"Attempted to perform an unauthorized operation" when reading a remote event log using on a Windows 7 machine


  • Saturday, June 02, 2012 3:40 PM
     

    Hi, 

    I'm attempting to read an event log on a remote machine and it dies with a message "Attempted to perform an unauthorized operation"

    The code I am posting below is just part of the class. It does work if I am reading a local log. At runtime, I'm setting the user to a local admin and I'm passing the correct password. 

            /// <summary>
            /// Returns a datatable of results from the event log
            /// </summary>
            /// <param name="dtItemsToCheck"></param>
            /// <param name="dtEventLog"></param>
            /// <returns></returns>
            public dsChecklist.dtEventLogDataTable ReadEventLog(
                string DomainName, string UserName, string MachineNameToQuery, string Password,
                dsChecklist.dtEventLogItemsToCheckDataTable dtItemsToCheck, 
                dsChecklist.dtEventLogDataTable dtEventLog)
            {
                try
                {
    
                    foreach (DataRow dr in dtItemsToCheck.Rows)
                    {
                        string strQuery = "*[System/EventID=" + dr["InstanceID"].ToString() + "]";
                        var elQuery = new EventLogQuery(dr["LogType"].ToString(), PathType.LogName, strQuery);
    
                        //Remote machine query assignment
                        System.Security.SecureString pw = new System.Security.SecureString();
                        
                        //Set the secure string
                        char[] passwordChars = Password.ToCharArray();
                        foreach (char c in passwordChars)
                        {
                            pw.AppendChar(c);
                        }
    
                        
                        //Build the info for the remote query session
                        EventLogSession session = new EventLogSession(
                            MachineNameToQuery,
                            DomainName,
                            UserName,
                            pw,
                            SessionAuthentication.Default);
    
                                            
                        //Assign session to current query
                        elQuery.Session = session;                   
                        
                        var elReader = new EventLogReader(elQuery);

    The line that it throws the error on is:

    var elReader = new EventLogReader(elQuery);

    Does anyone know

    1. If there is a way to elevate the permissions programmatically, and if so, how do you do that?

    2. Is there a workaround by providing some advanced security setting through the local security policy?

    Thanks!

    Bob


    • Edited by Delamater Saturday, June 02, 2012 3:41 PM

All Replies

  • Saturday, June 02, 2012 4:04 PM
     
     
    On 6/2/2012 11:40 AM, Delamater wrote:
    > Attempted to perform an unauthorized operation
     
    Vista and Win 7 are closed by default O/S(s) not like XP and the
    previous versions.
     
    I suspect that the user credentials you logged in with on the machine you
    are executing the program on are unknown to the remote machine. You see,
    the program runs under the context of the user account that is running
    the program and those credentials are presented.
     
    So Delamater is logged in on the machine and Delamater is admin on the
    machine. The machine tries to access the remote machine's resources
    presenting Delamater user credentials.
     
    So the remote machine said this. Who is Delamater?  I don't know about
    some Delamater. Delamater is not in my user accounts. You are
    unauthorized Delamater.
     
  • Saturday, June 02, 2012 4:38 PM
     

    I thought that might be the case too. This particular machine I'm testing on is in a workgroup. So, in the code below, I've tested setting the Domain Name to Workgroup. I've also left it blank. I've set it to a value of period ".", and also to the IP address of the machine just for good measure.  The user name is set to a user name on that operating system, and the password is set correctly. 

                        //Build the info for the remote query session
                        EventLogSession session = new EventLogSession(
                            MachineNameToQuery,
                            DomainName,
                            UserName,
                            pw,
                            SessionAuthentication.Default);

    So, let's say that the remote login failed, I should see an entry in the security event log of Windows on the remote machine right? I'm not seeing anything within the remote computer's security log. 

    Also, I've shut off the firewall and the UAC to troubleshoot. Still the same results. 

    • Edited by Delamater Saturday, June 02, 2012 4:38 PM
  • Saturday, June 02, 2012 4:44 PM
     
     

    Is the EventLogPermission class needed? And if so, is it meant to be used in remote scenarios, or just local scenarios? I've not used this class before, so I'm pretty green to it. 

    http://msdn.microsoft.com/en-us/library/system.diagnostics.eventlogpermission.aspx

    I ask because in the last sentence of this passage they state that you run the program as administrator, which would assume local to the PC:

    "Starting with Windows Vista, User Account Control (UAC) determines the privileges of a user. If you are a member of the Built-in Administrators group, you are assigned two run-time access tokens: a standard user access token and an administrator access token. By default, you are in the standard user role. To execute the code that accesses the security log, you must first elevate your privileges from standard user to administrator. You can do this when you start an application by right-clicking the application icon and indicating that you want to run as an administrator."

  • Saturday, June 02, 2012 5:20 PM
     
     
     
    The easy fix for this is to have the Delamater account  on both machines
    with the same privileges. The remote machine should let you have access
    then. You should use admin accounts on both machines.
     
     
  • Saturday, June 02, 2012 9:07 PM
     

    Hi, and thanks for taking the time again to respond! It is much appreciated.

    In this situation, I'm leveraging the EventLogSession so that I can impersonate accounts, so that I don't have to add accounts. Am I misunderstanding the purpose of this class?

    http://msdn.microsoft.com/en-us/library/system.diagnostics.eventing.reader.eventlogsession.aspx

    It says, "Used to access the Event Log service on the local computer or a remote computer so you can manage and gather information about the event logs and event providers on the computer."

    So my code sets the EventLogSession:

                        EventLogSession session = new EventLogSession(
                            MachineNameToQuery,
                            DomainName,
                            UserName,
                            pw,
                            SessionAuthentication.Default);

    And next, I set the query object's Session property to my EventLogSession:

                        //Assign session to current query
                        elQuery.Session = session;      

    And finally, I new up an event log reader, which is where the error occurs:

                        var elReader = new EventLogReader(elQuery);

    If I pass the user name of something not delamater, but rather "Administrator", or "Bill", etc... then it should authenticate according to the credentials I pass in. In my case, I'm passing a user account called Bob. It should authenticate with Bob, right?

    This is the example that Microsoft gives on this link and I think my code is pretty close to that example:

    http://msdn.microsoft.com/en-us/library/bb671200.aspx

            public void QueryRemoteComputer()
            {
                string queryString = "*[System/Level=2]"; // XPATH Query
                SecureString pw = GetPassword();
    
                EventLogSession session = new EventLogSession(
                    "RemoteComputerName",                               // Remote Computer
                    "Domain",                                  // Domain
                    "Username",                                // Username
                    pw,
                    SessionAuthentication.Default);
    
                pw.Dispose();
    
                // Query the Application log on the remote computer.
                EventLogQuery query = new EventLogQuery("Application", PathType.LogName, queryString);
                query.Session = session;
    
                try
                {
                    EventLogReader logReader = new EventLogReader(query);
    
                    // Display event info
                    DisplayEventAndLogInformation(logReader);
                }
                catch (EventLogException e)
                {
                    Console.WriteLine("Could not query the remote computer! " + e.Message);
                    return;
                }
            }


    • Edited by Delamater Saturday, June 02, 2012 9:20 PM
  • Sunday, June 03, 2012 12:04 AM
     
     
     
    > If I pass the user name of something not delamater, but rather
    > "Administrator", or "Bill", etc... then it should authenticate according
    > to the credentials I pass in. In my case, I'm passing a user account
    > called Bob. It should authenticate with Bob, right?
     
    Well, Bill or Administrator needs to be an account that has been set up on
    the remote machine through the O/S on the remote machine with the
    privileges needed, otherwise, they are going to be rejected.
     
  • Sunday, June 03, 2012 4:04 AM
     
     
    In this case, the user exists on the remote machine, within the local administrators group. 
  • Sunday, June 03, 2012 8:24 AM
     
     
    On 6/3/2012 12:04 AM, Delamater wrote:
    > In this case, the user exists on the remote machine, within the local
    > administrators group.
    Then I suggest that you make a user account called Delamater on the
    client machine that has admin privileges, make the same account on the
    remote machine with admin rights using the same psw too that Delamater
    has on the client machine. You log in to the client machine using
    Delamater and try to access the remote machine with the program.
     
    I don't think using impersonation is going to work for you when
    accessing O/S resources in this situation.
     
  • Monday, June 04, 2012 6:17 AM
    Moderator
     
     Answered

    After testing, I found that when we want to read the events remotely, we do not need to configure our machine. What I did was just create a new user on the remote Windows 7 machine and then add this user to the "Event Log Readers" group; there's no need for the same account locally.

    Then everything will be OK.

    Best wishes,


    Mike Zhang[MSFT]
    MSDN Community Support | Feedback to us

    • Marked As Answer by Delamater Monday, June 04, 2012 3:46 PM
    • Unmarked As Answer by Delamater Monday, June 04, 2012 3:47 PM
    • Marked As Answer by Delamater Monday, June 04, 2012 3:48 PM
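
The fix from the accepted answer, shown as an added example that is not part of the original thread or Microsoft's sample. "Attempted to perform an unauthorized operation" is the default message of `UnauthorizedAccessException`, which a `catch (EventLogException)` alone does not handle, so the sketch catches it separately; the class and method names, and the choice to parse the event ID as an integer before building the XPath query, are assumptions of this example.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics.Eventing.Reader;
using System.Security;

public static class RemoteEventLogExample   // hypothetical name, not from the thread
{
    // Prerequisite on the remote machine (per the accepted answer): the account is a
    // member of the local "Event Log Readers" group, for example:
    //   net localgroup "Event Log Readers" <account> /add
    public static List<string> ReadEvents(string machine, string domain, string user,
        SecureString password, string logName, string eventIdText)
    {
        // Parse the ID as a number so arbitrary text never reaches the XPath query.
        int eventId;
        if (!int.TryParse(eventIdText, out eventId) || eventId < 0)
            throw new ArgumentException("Event ID must be a non-negative integer.");

        var results = new List<string>();
        var query = new EventLogQuery(logName, PathType.LogName,
                                      "*[System/EventID=" + eventId + "]");
        try
        {
            // The caller owns 'password' and should Dispose() it after this call returns.
            using (var session = new EventLogSession(machine, domain, user, password,
                                                     SessionAuthentication.Default))
            {
                query.Session = session;
                using (var reader = new EventLogReader(query))
                {
                    EventRecord record;
                    while ((record = reader.ReadEvent()) != null)
                        using (record)
                            results.Add(record.TimeCreated + " " + record.Id + " " + record.ProviderName);
                }
            }
        }
        catch (UnauthorizedAccessException ex)
        {
            // Access denied by the remote Event Log service; not an EventLogException.
            throw new InvalidOperationException("Access denied reading '" + logName + "' on " +
                machine + ". Check that " + user +
                " is in the remote \"Event Log Readers\" group.", ex);
        }
        catch (EventLogException ex)
        {
            throw new InvalidOperationException("Event log query failed on " + machine, ex);
        }
        return results;
    }
}
```

Membership in "Event Log Readers" is enough for this call to succeed, so the querying account does not have to be a local administrator on the remote machine.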
  • Monday, June 04, 2012 3:48 PM
     
     

    Thanks to you both for your help. I'm able to successfully impersonate using any account, so long as the user belongs in the group you mentioned, Mike. This is a big help. 

    Thanks!

    Bob

  • Tuesday, June 05, 2012 6:47 AM
    Moderator
     
     

    You're welcome!


    Mike Zhang[MSFT]
    MSDN Community Support | Feedback to us