Re: Cannot open log for source {0}. You may not have write access. (Access rights vanish after a while)

From: Nicole Calinoiu (calinoiu)
Date: 04/14/05


Date: Thu, 14 Apr 2005 09:06:21 -0400

Is the ECONTROL\wsbts (as opposed to ECONTROL\pantse) account being used in
any way by your application? If so, how?

"jblo" <jarmo.blomsterN0SPM@ccc.fi> wrote in message
news:Twt7e.175$jt3.28@read3.inet.fi...
>
> "Nicole Calinoiu" <calinoiu REMOVETHIS AT gmail DOT com> wrote in message
> news:OOTlDgOQFHA.1500@TK2MSFTNGP09.phx.gbl...
>> It's actually quite normal for non-admin accounts other than the interactive
>> user to be denied access to HKCU, and there's no reason that this denial
>> should affect writing to the event log. I suspect that you might find the
>> same denial occurring even when the event log writes are successful.
> There is no ACCDENIED at all in the OK case.
>
> In the error case there is quite a lot of ACCDENIED like:
> 9613 6.67599106 w3wp.exe:920 OpenKey HKLM\SOFTWARE\Microsoft\Microsoft SQL
> Server\ECONTROL\MSSQLServer\CurrentVersion ACCDENIED ECONTROL\wsbts
> and
> 9866 6.69436411 w3wp.exe:920 CreateKey
> HKLM\SOFTWARE\Microsoft\MSSQLServer\Client\SuperSocketNetLib\LastConnect
> ACCDENIED ECONTROL\wsbts
>
>
> And once the
> 2066 4.55175423 w3wp.exe:5624 OpenKey HKCU ACCDENIED ECONTROL\pantse
>
>> Do you
>> see any failures at all (access denied or otherwise) for anything on the
>> HKLM\SYSTEM\CurrentControlSet\Services\Eventlog path?
> In the error case there are entries like:
> 2300 4.56403786 w3wp.exe:5624 OpenKey
> HKLM\SYSTEM\CurrentControlSet\Services\EventLog REPARSE
> 2301 4.56406584 w3wp.exe:5624 OpenKey
> HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS
> 2302 4.56409347 w3wp.exe:5624 QueryKey
> HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS Subkeys = 6
> 2303 4.56411436 w3wp.exe:5624 EnumerateKey
> HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS Name: Application
> 2304 4.56413188 w3wp.exe:5624 EnumerateKey
> HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS Name: Directory
> Service
> 2305 4.56414850 w3wp.exe:5624 EnumerateKey
> HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS Name: DNS Server
> 2306 4.56416525 w3wp.exe:5624 EnumerateKey
> HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS Name: File Replication
> Service
> 2307 4.56418143 w3wp.exe:5624 EnumerateKey
> HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS Name: Security
> 2308 4.56419762 w3wp.exe:5624 EnumerateKey
> HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS Name: System
> 2309 4.56422423 w3wp.exe:5624 OpenKey
> HKLM\SYSTEM\ControlSet001\Services\EventLog\Application SUCCESS
> 2310 4.56425171 w3wp.exe:5624 OpenKey
> HKLM\SYSTEM\ControlSet001\Services\EventLog\Application\eControlServer
> SUCCESS
> 2311 4.56427026 w3wp.exe:5624 CloseKey
> HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS
> 2312 4.56428460 w3wp.exe:5624 CloseKey
> HKLM\SYSTEM\ControlSet001\Services\EventLog\Application\eControlServer
> SUCCESS
>
> In the OK case there are entries like:
> 2148 3.96112042 w3wp.exe:4296 OpenKey
> HKLM\SYSTEM\CurrentControlSet\Services\EventLog REPARSE
> 2149 3.96114665 w3wp.exe:4296 OpenKey
> HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS
> 2150 3.96117347 w3wp.exe:4296 QueryKey
> HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS Subkeys = 6
> 2151 3.96119397 w3wp.exe:4296 EnumerateKey
> HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS Name: Application
> 2152 3.96121122 w3wp.exe:4296 EnumerateKey
> HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS Name: Directory
> Service
> 2153 3.96122767 w3wp.exe:4296 EnumerateKey
> HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS Name: DNS Server
> 2154 3.96124411 w3wp.exe:4296 EnumerateKey
> HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS Name: File Replication
> Service
> 2155 3.96125993 w3wp.exe:4296 EnumerateKey
> HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS Name: Security
> 2156 3.96127606 w3wp.exe:4296 EnumerateKey
> HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS Name: System
> 2157 3.96130268 w3wp.exe:4296 OpenKey
> HKLM\SYSTEM\ControlSet001\Services\EventLog\Application SUCCESS
> 2158 3.96133093 w3wp.exe:4296 OpenKey
> HKLM\SYSTEM\ControlSet001\Services\EventLog\Application\eControlServer
> SUCCESS
> 2159 3.96134932 w3wp.exe:4296 CloseKey
> HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS
> 2160 3.96136367 w3wp.exe:4296 CloseKey
> HKLM\SYSTEM\ControlSet001\Services\EventLog\Application\eControlServer
> SUCCESS
> 2161 3.96138943 w3wp.exe:4296 CloseKey
> HKLM\SYSTEM\ControlSet001\Services\EventLog\Application SUCCESS
> 2162 3.96142832 w3wp.exe:4296 OpenKey
> HKLM\SYSTEM\CurrentControlSet\Services\EventLog REPARSE
> 2163 3.96144886 w3wp.exe:4296 OpenKey
> HKLM\SYSTEM\ControlSet001\Services\EventLog SUCCESS
>
> I think that tells at least that
> HKLM\SYSTEM\CurrentControlSet\Services\EventLog can be opened in both
> cases.
>
> //Jarmo
>
>
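
Added example (not part of the original posts): a small Python parser for Regmon lines in the wrapped, "> "-quoted form seen in this thread, grouping ACCDENIED results by account and worker-process PID so that the identity behind each denial is visible at a glance. The sample lines are copied from the excerpts quoted above; the function names are hypothetical, and only the three result codes that appear in the thread are recognised.

```python
import re
from collections import defaultdict

# Excerpt of the Regmon lines quoted in the thread, still wrapped and "> "-quoted.
SAMPLE = r"""
> 9613 6.67599106 w3wp.exe:920 OpenKey HKLM\SOFTWARE\Microsoft\Microsoft SQL
> Server\ECONTROL\MSSQLServer\CurrentVersion ACCDENIED ECONTROL\wsbts
> 9866 6.69436411 w3wp.exe:920 CreateKey
> HKLM\SOFTWARE\Microsoft\MSSQLServer\Client\SuperSocketNetLib\LastConnect
> ACCDENIED ECONTROL\wsbts
> 2066 4.55175423 w3wp.exe:5624 OpenKey HKCU ACCDENIED ECONTROL\pantse
> 2300 4.56403786 w3wp.exe:5624 OpenKey
> HKLM\SYSTEM\CurrentControlSet\Services\EventLog REPARSE
> 2309 4.56422423 w3wp.exe:5624 OpenKey
> HKLM\SYSTEM\ControlSet001\Services\EventLog\Application SUCCESS
"""

# A record starts with "<seq> <time> <process>:<pid> "; other lines are wraps.
RECORD_START = re.compile(r"^\d+\s+\d+\.\d+\s+\S+:\d+\s")
RECORD = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d+\.\d+)\s+(?P<proc>\S+):(?P<pid>\d+)\s+"
    r"(?P<op>\w+)\s+(?P<path>.+?)\s+"
    r"(?P<result>SUCCESS|ACCDENIED|REPARSE)\b\s*(?P<other>.*)$")

def unwrap(text):
    """Strip quote markers and rejoin records broken by mail line wrapping."""
    records = []
    for line in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", line).strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line   # wraps in this trace fall on spaces
    return records

def parse(text):
    """Return one dict per recognised Regmon record."""
    return [m.groupdict() for m in map(RECORD.match, unwrap(text)) if m]

def denied_by_identity(records):
    """Map (account, pid) -> denied key paths; for ACCDENIED rows the
    trailing column holds the account, as in the lines quoted above."""
    summary = defaultdict(list)
    for r in records:
        if r["result"] == "ACCDENIED":
            summary[(r["other"], r["pid"])].append(r["path"])
    return dict(summary)

if __name__ == "__main__":
    for (account, pid), paths in denied_by_identity(parse(SAMPLE)).items():
        print(f"{account} (w3wp.exe:{pid}): {len(paths)} denied -> {paths}")
```
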


