Accessing the Event Logs

Last reviewed: November 2, 1995
Article ID: Q108230
The information in this article applies to:
  • Microsoft Win32 Application Programming Interface (API) included with:
      - Microsoft Windows NT versions 3.1 and 3.5

SUMMARY

Event logs are used to store significant events, such as warnings, errors, or information. There are five operations that can be performed on event logs through the event logging application programming interface (API): backup, clear, query, read, and write.

The default event logs are the Application event log, the Security event log, and the System event log. Access to these event logs is determined by which account the application is running under.

MORE INFORMATION

The following table shows which accounts are granted access to which logs and what type of access is granted under Windows NT 3.1:

   Log           Account     Access Granted
   -------------------------------------------
   Application   LocalSys    read write clear
                 Admins      read write clear
                 ServerOp    read write clear
                 World       read write

   Security      LocalSys    read write clear
                 Admins      read       clear

   System        LocalSys    read write clear
                 Admins      read       clear
                 ServerOp    read       clear
                 World       read
   -------------------------------------------
   Table 1 - access granted in Windows NT 3.1

The Local System account (LocalSys) is a special account that may be used by Windows NT services. The Administrator account (Admins) consists of the administrators for the system. The Server Operator account (ServerOp) consists of the administrators of the domain server. The World account includes all users on all systems.

The access granted was changed as follows for Windows NT 3.5:

   Log           Account     Access Granted
   -------------------------------------------
   Application   LocalSys    read write clear
                 Admins      read write clear
                 ServerOp    read write clear
                 World       read write

   Security      LocalSys    read write clear
                 Admins      read       clear
                 World       read       clear *

   System        LocalSys    read write clear
                 Admins      read write clear **
                 ServerOp    read       clear
                 World       read
   -------------------------------------------
   Table 2 - access granted under Windows NT 3.5

    * Users that have been granted manage auditing and security log rights
      can read and clear the Security log.

   ** Admins can write to the System log.

The following table shows which types of access are required for the corresponding event logging API:

   Event Logging API         Access Required
   -------------------------------------------
   OpenEventLog()            read
   OpenBackupEventLog()      read
   RegisterEventSource()     write
   ClearEventLog()           clear
   -------------------------------------------
   Table 3 - access required for event logging APIs

As an example, OpenEventLog() requires read access (see Table 3). A member of the ServerOp account can call OpenEventLog() for the Application event log and the System event log, because ServerOp has read access for both of these logs (see Table 1). However, a member of the ServerOp account cannot call OpenEventLog() for the Security log, because it does not have read access for this log (see Table 1).
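The reasoning in the example above, carried through for every API, log, account and version in Tables 1 to 3, as an added model that is not part of the original article or of the Win32 API. Version strings, account names and the has_audit_right flag are assumptions used only to encode the tables and footnote *.

```python
# Added example: a model of Tables 1-3, not Microsoft's code. It answers "would this
# account's call to this event logging API pass the access check on this NT version?"
RWC = {"read", "write", "clear"}

# Table 1 (NT 3.1) and Table 2 (NT 3.5): access granted per log and account.
GRANTED = {
    "3.1": {
        "Application": {"LocalSys": RWC, "Admins": RWC, "ServerOp": RWC,
                        "World": {"read", "write"}},
        "Security":    {"LocalSys": RWC, "Admins": {"read", "clear"}},
        "System":      {"LocalSys": RWC, "Admins": {"read", "clear"},
                        "ServerOp": {"read", "clear"}, "World": {"read"}},
    },
    "3.5": {
        "Application": {"LocalSys": RWC, "Admins": RWC, "ServerOp": RWC,
                        "World": {"read", "write"}},
        # footnote *: World's Security row applies only to users holding the
        # "manage auditing and security log" right (enforced in granted_access)
        "Security":    {"LocalSys": RWC, "Admins": {"read", "clear"},
                        "World": {"read", "clear"}},
        # footnote **: Admins gain write access to the System log in NT 3.5
        "System":      {"LocalSys": RWC, "Admins": RWC,
                        "ServerOp": {"read", "clear"}, "World": {"read"}},
    },
}

# Table 3: access each event logging API requires.
REQUIRED = {"OpenEventLog": "read", "OpenBackupEventLog": "read",
            "RegisterEventSource": "write", "ClearEventLog": "clear"}


def granted_access(version, log, account, has_audit_right=False):
    """Access the account holds on the log, applying footnote * to the Security log."""
    rights = set(GRANTED[version][log].get(account, set()))
    if log == "Security" and account == "World" and not has_audit_right:
        rights = set()  # without the audit right, World has no Security log access
    return rights


def can_call(api, version, log, account, has_audit_right=False):
    """True if the account's call to api on log passes the access check."""
    return REQUIRED[api] in granted_access(version, log, account, has_audit_right)


def who_can_clear(version, log):
    """Accounts able to call ClearEventLog() on a log (audit right assumed held)."""
    return sorted(a for a in GRANTED[version][log]
                  if can_call("ClearEventLog", version, log, a, has_audit_right=True))
```

who_can_clear() is the question a log reviewer asks first: which accounts could have emptied the Security log on a given release.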


Additional reference words: 3.10 3.50
KBCategory: kbprg
KBSubcategory: BseMisc


THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

© 1998 Microsoft Corporation. All rights reserved.