System.Security.SecurityException: The source was not found, but some or all event logs could not be searched. Inaccessible logs: Security.

Sometimes enhanced security translates to enhanced frustration. I think the exception gracing the title of this post is a decent example of this phenomenon…

This exception occurs in a couple situations involving creation of an EventLog object. Legitimate causes include:

  • Writing an entry (WriteEntry) via an EventLog object with a non-existent source (source that was not created via CreateEventSource(…) call
  • Calling CreateEventSource in the context of an account with insufficient credentials (i.e. non-admin)

Before Windows Vista, when creating an EventLog object, it is a good idea to do the following:

EventLog m_oEventLog = new EventLog();
if (!EventLog.SourceExists("MyApp"))
    EventLog.CreateEventSource("MyApp", "MyLog");

In this case, we are checking if the the source name “MyApp” already exists, and if not, we create this event source (Here I am creating a source in a custom log, but it could be “Application”).

Starting with Vista, and nowadays in Windows7 as well as Server 2008, you will encounter the aforementioned exception if you are not running as ‘Administrator’. This exception will occur if you are running in the context of a service, for example, because it will be in the context of the LOCAL SERVICE user.

The catch is that running in the user context with Administrative privileges is NOT enough! This is the piece that threw me for a spin..

Another annoying aspect is that the exception will occur on both ‘EventLog.SourceExists‘ and ‘EventLog.CreateEventSource‘ calls. In both cases, the underlying framework attempts to enumerate the ‘Security’ log and fails.

Well, there are two workarounds:

  • run the application explicitly as user ‘Administrator’ (e.g. “runas /user:Administrator MyApp.exe“)
  • Disable User Access Control (UAC) on the machine where the code needs to run…

For most case, the ‘runas’ method is the way to go… (By the way, once the event source is created, everything will work smoothly, so running an application once as administrator will allow non-admin applications to use the event source..) For development box, however… I chose to disable UAC.. After reboot, running simply as a user with admin privileges (not explicitly as Administrator) was sufficient. Here are some decent instructions on how to disable UAC in Vista and Windows 7. (http://www.howtogeek.com/howto/windows-vista/disable-user-account-control-uac-the-easy-way-on-windows-vista/)

I hope that there is a Security Policy setting I am missing, but I’ve tried a few and can’t seem to allow anyone but ‘Administrator’ ability to enumerate Security log. (Please let me know if you have a better solution).

Cheers!