Check if event log source exists for non admins

  • Question

  • Hi there,

    I permitted, via "wevtutil", a user to write to the Application event log. That means this user is able to execute the command

    New-EventLog -LogName "Application" -Source "abc"

    without any errors. But the same user can't execute

    [System.Diagnostics.EventLog]::SourceExists("abc")

    because he is not able to check all event logs to see whether the source exists. How do I scope the 2nd command to the Application log, where this user has access rights?

    ök

    Tuesday, May 7, 2019 12:38 PM

Answers

  • You can't.  The method can only check for the whole computer.  Only an Admin has access to that call when the event logs are protected.


    \_(ツ)_/


    • Edited by jrv Tuesday, May 7, 2019 12:58 PM
    • Marked as answer by Zero3000 Tuesday, May 7, 2019 3:45 PM
    Tuesday, May 7, 2019 12:54 PM

All replies

  • Also note that, if the source exists, a $true will be returned and there will be no error.  If the source does not exist then an exception will be thrown.  This will tell you that the source does not exist. This will never work if you try to create a source and use it in the Security log.


    \_(ツ)_/

    Tuesday, May 7, 2019 1:16 PM
  • But my user has access to the application event logs. Is there no call for this container?
    Tuesday, May 7, 2019 1:53 PM
  • Ah ok, you mean there is only a call for the whole computer because the source names have to be unique over all containers?

    • Edited by Zero3000 Tuesday, May 7, 2019 1:57 PM
    Tuesday, May 7, 2019 1:57 PM
  • Ah ok, you mean there is only a call for the whole computer because the source names have to be unique over all containers?

    That is what the docs tell you.  If it is not found then the security log and state logs will be searched but those registry keys are protected.  If it is found then the call will return true.  The logs are searched in alphabetical order.  Since the name has to be unique then the search stops when a match is found.


    \_(ツ)_/

    Tuesday, May 7, 2019 2:04 PM
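The registry walk jrv describes is what makes `SourceExists()` fail for a non-admin: each registered source is a subkey of its log under `HKLM:\SYSTEM\CurrentControlSet\Services\EventLog`, and the method reads every log's key, including the protected `Security` key. The script below is an added example, not code from the thread or from Microsoft; it scopes the check to one log by reading only that log's key (which standard users can read by default), and wraps `SourceExists()` so an access-denied result is reported separately from "source not registered". The function names, parameters and the `Application`/`abc` values are assumptions chosen for the illustration.

```powershell
# Added example (not from the thread). Checks whether an event source is
# registered under ONE specific log by reading that log's registry key,
# rather than calling SourceExists(), which walks every log's key and
# throws SecurityException for users who cannot read the Security key.
# Assumption: the caller can read the registry key of the log it asks about.

function Test-EventSourceInLog {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $LogName,   # e.g. 'Application'
        [Parameter(Mandatory)] [string] $Source     # e.g. 'abc'
    )

    # Every registered source is a subkey of its log under this key.
    $logKey = Join-Path 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog' $LogName

    if (-not (Test-Path -LiteralPath $logKey)) {
        throw "Log '$LogName' is not registered on this computer (or its key is not readable)."
    }

    # Source names are case-insensitive; Test-Path on the subkey is enough.
    $sourceKey = Join-Path $logKey $Source
    return (Test-Path -LiteralPath $sourceKey)
}

# Wrapper around the whole-computer check that distinguishes
# "access denied" from "source does not exist".
function Test-EventSourceAnyLog {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $Source)

    try {
        return [System.Diagnostics.EventLog]::SourceExists($Source)
    }
    catch [System.Security.SecurityException] {
        Write-Warning ("SourceExists('{0}') needs read access to every log's registry key " +
                       "(including Security); run elevated or scope the check to one log.") -f $Source
        return $null   # unknown, not false
    }
}

# Usage (example values; 'abc' is the source from the question):
Test-EventSourceInLog -LogName 'Application' -Source 'abc'
Test-EventSourceAnyLog -Source 'abc'
```

Because source names must be unique across all logs, a `$true` from `Test-EventSourceInLog` for the Application log is conclusive; a `$false` only tells you the source is not under that log, which is still the right answer for a user who may only write there. Note that this scoped check is a read-only substitute for the existence test, not for `New-EventLog` itself, which still needs write access to the log's key.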