Answered Error while writing to Application Logs

  • Saturday, October 06, 2012 1:17 PM
    Hi All,
    I am writing a script with custom delegation to write an event to the Application log.
    I want members of a specific group to be able to write to the Application log. I tried a lot using SDDL string manipulation but no go, still getting an access denied error.

    I have added that particular group with read/write access on C:\Windows\system32\winevt\Logs

    HKLM\System\CurrentControlSet\Services\EventLog\[EventLogName].
    Edit/Create a new string value called CustomSD.
    Add this: (A;;0x3;;;<GroupSID>)

    Tried using wevtutil: changed the channelAccess entry and tried to import it, but it's also failing. Tried the GPO method of modifying the Sceregvl.inf file, but still the same error, and if I dump the SDDL I can't see that group SID added to the channelAccess entry (wevtutil gl application >ca.txt).
    wevtutil sl Application /ca:O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)(A;;0x3;;;<GroupSID>)

    Here is the code snippet.

    ########
    Param(
        # Length of the maintenance window in minutes
        [Int]$TimeInterval
    )

    $Date = Get-Date
    $Edate = $Date.AddMinutes($TimeInterval)
    $Interval = ($Edate - $Date).TotalMinutes
    # Account the script runs under (the remote session's identity when using PSRemoting)
    $CurrentUser = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $Message = "Maintenance Mode: ON for " + $Interval + " minutes. Turned on by:`r`n`r`n" + $CurrentUser
    $WSH = New-Object -ComObject WScript.Shell
    # LogEvent type 4 = Information; writes to the Application log under source "WSH".
    # Returns $true on success, $false if the write was denied.
    $a = $WSH.LogEvent(4, $Message)
    ########

    Is there anything I am missing? NOTE: I am using PSRemoting to write these events, but I tried locally as well without any success. Any help or pointers will be appreciated.

    • Edited by P-R Saturday, October 06, 2012 1:18 PM

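Added example (not from the original post or any reply): a PowerShell check that parses a channelAccess SDDL string with .NET's RawSecurityDescriptor and reports which SIDs hold the event-log write bit (0x2), so the string can be validated before it is applied with wevtutil and the group's grant confirmed afterwards. The group SID is a placeholder; the sample SDDL is the default Application channel ACL quoted in the question.

```powershell
# Added example: parse a channel access SDDL and list which SIDs may write.
# RawSecurityDescriptor accepts SDDL directly and throws on a malformed string,
# which is more useful than wevtutil silently rejecting an entry.
function Get-ChannelAccessGrants {
    param([Parameter(Mandatory)][string]$Sddl)

    # Throws System.ArgumentException if the SDDL is syntactically invalid
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)

    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        $sid = $ace.SecurityIdentifier
        # Resolve to an account name where possible; unknown SIDs stay as SID strings
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }
        [pscustomobject]@{
            Sid      = $sid.Value
            Account  = $name
            AceType  = $ace.AceType                      # AccessAllowed / AccessDenied
            Mask     = ('0x{0:x}' -f $ace.AccessMask)
            CanRead  = [bool]($ace.AccessMask -band 0x1)  # event log read bit
            CanWrite = [bool]($ace.AccessMask -band 0x2)  # event log write bit
            CanClear = [bool]($ace.AccessMask -band 0x4)  # event log clear bit
        }
    }
}

# Constructed sample: default Application channel ACL plus a placeholder group SID
$groupSid = 'S-1-5-21-1111111111-2222222222-3333333333-1105'   # PLACEHOLDER, not a real group
$sddl = 'O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)' +
        "(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)(A;;0x3;;;$groupSid)"

# 1. Validate the string and confirm the intended grant before applying it
$grants = Get-ChannelAccessGrants -Sddl $sddl
$grants | Format-Table -AutoSize
$groupGrant = $grants | Where-Object { $_.Sid -eq $groupSid -and $_.AceType -eq 'AccessAllowed' }
if (-not $groupGrant -or -not $groupGrant.CanWrite) {
    Write-Warning "Group $groupSid is not granted write (0x2) in the proposed SDDL"
}

# 2. Compare with what the live channel actually carries (run elevated)
$liveSddl = (wevtutil gl Application | Where-Object { $_ -match '^channelAccess:' }) -replace '^channelAccess:\s*', ''
$liveGrant = Get-ChannelAccessGrants -Sddl $liveSddl | Where-Object { $_.Sid -eq $groupSid }
if (-not $liveGrant) { Write-Warning "Group $groupSid does not appear in the applied channelAccess" }
```

If step 2 shows the group missing, the SDDL was never applied to the channel, which is a different problem from an ACE that is present but lacks the 0x2 bit.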
All Replies