
I am having a bit of a strange error. It seems like it's permissions-related, though I have done a fair amount of searching and none of the suggestions have worked.

I have a PowerShell script, running directly on a Windows 2012 DC. It attempts to get information from the Event Viewer logs, specifically "Security", but all of a sudden the server is now (as of a few days ago) saying "Get-EventLog: Requested access is not allowed".

It's a very simple command as well:

Get-Eventlog -Logname Security -Newest 1

But the result is the following:

Get-EventLog : Requested registry access is not allowed.
At line:1 char:1
+ Get-EventLog -Newest 1
+ ~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-EventLog], SecurityException
    + FullyQualifiedErrorId : System.Security.SecurityException,Microsoft.PowerShell.Commands.GetEventLogCommand

What I have attempted:

  • Gave myself permission (made sure admins/server operators have full access), also added "Everyone" temporarily. This was done in RegEdit: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog
  • Cleared Logs for Security in EventViewer
  • Attempted to run same script with same permissions on secondary DC, and it works there. Also works if I specify -Computername SecondDC.mydomain.ads, but not if I don't specify it or specify FirstDc.mydomain.ads.

I have a feeling something could be corrupt? I have no idea where to look at this point. I should be able to pull Event Logs from powershell as an admin.

RSLAV
    Use `Get-Eventlog -Logname Security -Newest 1` from powershell elevated (_run as administrator_). – JosefZ Mar 23 '16 at 00:40
  • Sorry, should have made it clear I ran things in elevated mode, as admin. – RSLAV Mar 23 '16 at 14:42
    Did you run it as an admin user, or did you run it with Right click -> "Run as administrator"? Even if your user is an admin, a PowerShell window does not automatically open with elevated rights. – Tobias Mar 23 '16 at 15:27

1 Answer


This feels like a workaround; it's too complicated for a simple and obvious security monitoring request, but it works on w2012:

  • as an admin run regedit
  • nav to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog
  • right click on 'Security'
  • click Permissions
  • add a group (like 'Event Log Readers')
  • select the group you added
  • check Read under Allow
  • exit regedit and add this group to users who need access
  • these users will need to log out and back in to activate

Yes, others have found this before me: http://powerkb.se/?p=614

duanev
  • I have the same issue, I have set the permission like you have commented above. But it's still not working :(. Do you have any ideas ? – Ender Nov 20 '17 at 14:43
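The regedit procedure in the answer above, done from PowerShell instead, as an added example that is not part of the original question or answer. It first checks that the session is actually elevated (the point raised in the comments on the question), dumps the current ACL on the Security event log key so you can compare a broken DC against a working one, and only then adds an Allow/Read entry if the group does not already have one. The key path is the one from the answer; the group name 'BUILTIN\Event Log Readers' is an assumption (any group you then put the affected users in will do).

```powershell
# Added example: inspect and, if needed, grant Read on the Security event log's
# registry key, the same change the answer above makes by hand in regedit.
# Run this in a PowerShell window opened with "Run as administrator" on the DC.

# 1. Fail early if the process token is not elevated; being a member of
#    Administrators is not enough, the window itself must be elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Not elevated. Re-open PowerShell with "Run as administrator" and try again.'
}

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security'
$GroupName = 'BUILTIN\Event Log Readers'   # assumption: the built-in group from the answer

if (-not (Test-Path -Path $KeyPath)) {
    throw "Registry key not found: $KeyPath"
}

# 2. Record the current ACL. Running this on the working DC as well and
#    diffing the two outputs shows exactly which entry went missing.
$acl = Get-Acl -Path $KeyPath
Write-Host "Current access on $KeyPath"
$acl.Access |
    Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

# 3. Check whether the group already has at least ReadKey (Allow). RegistryRights is
#    a flags enum, so a broader right such as FullControl also satisfies the test.
$ReadKey = [System.Security.AccessControl.RegistryRights]::ReadKey
$hasRead = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $GroupName -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.RegistryRights -band $ReadKey) -eq $ReadKey)
}

if ($hasRead) {
    Write-Host "$GroupName already has Read on the key; nothing to change."
} else {
    # Equivalent of: right-click 'Security' -> Permissions -> Add group -> Allow Read.
    # Inheritance flags make the grant apply to subkeys of the Security key too.
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $GroupName,
        $ReadKey,
        'ContainerInherit,ObjectInherit',
        'None',
        'Allow'
    )
    $acl.AddAccessRule($rule)
    Set-Acl -Path $KeyPath -AclObject $acl
    Write-Host "Granted Read on $KeyPath to $GroupName."
}

# 4. Membership in the group is a separate step (Add-ADGroupMember from the
#    ActiveDirectory module, or dsa.msc) and, as the answer notes, only takes
#    effect for a user after a fresh logon. Then re-run the failing command:
Get-EventLog -LogName Security -Newest 1
```

Registry ACL changes take effect immediately for the key itself; the logoff/logon the answer mentions is only needed so that the user's token picks up the new group membership.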