4

I have also asked this question in a Microsoft Forum, but no answers there yet.

I am in the process of building out a Windows 2012 server to replace a legacy Windows 2008 server. I am testing a legacy batch script that logs informational or system events under different circumstances. However, the script is failing with the error "Access is denied".

I did some debugging and discovered the failure is with the EVENTCREATE line. Below is an example of the command and its failure:

C:\SCRIPTS>EVENTCREATE /t WARNING /d "testing" /id 411
ERROR: Access is denied.

If I execute this command as myself (administrator) it works fine. But if one of the users executes it, it fails.

I did Google around as well as check Stack Overflow and its sibling sites, and observed that this sort of behavior was reported when the /so parameter is used. However, I am not using the /so parameter.

I've confirmed that the user has access to the EVENTCREATE command. If they invoke it with /? they see the help contents for it.

Is there some sort of group policy permission setting I need to adjust? Something else?

Thanks in advance for your help.

John Rocha
  • Well.. I learned the ANSWER to my problem, but it's not really a solution. I learned that the user in question WAS in the admin group on the old server but wasn't added to the admin group in the new server. So my starting premise that it used to work for a normal user on the old 2008 server was incorrect. – John Rocha Mar 16 '17 at 22:09

2 Answers

0

I suspect that the issue here is that you are not using the /so switch which would normally let you specify an event source.

Since you are not using that parameter, the utility defaults to "EventCreate" as the event source. This means that the utility will need to register the "EventCreate" source in the registry, something that would require elevated permissions. A user running eventcreate likely won't have those necessary permissions.

Have you tried running it on the same machine as an admin, and then running it again as a user? I would think that this would work.

Alternatively I would also try to specify an event source, e.g. "Your Application" and stick with that. The event source "EventCreate" is very generic, and I wouldn't use it.

Finally, I'd recommend these blog articles to understand how logging to the event log works:

https://www.eventsentry.com/blog/2008/04/event-log-message-files-the-de.html
https://www.eventsentry.com/blog/2010/11/creating-your-very-own-event-m.html

Lucky Luke
  • It fails even if the regular user runs after an admin user. It doesn't matter if we include or exclude the /so switch. I have confirmed that the registry has the source. I'm trying WITHOUT the /so switch because it was first failing with the /so switch, and trying with the least number of required parameters. – John Rocha Mar 16 '17 at 21:46
-1

I had the same and solved it by opening the command window AS administrator. Just being an administrator was not enough to execute the command. Right-click the icon and choose "Run as administrator".
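
A pre-flight check for the two conditions the answers above raise (an unregistered event source and a non-elevated token), as an added example that is not part of the original posts. It assumes Windows PowerShell, uses Write-EventLog rather than EVENTCREATE, and the source name LegacyBatchJob is hypothetical.

```powershell
# Added example. $Source is a hypothetical name; use your script's own source.
param(
    [string]$Source  = 'LegacyBatchJob',   # hypothetical source name
    [string]$LogName = 'Application'
)

# True only when the current token is elevated; with UAC enabled, a member of
# Administrators in a non-elevated console gets False here.
function Test-Elevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Read the registration key directly instead of calling
# [Diagnostics.EventLog]::SourceExists(), which also searches the Security log
# and can throw for a standard user.
function Test-SourceRegistered {
    param([string]$Log, [string]$Name)
    Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$Log\$Name"
}

$elevated   = Test-Elevated
$registered = Test-SourceRegistered -Log $LogName -Name $Source
Write-Host "Elevated token: $elevated; source '$Source' registered: $registered"

if (-not $registered) {
    if (-not $elevated) {
        Write-Warning "Source is not registered; run this once from an elevated console."
        return
    }
    # One-time setup, needs elevation: creates the key checked above.
    New-EventLog -LogName $LogName -Source $Source
}

try {
    # Same event as the EVENTCREATE call in the question: Warning, ID 411.
    Write-EventLog -LogName $LogName -Source $Source -EntryType Warning `
        -EventId 411 -Message 'testing' -ErrorAction Stop
    Write-Host 'Event written.'
}
catch {
    # Show which layer refused the write rather than a bare "Access is denied".
    Write-Warning "Write failed: $($_.Exception.GetType().Name): $($_.Exception.Message)"
}
```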