Re: Windows Service - Event Log




"Kevin Spencer" <uce@xxxxxxx> wrote in message
news:%23rTGi02mGHA.192@xxxxxxxxxxxxxxxxxxxxxxx
| >> Who's talking about writing to the eventlog? Tim and I are talking about
| >> writing to the registry ( HKLM ).
|
| You (Tim and you, as you prefer to put it, although I could almost swear
| that I am too)


No, I was only talking about writing to the Registry (more exactly to HKLM);
again, re-read my response to Tim.
You (and Tim as I found out later) are talking about writing to the Registry
for the purpose of creating a log entry.

| Yes, this is done via the System registry, but the registry does not have a
| single set of permissions for all registry keys. It has highly granular
| permissions. If writing a .Net application, you are not likely to be writing
| directly to the registry in order to do this, but more likely to be using
| the EventLog classes.
|

That's what I tried to explain to Tim - user applications and user services
for that matter, better stay away from the registry security settings
especially from HKLM, right?

| To create an Event Log, the user account must be a member of the
| Administrators group on the local machine, or the local System account.

That's right, but that doesn't mean it's the task of the service to create
the log, you don't want your service to run as localsystem (or worse as
administrator), just for the purpose of a one time creation of a log entry
(source) do you? This is the task of a separate administrative tool, a
simple five lines C# application or a simple vbscript, that should be run as
part of the service deployment.

| The permissions can be changed as well, but that is not likely to be helpful
| (as, when the application moves to a different machine, the permissions must
| be changed on any machine it is moved to). So, what I said still stands: If
| you want your service to create an Event Log, it must run as a user account
| that is either the Local System or a member of the Administrators group. If
| you have a look at your Service Manager, you will see that many Services run
| under these types of accounts, and for a variety of reasons.
|

None of the services run as Administrator, a great deal run as SYSTEM (on
anything except Vista and LH server) but this will soon be history, MSFT has
learned a lesson. A number of services still run as localsystem, just
because they can't/won't change that to a less privileged user without
changing other depending processes as well, those that could be changed
easily are now running as Local Service or Network Service.
The major reason (but there are others) for this is a design flaw in the
"LogonUser" API which requires TCB privileges on anything below XP and W2K3.
TCB privileges are only granted to 'localsystem' on NT4 and W2K, that means
that Services that need to impersonate must run as SYSTEM on these downlevel
OSes. Again these services are the number one security attack targets, and
it's not because MSFT made a mistake that you should follow their example
right?

Willy.
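
The split described in the post above, sketched as an added example that is not part of the original thread: a small elevated tool registers the event source once at deployment, so the service account only ever writes entries. The source name "MyService" and the choice of the "Application" log are assumptions made for illustration.

```csharp
using System;
using System.Diagnostics;
using System.Security.Principal;

// Deployment-time tool: run once, elevated, by the installer.
// "MyService" is a hypothetical source name; "Application" is the target log.
static class RegisterEventSource
{
    const string Source = "MyService";
    const string LogName = "Application";

    static int Main()
    {
        // Creating a source writes under HKLM, so refuse to run unelevated.
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            if (!new WindowsPrincipal(id).IsInRole(WindowsBuiltInRole.Administrator))
            {
                Console.Error.WriteLine("Run this tool elevated (Administrators).");
                return 1;
            }
        }

        // SourceExists searches every log, including Security, which is why
        // it is called here and never from the low-privileged service.
        if (EventLog.SourceExists(Source))
        {
            string current = EventLog.LogNameFromSourceName(Source, ".");
            if (!string.Equals(current, LogName, StringComparison.OrdinalIgnoreCase))
            {
                Console.Error.WriteLine("Source already bound to log '{0}'.", current);
                return 2;
            }
            Console.WriteLine("Source already registered; nothing to do.");
            return 0;
        }

        EventLog.CreateEventSource(Source, LogName);
        Console.WriteLine("Registered source '{0}' in log '{1}'.", Source, LogName);
        return 0;
    }
}

// In the service itself (running as Local Service or Network Service),
// only write; never call SourceExists or CreateEventSource:
//   EventLog.WriteEntry("MyService", "Service started.", EventLogEntryType.Information);
```

Exit code 2 flags a source already bound to a different log; the tool reports that case and leaves the existing registration alone.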






