| Platform SDK: Debugging and Error Handling |
Access to the event logs is determined by the account under which the application is running. The LocalSystem account is a special account that service applications can use. The Administrator account consists of the administrators for the system. The Server Operator account (ServerOp) consists of the administrators of the domain server. The World account includes all users on all systems.
The following table shows which accounts are granted read, write, and clear access to each log.
| Log | Account | Access | ||
|---|---|---|---|---|
| Application | LocalSystem | Read | Write | Clear |
| Administrator | Read | Write | Clear | |
| ServerOp | Read | Write | Clear | |
| World | Read | Write | ||
| Security | LocalSystem | Read | Write | Clear |
| Administrator | Read | Clear | ||
| World | ||||
| System | LocalSystem | Read | Write | Clear |
| Administrator | Read | Write | Clear | |
| ServerOp | Read | Clear | ||
| World | Read |
In addition, users can read and clear the Security log if they have been granted one of the following:
The following table shows which types of access are required for the event logging functions.
| Function | Access Required |
|---|---|
| OpenEventLog | Read |
| OpenBackupEventLog | Read |
| RegisterEventSource | Write |
| ClearEventLog | Clear |
As an example, OpenEventLog requires read access. A member of the ServerOp account can call OpenEventLog for the Application event log and the System event log, because ServerOp has read access for both of these logs. However, a member of the ServerOp account cannot call OpenEventLog for the Security log, because it does not have read access for this log.
Access to the Application event log is restricted. To grant access to the members of the Guests account, change the following registry entry from 1 (the default) to 0:
HKEY_LOCAL_MACHINE
SYSTEM
CurrentControlSet
Services
EventLog
Application
RestrictGuestAccess