Friday, May 23, 2014

Administrators cannot read the Security log in Event Viewer on Windows Server 2008 R2 and later

Symptom
When an administrator clicks the Security log in Event Viewer, the following error message appears.

Event Viewer cannot open the event log or custom view. Verify that Event Log service is running or query is too long. Access is denied (5)


Cause
The "NT Service\Eventlog" account has been removed from the permissions of "HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\eventlog\Security".


Resolution
By default, "NT Service\Eventlog" is granted "Allow - Read" permission on this key on Windows Server 2008 R2 and later operating systems. The account gets removed when administrators follow the Windows Security Hardening Guide written for versions before Windows Server 2008 R2 to configure the permissions of the Security event log; that guide predates the service account and its ACL template does not include it. To solve this issue, administrators can perform the following steps.

1. Log on as an administrator.
2. Launch "Registry Editor".
3. Navigate to "HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\eventlog\Security".
4. Right-click "Security" and select "Permissions".
5. On the "Permissions for Security" window, click "Add".
6. On the "Select Users, Computers, Service Accounts, or Groups" window, click "Locations".
7. On the "Locations" window, select "<Computer Name>".
8. Click "OK".
9. On the "Select Users, Computers, Service Accounts, or Groups" window, enter "NT service\eventlog".
10. Click "OK".
11. Grant "Allow - Read" to the "eventlog" account.
12. Click "OK".
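The same check and repair can be scripted, which is useful for auditing a fleet of servers after a hardening baseline has been applied. The script below is an added example and is not part of the original post; it assumes an elevated PowerShell session on Windows Server 2008 R2 or later, and the function names are my own. The "Allow - Read" entry set in step 11 corresponds to the ReadKey right on the registry key.

```powershell
# Verify (and, if missing, restore) the Read ACE for the Event Log service
# account on the Security event log registry key.
# Assumes an elevated session; function names are this example's own.
$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security'
$Account = 'NT SERVICE\EventLog'
$ReadKey = [System.Security.AccessControl.RegistryRights]::ReadKey

function Test-EventLogServiceRead {
    param([string]$Path = $KeyPath)
    $acl = Get-Acl -Path $Path
    # Any Allow ACE for the service account whose rights cover ReadKey
    # (FullControl also qualifies, since it is a superset of ReadKey).
    $ace = $acl.Access | Where-Object {
        $_.IdentityReference.Value -ieq $Account -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.RegistryRights -band $ReadKey) -eq $ReadKey)
    }
    return [bool]$ace
}

function Restore-EventLogServiceRead {
    param([string]$Path = $KeyPath)
    $acl  = Get-Acl -Path $Path
    # Equivalent of steps 9-12: add "Allow - Read" for NT SERVICE\EventLog,
    # inherited by subkeys, as the default ACL has it.
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Account,
        $ReadKey,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

if (Test-EventLogServiceRead) {
    Write-Output "OK: $Account has Read on $KeyPath"
} else {
    Write-Warning "$Account is missing Read on $KeyPath; restoring it"
    Restore-EventLogServiceRead
    # Event Viewer can open the Security log again after the service re-reads
    # the key; restart the Windows Event Log service if it still fails.
}
```

Run the test function alone across servers first to find which hosts the hardening guide has stripped the account from before changing any ACLs.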

This posting is provided “AS IS” with no warranties, and confers no rights!
