am trying to create an event source for a custom event log, as
the API provides.
 
Steven Cheng[MSFT]

Hi Josh,

Thanks for your followup. I'm sorry for my incorrect info on the
=============
it is not recommended that we create our own Event logs
=================
I mistook it for something else; please forget it.

Also, as for the current status of this issue, can I state it as below:

You're able to access the EventSource under the "Application" log after
following the guide in the
http://support.microsoft.com/?id=842795

kb article, but still fail when trying to access a custom EventLog under
the "\Service\EventLog" entry, yes? If so, I still think there are some
permission things we need to do. Currently I'll perform some local tests
on my side and will update you as soon as I get any findings. Also, if you
have any other update, please feel free to let me know. Thanks.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
Steven Cheng[MSFT]

Hi Josh,

Sorry for keeping you waiting. After some tests, it seems that generally it's
OK for us to write to a custom event source in an asp.net web application. I've
tested on an XP Pro (SP2) machine (with the 1.0 and 1.1 .NET Framework).

I logged on using an Administrator account and created a custom EventLog (also
with a source under it) under the Service\EventLog registry key via a
winform application.

#You receive the "Requested registry access is not allowed" error message
when you try to create a custom event log
http://support.microsoft.com/?id=842795

After that, I tried writing event entries into that custom log source in an
asp.net web application which didn't use impersonation or windows
authentication (just running under the local machine\aspnet account) and
that worked. Also, no security issues occurred from accessing the
"Security log". So currently I'm not sure whether there are any other steps
different from our creating process. Would you please try creating a new
custom log and writing an entry into it via the steps I mentioned above? Or you
can try it on another clean machine.
Please feel free let me know if you have any further updates or concerns.
Thanks.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
Guest

I am creating the custom event log and event source using an
EventLogInstaller and the InstallUtil.exe utility.
I changed my EventLogInstaller to create a new source in the Application
log. I then modified my assembly used by the ASP.NET website to write to
this new source, and it worked correctly.
I changed my EventLogInstaller back to its original state (creating a new
source in the custom "ValueChain" log). As part of the Installer class, I
have it write an entry to the new log, and it succeeds. I then update the
assembly used by the ASP.NET website to write to this new source (which goes
to a custom event log), run the website, and it fails with the "Requested
registry access is not allowed" exception.

I am not creating (and cannot create) my event source using a WinForms
application. Is there a difference between calling that CreateEventSource()
method, and using the EventLogInstaller class?

I am running .NET Framework 1.1 on WinXP PRO SP1.

I just tried following the steps in http://support.microsoft.com/?id=842795
under "Grant permission to create a custom event log". Instead of the Users
group, I used the ASPNET account. In addition, while on the "Advanced"
permissions tab, I checked the "Replace permission entries on all child
objects with entries shown here that apply to child objects" box. After
applying this change, I was able to successfully write to my custom event log
from ASP.NET.
However, I don't believe this is a valid solution. I effectively gave the
ASPNET account rights to create event sources, which was not the goal. The
intent of the EventLogInstaller class is to allow you to create custom
sources from an administrator account, so that code running under
lesser-privileged accounts (ASPNET) can use them. I should not need to give
the ASPNET account rights to create event sources, when I only need to write
to the event log.
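The separation Josh describes above (an administrator creates the log and the source once; the site account only writes) can be scripted from an elevated prompt with the same System.Diagnostics.EventLog API that EventLogInstaller wraps. The script below is an added example, not code from the thread or from the EMAB; the log name, source name and event ID 1001 are hypothetical values chosen to mirror the thread.

```powershell
# Added example, not code from the thread. Run from an elevated prompt on the
# web server: this is the one-time, administrator-side step an EventLogInstaller
# performs, so that the account the site runs as only ever writes entries.
# Log and source names are hypothetical, chosen to mirror the thread.
param(
    [string]$LogName    = 'ValueChain',
    [string]$SourceName = 'VC Authorization'
)

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Creating a source writes under HKLM\SYSTEM\...\Services\EventLog; run elevated.'
}

# Sources are unique across ALL logs (the "Security" collision from the thread):
# refuse to silently reuse a name that already belongs to a different log.
if ([System.Diagnostics.EventLog]::SourceExists($SourceName)) {
    $owner = [System.Diagnostics.EventLog]::LogNameFromSourceName($SourceName, '.')
    if ($owner -ne $LogName) {
        throw "Source '$SourceName' is already registered under log '$owner'; choose another name."
    }
    Write-Host "Source '$SourceName' already registered under '$LogName'; nothing to create."
} else {
    [System.Diagnostics.EventLog]::CreateEventSource($SourceName, $LogName)
    Write-Host "Created source '$SourceName' in log '$LogName'."
}

# Verify what actually landed in the registry: the log key, and the source as
# a subkey of that log (not of Application).
$logKey = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$LogName"
$srcKey = Join-Path -Path $logKey -ChildPath $SourceName
if (-not (Test-Path -Path $srcKey)) {
    throw "Expected $srcKey after CreateEventSource; the log/source mapping is wrong."
}
# EventMessageFile and CustomSource are the values the .NET implementation writes.
Get-ItemProperty -Path $srcKey | Format-List EventMessageFile, CustomSource

# Prove the source is usable from this context before handing it to the site.
# 1001 is an arbitrary event ID for the check.
[System.Diagnostics.EventLog]::WriteEntry($SourceName, 'Provisioning check', 'Information', 1001)
Write-Host 'Test entry written. The site account now needs write access only, not key creation.'
```

If the test entry appears in the Application log rather than the new log, the Event Log service has not picked up the newly created log yet; wait briefly (or restart the service) and run the write again before concluding the mapping is wrong.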
 
Steven Cheng[MSFT]

Hi Josh,

Yes, creating the custom log via winform or a custom Installer class
doesn't matter, since I've tested both and both are OK. Currently I'm
still thinking there may be something configured differently on your box. Is
your asp.net web application's Trust Level on that machine set to "Full"?
This can be configured in machine.config or overridden in the web.config file.
And only the "Full" level has unrestricted permission to the EventLog; see
below:

#ASP.NET Code Access Security
http://msdn.microsoft.com/library/en-us/cpguide/html/cpconaspnetcodeaccesssecurity.asp?frame=true

http://msdn.microsoft.com/library/en-us/cpguide/html/cpconaspnettrustlevelspolicyfiles.asp?frame=true

Also, you can try testing on some other XP machines to see whether the
asp.net app can write entries to CUSTOM LOG created via ourselves.
Hope helps. Thanks.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
Steven Cheng[MSFT]

Hi Josh,

Have you made any progress on this issue? If there is anything else we can
help with, please feel free to post here. Thanks.


Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
Guest

I am having a similar problem. Trying to deploy a .NET Windows Service that
unfortunately creates Event Log sources at runtime. It is outside of scope of
our project to fix the code, nor can we easily enumerate the number/names of
the sources that need creating. Historically, the solution the customer has
been using to date was to give the service account local admin membership.
Not a great idea.

To resolve this, I tried giving explicit permissions to the service account
on the EventLog and custom EventLog registry keys, however this did not work
(even with Full control being granted and inherited!). However, once I
checked the box "Replace permission entries on all child objects with entries
shown here that apply to child objects", I was able to successfully drop the
local admin memberships.

Am I missing something? What did checking this box do that I couldn't have
done explicitly? I have even looked for differences in security descriptors
and don't see what this box has changed. Any insight would be greatly
appreciated!

Thanks,
Chris
 
Alex Drougov

Hi Josh, Steven,

I had the exact same issue. It made me crazy, because another
application on my machine behaved nicely.

Now I hope I can help you:
Try to prefix the name of your event log with '.'.

And here is why:

EMAB. class DefaultPublisher. method VerifyValidSource.
the following line has a bug
if (!EventLog.SourceExists(applicationName))

It is looking for the event source simply by iterating through
all children entries of HKLM\SYSTEM\CurrentControlSet\Services\EventLog
in alphabetical order; as soon as it gets to the read-only 'Security'
.... well ... I guess, just to be secure, it stops right there

RegMon result on my machine is similar to Josh's...

It looks like starting event log names with a character in [T-Z] is not
an option ... for now. :(

Thanks,
AD
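Two diagnostics follow as an added example (not code from the thread, the EMAB or Microsoft). The first walks the Services\EventLog tree the way the RegMon trace above shows the source lookup doing it, in alphabetical order, but records the log keys the caller cannot open and keeps going, so a source under a log that sorts after "Security" (such as "ValueChain") is still found. The second answers Chris's question about why only "Replace permission entries on all child objects" made a difference: it reports, per log key, whether the key's DACL is protected from inheritance and which ACEs the given account actually holds there. Account, log and source names are hypothetical and mirror the thread; PowerShell is used as today's Windows admin shell, the registry layout being the same.

```powershell
# Added example, not code from the thread. Two diagnostics for the
# "Requested registry access is not allowed" failure on event-source lookup.
# Names below (account, log, source) are hypothetical, mirroring the thread.

$EventLogRoot = 'SYSTEM\CurrentControlSet\Services\EventLog'

function Find-EventSourceOwner {
    # Returns the log owning $SourceName plus the log keys that could not be opened.
    param([Parameter(Mandatory)][string]$SourceName)

    $root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($EventLogRoot)
    if ($null -eq $root) { throw "Cannot open HKLM\$EventLogRoot at all." }

    $owner = $null
    $unreadable = @()
    # Alphabetical, as in the RegMon trace: a walk that aborts on 'Security'
    # never reaches logs sorting after it, such as 'ValueChain'.
    foreach ($log in ($root.GetSubKeyNames() | Sort-Object)) {
        try {
            $logKey = $root.OpenSubKey($log)      # read-only open, like the trace's 0x20019
        } catch {
            # OpenSubKey throws SecurityException ("Requested registry access is
            # not allowed") when the DACL denies KEY_READ; note it and keep walking.
            $unreadable += $log
            continue
        }
        # A source is a subkey of the log that owns it.
        if ($logKey.GetSubKeyNames() -contains $SourceName) { $owner = $log }
        $logKey.Close()
    }
    $root.Close()
    [pscustomobject]@{ Source = $SourceName; Owner = $owner; UnreadableLogs = $unreadable }
}

function Get-EventLogKeyAccess {
    # Per log key: is the DACL protected (ignores ACEs granted on the parent, which
    # is what "Replace permission entries on all child objects" overrides), and
    # which ACEs apply to $Account, inherited or explicit.
    param([Parameter(Mandatory)][string]$Account)

    $root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($EventLogRoot)
    foreach ($log in ($root.GetSubKeyNames() | Sort-Object)) {
        $path = "HKLM:\$EventLogRoot\$log"
        try {
            $acl   = Get-Acl -Path $path -ErrorAction Stop
            $rules = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $Account })
            [pscustomobject]@{
                Log       = $log
                Protected = $acl.AreAccessRulesProtected
                Rights    = ($rules | ForEach-Object { "$($_.AccessControlType):$($_.RegistryRights)" }) -join ', '
                Inherited = ($rules | ForEach-Object { $_.IsInherited }) -join ', '
            }
        } catch {
            # READ_CONTROL is denied too: the key's DACL cannot even be inspected.
            [pscustomobject]@{ Log = $log; Protected = 'n/a (DACL not readable)'; Rights = ''; Inherited = '' }
        }
    }
    $root.Close()
}

# Usage: run as the low-privilege account (e.g. via runas) to reproduce the
# thread's symptom, then as an administrator to see the full ACL picture.
Find-EventSourceOwner -SourceName 'VC Authorization' | Format-List
Get-EventLogKeyAccess -Account "$env:COMPUTERNAME\ASPNET" | Format-Table -AutoSize
```

Run as the site account, the first function typically lists "Security" under UnreadableLogs while still reporting the custom log as the source's owner; that is exactly the lookup the trace above shows aborting. A log key reported with Protected = True has inheritance disabled, so an ACE added on the parent EventLog key never reaches it until the parent's ACL is pushed down with the "Replace permission entries on all child objects" option, which matches what Chris observed.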
 