Re: What program is used to write events to the event log??????

From: Roger Abell [MVP] (mvpNoSpam_at_asu.edu)
Date: 02/24/04


Date: Tue, 24 Feb 2004 01:26:06 -0700

Hi J,

I believe that the event logging functionality is implemented as
a part of services.exe.
It may be that part of one of the mechanisms that may be used
to get an event message into the logs is what is actually blocked.

You have gone about as far in trying to decipher how Safer is
persisting its settings as have I to date. I have seen as of yet
no references that detail how to export Safer settings so that
they are transportable, but I have searched, and have seen this
asked a few times (in NGs frequented by MS staff) with no answer.
I would be interested in your further experiments, as it has been
on my to-do (but not of urgent need) list.

Regards,
Roger

<BillMadison@nospam.com> wrote in message
news:bagl30hqcsuvhu73n0s7qd2gimjp3ttqtq@4ax.com...
> Hi All,
>
> Been testing software restriction policies on virtual PC for the last
> couple of days and have encountered a minor problem.
>
> I have now created a deny all exe policy with certain "allow only exe's"
> that windows needs in normal operation.
> The problem however is that in a normal user account everything works ok
> but for one issue....whenever there is an exe being started it normally
> writes this event to the event log so as admin you can see what program
> or exe it was that was about to get started.
> After applying my restrictions I now don't see these events in my log
> anymore so that means that one exe is being denied from writing to the log.
>
> Now my question of course,...what exe or program is used to write these
> events to the event log?
>
> Also, a few days ago I posted a question about whether these policies could
> be exported...the question remained unanswered then but I have now found
> a way to do it (maybe....)
>
> The thing is, these policies get written to three different parts of the
> registry
>
> [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalMachine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
>
> [HKEY_USERS\***insert ADMIN SID here***\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalMachine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
>
> So, normally you would think that by exporting these and reimporting them
> in a default install would be sufficient for these policies to be applied
> on a new installation. Would I be correct in that assumption????
>
> I noticed that each path rule I created has a unique GUID associated with
> it but when using the search function it can only be found in the registry
> at the three above mentioned registry branches.
> Does this then mean that they will work on a new machine when importing
> them since no other reference of these GUIDs can be found on the system.
> I even searched my harddrive to all files with a text containing one of
> these GUIDs to see if there would be a place where windows stores these
> GUIDs as a reference and also came up empty. Maybe they are just created
> as GUIDs for the sole purpose of creating a unique string each time under
> these registry keys but that's only my logical conclusion to this and I
> could of course be wrong.
>
> Anyway, that's about all I wanted to ask for now,...and as always I hope
> someone who has read this till the end and can provide some more details
> then I would be much obliged.
>
> Kind Regards,
> J
>
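As an added example that is not part of either post, the following PowerShell script lists the SRP ("Safer") rules stored under the HKLM key J names and exports that key the way J proposes to transport it. The level IDs, the Paths/Hashes layout and the ItemData/SaferFlags/Description value names are assumptions taken from SRP documentation, not from the thread.

```powershell
# Added example (not code from the thread): enumerate the machine-wide SRP
# rules under the HKLM key J lists, and optionally export that key to a
# .reg file for inspection or transport. Read-only apart from the export.
# Assumptions (from SRP documentation, not from the thread): level subkeys are
# the decimal SAFER level IDs (0 = Disallowed, 4096 = Untrusted,
# 65536 = Constrained, 131072 = Basic User, 262144 = Unrestricted); rules live
# under <level>\Paths\{GUID} and <level>\Hashes\{GUID} with ItemData,
# SaferFlags and Description values.
$Base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$LevelNames = @{ 0 = 'Disallowed'; 4096 = 'Untrusted'; 65536 = 'Constrained'
                 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SaferRule {
    if (-not (Test-Path $Base)) { Write-Warning "No SRP policy at $Base"; return }
    $root = Get-ItemProperty -Path $Base
    if ($null -ne $root.DefaultLevel) {
        Write-Host ("DefaultLevel = {0} ({1})" -f $root.DefaultLevel, $LevelNames[[int]$root.DefaultLevel])
    }
    foreach ($level in Get-ChildItem -Path $Base) {
        $id = $level.PSChildName -as [int]
        if ($null -eq $id) { continue }            # skip non-level subkeys, if any
        foreach ($kind in 'Paths', 'Hashes') {
            $kindPath = "Registry::$($level.Name)\$kind"
            if (-not (Test-Path $kindPath)) { continue }
            foreach ($rule in Get-ChildItem -Path $kindPath) {
                $p = Get-ItemProperty -Path "Registry::$($rule.Name)"
                # Hash rules store ItemData as REG_BINARY; render it as hex.
                $data = if ($kind -eq 'Hashes' -and $p.ItemData -is [byte[]]) {
                    ($p.ItemData | ForEach-Object { $_.ToString('x2') }) -join ''
                } else { $p.ItemData }
                [pscustomobject]@{
                    Level       = $LevelNames[$id]
                    Kind        = $kind
                    Guid        = $rule.PSChildName   # the per-rule GUID J noticed
                    ItemData    = $data
                    SaferFlags  = $p.SaferFlags
                    Description = $p.Description
                }
            }
        }
    }
}

function Export-SaferRules {
    param([string]$Path = 'srp-codeidentifiers.reg')
    # reg.exe writes the whole CodeIdentifiers tree, GUID subkeys included,
    # which is the export J proposes reimporting on a fresh install.
    & reg.exe export 'HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers' $Path
}

Get-SaferRule | Format-Table -AutoSize
```

Run it as an administrator on the machine whose policy you want to audit; compare the listing against the same run on the machine you import the .reg file into to confirm the rules arrived intact.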


