By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
426,034 Members | 1,714 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 426,034 IT Pros & Developers. It's quick & easy.

Windows Service - Event Log

P: n/a
I am building an windows service that is to be deployed on a windows
server 2003 and I want to have activity written to the event log, I
want its own log called ('CustomLog')

Below is what I have so far...its builds fine but when I go to start
the service i get the following error.

---------------------------
Services
---------------------------
The CWindowService service on Local Computer started and then stopped.
Some services stop automatically if they have no work to do, for
example, the Performance Logs and Alerts service.
---------------------------
OK
---------------------------
What am I doing wrong? Right after this code I have this line....and it
never had an issue.
EventLog.WriteEntry("Refresh started successfully.");

//1. Create the source, if it does not already exist.
if (!EventLog.SourceExists("CustomLog"))
{
EventLog.CreateEventSource("CustomLog", "MyNewLog");
}
//2. Create an EventLog instance and assign its source.
EventLog myLog = new EventLog();
myLog.Source = "CustomLog";
//3. Write an informational entry to the event log.
myLog.WriteEntry("Writing to event log.");

Jun 27 '06 #1
Share this Question
Share on Google+
27 Replies


P: n/a
Without seeing more of the start code i couldn't say for sure,
however, when I was working with this recently I found that by having
evaluating code in my OnStart event I had a tendancy of recieving the
same error. What I would recommend you do is add a component timer to
the service(not a form timer) and put your code in the Elapsed event of
the timer. Then in your OnStart method you just activate the timer.

-Bill

Jun 27 '06 #2

P: n/a
Hi,

You need to post more code, or more details at least.

Where are you running this?
What your onStart looks like?

Are you creating a new thread in the onStart ?

Usually what I do is in the onStart just create and Start a thread that is
the one who does the real thing. in this way the onStart returns
inmediately.
--
--
Ignacio Machin,
ignacio.machin AT dot.state.fl.us
Florida Department Of Transportation

<pi*****@hotmail.com> wrote in message
news:11**********************@u72g2000cwu.googlegr oups.com...
I am building an windows service that is to be deployed on a windows
server 2003 and I want to have activity written to the event log, I
want its own log called ('CustomLog')

Below is what I have so far...its builds fine but when I go to start
the service i get the following error.

---------------------------
Services
---------------------------
The CWindowService service on Local Computer started and then stopped.
Some services stop automatically if they have no work to do, for
example, the Performance Logs and Alerts service.
---------------------------
OK
---------------------------
What am I doing wrong? Right after this code I have this line....and it
never had an issue.
EventLog.WriteEntry("Refresh started successfully.");

//1. Create the source, if it does not already exist.
if (!EventLog.SourceExists("CustomLog"))
{
EventLog.CreateEventSource("CustomLog", "MyNewLog");
}
//2. Create an EventLog instance and assign its source.
EventLog myLog = new EventLog();
myLog.Source = "CustomLog";
//3. Write an informational entry to the event log.
myLog.WriteEntry("Writing to event log.");

Jun 27 '06 #3

P: n/a
What credentials is the Service running under? It is possible that the
Service's account does not have the necessary permission to write to the
Event Log.

--
HTH,

Kevin Spencer
Microsoft MVP
Professional Chicken Salad Alchemist

Big thicks are made up of lots of little thins.
<pi*****@hotmail.com> wrote in message
news:11**********************@u72g2000cwu.googlegr oups.com...
I am building an windows service that is to be deployed on a windows
server 2003 and I want to have activity written to the event log, I
want its own log called ('CustomLog')

Below is what I have so far...its builds fine but when I go to start
the service i get the following error.

---------------------------
Services
---------------------------
The CWindowService service on Local Computer started and then stopped.
Some services stop automatically if they have no work to do, for
example, the Performance Logs and Alerts service.
---------------------------
OK
---------------------------
What am I doing wrong? Right after this code I have this line....and it
never had an issue.
EventLog.WriteEntry("Refresh started successfully.");

//1. Create the source, if it does not already exist.
if (!EventLog.SourceExists("CustomLog"))
{
EventLog.CreateEventSource("CustomLog", "MyNewLog");
}
//2. Create an EventLog instance and assign its source.
EventLog myLog = new EventLog();
myLog.Source = "CustomLog";
//3. Write an informational entry to the event log.
myLog.WriteEntry("Writing to event log.");

Jun 27 '06 #4

P: n/a
On 2006-06-27, pi*****@hotmail.com <pi*****@hotmail.com> wrote:
I am building an windows service that is to be deployed on a windows
server 2003 and I want to have activity written to the event log, I
want its own log called ('CustomLog')

Below is what I have so far...its builds fine but when I go to start
the service i get the following error.


When i tried that (on a default windows 2003 installation) i experienced
a problem with access rights. If i remember well, i had to give the
'network' user access rights to the registry keys..

--
Met vriendelijke groeten,
Tim Van Wassenhove <http://timvw.madoka.be>
Jun 28 '06 #5

P: n/a
Check your service account, only admin accounts have the right to "create"
private logs. If your service run with restricted privileges (which is
good), you'll need to create the log from another program, not from within
your service.

Willy.
<pi*****@hotmail.com> wrote in message
news:11**********************@u72g2000cwu.googlegr oups.com...
|I am building an windows service that is to be deployed on a windows
| server 2003 and I want to have activity written to the event log, I
| want its own log called ('CustomLog')
|
| Below is what I have so far...its builds fine but when I go to start
| the service i get the following error.
|
| ---------------------------
| Services
| ---------------------------
| The CWindowService service on Local Computer started and then stopped.
| Some services stop automatically if they have no work to do, for
| example, the Performance Logs and Alerts service.
| ---------------------------
| OK
| ---------------------------
|
|
| What am I doing wrong? Right after this code I have this line....and it
| never had an issue.
| EventLog.WriteEntry("Refresh started successfully.");
|
| //1. Create the source, if it does not already exist.
| if (!EventLog.SourceExists("CustomLog"))
| {
| EventLog.CreateEventSource("CustomLog", "MyNewLog");
| }
|
|
| //2. Create an EventLog instance and assign its source.
| EventLog myLog = new EventLog();
| myLog.Source = "CustomLog";
|
|
| //3. Write an informational entry to the event log.
| myLog.WriteEntry("Writing to event log.");
|
Jun 28 '06 #6

P: n/a

"Tim Van Wassenhove" <ti***@users.sourceforge.net> wrote in message
news:e8**************@TK2MSFTNGP03.phx.gbl...
| On 2006-06-27, pi*****@hotmail.com <pi*****@hotmail.com> wrote:
| > I am building an windows service that is to be deployed on a windows
| > server 2003 and I want to have activity written to the event log, I
| > want its own log called ('CustomLog')
| >
| > Below is what I have so far...its builds fine but when I go to start
| > the service i get the following error.
|
| When i tried that (on a default windows 2003 installation) i experienced
| a problem with access rights. If i remember well, i had to give the
| 'network' user access rights to the registry keys..
|

What registry key's?
The "Network Service" account is a restricted service account with
sufficient privileges to write/read to/from the eventlog, if you elevate
it's privileges, you break what it was designed for.

Willy.
Jun 28 '06 #7

P: n/a
On 2006-06-28, Willy Denoyette [MVP] <wi*************@telenet.be> wrote:

"Tim Van Wassenhove" <ti***@users.sourceforge.net> wrote in message
news:e8**************@TK2MSFTNGP03.phx.gbl...
| On 2006-06-27, pi*****@hotmail.com <pi*****@hotmail.com> wrote:
| > I am building an windows service that is to be deployed on a windows
| > server 2003 and I want to have activity written to the event log, I
| > want its own log called ('CustomLog')
| >
| > Below is what I have so far...its builds fine but when I go to start
| > the service i get the following error.
|
| When i tried that (on a default windows 2003 installation) i experienced
| a problem with access rights. If i remember well, i had to give the
| 'network' user access rights to the registry keys..
|

What registry key's?


HKLM/System/CurrentControlSet/Services/Eventlog (or one of it's
children).
--
Met vriendelijke groeten,
Tim Van Wassenhove <http://timvw.madoka.be>
Jun 28 '06 #8

P: n/a
Yes, but why do you want your service to write to this key?
Only Administrators (and localsystem) are allowed to write to HKLM and
descendants, Service accounts are not supposed to write to HKLM. If you
really need your service to write to HKLM, you need to run as "localsystem".
Again if you grant a non privileged account write access to HKLM, you
severely compromise your system's security.

Willy.

"Tim Van Wassenhove" <ti***@users.sourceforge.net> wrote in message
news:uu**************@TK2MSFTNGP03.phx.gbl...
| On 2006-06-28, Willy Denoyette [MVP] <wi*************@telenet.be> wrote:
| >
| > "Tim Van Wassenhove" <ti***@users.sourceforge.net> wrote in message
| > news:e8**************@TK2MSFTNGP03.phx.gbl...
| >| On 2006-06-27, pi*****@hotmail.com <pi*****@hotmail.com> wrote:
| >| > I am building an windows service that is to be deployed on a windows
| >| > server 2003 and I want to have activity written to the event log, I
| >| > want its own log called ('CustomLog')
| >| >
| >| > Below is what I have so far...its builds fine but when I go to start
| >| > the service i get the following error.
| >|
| >| When i tried that (on a default windows 2003 installation) i
experienced
| >| a problem with access rights. If i remember well, i had to give the
| >| 'network' user access rights to the registry keys..
| >|
| >
| > What registry key's?
|
| HKLM/System/CurrentControlSet/Services/Eventlog (or one of it's
| children).
|
|
| --
| Met vriendelijke groeten,
| Tim Van Wassenhove <http://timvw.madoka.be>
Jun 28 '06 #9

P: n/a
Every Windows Service runs under a specific user account, which is assigned
to it, either by the developer when creating the installation for the
service, or by an administrator/authorized user via the Services snap-in.
So, there is no single user account under which all Windows Services run.

--
HTH,

Kevin Spencer
Microsoft MVP
Professional Chicken Salad Alchemist

Big thicks are made up of lots of little thins.
"Willy Denoyette [MVP]" <wi*************@telenet.be> wrote in message
news:uk**************@TK2MSFTNGP02.phx.gbl...

"Tim Van Wassenhove" <ti***@users.sourceforge.net> wrote in message
news:e8**************@TK2MSFTNGP03.phx.gbl...
| On 2006-06-27, pi*****@hotmail.com <pi*****@hotmail.com> wrote:
| > I am building an windows service that is to be deployed on a windows
| > server 2003 and I want to have activity written to the event log, I
| > want its own log called ('CustomLog')
| >
| > Below is what I have so far...its builds fine but when I go to start
| > the service i get the following error.
|
| When i tried that (on a default windows 2003 installation) i experienced
| a problem with access rights. If i remember well, i had to give the
| 'network' user access rights to the registry keys..
|

What registry key's?
The "Network Service" account is a restricted service account with
sufficient privileges to write/read to/from the eventlog, if you elevate
it's privileges, you break what it was designed for.

Willy.

Jun 28 '06 #10

P: n/a
> Only Administrators (and localsystem) are allowed to write to HKLM and
descendants, Service accounts are not supposed to write to HKLM.
Services write to Event Logs all the time, and run under a variety of user
accounts. In fact, the majority of the Events in the Event Log are written
by Services. If you look in the Application and System Event Logs, for
example, you will see that almost all Events are written by Services.

That said, by default, members of the Administrators group and the Local
System account are the only accounts allowed to write to the Event Log on a
Windows 2003 server. On the other hand, a Service can certainly run under
the Local System Account, and an account other than the Administrators group
or the Local System account may be granted permission to create and write to
Event Logs as well.

--
HTH,

Kevin Spencer
Microsoft MVP
Professional Chicken Salad Alchemist

Big thicks are made up of lots of little thins.
"Willy Denoyette [MVP]" <wi*************@telenet.be> wrote in message
news:Ox**************@TK2MSFTNGP04.phx.gbl... Yes, but why do you want your service to write to this key?
Only Administrators (and localsystem) are allowed to write to HKLM and
descendants, Service accounts are not supposed to write to HKLM. If you
really need your service to write to HKLM, you need to run as
"localsystem".
Again if you grant a non privileged account write access to HKLM, you
severely compromise your system's security.

Willy.

"Tim Van Wassenhove" <ti***@users.sourceforge.net> wrote in message
news:uu**************@TK2MSFTNGP03.phx.gbl...
| On 2006-06-28, Willy Denoyette [MVP] <wi*************@telenet.be> wrote:
| >
| > "Tim Van Wassenhove" <ti***@users.sourceforge.net> wrote in message
| > news:e8**************@TK2MSFTNGP03.phx.gbl...
| >| On 2006-06-27, pi*****@hotmail.com <pi*****@hotmail.com> wrote:
| >| > I am building an windows service that is to be deployed on a
windows
| >| > server 2003 and I want to have activity written to the event log, I
| >| > want its own log called ('CustomLog')
| >| >
| >| > Below is what I have so far...its builds fine but when I go to
start
| >| > the service i get the following error.
| >|
| >| When i tried that (on a default windows 2003 installation) i
experienced
| >| a problem with access rights. If i remember well, i had to give the
| >| 'network' user access rights to the registry keys..
| >|
| >
| > What registry key's?
|
| HKLM/System/CurrentControlSet/Services/Eventlog (or one of it's
| children).
|
|
| --
| Met vriendelijke groeten,
| Tim Van Wassenhove <http://timvw.madoka.be>

Jun 28 '06 #11

P: n/a
I am currently developing/building this on a Windows XP machine (this
is where the problem is currently) but it will be deployed to a Windows
Server 2003.

As for the comments about the OnStart, is it suggested not put the
writing to logs in this event? I want to have an entry 'Service started
successfully' isnt the that best spot for it.

With regards to permission and access rights, what is the final verdict
on this?

Jun 28 '06 #12

P: n/a
Guilty.

--
HTH,

Kevin Spencer
Microsoft MVP
Professional Chicken Salad Alchemist

Big thicks are made up of lots of little thins.

<pi*****@hotmail.com> wrote in message
news:11*********************@75g2000cwc.googlegrou ps.com...
I am currently developing/building this on a Windows XP machine (this
is where the problem is currently) but it will be deployed to a Windows
Server 2003.

As for the comments about the OnStart, is it suggested not put the
writing to logs in this event? I want to have an entry 'Service started
successfully' isnt the that best spot for it.

With regards to permission and access rights, what is the final verdict
on this?

Jun 28 '06 #13

P: n/a
Who's talking about writing to the eventlog? Tim and I are talking about
writing to the registry ( HKLM ).
Willy.
"Kevin Spencer" <uc*@ftc.gov> wrote in message
news:O5**************@TK2MSFTNGP04.phx.gbl...
|> Only Administrators (and localsystem) are allowed to write to HKLM and
| > descendants, Service accounts are not supposed to write to HKLM.
|
| Services write to Event Logs all the time, and run under a variety of user
| accounts. In fact, the majority of the Events in the Event Log are written
| by Services. If you look in the Application and System Event Logs, for
| example, you will see that almost all Events are written by Services.
|
| That said, by default, members of the Administrators group and the Local
| System account are the only accounts allowed to write to the Event Log on
a
| Windows 2003 server. On the other hand, a Service can certainly run under
| the Local System Account, and an account other than the Administrators
group
| or the Local System account may be granted permission to create and write
to
| Event Logs as well.
|
| --
| HTH,
|
| Kevin Spencer
| Microsoft MVP
| Professional Chicken Salad Alchemist
|
| Big thicks are made up of lots of little thins.
|
|
| "Willy Denoyette [MVP]" <wi*************@telenet.be> wrote in message
| news:Ox**************@TK2MSFTNGP04.phx.gbl...
| > Yes, but why do you want your service to write to this key?
| > Only Administrators (and localsystem) are allowed to write to HKLM and
| > descendants, Service accounts are not supposed to write to HKLM. If you
| > really need your service to write to HKLM, you need to run as
| > "localsystem".
| > Again if you grant a non privileged account write access to HKLM, you
| > severely compromise your system's security.
| >
| > Willy.
| >
| > "Tim Van Wassenhove" <ti***@users.sourceforge.net> wrote in message
| > news:uu**************@TK2MSFTNGP03.phx.gbl...
| > | On 2006-06-28, Willy Denoyette [MVP] <wi*************@telenet.be>
wrote:
| > | >
| > | > "Tim Van Wassenhove" <ti***@users.sourceforge.net> wrote in message
| > | > news:e8**************@TK2MSFTNGP03.phx.gbl...
| > | >| On 2006-06-27, pi*****@hotmail.com <pi*****@hotmail.com> wrote:
| > | >| > I am building an windows service that is to be deployed on a
| > windows
| > | >| > server 2003 and I want to have activity written to the event log,
I
| > | >| > want its own log called ('CustomLog')
| > | >| >
| > | >| > Below is what I have so far...its builds fine but when I go to
| > start
| > | >| > the service i get the following error.
| > | >|
| > | >| When i tried that (on a default windows 2003 installation) i
| > experienced
| > | >| a problem with access rights. If i remember well, i had to give the
| > | >| 'network' user access rights to the registry keys..
| > | >|
| > | >
| > | > What registry key's?
| > |
| > | HKLM/System/CurrentControlSet/Services/Eventlog (or one of it's
| > | children).
| > |
| > |
| > | --
| > | Met vriendelijke groeten,
| > | Tim Van Wassenhove <http://timvw.madoka.be>
| >
| >
|
|
Jun 28 '06 #14

P: n/a
I'm talking about the predefined "Service accounts", these are "SYSTEM" or
'localsystem', 'Local Service' and 'Network Service' In the early day's of
NT4, all services ran under localsystem, since then MSFT learned a lesson,
that is Services where the preferred target for the bad guy's, especially
those who ran with 'interact with the desktop'.
Since then, they added the least privileged 'Service accounts' and advised
to run the services using one of the least privileged "service accounts",
that is 'Local Service or Network Service'. And on Vista, all (system
supplied) services run under one of these Service accounts.
Whether you run a service under another account is up to you, but a system
admin right in it's mind will never allow a service to run as Administrator
or as an account with administrative privileges, he will always apply the
"Least Privilege" security principle.
Willy.

"Kevin Spencer" <uc*@ftc.gov> wrote in message
news:%2******************@TK2MSFTNGP05.phx.gbl...
| Every Windows Service runs under a specific user account, which is
assigned
| to it, either by the developer when creating the installation for the
| service, or by an administrator/authorized user via the Services snap-in.
| So, there is no single user account under which all Windows Services run.
|
| --
| HTH,
|
| Kevin Spencer
| Microsoft MVP
| Professional Chicken Salad Alchemist
|
| Big thicks are made up of lots of little thins.
|
|
| "Willy Denoyette [MVP]" <wi*************@telenet.be> wrote in message
| news:uk**************@TK2MSFTNGP02.phx.gbl...
| >
| > "Tim Van Wassenhove" <ti***@users.sourceforge.net> wrote in message
| > news:e8**************@TK2MSFTNGP03.phx.gbl...
| > | On 2006-06-27, pi*****@hotmail.com <pi*****@hotmail.com> wrote:
| > | > I am building an windows service that is to be deployed on a windows
| > | > server 2003 and I want to have activity written to the event log, I
| > | > want its own log called ('CustomLog')
| > | >
| > | > Below is what I have so far...its builds fine but when I go to start
| > | > the service i get the following error.
| > |
| > | When i tried that (on a default windows 2003 installation) i
experienced
| > | a problem with access rights. If i remember well, i had to give the
| > | 'network' user access rights to the registry keys..
| > |
| >
| > What registry key's?
| > The "Network Service" account is a restricted service account with
| > sufficient privileges to write/read to/from the eventlog, if you elevate
| > it's privileges, you break what it was designed for.
| >
| > Willy.
| >
| >
|
|
Jun 28 '06 #15

P: n/a
yes the original question what about writing to the event log, not the
registry.

Jun 28 '06 #16

P: n/a
Your problem is that you are trying to create your own private log from
within your service, only admins are allowed to do that, that would mean
that your service needs to run with administrative privileges (for instance
as SYSTEM) only to create a log which is a bad idea. So my suggestion is to
have a separate program that creates the log and let the administrator run
this program at install time.

Willy.

<pi*****@hotmail.com> wrote in message
news:11*********************@75g2000cwc.googlegrou ps.com...
|I am currently developing/building this on a Windows XP machine (this
| is where the problem is currently) but it will be deployed to a Windows
| Server 2003.
|
| As for the comments about the OnStart, is it suggested not put the
| writing to logs in this event? I want to have an entry 'Service started
| successfully' isnt the that best spot for it.
|
| With regards to permission and access rights, what is the final verdict
| on this?
|
Jun 28 '06 #17

P: n/a
Right, but Tim has split the thread and talked about writing to the Registry
(HKLM) and I replied to him not to You, right?.

Willy.

<pi*****@hotmail.com> wrote in message
news:11**********************@j72g2000cwa.googlegr oups.com...
| yes the original question what about writing to the event log, not the
| registry.
|
Jun 28 '06 #18

P: n/a
On 2006-06-28, Willy Denoyette [MVP] <wi*************@telenet.be> wrote:
Right, but Tim has split the thread and talked about writing to the Registry
(HKLM) and I replied to him not to You, right?.


No, i said that in order to write to the eventlog, you need to have
permissions to do so.

--
Met vriendelijke groeten,
Tim Van Wassenhove <http://timvw.madoka.be>
Jun 28 '06 #19

P: n/a
On 2006-06-28, Willy Denoyette [MVP] <wi*************@telenet.be> wrote:
Who's talking about writing to the eventlog? Tim and I are talking about
writing to the registry ( HKLM ).
Willy.
"Kevin Spencer" <uc*@ftc.gov> wrote in message
news:O5**************@TK2MSFTNGP04.phx.gbl...
|> Only Administrators (and localsystem) are allowed to write to HKLM and
| > descendants, Service accounts are not supposed to write to HKLM.
|
| Services write to Event Logs all the time, and run under a variety of user
| accounts. In fact, the majority of the Events in the Event Log are written
| by Services. If you look in the Application and System Event Logs, for
| example, you will see that almost all Events are written by Services.
|
| That said, by default, members of the Administrators group and the Local
| System account are the only accounts allowed to write to the Event Log on
a
| Windows 2003 server. On the other hand, a Service can certainly run under
| the Local System Account, and an account other than the Administrators
group
| or the Local System account may be granted permission to create and write
to
| Event Logs as well.
|
| --
| HTH,
|
| Kevin Spencer
| Microsoft MVP
| Professional Chicken Salad Alchemist
|
| Big thicks are made up of lots of little thins.
|
|
| "Willy Denoyette [MVP]" <wi*************@telenet.be> wrote in message
| news:Ox**************@TK2MSFTNGP04.phx.gbl...
| > Yes, but why do you want your service to write to this key?
| > Only Administrators (and localsystem) are allowed to write to HKLM and
| > descendants, Service accounts are not supposed to write to HKLM. If you
| > really need your service to write to HKLM, you need to run as
| > "localsystem".
| > Again if you grant a non privileged account write access to HKLM, you
| > severely compromise your system's security.
| >
| > Willy.
| >
| > "Tim Van Wassenhove" <ti***@users.sourceforge.net> wrote in message
| > news:uu**************@TK2MSFTNGP03.phx.gbl...
| > | On 2006-06-28, Willy Denoyette [MVP] <wi*************@telenet.be>
wrote:
| > | >
| > | > "Tim Van Wassenhove" <ti***@users.sourceforge.net> wrote in message
| > | > news:e8**************@TK2MSFTNGP03.phx.gbl...
| > | >| On 2006-06-27, pi*****@hotmail.com <pi*****@hotmail.com> wrote:
| > | >| > I am building an windows service that is to be deployed on a
| > windows
| > | >| > server 2003 and I want to have activity written to the event log,
I
| > | >| > want its own log called ('CustomLog')
| > | >| >
| > | >| > Below is what I have so far...its builds fine but when I go to
| > start
| > | >| > the service i get the following error.
| > | >|
| > | >| When i tried that (on a default windows 2003 installation) i
| > experienced
| > | >| a problem with access rights. If i remember well, i had to give the
| > | >| 'network' user access rights to the registry keys..
| > | >|
| > | >
| > | > What registry key's?
| > |
| > | HKLM/System/CurrentControlSet/Services/Eventlog (or one of it's
| > | children).
| > |
| > |
| > | --
| > | Met vriendelijke groeten,
| > | Tim Van Wassenhove <http://timvw.madoka.be>
| >
| >
|
|

--
Met vriendelijke groeten,
Tim Van Wassenhove <http://timvw.madoka.be>
Jun 28 '06 #20

P: n/a

"Tim Van Wassenhove" <ti***@users.sourceforge.net> wrote in message
news:eF**************@TK2MSFTNGP03.phx.gbl...
| On 2006-06-28, Willy Denoyette [MVP] <wi*************@telenet.be> wrote:
| > Right, but Tim has split the thread and talked about writing to the
Registry
| > (HKLM) and I replied to him not to You, right?.
|
| No, i said that in order to write to the eventlog, you need to have
| permissions to do so.
Per default, all users have the write privileges to the Application log or
any other private log, only administrator have the write privs. to the
System log, and no-one can directly write to the Security log.
But this is not the point, You said...

If i remember well, i had to give the
| 'network' user access rights to the registry keys..
|
I asked..
What registry key's?


and you replied with:
HKLM/System/CurrentControlSet/Services/Eventlog (or one of it's
children).

and I answered with:

Yes, but why do you want your service to write to this key?
Only Administrators (and localsystem) are allowed to write to HKLM and
descendants, Service accounts are not supposed to write to HKLM. If you
really need your service to write to HKLM, you need to run as "localsystem".
Again if you grant a non privileged account write access to HKLM, you
severely compromise your system's security.

And the point is that giving network user (I guess you mean "Network
Service) write access privileges to
HKLM/System/CurrentControlSet/Services/Eventlog is only required if you want
"Network service" to create the 'source' (private log), which is bad
practice.
Let an administrator create the source (remember "Network Service" is a
restricted account, don't give hime more rights than he deserves :-) and
"Network service" will automatically be able to write to this log without
granting any elevated privileges.
Willy.


Jun 28 '06 #21

P: n/a
>> Who's talking about writing to the eventlog? Tim and I are talking about
writing to the registry ( HKLM ).

You (Tim and you, as you prefer to put it, although I could almost swear
that I am too) are talking about creating an Event Log, and writing to it.
Yes, this is done via the System registry, but the registry does not have a
single set of permissions for all registry keys. It has highly granular
permissions. If writing a .Net application, you are not likely to be writing
directly to the registry in order to do this, but more likely to be using
the EventLog classes.

To create an Event Log, the user account must be a member of the
Administrators group on the local machine, or the local System account. The
permissions can be changed as well, but that is not likely to be helpful
(as, when the application moves to a different machine, the permissions must
be changed on any machine it is moved to). So, what I said still stands: If
you want your service to create an Event Log, it must run as a user account
that is either the Local System or a member of the Administrators group. If
you have a look at your Service Manager, you will see that many Services run
under these types of accounts, and for a variety of reasons.

--
HTH,

Kevin Spencer
Microsoft MVP
Professional Chicken Salad Alchemist

Big thicks are made up of lots of little thins.
"Tim Van Wassenhove" <ti***@users.sourceforge.net> wrote in message
news:ed**************@TK2MSFTNGP03.phx.gbl... On 2006-06-28, Willy Denoyette [MVP] <wi*************@telenet.be> wrote:
Who's talking about writing to the eventlog? Tim and I are talking about
writing to the registry ( HKLM ).
Willy.
"Kevin Spencer" <uc*@ftc.gov> wrote in message
news:O5**************@TK2MSFTNGP04.phx.gbl...
|> Only Administrators (and localsystem) are allowed to write to HKLM and
| > descendants, Service accounts are not supposed to write to HKLM.
|
| Services write to Event Logs all the time, and run under a variety of
user
| accounts. In fact, the majority of the Events in the Event Log are
written
| by Services. If you look in the Application and System Event Logs, for
| example, you will see that almost all Events are written by Services.
|
| That said, by default, members of the Administrators group and the Local
| System account are the only accounts allowed to write to the Event Log
on
a
| Windows 2003 server. On the other hand, a Service can certainly run
under
| the Local System Account, and an account other than the Administrators
group
| or the Local System account may be granted permission to create and
write
to
| Event Logs as well.
|
| --
| HTH,
|
| Kevin Spencer
| Microsoft MVP
| Professional Chicken Salad Alchemist
|
| Big thicks are made up of lots of little thins.
|
|
| "Willy Denoyette [MVP]" <wi*************@telenet.be> wrote in message
| news:Ox**************@TK2MSFTNGP04.phx.gbl...
| > Yes, but why do you want your service to write to this key?
| > Only Administrators (and localsystem) are allowed to write to HKLM and
| > descendants, Service accounts are not supposed to write to HKLM. If
you
| > really need your service to write to HKLM, you need to run as
| > "localsystem".
| > Again if you grant a non privileged account write access to HKLM, you
| > severely compromise your system's security.
| >
| > Willy.
| >
| > "Tim Van Wassenhove" <ti***@users.sourceforge.net> wrote in message
| > news:uu**************@TK2MSFTNGP03.phx.gbl...
| > | On 2006-06-28, Willy Denoyette [MVP] <wi*************@telenet.be>
wrote:
| > | >
| > | > "Tim Van Wassenhove" <ti***@users.sourceforge.net> wrote in
message
| > | > news:e8**************@TK2MSFTNGP03.phx.gbl...
| > | >| On 2006-06-27, pi*****@hotmail.com <pi*****@hotmail.com> wrote:
| > | >| > I am building an windows service that is to be deployed on a
| > windows
| > | >| > server 2003 and I want to have activity written to the event
log,
I
| > | >| > want its own log called ('CustomLog')
| > | >| >
| > | >| > Below is what I have so far...its builds fine but when I go to
| > start
| > | >| > the service i get the following error.
| > | >|
| > | >| When i tried that (on a default windows 2003 installation) i
| > experienced
| > | >| a problem with access rights. If i remember well, i had to give
the
| > | >| 'network' user access rights to the registry keys..
| > | >|
| > | >
| > | > What registry key's?
| > |
| > | HKLM/System/CurrentControlSet/Services/Eventlog (or one of it's
| > | children).
| > |
| > |
| > | --
| > | Met vriendelijke groeten,
| > | Tim Van Wassenhove <http://timvw.madoka.be>
| >
| >
|
|

--
Met vriendelijke groeten,
Tim Van Wassenhove <http://timvw.madoka.be>

Jun 29 '06 #22

P: n/a

"Kevin Spencer" <uc*@ftc.gov> wrote in message
news:%2***************@TK2MSFTNGP03.phx.gbl...
| >> Who's talking about writing to the eventlog? Tim and I are talking
about
| >> writing to the registry ( HKLM ).
|
| You (Tim and you, as you prefer to put it, although I could almost swear
| that I am too)
No, I was only talking about writing to the Registry (more exactly to HKLM)
again re-read my response to Tim.
You (and Tim as I found out later) are talking about writing to the Registry
for the purpose of creating a log entry.

| Yes, this is done via the System registry, but the registry does not have
a
| single set of permissions for all registry keys. It has highly granular
| permissions. If writing a .Net application, you are not likely to be
writing
| directly to the registry in order to do this, but more likely to be using
| the EventLog classes.
|

That's what I tried to explain to Tim - user applications and user services
for that matter, better stay away from the registry security settings
especially from HKLM, right?

| To create an Event Log, the user account must be a member of the
| Administrators group on the local machine, or the local System account.

That's right, but that doesn't mean it's the task of the service to create
the log, you don't want your service to run as localsystem (or worse as
administrator), just for the purpose of a one time creation of a log entry
(source) do you? This is the task of a separate administrative tool, a
simple five lines C# application or a simple vbscript, that should be run as
part of the service deployement.

The
| permissions can be changed as well, but that is not likely to be helpful
| (as, when the application moves to a different machine, the permissions
must
| be changed on any machine it is moved to). So, what I said still stands:
If
| you want your service to create an Event Log, it must run as a user
account
| that is either the Local System or a member of the Administrators group.
If
| you have a look at your Service Manager, you will see that many Services
run
| under these types of accounts, and for a variety of reasons.
|

None of the services run as Administrator, a great deal run as SYSTEM (on
anything except Vista and LH server) but this will soon be history, MSFT has
learned a lesson. A number of servives still run as localsystem, just
because they can't/won't change that to a less privileged user without
changing other depending processes as well, those that could be changed
easely are now running as Local Service or Network Service.
The major reason (bute there are others) for this is a design flaw in the
"LogonUser" API which requires TCB privileges on anything below XP and W2K3.
TCB privileges are only granted to 'localsystem' on NT4 and W2K, that means
that Services that need to impersonate must run as SYSTEM on these downlevel
OS'ses. Again these services are the number one security attack targets, and
it's not because MSFT made a mistake that you should follow their example
right?

Willy.



Jun 29 '06 #23

P: n/a
Just one comment:
None of the services run as Administrator, a great deal run as SYSTEM (on
I didn't say the Administrator account. I said "a member of the
Administrators group on the local machine."

That said, I didn't advocate using a member of the Administrator's group; it
was just information.

As to whether or not a Service should run as the Local System account,
that's a matter of what the Service does (requirements). Whether it should
be run as Local System just to create an Event Log, that isn't necessary, as
the installation could set up the Event Log. Of course, the person running
the installation would have to be a member of the Administrator's group to
do this.

--
HTH,

Kevin Spencer
Microsoft MVP
Professional Chicken Salad Alchemist

Big thicks are made up of lots of little thins.
"Willy Denoyette [MVP]" <wi*************@telenet.be> wrote in message
news:Oc**************@TK2MSFTNGP02.phx.gbl...
"Kevin Spencer" <uc*@ftc.gov> wrote in message
news:%2***************@TK2MSFTNGP03.phx.gbl...
| >> Who's talking about writing to the eventlog? Tim and I are talking
about
| >> writing to the registry ( HKLM ).
|
| You (Tim and you, as you prefer to put it, although I could almost swear
| that I am too)
No, I was only talking about writing to the Registry (more exactly to
HKLM)
again re-read my response to Tim.
You (and Tim as I found out later) are talking about writing to the
Registry
for the purpose of creating a log entry.

| Yes, this is done via the System registry, but the registry does not
have
a
| single set of permissions for all registry keys. It has highly granular
| permissions. If writing a .Net application, you are not likely to be
writing
| directly to the registry in order to do this, but more likely to be
using
| the EventLog classes.
|

That's what I tried to explain to Tim - user applications and user
services
for that matter, better stay away from the registry security settings
especially from HKLM, right?

| To create an Event Log, the user account must be a member of the
| Administrators group on the local machine, or the local System account.

That's right, but that doesn't mean it's the task of the service to create
the log, you don't want your service to run as localsystem (or worse as
administrator), just for the purpose of a one time creation of a log entry
(source) do you? This is the task of a separate administrative tool, a
simple five lines C# application or a simple vbscript, that should be run
as
part of the service deployement.

The
| permissions can be changed as well, but that is not likely to be helpful
| (as, when the application moves to a different machine, the permissions
must
| be changed on any machine it is moved to). So, what I said still stands:
If
| you want your service to create an Event Log, it must run as a user
account
| that is either the Local System or a member of the Administrators group.
If
| you have a look at your Service Manager, you will see that many Services
run
| under these types of accounts, and for a variety of reasons.
|

None of the services run as Administrator, a great deal run as SYSTEM (on
anything except Vista and LH server) but this will soon be history, MSFT
has
learned a lesson. A number of servives still run as localsystem, just
because they can't/won't change that to a less privileged user without
changing other depending processes as well, those that could be changed
easely are now running as Local Service or Network Service.
The major reason (bute there are others) for this is a design flaw in the
"LogonUser" API which requires TCB privileges on anything below XP and
W2K3.
TCB privileges are only granted to 'localsystem' on NT4 and W2K, that
means
that Services that need to impersonate must run as SYSTEM on these
downlevel
OS'ses. Again these services are the number one security attack targets,
and
it's not because MSFT made a mistake that you should follow their example
right?

Willy.


Jun 30 '06 #24

P: n/a

"Kevin Spencer" <uc*@ftc.gov> wrote in message
news:O8**************@TK2MSFTNGP04.phx.gbl...
| Just one comment:
|
| > None of the services run as Administrator, a great deal run as SYSTEM
(on
|
| I didn't say the Administrator account. I said "a member of the
| Administrators group on the local machine."
|
Nor did I, an Administrator IS a member of the administrators group, I
didn't spell THE Administrator, right? But if you insist, none of my
services run as 'a member of the Administrators group".
| That said, I didn't advocate using a member of the Administrator's group;
it
| was just information.
|
| As to whether or not a Service should run as the Local System account,
| that's a matter of what the Service does (requirements). Whether it should
| be run as Local System just to create an Event Log, that isn't necessary,
as
| the installation could set up the Event Log. Of course, the person running
| the installation would have to be a member of the Administrator's group to
| do this.

Sure, but that's the role of an admin, execute tasks that require
administrative privileges. The problem with the framework however is, that
none of the API's are documenting these security requirements.

Consider the sample in the docs:
// Create the source, if it does not already exist.
if(!EventLog.SourceExists("MySource")){
EventLog.CreateEventSource("MySource", "MyNewLog");
Console.WriteLine("CreatingEventSource");

....

This should be run by an "administrator", for two reasons:
1. The CreateEventSource call, creates the key MySource in
HKLM/System/CurrentControlSet/Services/Eventlog
2. and CreateEventSource creates the logfile in %windir%\system32\config
which only allows admins to create files into.

Someone running this code as non-admin, will encounter two security issues
and will start tweaking the registry and the filesystem, bummer. More, he
will probably post this as THE solution for the issue at hand.

Willy.



Jun 30 '06 #25

P: n/a


It has got nothing to do with Event log and permissions.
Check your Onstart Method. Have a timer on your service design page and
have timer1.Enabled = true in your start method and
write every thing else in timer1.elapsed event.

*** Sent via Developersdex http://www.developersdex.com ***
Jul 10 '06 #26

P: n/a
I get most of my info from the Internet, but sometimes I have to revert
to good old faithful MSDN, which in itself is sometimes a nightmare to
find relevant solutions. Sometimes I need to take a shower and really
start thinking. The following solution I cannot guarantee, but in .NET
developed applications, where you have a lot of memory and high speed
processors, especially dual processors and that includes hyper threaded
processors, this just may help solving the problem.

The Garbage Collector plays a big role in this. If you opens the tread,
instantiate an object and does not use that object fast enough, it just
may end up in the GC purse. So turn off the aggressive garbage
collection by the following statement:

//C# Code
CG.KeepAlive(myObject);

I have a service using System.Timers namespace. Yesterday everything
was working fine, all of a sudden my PC restarted while the timer
service was running, and I could not get the service up and running,
until the line of code above.

As I said it may not work in all instances, especially I cannot help
those calling of-the-shelve applications.

Hope this will help.

Pierre

*** Sent via Developersdex http://www.developersdex.com ***
Jul 8 '07 #27

P: n/a


I hope you added the local webreference in the windows Service.

Simply you change service process installer Account into LocalSystem.

*** Sent via Developersdex http://www.developersdex.com ***
Dec 28 '07 #28

This discussion thread is closed

Replies have been disabled for this discussion.