Microsoft KB Archive/108230

= Accessing the Event Logs =

Article ID: Q108230

The information in this article applies to:
- Microsoft Win32 Application Programming Interface (API) included with:
  - Microsoft Windows NT versions 3.1 and 3.5

SUMMARY
Event logs are used to store significant events, such as warnings, errors, or information. There are five operations that can be performed on event logs through the event logging application programming interface (API): backup, clear, query, read, and write.

The default event logs are the Application event log, the Security event log, and the System event log. Access to these event logs is determined by which account the application is running under.

MORE INFORMATION
The following table shows which accounts are granted access to which logs and what type of access is granted under Windows NT 3.1:

Log          Account     Access Granted
---
Application  LocalSys    read write clear
             Admins      read write clear
             ServerOp    read write clear
             World       read write

Security     LocalSys    read write clear
             Admins      read       clear

System       LocalSys    read write clear
             Admins      read       clear
             ServerOp    read       clear
             World       read
---
Table 1 - access granted in Windows NT 3.1

The Local System account (LocalSys) is a special account that may be used by Windows NT services. The Administrator account (Admins) consists of the administrators for the system. The Server Operator account (ServerOp) consists of the administrators of the domain server. The World account includes all users on all systems.

The following changes were made for Windows NT 3.5:

Log          Account     Access Granted
---
Application  LocalSys    read write clear
             Admins      read write clear
             ServerOp    read write clear
             World       read write

Security     LocalSys    read write clear
             Admins      read       clear
             World       read       clear *

System       LocalSys    read write clear
             Admins      read write clear **
             ServerOp    read       clear
             World       read
---
Table 2 - access granted under Windows NT 3.5

* Users that have been granted manage auditing and security log rights can read and clear the Security log.

** Admins can write to the System log.

The following table shows which type of access is required for each event logging API:

Event Logging API      Access Required
---
OpenEventLog           read
OpenBackupEventLog     read
RegisterEventSource    write
ClearEventLog          clear
---
Table 3 - access required for event logging APIs

As an example, OpenEventLog requires read access (see Table 3). A member of the ServerOp account can call OpenEventLog for the Application event log and the System event log, because ServerOp has read access for both of these logs (see Table 1). However, a member of the ServerOp account cannot call OpenEventLog for the Security log, because it does not have read access for this log (see Table 1).

Additional reference words: 3.10 3.50
KBCategory: kbprg
KBSubcategory: BseMisc
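As an added example (not code from the KB article), the following Win32 C program probes the three default logs with OpenEventLog and ReadEventLog and reports which ones the calling account can actually read, so the access rules in Tables 2 and 3 can be checked against a live system. The `required_access` helper and the `probe_log` name are this example's own, and the Win32 part is guarded with `_WIN32` so the file also compiles where windows.h is unavailable.

```c
#include <stdio.h>
#include <string.h>
/* Access each event logging API needs (Table 3 of the article);
 * returns NULL for an API the table does not list. */
const char *required_access(const char *api)
{
    if (strcmp(api, "OpenEventLog") == 0)        return "read";
    if (strcmp(api, "OpenBackupEventLog") == 0)  return "read";
    if (strcmp(api, "RegisterEventSource") == 0) return "write";
    if (strcmp(api, "ClearEventLog") == 0)       return "clear";
    return NULL;
}

#ifdef _WIN32
#include <windows.h>
/* Open a log (needs read access) and fetch its newest record.
 * Returns 1 if readable, 0 on ERROR_ACCESS_DENIED, -1 on other errors. */
int probe_log(const char *log_name)
{
    HANDLE h = OpenEventLogA(NULL, log_name);
    if (h == NULL) {
        DWORD err = GetLastError();
        printf("%-12s OpenEventLog failed, error %lu%s\n", log_name, err,
               err == ERROR_ACCESS_DENIED ? " (access denied)" : "");
        return err == ERROR_ACCESS_DENIED ? 0 : -1;
    }
    BYTE buf[4096];
    DWORD got = 0, need = 0;
    if (ReadEventLogA(h, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_BACKWARDS_READ,
                      0, buf, sizeof buf, &got, &need) && got >= sizeof(EVENTLOGRECORD)) {
        EVENTLOGRECORD *r = (EVENTLOGRECORD *)buf;
        /* The source name immediately follows the fixed-size record header. */
        printf("%-12s newest record %lu from source %s\n", log_name,
               r->RecordNumber, (const char *)r + sizeof(EVENTLOGRECORD));
    } else {
        printf("%-12s readable, but empty or read error %lu\n", log_name, GetLastError());
    }
    CloseEventLog(h);
    return 1;
}

int main(void)
{
    /* Under the article's tables, a World user expects 1, 1, 0 here. */
    const char *logs[] = { "Application", "System", "Security" };
    for (int i = 0; i < 3; i++) probe_log(logs[i]);
    return 0;
}
#endif
```

Run it once as an ordinary user and once as an administrator to see the Security log move from access denied to readable, matching the World and Admins rows of Table 2.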