"Requested registry access is not allowed" when writting to EventLog in Windows App

Doug Taylor · Sep 15, 2003

I have a C#.net Windows App (not a Web App) in which I try to write to
the EventLog. A special "minimal" user is set up to run the
application. Under 2000 the user had no problem with this task.
Under XP, the same user gets the SecurityException: Requested registry
access is not allowed.

The user is called "tris" and is defined only on the local machine. I
could find no way in "User Accounts" to grant him this access.

The special log file and source are previously set up by an account
with administrator privileges and the whole thing works fine for that
account.

I tried RegEdt32 and modified:
HKEY_LOCALMACHINE\System\CurrentControlSet\Services\EventLog\TRISClient
to give full permission to the tris user with no success.

A code snippet follows:

private void EventLogger( string sMsg, EventLogEntryType oType )
{
bool bHasPermissions = false;

try
{
// Determine if this user account has permissions to create a
source ...
try
{
EventLog.SourceExists("TRISClient");
bHasPermissions = true;
}
catch
{
bHasPermissions = false;
}

// If this user has permissions ...
if ( bHasPermissions )
{
if (!(EventLog.SourceExists("TRISClient")))
{
EventLog.CreateEventSource("TRISClient",
"TRISClient");
}
}
// Write to the event log
eventLog1.Source = "TRISClient";
eventLog1.Log = "TRISClient";

// Note: This is the line that generates the error for the basic user

eventLog1.WriteEntry(sMsg, oType);
}
catch ( Exception ex )
{
MessageBox.Show( ex.ToString(), "Error" );
}
}

BTW; If someone has a better way to determine whether the user has the
create permission, I'd like to see it.

Yan-Hong Huang[MSFT] · Sep 17, 2003

Hello Doug,

Thanks for posting in the group.

The reason of the problem is oblious. The account has no right to finish
the registry operation. You could code as the following:
{
EventLog eventLog = new EventLog(logName);
eventLog.Source = source;
try
{
eventLog.WriteEntry(message, EventLogEntryType.Error);
}
catch(ArgumentException e)
{
//Various. See MSDN
}
catch(InvalidOperationException e)
{
//The method attempted to open the event log with write access, but
you do not have write access to the log.
}
catch(Exception e)
{
//The registry entry for the Log could not be opened on a remote
computer.
}
}

Also, please use RegMon tool at www.sysinternals.com to monitor the system
to make sure which registry key is not allowed to be accessed in the
program.

Does that answer your question?

This response contains a reference to a third-party World Wide Web site.
Microsoft is providing this information as a convenience to you. Microsoft
does not control these sites and has not tested any software or information
found on these sites; therefore, Microsoft cannot make any representations
regarding the quality, safety, or suitability of any software or
information found there. There are inherent dangers in the use of any
software found on the Internet, and Microsoft cautions you to make sure
that you completely understand the risk before retrieving any software from
the Internet.

Best regards,
Yanhong Huang
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
!From: (e-mail address removed) (Doug Taylor)
!Newsgroups: microsoft.public.dotnet.framework
!Subject: "Requested registry access is not allowed" when writting to
EventLog in Windows App
!Date: 15 Sep 2003 08:15:49 -0700
!Organization: http://groups.google.com/
!Lines: 63
!Message-ID: <[email protected]>
!NNTP-Posting-Host: 148.134.37.3
!Content-Type: text/plain; charset=ISO-8859-1
!Content-Transfer-Encoding: 8bit
!X-Trace: posting.google.com 1063638952 14594 127.0.0.1 (15 Sep 2003
15:15:52 GMT)
!X-Complaints-To: (e-mail address removed)
!NNTP-Posting-Date: 15 Sep 2003 15:15:52 GMT
!Path:
cpmsftngxa07.phx.gbl!cpmsftngxa10.phx.gbl!TK2MSFTNGXA05.phx.gbl!TK2MSFTNGP08
.phx.gbl!news-out.cwix.com!newsfeed.cwix.com!tdsnet-transit!newspeer.tds.net
!sn-xit-02!sn-xit-06!sn-xit-09!supernews.com!postnews1.google.com!not-for-ma
il
!Xref: cpmsftngxa07.phx.gbl microsoft.public.dotnet.framework:53588
!X-Tomcat-NG: microsoft.public.dotnet.framework
!
!I have a C#.net Windows App (not a Web App) in which I try to write to
!the EventLog. A special "minimal" user is set up to run the
!application. Under 2000 the user had no problem with this task.
!Under XP, the same user gets the SecurityException: Requested registry
!access is not allowed.
!
!The user is called "tris" and is defined only on the local machine. I
!could find no way in "User Accounts" to grant him this access.
!
!The special log file and source are previously set up by an account
!with administrator privileges and the whole thing works fine for that
!account.
!
!I tried RegEdt32 and modified:
!HKEY_LOCALMACHINE\System\CurrentControlSet\Services\EventLog\TRISClient
!to give full permission to the tris user with no success.
!
!A code snippet follows:
!
!private void EventLogger( string sMsg, EventLogEntryType oType )
!{
! bool bHasPermissions = false;
!
! try
! {
! // Determine if this user account has permissions to create a
!source ...
! try
! {
! EventLog.SourceExists("TRISClient");
! bHasPermissions = true;
! }
! catch
! {
! bHasPermissions = false;
! }
!
! // If this user has permissions ...
! if ( bHasPermissions )
! {
! if (!(EventLog.SourceExists("TRISClient")))
! {
! EventLog.CreateEventSource("TRISClient",
!"TRISClient");
! }
! }
! // Write to the event log
! eventLog1.Source = "TRISClient";
! eventLog1.Log = "TRISClient";
!
!// Note: This is the line that generates the error for the basic user
!
! eventLog1.WriteEntry(sMsg, oType);
! }
! catch ( Exception ex )
! {
! MessageBox.Show( ex.ToString(), "Error" );
! }
!}
!
!
!BTW; If someone has a better way to determine whether the user has the
!create permission, I'd like to see it.
!

Doug Taylor · Sep 17, 2003

Yanhong Huang,

Thank you very much for your response. I have been able to find the
answer. The key was the Regmon tool from Sysinternals. Kudos to Mark
Russinovich and Bryce Cogswell for their product.

I had to give full access to the tris user for the following entries:

HKEY_LOCALMACHINE\System\CurrentControlSet\Services\EventLog\TRISClient
HKEY_LOCALMACHINE\System\CurrentControlSet\Services\EventLog\TRISClient\TRISClient

I had to give read access to the tris user for the following entries:

HKEY_LOCALMACHINE\System\CurrentControlSet\Services\EventLog\System
HKEY_LOCALMACHINE\System\CurrentControlSet\Services\EventLog\Security
HKEY_LOCALMACHINE\System\CurrentControlSet\Services\EventLog\Application
and
HKEY_LOCALMACHINE\System\CurrentControlSet\Services\EventLog

For some reason, every time I try to write to my event log, it always
tries to access the other three first.

Thanks again.

Yan-Hong Huang[MSFT] · Sep 18, 2003

Hello Doug,

You are welcome. It is my pleasure to be of assistance.

Thank you for participating the community.

Best regards,
Yanhong Huang
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
!From: (e-mail address removed) (Doug Taylor)
!Newsgroups: microsoft.public.dotnet.framework
!Subject: Re: "Requested registry access is not allowed" when writting to
EventLog in Windows App
!Date: 17 Sep 2003 07:53:59 -0700
!Organization: http://groups.google.com/
!Lines: 165
!Message-ID: <[email protected]>
!References: <[email protected]>
<[email protected]>
!NNTP-Posting-Host: 148.134.37.3
!Content-Type: text/plain; charset=ISO-8859-1
!Content-Transfer-Encoding: 8bit
!X-Trace: posting.google.com 1063810441 3960 127.0.0.1 (17 Sep 2003
14:54:01 GMT)
!X-Complaints-To: (e-mail address removed)
!NNTP-Posting-Date: 17 Sep 2003 14:54:01 GMT
!Path:
cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!news-out.cwix.com!insomnia!news!ne
wsfeed.cwix.com!tdsnet-transit!newspeer.tds.net!205.215.62.125.MISMATCH!in.1
00proofnews.com!in.100proofnews.com!pd2nf1so.cg.shawcable.net!residential.sh
aw.ca!sn-xit-03!sn-xit-01!sn-xit-09!supernews.com!postnews1.google.com!not-f
or-mail
!Xref: cpmsftngxa06.phx.gbl microsoft.public.dotnet.framework:53955
!X-Tomcat-NG: microsoft.public.dotnet.framework
!
!Yanhong Huang,
!
!Thank you very much for your response. I have been able to find the
!answer. The key was the Regmon tool from Sysinternals. Kudos to Mark
!Russinovich and Bryce Cogswell for their product.
!
!I had to give full access to the tris user for the following entries:
!
!HKEY_LOCALMACHINE\System\CurrentControlSet\Services\EventLog\TRISClient
!HKEY_LOCALMACHINE\System\CurrentControlSet\Services\EventLog\TRISClient\TRI
SClient
!
!I had to give read access to the tris user for the following entries:
!
!HKEY_LOCALMACHINE\System\CurrentControlSet\Services\EventLog\System
!HKEY_LOCALMACHINE\System\CurrentControlSet\Services\EventLog\Security
!HKEY_LOCALMACHINE\System\CurrentControlSet\Services\EventLog\Application
!and
!HKEY_LOCALMACHINE\System\CurrentControlSet\Services\EventLog
!
!For some reason, every time I try to write to my event log, it always
!tries to access the other three first.
!
!Thanks again.
!
[email protected] (Yan-Hong Huang[MSFT]) wrote in message
!> Hello Doug,
!>
!> Thanks for posting in the group.
!>
!> The reason of the problem is oblious. The account has no right to finish
!> the registry operation. You could code as the following:
!> {
!> EventLog eventLog = new EventLog(logName);
!> eventLog.Source = source;
!> try
!> {
!> eventLog.WriteEntry(message, EventLogEntryType.Error);
!> }
!> catch(ArgumentException e)
!> {
!> //Various. See MSDN
!> }
!> catch(InvalidOperationException e)
!> {
!> //The method attempted to open the event log with write access,
but
!> you do not have write access to the log.
!> }
!> catch(Exception e)
!> {
!> //The registry entry for the Log could not be opened on a remote
!> computer.
!> }
!> }
!>
!> Also, please use RegMon tool at www.sysinternals.com to monitor the
system
!> to make sure which registry key is not allowed to be accessed in the
!> program.
!>
!> Does that answer your question?
!>
!> This response contains a reference to a third-party World Wide Web site.
!> Microsoft is providing this information as a convenience to you.
Microsoft
!> does not control these sites and has not tested any software or
information
!> found on these sites; therefore, Microsoft cannot make any
representations
!> regarding the quality, safety, or suitability of any software or
!> information found there. There are inherent dangers in the use of any
!> software found on the Internet, and Microsoft cautions you to make sure
!> that you completely understand the risk before retrieving any software
from
!> the Internet.
!>
!> Best regards,
!> Yanhong Huang
!> Microsoft Online Partner Support
!>
!> Get Secure! - www.microsoft.com/security
!> This posting is provided "AS IS" with no warranties, and confers no
rights.
!>
!> --------------------
!> !From: (e-mail address removed) (Doug Taylor)
!> !Newsgroups: microsoft.public.dotnet.framework
!> !Subject: "Requested registry access is not allowed" when writting to
!> EventLog in Windows App
!> !Date: 15 Sep 2003 08:15:49 -0700
!> !Organization: http://groups.google.com/
!> !Lines: 63
!> !Message-ID: <[email protected]>
!> !NNTP-Posting-Host: 148.134.37.3
!> !Content-Type: text/plain; charset=ISO-8859-1
!> !Content-Transfer-Encoding: 8bit
!> !X-Trace: posting.google.com 1063638952 14594 127.0.0.1 (15 Sep 2003
!> 15:15:52 GMT)
!> !X-Complaints-To: (e-mail address removed)
!> !NNTP-Posting-Date: 15 Sep 2003 15:15:52 GMT
!> !Path:
!>
cpmsftngxa07.phx.gbl!cpmsftngxa10.phx.gbl!TK2MSFTNGXA05.phx.gbl!TK2MSFTNGP08
!>
phx.gbl!news-out.cwix.com!newsfeed.cwix.com!tdsnet-transit!newspeer.tds.net
!>
!sn-xit-02!sn-xit-06!sn-xit-09!supernews.com!postnews1.google.com!not-for-ma
!> il
!> !Xref: cpmsftngxa07.phx.gbl microsoft.public.dotnet.framework:53588
!> !X-Tomcat-NG: microsoft.public.dotnet.framework
!> !
!> !I have a C#.net Windows App (not a Web App) in which I try to write to
!> !the EventLog. A special "minimal" user is set up to run the
!> !application. Under 2000 the user had no problem with this task.
!> !Under XP, the same user gets the SecurityException: Requested registry
!> !access is not allowed.
!> !
!> !The user is called "tris" and is defined only on the local machine. I
!> !could find no way in "User Accounts" to grant him this access.
!> !
!> !The special log file and source are previously set up by an account
!> !with administrator privileges and the whole thing works fine for that
!> !account.
!> !
!> !I tried RegEdt32 and modified:
!> !HKEY_LOCALMACHINE\System\CurrentControlSet\Services\EventLog\TRISClient
!> !to give full permission to the tris user with no success.
!> !
!> !A code snippet follows:
!> !
!> !private void EventLogger( string sMsg, EventLogEntryType oType )
!> !{
!> ! bool bHasPermissions = false;
!> !
!> ! try
!> ! {
!> ! // Determine if this user account has permissions to create a
!> !source ...
!> ! try
!> ! {
!> ! EventLog.SourceExists("TRISClient");
!> ! bHasPermissions = true;
!> ! }
!> ! catch
!> ! {
!> ! bHasPermissions = false;
!> ! }
!> !
!> ! // If this user has permissions ...
!> ! if ( bHasPermissions )
!> ! {
!> ! if (!(EventLog.SourceExists("TRISClient")))
!> ! {
!> ! EventLog.CreateEventSource("TRISClient",
!> !"TRISClient");
!> ! }
!> ! }
!> ! // Write to the event log
!> ! eventLog1.Source = "TRISClient";
!> ! eventLog1.Log = "TRISClient";
!> !
!> !// Note: This is the line that generates the error for the basic user
!> !
!> ! eventLog1.WriteEntry(sMsg, oType);
!> ! }
!> ! catch ( Exception ex )
!> ! {
!> ! MessageBox.Show( ex.ToString(), "Error" );
!> ! }
!> !}
!> !
!> !
!> !BTW; If someone has a better way to determine whether the user has the
!> !create permission, I'd like to see it.
!> !
!