Microsoft KB Archive/108230

From BetaArchive Wiki
Revision as of 16:05, 18 July 2020 by 3155ffGd (talk | contribs) (importing KB archive)

Accessing the Event Logs

Article ID: Q108230

The information in this article applies to: Microsoft Win32 Application Programming Interface (API) included with:

    - Microsoft Windows NT versions 3.1 and 3.5

SUMMARY

Event logs store significant events, such as warnings, errors, and informational messages. Five operations can be performed on an event log through the event logging application programming interface (API): backup, clear, query, read, and write.

The default event logs are the Application, Security, and System event logs. Access to each log is determined by the account under which the application runs, not by the application itself.

MORE INFORMATION

The following table shows which accounts are granted access to which logs and what type of access is granted under Windows NT 3.1:

   Log           Account     Access Granted
   -------------------------------------------
   Application   LocalSys    read write clear
                 Admins      read write clear
                 ServerOp    read write clear
                 World       read write

   Security      LocalSys    read write clear
                 Admins      read       clear

   System        LocalSys    read write clear
                 Admins      read       clear
                 ServerOp    read       clear
                 World       read
   -------------------------------------------
   Table 1 - access granted in Windows NT 3.1

The Local System account (LocalSys) is a special account that Windows NT services may run under. Admins denotes members of the Administrators group of the system. ServerOp denotes members of the Server Operators group, the administrators of a domain server. World denotes every user on every system (the Everyone group). Windows NT 3.5 changed the access granted as follows:

   Log           Account     Access Granted
   -------------------------------------------
   Application   LocalSys    read write clear
                 Admins      read write clear
                 ServerOp    read write clear
                 World       read write

   Security      LocalSys    read write clear
                 Admins      read       clear
                 World       read       clear *

   System        LocalSys    read write clear
                 Admins      read write clear **
                 ServerOp    read       clear
                 World       read
   -------------------------------------------
   Table 2 - access granted under Windows NT 3.5

    * Users that have been granted the "Manage auditing and security log"
      right can read and clear the Security log.

   ** Admins can now also write to the System log.

The following table shows which types of access are required for the corresponding event logging API:

   Event Logging API         Access Required
   -------------------------------------------
   OpenEventLog()            read
   OpenBackupEventLog()      read
   RegisterEventSource()     write
   ClearEventLog()           clear
   -------------------------------------------
   Table 3 - access required for event logging APIs

As an example, OpenEventLog() requires read access (see Table 3). A member of ServerOp can call OpenEventLog() for the Application log and the System log, because ServerOp has read access to both of these logs (see Tables 1 and 2). A member of ServerOp cannot call OpenEventLog() for the Security log, because ServerOp has no read access to that log (see Tables 1 and 2); the call returns NULL and GetLastError() reports ERROR_ACCESS_DENIED.

Additional reference words: 3.10 3.50
KBCategory: kbprg
KBSubcategory: BseMisc
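The tables above can be checked empirically from the account in question. The PowerShell script below is an added example and not code from this article or from Microsoft: it calls the advapi32.dll functions named in Table 3 directly and reports, for the current account, whether each of the three default logs grants read (OpenEventLog), write (RegisterEventSource) and, on explicit request only, clear (ClearEventLog). The wrapper type name EvtLogProbe, the function names, and the source name Q108230Probe are this example's own choices; the DllImport declarations are the real advapi32.dll exports. Two facts the script relies on that the article does not state: a source name that is not registered under any log is routed to the Application log, and RegisterEventSource() by itself writes nothing, so probing write access leaves the log unchanged.

```powershell
# Added example for KB Q108230; not Microsoft's code. Probes, as the current
# account, which of the Table 3 calls succeed against the default logs.
# Assumptions: 'EvtLogProbe', the functions below and the source name
# 'Q108230Probe' are this example's own names; the DllImports are the real
# advapi32.dll exports named in Table 3.
param(
    [string]$ClearLog,   # e.g. "Application": really calls ClearEventLog() (destructive)
    [string]$BackupFile = (Join-Path $env:TEMP ("q108230-{0:yyyyMMdd-HHmmss}.evt" -f (Get-Date)))
)

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class EvtLogProbe
{
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode, EntryPoint = "OpenEventLogW")]
    public static extern IntPtr OpenEventLog(string server, string logName);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode, EntryPoint = "RegisterEventSourceW")]
    public static extern IntPtr RegisterEventSource(string server, string sourceName);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode, EntryPoint = "ClearEventLogW")]
    public static extern bool ClearEventLog(IntPtr hLog, string backupFile);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool CloseEventLog(IntPtr hLog);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool DeregisterEventSource(IntPtr hLog);
}
'@

$ERROR_ACCESS_DENIED = 5

# Interpret a NULL handle: separate a failed access check from other errors.
function Describe-Handle([IntPtr]$Handle) {
    if ($Handle -ne [IntPtr]::Zero) { return "granted" }
    $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($err -eq $ERROR_ACCESS_DENIED) { return "denied (ERROR_ACCESS_DENIED)" }
    return "failed (Win32 error $err)"
}

# Table 3: OpenEventLog() requires read access to the named log.
function Test-ReadAccess([string]$LogName) {
    $h = [EvtLogProbe]::OpenEventLog($null, $LogName)   # $null server = local machine
    $result = Describe-Handle $h
    if ($h -ne [IntPtr]::Zero) { [void][EvtLogProbe]::CloseEventLog($h) }
    "{0,-12} read  : {1}" -f $LogName, $result
}

# Table 3: RegisterEventSource() requires write access to the log the source is
# registered under. An unregistered source name is routed to the Application
# log, so the made-up name 'Q108230Probe' probes Application without touching
# the registry; probing System needs a source already registered under its
# EventLog key. Registering emits no event, so the probe is side-effect free.
function Test-WriteAccess([string]$LogName, [string]$SourceName) {
    $h = [EvtLogProbe]::RegisterEventSource($null, $SourceName)
    $result = Describe-Handle $h
    if ($h -ne [IntPtr]::Zero) { [void][EvtLogProbe]::DeregisterEventSource($h) }
    "{0,-12} write : {1} (source '{2}')" -f $LogName, $result, $SourceName
}

# First source registered under HKLM\SYSTEM\CurrentControlSet\Services\EventLog\<log>.
function Get-RegisteredSource([string]$LogName) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$LogName"
    try { (Get-ChildItem -Path $key -ErrorAction Stop | Select-Object -First 1).PSChildName }
    catch { $null }
}

# Table 3: ClearEventLog() requires clear access. Its handle comes from
# OpenEventLog(), so clearing in practice also needs read. Clearing is
# destructive: it runs only when -ClearLog is given, and the log's contents are
# written to a backup file first (the call fails if that file cannot be created).
function Clear-LogWithBackup([string]$LogName, [string]$Backup) {
    $h = [EvtLogProbe]::OpenEventLog($null, $LogName)
    if ($h -eq [IntPtr]::Zero) { return "{0,-12} clear : open {1}" -f $LogName, (Describe-Handle $h) }
    $ok  = [EvtLogProbe]::ClearEventLog($h, $Backup)
    $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    [void][EvtLogProbe]::CloseEventLog($h)
    if ($ok) { return "{0,-12} clear : granted, contents saved to {1}" -f $LogName, $Backup }
    if ($err -eq $ERROR_ACCESS_DENIED) { return "{0,-12} clear : denied (ERROR_ACCESS_DENIED)" -f $LogName }
    return "{0,-12} clear : failed (Win32 error {1})" -f $LogName, $err
}

"Probing as $([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)"
foreach ($log in "Application", "Security", "System") { Test-ReadAccess $log }
Test-WriteAccess "Application" "Q108230Probe"
$sysSource = Get-RegisteredSource "System"
if ($sysSource) { Test-WriteAccess "System" $sysSource }
else { "{0,-12} write : no registered source readable to probe with" -f "System" }
if ($ClearLog) { Clear-LogWithBackup $ClearLog $BackupFile }
```

Run it once from a plain user session and once from an elevated one: against Table 2, a plain user should see the Security log denied for read and the System log denied for write, while the Application log grants write to anyone, which is the point a defender should take from Table 2: any account on the machine can register an arbitrary source name and have its events land in the Application log. The Security-log footnote right ("Manage auditing and security log") is the SeSecurityPrivilege held by the calling token, so a service that must read the Security log needs that privilege, not merely membership in some group. The ACLs on current Windows versions have moved on from NT 3.5 in the details, so treat the script's output, not the tables, as authoritative for the machine it runs on.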


Last Reviewed: November 2, 1995
© 1999 Microsoft Corporation. All rights reserved. Terms of Use.