Weird registry behavior when writing to custom event log

From: Michael Carr (mcarr_at_umich.edu)
Date: 07/15/05 

Date: Fri, 15 Jul 2005 16:02:42 -0400

I experienced the following strange behavior when trying to write to a
custom event log in an ASP.NET application (although the problem would occur
with any non-priviledged account)

I created a custom event log named "MyCustomLog" and created a source within
it called "MyCustomLogSource" following the directions in
http://support.microsoft.com/Default.aspx?id=329291. For testing purposes, I
also created a source within Application called "MyApplicationSounce"

>From my ASP.NET app, I executed the following line of code and everything
works great:

eventLog = new EventLog("Application", ".", "MyApplicationSource");

However, when I execute the following I get an error:

eventLog = new EventLog("MyCustomLog", ".", "MyCustomLogSource");

The error is:

Security Exception
Description: The application attempted to perform an operation not allowed
by the security policy. To grant this application the required permission
please contact your system administrator or change the application's trust
level in the configuration file.
Exception Details: System.Security.SecurityException: Requested registry
access is not allowed.

Using RegMon I see the following access pattern:

7.01499081 aspnet_wp.exe:4512 EnumerateKey
HKLM\SYSTEM\CurrentControlSet\Services\EventLog SUCCESS
7.01502752 aspnet_wp.exe:4512 OpenKey
HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application SUCCESS
7.01505136 aspnet_wp.exe:4512 OpenKey
HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\MyCustomLogSource
NOT FOUND
7.01506662 aspnet_wp.exe:4512 CloseKey
HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application SUCCESS
7.01515818 aspnet_wp.exe:4512 OpenKey
HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security ACCESS DENIED

So it appears that what is happening is that System.Diagnostics is looking
through ALL of the event logs for the one that contains the
MyCustomLogSource source, even though I have clearly told it that it exists
within MyCustomLog. The only way to fix this problem is to give the ASPNET
user read access to the Security log, after which it works correctly and I
get the following registry trace:

2.66786623 aspnet_wp.exe:4512 EnumerateKey
HKLM\SYSTEM\CurrentControlSet\Services\EventLog SUCCESS
2.66789460 aspnet_wp.exe:4512 OpenKey
HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application SUCCESS
2.66791654 aspnet_wp.exe:4512 OpenKey
HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\MyCustomLogSource
NOT FOUND
2.66792893 aspnet_wp.exe:4512 CloseKey
HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application SUCCESS
2.66795588 aspnet_wp.exe:4512 OpenKey
HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security SUCCESS
2.66797757 aspnet_wp.exe:4512 OpenKey
HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security\MyCustomLogSource
NOT FOUND
2.66799212 aspnet_wp.exe:4512 CloseKey
HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security SUCCESS
2.66874981 aspnet_wp.exe:4512 OpenKey
HKLM\SYSTEM\CurrentControlSet\Services\EventLog\System SUCCESS
2.66879916 aspnet_wp.exe:4512 OpenKey
HKLM\SYSTEM\CurrentControlSet\Services\EventLog\System\MyCustomLogSource NOT
FOUND
2.66881847 aspnet_wp.exe:4512 CloseKey
HKLM\SYSTEM\CurrentControlSet\Services\EventLog\System SUCCESS
2.66885090 aspnet_wp.exe:4512 OpenKey
HKLM\SYSTEM\CurrentControlSet\Services\EventLog\MyCustomLog SUCCESS
2.66888428 aspnet_wp.exe:4512 OpenKey
HKLM\SYSTEM\CurrentControlSet\Services\EventLog\MyCustomLog\MyCustomLogSource
SUCCESS

So, long story short, I was able to fix this problem by lowering my registry
security settings on the Security event log... not exactly the best solution
I think.

    Michael Carr

Relevant Pages