WORK IN PROGRESS
1. Check whether the event source you want to log to already exists; if not, create the event source in the registry:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\YOURLOGSOURCE]
"EventMessageFile"="C:\\WINDOWS\\Microsoft.NET\\Framework\\v2.0.50727\\EventLogMessages.dll"
Copy and paste the above into Notepad and save it with ANSI encoding and a .reg extension.
2. Identify which Windows user your application runs under.
//TODO:(SD) Provide guidance and tools
3. Knowing the name of the user or group from step 2, find out its SID.
The user may have a well-known SID: http://support.microsoft.com/kb/243330
Otherwise:
• use PowerShell (doesn't require knowledge of the user's password): http://www.microsoft.com/technet/scriptcenter/resources/pstips/feb08/pstip0201.mspx
• use VBScript: http://www.activexperts.com/activmonitor/windowsmanagement/adminscripts/usersgroups/localusers/
• use whoami: use runas to open a cmd console as the app pool user, then run whoami /all in that console to find the SID
• use .NET code:
using System;
using System.Security.Principal;
// Translates an account name to its SID; no password is required.
NTAccount account = new NTAccount("domain\\username");
Console.WriteLine("SID: " + account.Translate(typeof(SecurityIdentifier)).Value);
Use the SID of either the user or the required group it belongs to.
4. Append the required SDDL ACE to the current value of the CustomSD registry entry of the event log that holds your source (e.g. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application if you set up your event source in the Application node):
(A;;0xY;;;SID)
where 0xY is the access-flags field, calculated as a bitmask of:
• 1 = Read
• 2 = Write
• 4 = Clear
So for example 0x3 gives read and write access. More info on SDDL: http://support.microsoft.com/kb/323076
SID is the SID value found in step 3.
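The whole procedure from step 2 onwards, as an added PowerShell example that is not part of the original post: it resolves the account identified in step 2 to its SID (step 3, no password needed), reads the log's CustomSD value, skips the change if an allow ACE for that SID already covers the requested mask, builds the (A;;0xY;;;SID) entry from step 4, re-parses the result so an invalid SDDL string is rejected before it ever reaches the registry, and writes it back only when -Apply is given. The account name, log name and parameter names are assumptions; run it from an elevated prompt because HKLM is written.

```powershell
# Added example (not from the original post). Assumed parameter names and defaults.
param(
    [string]$Account    = 'NT AUTHORITY\NETWORK SERVICE',  # assumed: the identity from step 2
    [string]$LogName    = 'Application',                   # assumed: the log holding your event source
    [int]   $AccessMask = 0x3,                             # 1 = Read, 2 = Write, 4 = Clear; 0x3 = read + write
    [switch]$Apply                                         # without -Apply nothing is written
)

# Step 3: translate the account name to its SID. Works for local and domain
# accounts and for groups; the caller's own token is enough, no password needed.
$nt  = New-Object System.Security.Principal.NTAccount($Account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
Write-Host "SID for '$Account' is $sid"

# Step 4: locate the CustomSD value of the chosen log.
$key     = "HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\$LogName"
$current = (Get-ItemProperty -Path $key -Name CustomSD -ErrorAction SilentlyContinue).CustomSD
if (-not $current) {
    throw "No CustomSD value found under $key; nothing to append to."
}

# Parse the existing descriptor and check for an allow ACE that already grants
# the requested bits to this SID, so repeated runs do not pile up duplicate ACEs.
$sd       = New-Object System.Security.AccessControl.RawSecurityDescriptor($current)
$existing = $sd.DiscretionaryAcl | Where-Object {
    $_.AceType -eq 'AccessAllowed' -and
    $_.SecurityIdentifier.Value -eq $sid -and
    (($_.AccessMask -band $AccessMask) -eq $AccessMask)
}
$hex = '{0:x}' -f $AccessMask
if ($existing) {
    Write-Host "An ACE already grants 0x$hex to $sid; nothing to do."
    return
}

# Build the ACE exactly in the (A;;0xY;;;SID) form and append it to the DACL.
$ace = "(A;;0x$hex;;;$sid)"
$new = $current + $ace

# Validation: an SDDL string that does not parse throws here, before any write.
$null = New-Object System.Security.AccessControl.RawSecurityDescriptor($new)
Write-Host "New CustomSD would be:`n$new"

if ($Apply) {
    Set-ItemProperty -Path $key -Name CustomSD -Value $new
    Write-Host "CustomSD under $key updated."
} else {
    Write-Host "Dry run only; re-run with -Apply to write the value."
}
```

Appending keeps the existing deny ACEs (such as those for anonymous and guest accounts) ahead of the new allow, so the DACL stays in canonical order and those denies still win for the principals they name; only the SID you supplied gains the extra bits. The dry-run default lets you review the full descriptor before anything under HKLM changes.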