Getting error "Microsoft VBScript runtime error '800a0046' Permission denied" when writing to event logs through ASP page
Few days back I worked upon an issue where we were trying to write into the Events logs from classic ASP page using Windows Script. You can find more details about this on How To Log Events from Active Server Pages and about using the Windows Script here Windows Scripts
The code of the ASP page looked like:
<%
'Use these Constants to designate the type of Event Log.
const SUCCESS = 0
const ERROR = 1
const WARNING = 2
const INFORMATION = 4
const AUDIT_SUCCESS = 8
const AUDIT_FAILURE = 16
dim WshShell
set WshShell = Server.CreateObject("WScript.Shell")
wshshell.Logevent WARNING, "Test Event Log by Windows Script Host!"
set wshshell=nothing
Response.write "Event Logged Successfully by Windows Script Host!"
%>
However by default there is limited security access rights to system event logs. Hence in order to achieve this, we need to modify a registry key which could provide required access to event logs. Now to give the thread or lets say context identity rights to read/write the Application and/or System event log, one must modify the security of event log through the registry values under (select the event log that your application is writing to):
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Application\CustomSD
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\System\CustomSD
The Security Descriptor or in other words the value for the CustomSD for each log is specified by using Security Descriptor Definition Language (SDDL) syntax. Get more information on SDDL Syntax here.
By default this is the value of CustomSD key for the Application event log:
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)
To construct an SDDL string, note that there are three distinct rights that pertain to event logs: Read, Write, and Clear. These rights correspond to the following bits in the access rights field of the ACE string:
1= Read
2 = Write
4 = Clear
Entry Meaning
O:BA Object owner is Built-in Admin (BA).
G:SY Primary group is System (SY).
D: This is a DACL, rather than an audit entry or SACL.
(D;;0xf0007;;;AN) Deny Anonymous (AN) all access. (1=Read + 2=Write + 4=Clear)
(D;;0xf0007;;;BG) Deny Built-in Guests (BG) all access.
(A;;0xf0005;;;SY) Allow System Read and Clear (1=Read + 4=Clear), including DELETE, READ_CONTROL, WRITE_DAC, and WRITE_OWNER (indicated by the 0xf0000).
(A;;0x7;;;BA) Allow Built-in Admin READ, WRITE and CLEAR.
(A;;0x7;;;SO) Allow Server Operators READ, WRITE and CLEAR.
(A;;0x3;;;IU) Allow Interactive Users READ and WRITE.
(A;;0x3;;;SU) Allow Service accounts READ and WRITE.
- By default this is the security for the System event log:
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;; 0x5;;;BA)(A;; 0x7;;;SO)(A;; 0x3;;;IU)(A;; 0x2;;;BA)(A;; 0x2;;;LS)(A;; 0x2;;;NS)
Entry Meaning
O:BA Object owner is Built-in Admin (BA).
G:SY Primary group is System (SY).
D: This is a DACL, rather than an audit entry or SACL.
(D;;0xf0007;;;AN) Deny Anonymous (AN) all access.
(D;;0xf0007;;;BG) Deny Built-in Guests (BG) all access.
(A;;0xf0005;;;SY) Allow System Read and Clear, including DELETE, READ_CONTROL, WRITE_DAC, and WRITE_OWNER (indicated by the 0xf0000).
(A;;0x7;;;BA) Allow Built-in Admin READ, WRITE and CLEAR.
(A;;0x7;;;SO) Allow Server Operators READ, WRITE and CLEAR.
(A;;0x3;;;IU) Allow Interactive Users READ and WRITE.
(A;;0x2;;;LS) Allow Local Service WRITE.
(A;;0x2;;;NS) Allow Network Service WRITE.
Hence if your ASP page is running on Anonymous, you will have to give the IUSR or the custom Anonymous account the proper permissions on this CustomSD reg key. And if it's running on Windows Integrated, then Authenticated users group should have the required permissions. Here's how it can be done: Append the below entry to the default value of CustomSD under the event log that you selected
For Authenticated users group (in case of windows Integrated authentication) : (A;;0x0003;;;AU) where AU = Authenticated Users
For IUSR or the custom configured Anonymous account (in case of Anonymous Authentication) , find the SID for that account and then create one which looks like: (A;;0x3;;;S-1-5-21-1985444312-785446638-2839930158-1121) where the last field is the SID for the IUSR account on my machine.
So conclusively, for example to give your group read permissions add the following to the CustomSD value (A;;0x1;;; [Your Group Name/user account SID]) at the end of the current string and for read and write permissions, (A;;0x3;;; [Your Group Name/user account SID])
Other related references:
How to set event log security locally or by using Group Policy in Windows Server 2003
How To Log Events from Active Server Pages