Security - access to Event Viewer



I have the following code, which works fine and logs to the
Event Viewer regardless of whether the
<processModel/> section of machine.config is set to username="SYSTEM" or

---Start of test.aspx----
<%@ Page language="C#" AutoEventWireup="false" %>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<html>
<head><title> test</title></head>
<body>
<%
    // Inline render block: runs as the worker process account
    // (or as the impersonated account when impersonate="true").
    System.Diagnostics.EventLog objEventLog;
    try
    {
        if (!System.Diagnostics.EventLog.SourceExists("TESTSOURCE"))
        {
            // Registering a new source writes to the registry.
            // (Reconstructed: the original line here was lost in posting.)
            System.Diagnostics.EventLog.CreateEventSource("TESTSOURCE", "Application");
        }
        objEventLog = new System.Diagnostics.EventLog();
        objEventLog.Source = "TESTSOURCE";

        if ( objEventLog.Log.ToUpper() != "APPLICATION" )
            System.Console.WriteLine("Some other application is using the source!");

        // Write the test entry (reconstructed, see above).
        objEventLog.WriteEntry("test entry", System.Diagnostics.EventLogEntryType.Error);
    }
    catch (Exception e)
    {
        Response.Write(Server.HtmlEncode(e.ToString()));
    } //end try
%>
</body>
</html>
----End of test.aspx----
However, if I have some very similar code in a Logging.cs file as follows:

--Start of logging.cs--
using System;
using System.Diagnostics;

namespace website.classes
{
    public class Logging
    {
        private const string EVENT_SOURCE = "YJBWEBSITE";
        private const string EVENT_LOG = "Application";   // was misspelled "Applicaiton"

        public Logging()
        {
            //Default constructor
        }

        public static void LogEventViewer(string strMessage, EventLogEntryType objLogEntryType)
        {
            EventLog objEventLog;

            try
            {
                // SourceExists reads the EventLog registry key; this is the call
                // that throws "Requested registry access is not allowed".
                if (!EventLog.SourceExists(EVENT_SOURCE))
                {
                    // Reconstructed: the source-creation line was lost in posting.
                    EventLog.CreateEventSource(EVENT_SOURCE, EVENT_LOG);
                }
                objEventLog = new EventLog();
                objEventLog.Source = EVENT_SOURCE;

                if ( objEventLog.Log.ToUpper() != EVENT_LOG.ToUpper() )
                    System.Console.WriteLine("Some other application is using the source!");

                // Reconstructed: write the entry.
                objEventLog.WriteEntry(strMessage, objLogEntryType);
            }
            catch (Exception e)
            {
                // Reconstructed: rethrow so the calling page sees the error.
                throw;
            } //end try
        } //end LogEventViewer

        public static void LogError(string strMessage)
        {
            LogEventViewer(strMessage, EventLogEntryType.Error);
        }
    } //end class Logging
}
---end of logging.cs--

then, whenever I try to call Logging.LogError("an error message") from ASPX,
I get an error, and when I debug the code I find that it is failing on the
call to EventLog.SourceExists:
{"Requested registry access is not allowed." }
[System.Security.SecurityException]: {"Requested registry access is not
System.Object: {System.Security.SecurityException}
_className: null
_COMPlusExceptionCode: -532459699
_exceptionMethod: <undefined value>
_exceptionMethodString: null
_helpURL: null
_HResult: -2146233078
_innerException: { }
_message: "Requested registry access is not allowed."
_remoteStackIndex: 0
_remoteStackTraceString: null
_source: null
_stackTrace: {System.Array}
_stackTraceString: null
_xcode: -532459699
_xptrs: 0
HelpLink: null
HResult: -2146233078
InnerException: { }
Message: "Requested registry access is not allowed."
Source: "mscorlib"
StackTrace: " at Microsoft.Win32.RegistryKey.OpenSubKey(String name,
Boolean writable)\r\n at
System.Diagnostics.EventLog.FindSourceRegistration(String source, String
machineName, Boolean readOnly)\r\n at
System.Diagnostics.EventLog.SourceExists(String source, String
machineName)\r\n at System.Diagnostics.EventLog.SourceExists(String
source)\r\n at YJB_Website.classes.Logging.LogEventViewer(String
strMessage, EventLogEntryType objLogEntryType) in
c:\\inetpub\\wwwroot\\yjb_website\\classes\\logging.cs:line 74"
TargetSite: {System.Reflection.RuntimeMethodInfo}

The only way I could get this working is to set <processModel />,

But this is not desirable, as I don't want that high a level of access, and I am
surprised that the code works when run from ASPX but not from a class. Note
also that I have the following settings in machine.config:
<identity impersonate="false" userName="Domain\user"

Peter O'Reilly

- either do not specify an event source and your information will be written
to the application event log*
- give the aspnet worker process account administrative rights to the local

You can read more about it here, in this KB article:
PRB: "Requested Registry Access Is Not Allowed" Error Message When ASP.NET
Application Tries to Write New EventSource in the EventLog (KB 329291)

In general, is a good place to start
for troubleshooting such matters

*If you already have your custom event source created in the Event Viewer,
you may be able to write to it w/o admin privileges. IIRC, this may no
longer be the case with .NET v1.1. A simple test can confirm this.

Hope this helps. Good luck


Doesn't quite work!

I have done both of what is listed in KB 329291.

Having tried the first approach in the Microsoft article, it doesn't work, so I
deleted the key and tried the second approach. The second approach does the same as
the first approach, except that under
st, it created a String key called EventMessageFile, pointing to
C:\WINNT\Microsoft.NET\Framework\v1.1.4322\EventLogMessages.dll (this is on
Win2K SP4).

According to my Trace, the call to .WriteEvent failed with:
System.InvalidOperationException: Cannot open log for source {0}. You may
not have write access. ---> System.ComponentModel.Win32Exception: Access is
--- End of inner exception stack trace ---
at System.Diagnostics.EventLog.OpenForWrite()
at System.Diagnostics.EventLog.WriteEvent(Int32 eventID, Int16 category,
EventLogEntryType type, String[] strings, Byte[] rawData)
at System.Diagnostics.EventLog.WriteEntry(String message,
EventLogEntryType type, Int32 eventID, Int16 category, Byte[] rawData)
at System.Diagnostics.EventLog.WriteEntry(String message,
EventLogEntryType type, Int32 eventID, Int16 category)
at System.Diagnostics.EventLog.WriteEntry(String message,
EventLogEntryType type, Int32 eventID)
at System.Diagnostics.EventLog.WriteEntry(String message,
EventLogEntryType type)
at Website.classes.Logging.LogEventViewer(String strMessage,
EventLogEntryType objLogEntryType)System.InvalidOperationException: Cannot
open log for source {0}. You may not have write access. --->
System.ComponentModel.Win32Exception: Access is denied

Giving write+modify permission to IWAM_MachineName on
c:\winnt\system32\config\AppEvent.evt does not help solve the problem.

The code snippet is as follows:
EventLog objEventLog;
try
{
    objEventLog = new EventLog();
    objEventLog.Log = "Application";
    objEventLog.Source = "TEST";
    if ( objEventLog.Log.ToUpper() != "APPLICATION")
        System.Console.WriteLine("Some other application is using the source!");
    // Reconstructed: the WriteEntry call the trace above shows failing.
    objEventLog.WriteEntry("an error message", EventLogEntryType.Error);
}
catch (Exception e)
{
    Trace.Write(e.ToString());
} //end try

Steven Cheng[MSFT]

Hi Patrick,

Thanks for your effort and time!

I would like to restate the current status as follows. Please check whether I
have understood the problem correctly.

1. Now you are directly calling "WriteEntry" to add the event to the Event
Log. However, the error message still appears.

2. When you use impersonation on the Windows 2000 SP4 machine, the
test.aspx page works fine. However, without impersonation, it fails.

If I have misunderstood, please don't hesitate to let me know.

Patrick, as we have discussed, if we do not enable impersonation, the
default account (ASPNET on Windows 2000) for the ASP.NET worker process does not
have permission to create the new event log category. This is the cause of
the error message.

However, by default the account "ASPNET" has permission to add an event
item with "WriteEntry". The following code also works fine on my side. Can
you help to double-check with the following code on your side again?
Thanks for your help!

using System;
using System.Collections;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Web;
using System.Web.SessionState;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.HtmlControls;
using System.Diagnostics;

namespace eventtest
{
    /// <summary>
    /// Summary description for WebForm1.
    /// </summary>
    public class WebForm1 : System.Web.UI.Page
    {
        protected System.Web.UI.WebControls.Button Button1;

        private void Page_Load(object sender, System.EventArgs e)
        {
            // Put user code to initialize the page here
        }

        #region Web Form Designer generated code
        override protected void OnInit(EventArgs e)
        {
            // CODEGEN: This call is required by the ASP.NET Web Form Designer.
            InitializeComponent();
            base.OnInit(e);
        }

        /// <summary>
        /// Required method for Designer support - do not modify
        /// the contents of this method with the code editor.
        /// </summary>
        private void InitializeComponent()
        {
            this.Button1.Click += new System.EventHandler(this.Button1_Click);
            this.Load += new System.EventHandler(this.Page_Load);
        }
        #endregion

        private void Button1_Click(object sender, System.EventArgs e)
        {
            Logging.LogError("an error message");
        }
    }

    public class Logging
    {
        private const string EVENT_SOURCE = "YJBWEBSITE";
        private const string EVENT_LOG = "Application";   // was misspelled "Applicaiton"

        public Logging()
        {
            //Default constructor
        }

        public static void LogEventViewer(string strMessage, EventLogEntryType objLogEntryType)
        {
            EventLog objEventLog;

            try
            {
                // No SourceExists/CreateEventSource here: only an existing source
                // is used, so no registry write is needed.
                objEventLog = new EventLog();
                objEventLog.Source = "application";
                // Reconstructed: the WriteEntry call this post is testing.
                objEventLog.WriteEntry(strMessage, objLogEntryType);
            }
            catch (Exception e)
            {
                // Reconstructed: rethrow so the page sees the failure.
                throw;
            } //end try
        } //end LogEventViewer

        public static void LogError(string strMessage)
        {
            LogEventViewer(strMessage, EventLogEntryType.Error);
        }
    } //end class Logging
}

If there are any new findings, please feel free to let me know. Thanks!


Steven Cheng
Microsoft Online Support

Get Secure!
(This posting is provided "AS IS", with no warranties, and confers no rights.)

Get Preview at ASP.NET whidbey


I have added some Trace code, changed the code to do the logging in
Page_Load and tested (code appended below).

Note, it works on a (not very locked down) Windows XP Professional SP2
running IIS 5.1, but not on a fairly locked down Windows 2000 SP4 running
IIS 5.0. The exception from the trace is:
before writeSystem.InvalidOperationException: Cannot open log for source
{0}. You may not have write access. --->
System.ComponentModel.Win32Exception: Access is denied
--- End of inner exception stack trace ---
at System.Diagnostics.EventLog.OpenForWrite()
at System.Diagnostics.EventLog.WriteEvent(Int32 eventID, Int16 category,
EventLogEntryType type, String[] strings, Byte[] rawData)
at System.Diagnostics.EventLog.WriteEntry(String message,
EventLogEntryType type, Int32 eventID, Int16 category, Byte[] rawData)
at System.Diagnostics.EventLog.WriteEntry(String message,
EventLogEntryType type, Int32 eventID, Int16 category)
at System.Diagnostics.EventLog.WriteEntry(String message,
EventLogEntryType type, Int32 eventID)
at System.Diagnostics.EventLog.WriteEntry(String message,
EventLogEntryType type)
at eventtest.Logging.LogEventViewer(String strMessage, EventLogEntryType

As discussed previously, on the Win2K SP4 box:
1) The ACL has been completely relaxed on c:\winnt\system32\config\AppEvt.cfg
(the file for the Application Event
Log), to give Everyone Full Control of that file
2) The Event Source was entered as a Key under
3) It has the High Security Template for Domain Controller
(c:\winnt\security\hisecdc.inf) applied using the Security Configuration &
Analysis MMC snap-in.

What other security permissions are required just to write to the Event
Viewer? As you have suggested, and as stated in the reference above, the standard ASP.NET worker
process should have permission to write to the Event Viewer using an
existing event source!

- Standard AssemblyInfo and Global.asax files from an ASP.NET C# project in
Visual Studio 2003 Enterprise Architect.
---start of webform1.aspx----
<%@ Page language="c#" Codebehind="WebForm1.aspx.cs" AutoEventWireup="false"
Inherits="eventtest.WebForm1" %>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<html>
<head>
    <meta name="GENERATOR" Content="Microsoft Visual Studio .NET 7.1">
    <meta name="CODE_LANGUAGE" Content="C#">
    <meta name="vs_defaultClientScript" content="JavaScript">
    <meta name="vs_targetSchema"
</head>
<body MS_POSITIONING="GridLayout">
    <form id="Form1" method="post" runat="server">
        <asp:Button id="Button1" style="Z-INDEX: 101; LEFT: 168px;
            POSITION: absolute; TOP: 112px" runat="server"
            Text="test" Width="96px" Height="24px"></asp:Button>
    </form>
</body>
</html>
---end of webform1.aspx----

---start of webform1.aspx.cs----
using System;
using System.Collections;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Web;
using System.Web.SessionState;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.HtmlControls;
using System.Diagnostics;

namespace eventtest
{
    /// <summary>
    /// Summary description for WebForm1.
    /// </summary>
    public class WebForm1 : System.Web.UI.Page
    {
        protected System.Web.UI.WebControls.Button Button1;

        private void Page_Load(object sender, System.EventArgs e)
        {
            Logging.LogError("an error message");
            // Put user code to initialize the page here
        }

        #region Web Form Designer generated code
        override protected void OnInit(EventArgs e)
        {
            // CODEGEN: This call is required by the ASP.NET Web Form Designer.
            InitializeComponent();
            base.OnInit(e);
        }

        /// <summary>
        /// Required method for Designer support - do not modify
        /// the contents of this method with the code editor.
        /// </summary>
        private void InitializeComponent()
        {
            this.Load += new System.EventHandler(this.Page_Load);
        }
        #endregion
    }

    public class Logging
    {
        private const string EVENT_SOURCE = "TEST";
        private const string EVENT_LOG = "Application";

        public Logging()
        {
            //Default constructor
        }

        public static void LogEventViewer(string strMessage, EventLogEntryType objLogEntryType)
        {
            EventLog objEventLog;

            try
            {
                objEventLog = new EventLog();
                objEventLog.Source = EVENT_SOURCE;
                objEventLog.Log = EVENT_LOG;
                Trace.Write("before write");
                // Reconstructed: the WriteEntry call whose failure the trace shows.
                objEventLog.WriteEntry(strMessage, objLogEntryType);
                Trace.Write("after write");
            }
            catch (Exception e)
            {
                // Goes to the trace listener configured in Web.config.
                Trace.Write(e.ToString());
            } //end try
        } //end LogEventViewer

        public static void LogError(string strMessage)
        {
            LogEventViewer(strMessage, EventLogEntryType.Error);
        }
    } //end class Logging
}
---end of webform1.aspx.cs----

---Start of Web.config---
<?xml version="1.0" encoding="utf-8" ?>
<configuration>

  <system.diagnostics>
    <trace autoflush="true" indentsize="3">
      <listeners>
        <add name="myListener"
             initializeData="c:\\temp\\CMSTraceFile.txt" />
        <remove type="System.Diagnostics.DefaultTraceListener"/>
      </listeners>
    </trace>
  </system.diagnostics>

  <system.web>

    <!--
      Set compilation debug="true" to enable ASPX debugging. Otherwise,
      setting this value to false will improve runtime performance of this application.
      Set compilation debug="true" to insert debugging symbols (.pdb
      into the compiled page. Because this creates a larger file that
      more slowly, you should set this value to true only when debugging and to
      false at all other times. For more information, refer to the documentation about
      debugging ASP.NET files.
    -->

    <!--
      Set customErrors mode="On" or "RemoteOnly" to enable custom error
      messages, "Off" to disable.
      Add <error> tags for each of the errors you want to handle.

      "On" Always display custom (friendly) messages.
      "Off" Always display detailed ASP.NET error information.
      "RemoteOnly" Display custom (friendly) messages only to users not
      on the local Web server. This setting is recommended for security purposes, so
      that you do not display application detail information to remote
    -->

    <!--
      This section sets the authentication policies of the application.
      Possible modes are "Windows", "Forms", "Passport" and "None"

      "None" No authentication is performed.
      "Windows" IIS performs authentication (Basic, Digest, or
      Integrated Windows) according to its settings for the application.
      Anonymous access must be disabled in IIS.
      "Forms" You provide a custom form (Web page) for users to enter
      their credentials, and then you authenticate them in your application.
      A user credential token is stored in a cookie.
      "Passport" Authentication is performed via a centralized
      authentication service provided by Microsoft that offers a single logon
      and core profile services for member sites.
    -->
    <authentication mode="Windows" />

    <!--
      This section sets the authorization policies of the application.
      You can allow or deny access to application resources by user or role.
      Wildcards: "*" mean everyone, "?" means anonymous (unauthenticated) users.
    -->
    <authorization>
      <allow users="*" /> <!-- Allow all users -->
      <!-- <allow users="[comma separated list of users]"
                  roles="[comma separated list of roles]"/>
           <deny users="[comma separated list of users]"
                 roles="[comma separated list of roles]"/>
      -->
    </authorization>

    <!--
      Application-level tracing enables trace log output for every page
      within an application.
      Set trace enabled="true" to enable application trace logging. If
      pageOutput="true", the trace information will be displayed at the bottom
      of each page. Otherwise, you can view the application trace log by
      browsing the "trace.axd" page from your web application
    -->

    <!--
      By default ASP.NET uses cookies to identify which requests belong
      to a particular session.
      If cookies are not available, a session can be tracked by adding a
      session identifier to the URL.
      To disable cookies, set sessionState cookieless="true".
    -->

    <!--
      This section sets the globalization settings of the application.
    -->

  </system.web>
</configuration>
---End of web.config----


Environment - Windows 2000 SP4, IIS 5.0, domain controller, .NET Framework
1.1, High Security Template for Domain Controller applied

Running - Microsoft Content Management Server 2002 SP1A (ASP.NET
application), ASP application, SQL Server

What I have been doing:
1) Testing with the ASP.NET processModel, etc. to get ASP.NET to write to the
Event Viewer
2) Deploying a new COM+ which is used by a separate ASP application (it
2.1) Removing several classes from COM+, restarting the server, deleting the old
DLL, copying over the new DLL, installing the new DLL
2.2) Changing Domain Security Policy to lock out accounts after 4 invalid
logons, secedit /refreshpolicy machine_policy

Now, everything has stopped working!
In the System log:
Event Type: Error
Event Source: DCOM
Event Category: None
User: N/A
DCOM got error "Overlapped I/O operation is in progress. " and was unable to
logon .\IWAM_YJBWEBLIVE in order to run the server:

In Application Log:
Event Type: Error
Event Source: ASP.NET 1.1.4322.0
Event Category: None
Event ID: 1007
User: N/A
aspnet_wp.exe could not be launched because the username and/or password
supplied in the processModel section of the config file are invalid.

Event Type: Error
Event Source: ASP.NET 1.1.4322.0
Event Category: None
Event ID: 1084
User: N/A
aspnet_wp.exe could not be started. The error code for the failure is
80004005. This error can be caused when the worker process account has
insufficient rights to read the .NET Framework files. Please ensure that the
..NET Framework is correctly installed and that the ACLs on the installation
directory allow access to the configured account.

Research revealed that this could be caused by the IWAM_machinename password
getting out of sync; I have reviewed KB Q296851.

I have reset the password in AD for IWAM_MachineName and used adsutil.vbs to set the
password of IWAM_MachineName to the password I set manually in AD.

I tried to run cscript synciwam.vbs -v, but I get
Updating Applications:
Name: IIS-{} Key:
Name: IIS-{Administration Web Site//ROOT/cgi-bin} Key:
Name: IIS Out-Of-Process Pooled Applications Key:
Error: 80110414:

Also tried making IUSR_MachineName and IWAM_MachineName temporarily members
of the Administrators group first, but still that does not allow the script to
run without error!

Now, I can't even run a simple test.asp or test.aspx with no code in it!
When I try to load test.asp, I get the DCOM error in the System log. When I try
to load test.aspx, I get the two errors in the Application log.

At present, machine.config is set to
1) no impersonation settings
2) processModel set to run as "machine" user

I could get ASP.NET pages running if I change processModel to run as
"SYSTEM" user, but this is not the settings I have on the live system.
Also, IWAM_MachineUser does have full control to the "Temporary ASP.NET
Files" folder!



It has always worked with IIS 5.0, which is the version that comes with Windows 2000.

IIS5.1 if I remember rightly is for Windows XP only.


IIS problem resolved, IWAM_MachineName account was locked out.

However, ASP.NET still can't write to EventViewer!!

Aaron Bertrand - MVP

> by what I know, you need IIS 5.1 or version above to run .net

No, this is not true! Where do people get this "advice"?

Aaron Bertrand - MVP

> However, ASP.NET still can't write to EventViewer!!

What does "can't write" mean? Do you get an error message? If so, what is
it? Have you fixed the permissions for the IWAM and IUSR accounts? Have
you considered using Windows authentication (it's odd you would want
anonymous users to be able to write to the event log).

Steven Cheng[MSFT]

Hi Patrick,

From the error message "aspnet_wp.exe could not be launched because the
username and/or password supplied in the processModel section of the config
file are invalid.", I believe this error is related to the account

Actually, when we set "machine" as the user in processModel, the ASP.NET worker
process runs with the account "ASPNET". Please perform the following
steps to make the web application work:

1. I would like to double confirm the settings in machine.config. Please
make sure the user name and password is:

userName="machine" password="AutoGenerate"

Note: Please do not overwrite "AutoGenerate" with another password.

2. Delete the "ASPNET" account.

This is a local account, not a domain account.

3. In the command window, locate the following directory:

C:\<Windows Directory>\Microsoft.Net\Framework\<Version>

Note: You must replace <Windows Directory> in this path with the correct
directory for your system and replace <Version> with the version of the
.NET Framework installed on your system.

4. Type "aspnet_regiis -i" (without the quotation marks) to configure the
required application mappings correctly.

This will reinstall ASP.NET on the machine.

Now, please try to run the ASP.NET web application again. If there are any
new findings, please don't hesitate to let me know.


Steven Cheng
Microsoft Online Support



Actually, the "aspnet_wp.exe could not be launched because the username
and/or password supplied in the processModel section of the config file are
invalid." error was caused by the IWAM_MachineName user account being
locked out. The problem was resolved by unlocking the user.

Anyway, I am still getting the error with the call to WriteEvent:
System.InvalidOperationException: Cannot open log for source {0}. You may
not have write access. ---> System.ComponentModel.Win32Exception: Access is
denied --- End of inner exception stack trace --- at
System.Diagnostics.EventLog.OpenForWrite() at
System.Diagnostics.EventLog.WriteEvent(Int32 eventID, Int16 category,
EventLogEntryType type, String[] strings, Byte[] rawData) at
System.Diagnostics.EventLog.WriteEntry(String message, EventLogEntryType
type, Int32 eventID, Int16 category, Byte[] rawData) at
System.Diagnostics.EventLog.WriteEntry(String message, EventLogEntryType
type, Int32 eventID, Int16 category) at
System.Diagnostics.EventLog.WriteEntry(String message, EventLogEntryType
type, Int32 eventID) at System.Diagnostics.EventLog.WriteEntry(String
message, EventLogEntryType type) at
_ASP.eventLog_aspx.__Render__control1(HtmlTextWriter __output, Control


Hi Patrick

I am having a very similar problem with the (ASP.NET) Web Service I developed.

My Web Service logs events into the event log. If I configure the Web Service (as a virtual directory) under the Default Site, everything is fine.

However, if I run it in a virtual directory under a different site, it gives me exactly the same error you are getting.

Funny that I have compared all security-related settings between the default and the other site and could not find any significant differences.

I think we both need good luck to find where the real problem lies.



Steven Cheng[MSFT]

Hi Patrick,

Thanks for your effort!

I would like to double confirm the following setting with you: Have you
enabled "Impersonate=true" in the config file now?

Patrick, if we have not enabled Impersonate (Impersonate=false), the
aspnet_wp.exe will run with the account in <processmodel>. However, if we
enabled "Impersonate=true", then the aspnet_wp.exe will run with the
authenticated user account or the anonymous account.

Please perform the following steps to check the settings:

If "Impersonate=false" in the config file:

Please make sure you have not modified the permissions for the "ASPNET"
account. By default, the ASPNET user account has access to write to the
application event log. You can also replace "machine" in <processmodel>
with another user account who has permission to write Event items, to
perform a test. Please let me know the result.

If "Impersonate=true" in the config file:

Please make sure the current logon user or anonymous account (if we enabled
"Anonymous" authentication for the web application) has write permission to
the Event log.

For detailed security settings for the event log, please check the following:

Event Logging Security

For more information about security descriptor definition language (SDDL)
used for the setting, please also check the following information:

Security Descriptor Definition Language


Steven Cheng
Microsoft Online Support



According to that article, everyone could write to the Event Viewer!

After setting impersonate=true in machine.config and running iisreset, I am still
getting System.InvalidOperationException: Cannot open log for source {0}.
You may not have write access.....

However, taking the IWAM_Machine user out of the Guests security group works!
We had a Domain Controller Security Policy "Restrict guest access to
Application Log" under Security Settings -> Event Log -> Settings for Event
Logs set to ENABLED.

Does the IWAM_Machine user need to be a member of the Guests group?


I also wonder what the effect would be if I "move" the Logging code to a class
library and call a public method in the class library from the ASP.NET code
to do the logging?
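An added example, not code from this thread or from Microsoft: a Logging class that keeps the two operations the thread keeps tripping over apart. Source registration (the registry write under the EventLog key, which is what needs administrative rights) becomes a one-off deployment step, and the run-time path only writes to the already-registered source, reporting the two distinct failures seen above instead of throwing. The method RegisterSource and the out parameter failureReason are assumed names of my own; EVENT_SOURCE reuses the thread's "YJBWEBSITE".

```csharp
// Added example, not code from the thread. Assumed design: the event source
// is registered once at deployment time under an administrative account
// (RegisterSource), and the web application only ever writes entries to that
// existing source at run time (LogEventViewer), which needs no registry write.
using System;
using System.Diagnostics;
using System.Security;

namespace website.classes
{
    public class Logging
    {
        private const string EVENT_SOURCE = "YJBWEBSITE";  // source name from the thread
        private const string EVENT_LOG = "Application";

        private Logging() { }

        // Deployment-time step (installer or one-off admin tool), never called
        // from a page: CreateEventSource writes under
        // HKLM\SYSTEM\CurrentControlSet\Services\EventLog, which the ASPNET
        // account is correctly denied.
        public static void RegisterSource()
        {
            if (!EventLog.SourceExists(EVENT_SOURCE))
            {
                EventLog.CreateEventSource(EVENT_SOURCE, EVENT_LOG);
            }
        }

        // Run-time path. Returns false with a reason instead of throwing, so a
        // logging failure cannot take the page down while still being visible
        // to the caller's own trace.
        public static bool LogEventViewer(string message, EventLogEntryType entryType,
                                          out string failureReason)
        {
            failureReason = null;
            try
            {
                using (EventLog log = new EventLog(EVENT_LOG))
                {
                    log.Source = EVENT_SOURCE;
                    log.WriteEntry(message, entryType);
                }
                return true;
            }
            catch (SecurityException ex)
            {
                // "Requested registry access is not allowed": the source was not
                // pre-registered, so the framework tried to create it here.
                failureReason = "source not registered / registry denied: " + ex.Message;
            }
            catch (ArgumentException ex)
            {
                // Source exists but is registered to a different log.
                failureReason = "source bound to another log: " + ex.Message;
            }
            catch (InvalidOperationException ex)
            {
                // "Cannot open log for source ... Access is denied": the account
                // reaches the source but not the log, as with a member of Guests
                // under "Restrict guest access to Application Log".
                failureReason = "log write denied: " + ex.Message;
            }
            return false;
        }

        public static bool LogError(string message, out string failureReason)
        {
            return LogEventViewer(message, EventLogEntryType.Error, out failureReason);
        }
    }
}
```

Calling RegisterSource from the web request path would reintroduce the original problem, so it belongs in the deployment tooling only.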

