Re: NotifyChangeEventLog() & impersonation
- From: Chuck Chopp <ChuckChopp@xxxxxxxxxxx>
- Date: Tue, 02 May 2006 19:24:40 -0400
Alex Fedotov wrote:
> Chuck Chopp wrote:
>> I have some code that calls OpenEventLog() for the Security EventLog.
>> It then creates an unnamed event and calls NotifyChangeEventLog().
>> This works OK when my service is running as Local System or when logged on as Administrator. However, I'm trying to fine-tune the rights requirements so that the thread that actually executes this code inside the service-mode EXE can do this successfully while it is impersonating a specific identity via LogonUser() / ImpersonateLoggedOnUser().
>> What I'm observing right now is that NotifyChangeEventLog() returns FALSE and GetLastError() returns 5 [access denied]. The identity that I'm impersonating is a member of the domain "Administrators" group and it has the SE_SECURITY_NAME and "Log on as service" rights on the DC on which the service is installed & running.
>
> Do you call OpenEventLog while impersonating as well? Do you create the event object while impersonating?

Yes, I do the following *after* the call to ImpersonateLoggedOnUser():

    hSecEvtLog = OpenEventLog(NULL,L"Security");
    hNewEvent = CreateEvent(NULL,TRUE,FALSE,NULL);
    bResult = NotifyChangeEventLog(hSecEvtLog,hNewEvent);
    dwResult = GetLastError();

Of course, I'm not including the error handling code that tests for a null hSecEvtLog handle or a null hNewEvent handle.
NotifyChangeEventLog() is returning FALSE [zero] and GetLastError() is returning 5 [access denied].

> I'm wondering if the function fails because it cannot gain access to the event object you are passing in. I would try to relax event security (by setting a NULL DACL, for example) and see if it makes any difference.
--
Chuck Chopp
ChuckChopp (at) rtfmcsi (dot) com http://www.rtfmcsi.com
RTFM Consulting Services Inc. 864 801 2795 voice & voicemail
103 Autumn Hill Road 864 801 2774 fax
Greer, SC 29651
"Racing to save lives"
The Leukemia & Lymphoma Society - Team in Training
http://www.active.com/donate/tntsc/tntscCChopp
Do not send me unsolicited commercial email.