Platform SDK: Debugging and Error Handling

Event Logging Security

Access to the event logs is determined by the account under which the application is running. The LocalSystem account is a special account that service applications can use. The Administrator account consists of the administrators for the system. The Server Operator account (ServerOp) consists of the administrators of the domain server. The World account includes all users on all systems.

The following table shows which accounts are granted read, write, and clear access to each log.

Log          Account        Access
Application  LocalSystem    Read  Write  Clear
             Administrator  Read  Write  Clear
             ServerOp       Read  Write  Clear
             World          Read  Write
Security     LocalSystem    Read  Write  Clear
             Administrator  Read         Clear
             World          (none)
System       LocalSystem    Read  Write  Clear
             Administrator  Read  Write  Clear
             ServerOp       Read         Clear
             World          Read

In addition, users can read and clear the Security log if they have been granted one of the following:

The following table shows which types of access are required for the event logging functions.

Function             Access Required
OpenEventLog         Read
OpenBackupEventLog   Read
RegisterEventSource  Write
ClearEventLog        Clear

As an example, OpenEventLog requires read access. A member of the ServerOp account can call OpenEventLog for the Application event log and the System event log, because ServerOp has read access for both of these logs. However, a member of the ServerOp account cannot call OpenEventLog for the Security log, because it does not have read access for this log.
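The access check described above can be observed directly: OpenEventLog fails with ERROR_ACCESS_DENIED when the calling account lacks Read on a log. The following PowerShell script is an added example, not code from the Platform SDK; it declares its own P/Invoke signatures for OpenEventLog and CloseEventLog (advapi32.dll) and probes the three logs from the current account, which is a quick way for an administrator to confirm that an application's service account sees only the logs it is meant to.

```powershell
# Added example (not from the SDK page): report which event logs the
# current account can open for Read access via OpenEventLog.
# Assumes the advapi32 P/Invoke declarations below; run on Windows.
$sig = @'
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr OpenEventLog(string lpUNCServerName, string lpSourceName);

[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool CloseEventLog(IntPtr hEventLog);
'@
$EventLogApi = Add-Type -MemberDefinition $sig -Name 'EventLogApi' -Namespace 'Probe' -PassThru

function Test-EventLogReadAccess {
    param([string[]]$LogName = @('Application', 'Security', 'System'))

    foreach ($name in $LogName) {
        # A null server name opens the log on the local computer.
        $h = $EventLogApi::OpenEventLog($null, $name)
        if ($h -eq [IntPtr]::Zero) {
            $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
            # 5 == ERROR_ACCESS_DENIED: the account lacks Read on this log.
            $status = if ($err -eq 5) { 'denied (ERROR_ACCESS_DENIED)' }
                      else { "failed (Win32 error $err)" }
        } else {
            [void]$EventLogApi::CloseEventLog($h)
            $status = 'readable'
        }
        [pscustomobject]@{ Log = $name; ReadAccess = $status }
    }
}

Test-EventLogReadAccess
```

Run it once as a member of the Server Operators group and once as an administrator to see the difference the table above describes: ServerOp can open Application and System but is denied on Security.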

Access to the Application event log is restricted. To grant access to the members of the Guests account, change the following registry entry from 1 (the default) to 0:

HKEY_LOCAL_MACHINE
    SYSTEM
      CurrentControlSet
        Services
          EventLog
            Application
              RestrictGuestAccess
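The registry change above is easy to make by hand, but it is also easy to leave in the permissive state by accident. The following PowerShell functions are an added example, not code from the Platform SDK; they read and set the RestrictGuestAccess value at the path listed above (assumed to be a REG_DWORD, with 1 as the restrictive default the page describes), so the setting can be audited across machines and reset to the default when Guest access is no longer needed.

```powershell
# Added example (not from the SDK page): inspect and set RestrictGuestAccess
# for the Application log. Assumes the registry path shown on the page and a
# REG_DWORD value; changing it requires an elevated session.
$AppLogKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Application'

function Get-GuestAccessRestriction {
    # Returns 1 (Guests restricted, the default), 0 (Guests granted access),
    # or $null if the value is not present on this system.
    $item = Get-ItemProperty -Path $AppLogKey -Name 'RestrictGuestAccess' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.RestrictGuestAccess
}

function Set-GuestAccessRestriction {
    param(
        # 1 restricts the Guests account (default); 0 grants it access, as the page describes.
        [ValidateSet(0, 1)]
        [int]$Value = 1
    )
    Set-ItemProperty -Path $AppLogKey -Name 'RestrictGuestAccess' -Value $Value -Type DWord
    return Get-GuestAccessRestriction
}

# Report the current state; a 0 here means Guests can reach the Application log.
$current = Get-GuestAccessRestriction
if ($null -eq $current) { 'RestrictGuestAccess is not set' }
elseif ($current -eq 0) { 'RestrictGuestAccess = 0: Guests have access to the Application log' }
else { 'RestrictGuestAccess = 1: Guest access to the Application log is restricted' }
```

Call Set-GuestAccessRestriction -Value 0 only for the period the Guest access is actually required, and Set-GuestAccessRestriction (default 1) to return to the documented default.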