Re: NotifyChangeEventLog() & impersonation
- From: Chuck Chopp <ChuckChopp@xxxxxxxxxxx>
- Date: Tue, 02 May 2006 19:24:40 -0400
Alex Fedotov wrote:
Chuck Chopp wrote:
I have some code that calls OpenEventLog() for the Security EventLog.
It then creates an unnamed event and calls NotifyChangeEventLog().
This works OK when my service is running as Local System or when logged on as Administrator. However, I'm trying to fine-tune the rights requirements so that the thread that actually executes this code inside the service-mode EXE can do this successfully while it is impersonating a specific identity via LogonUser() / ImpersonateLoggedOnUser().
What I'm observing right now is that NotifyChangeEventLog() returns FALSE and GetLastError() returns 5 [access denied]. The identity that I'm impersonating is a member of the domain "Administrators" group and it has the SE_SECURITY_NAME and "Log on as service" rights on the DC on which the service is installed & running.
Do you call OpenEventLog while impersonating as well? Do you create the event object while impersonating?
Yes, I do the following *after* the call to ImpersonateLoggedOnUser():
hSecEvtLog = OpenEventLog(NULL,L"Security");
hNewEvent = CreateEvent(NULL,TRUE,FALSE,NULL);
bResult = NotifyChangeEventLog(hSecEvtLog,hNewEvent);
dwResult = GetLastError();
Of course, I'm not including the error handling code that tests for a null hSecEvtLog handle or a null hNewEvent handle.
NotifyChangeEventLog() is returning FALSE [zero] and GetLastError() is returning 5 [access denied].
I'm wondering if the function fails because it cannot gain access to the event object you are passing in. I would try to relax event security (by setting a NULL DACL, for example) and see if it makes any difference.
ChuckChopp (at) rtfmcsi (dot) com http://www.rtfmcsi.com
RTFM Consulting Services Inc. 864 801 2795 voice & voicemail
103 Autumn Hill Road 864 801 2774 fax
Greer, SC 29651
"Racing to save lives"
The Leukemia & Lymphoma Society - Team in Training
Do not send me unsolicited commercial email.
- Prev by Date: Re: Desperate for Help on Copying EFS files and Mainting Encryption.
- Next by Date: Re: How to call LogonUser with non clear text password
- Previous by thread: Re: NotifyChangeEventLog() & impersonation
- Next by thread: Re: Desperate for Help on Copying EFS files and Mainting Encryption.