I’ve had this problem today so thought I’d post it here as it was quite hard to sort out and the thing that finally fixed it was a reply in a forum somewhere.
You may find that you get a message similar to the following when your application attempts to write to an event log:
Cannot open log for source XYZ. You may not have write access.
The solution is straightforward, but sadly there is no GUI to implement it; instead you must edit a registry string value using SDDL (Security Descriptor Definition Language).
Here are the steps to take to try and resolve this issue:
1. Open regedit.exe.
2. Navigate to HKLM\System\CurrentControlSet\Services\EventLog\[EventLogName].
3. Edit/Create a new string value called CustomSD.
4. Append the following to the CustomSD string value (without the quotes): “(A;;0x7;;;S-1-1-0)”.
Hopefully your application should now be working, but this isn’t the perfect solution, as it’s akin to granting “Everyone” all access to read/write/clear your event log. Let me explain.
AceType: “A” = 0x00 (ACCESS_ALLOWED_ACE_TYPE)
AceFlags: “” = 0x00
Access Mask: “0x7” = Read, Write, Clear
Ace Sid: “S-1-1-0” = Security Identifier (SID) of the Everyone group (found using whoami.exe)
Obviously you should probably change the access mask and ACE SID to be more locked-down, but admittedly this is what I did to get things working.
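To check a CustomSD value for the over-broad grant described above, the following added example (not code from the original post) decodes each ACE's event-log access mask and flags allow ACEs that give Write or Clear to broad principals, then builds a write-only ACE for a single account. The function names, the list of broad principals and the sample string are assumptions made for illustration.

```python
import re

# Event-log access rights carried in the low bits of the ACE access mask.
RIGHTS = {0x1: "Read", 0x2: "Write", 0x4: "Clear"}
# Broad principals, as SDDL aliases and as raw SIDs.
BROAD = {
    "WD": "Everyone", "S-1-1-0": "Everyone",
    "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
    "AN": "Anonymous", "S-1-5-7": "Anonymous",
    "BU": "Builtin Users", "S-1-5-32-545": "Builtin Users",
    "BG": "Builtin Guests", "S-1-5-32-546": "Builtin Guests",
}
# Constructed sample CustomSD value ending with the ACE from step 4.
SAMPLE = ("O:BAG:SYD:(D;;0xf0007;;;AN)(A;;0xf0007;;;SY)"
          "(A;;0x7;;;BA)(A;;0x1;;;IU)(A;;0x7;;;S-1-1-0)")


def parse_aces(sddl):
    """Yield (ace_type, mask, sid) for each ACE whose rights field is hex."""
    for body in re.findall(r"\(([^()]*)\)", sddl):
        fields = body.split(";")
        if len(fields) != 6 or not fields[2].lower().startswith("0x"):
            continue  # malformed, or letter-coded rights (not handled here)
        yield fields[0], int(fields[2], 16), fields[5]


def decode_mask(mask):
    """Name the event-log rights set in an access mask."""
    return [name for bit, name in RIGHTS.items() if mask & bit]


def audit_custom_sd(sddl):
    """List allow ACEs that grant Write or Clear to a broad principal."""
    return [(BROAD[sid], sid, decode_mask(mask))
            for ace_type, mask, sid in parse_aces(sddl)
            if ace_type == "A" and sid in BROAD and mask & 0x6]


def write_only_ace(sid):
    """Build an allow ACE granting only Write (0x2) to one account SID."""
    return f"(A;;0x2;;;{sid})"


if __name__ == "__main__":
    for name, sid, rights in audit_custom_sd(SAMPLE):
        print(f"{name} ({sid}) is allowed: {', '.join(rights)}")
```

Replacing the Everyone ACE with the output of write_only_ace() for the application's own account SID leaves that account able to write events without letting every user read or clear the log.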
Hope this has helped. These are the websites I used to get me this far:
- The forum where I found my answer.
- MSDN article on configuring access.
- SDDL Syntax.
- ACE Strings.
- Google search that got me going.