How to? EVENTLOG Command with simple User Rights not functional

[GermanDirk]

Hello JPSoft Team,

Before,
Thank Your for a great Product on long Time.

Here my Problem.
I use for Take Command Scriptings most a simple User Account from local Windows Group User.
From Time to Time i must use any Funtion wich more Rights required. This can be funtional when im Set more Rights.
For use Write in a Windows-Application-Eventlog i have Set the Write Rights for User per follow Command

(show setting per "wevtutil get-log application", i have added (A;;0x3;;;S-1-5-32-545) Especialy the SID S-1-5-32-545 is for User)

wevtutil sl application /ca:O:BAG:SYD:(A;;0x2;;;S-1-15-2-1)(A;;0x2;;;S-1-15-3-1024-3153509613-960666767-3724611135-2725662640-12138253-543910227-1950414635-4190290187)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)(A;;0x3;;;S-1-5-32-545)

After this Setting the Script under this Account cannt Write a Event with internal Command "EVENTLOG", but when use CMD Command EVENTCREATE in the same Script is this now funtional. Where is the Problem ?

(PS: in the same Context i have Problem on Reading Windows Service Status Function, only by use the internal Function is it not funtional)

 

[rconn]

EVENTCREATE is not a CMD internal command, it's an external Windows app. Why can't you run EVENTCREATE from TCC?

Or, run TCC elevated.

 

[GermanDirk]

Hello,

Im Starting both Commands in the same TCC Shell and have differencial (Access-) Results. For me ist always better use the TCC internal Functions and Commands as the extenal Commands. Checking the Results ist internal always better.

 

[vefatica]

Hmmm! Unelevated, this failed (access denied) the first time I tried it.

v:\> eventcreate /L Application /SO TCC /ID 666 /T INFORMATION /D "My dog has fleas."

After (only once) specifying /S <the local machine> and /U <me, an admin>, again unelevated, this now works in unelevated instances, even newly started ones.

v:\> eventcreate /L Application /SO TCC /ID 666 /T INFORMATION /D "My dog has fleas."

SUCCESS: An event of type 'INFORMATION' was created in the 'Application' log with 'TCC' as the source.

 

[GermanDirk]

Hallo,
Using the external App EVENTCREATE is only a Workaround while the TCC internal Command EVENTLOG not become the same Access Rights to the Window Application Event Log. In my Environment is UAC disabled and the TCC running under a normal User Account. He become the Rights to make his Work. So from the same TCC Shell, the one (EVENTCREATE) can Write to the Application Event Log and the internal Command (EVENTLOG) cannot.

Im use this to Start (TCC) Scheduler Tasks per Event (and not per Timer) in Windows Application Eventlog.

So to Test this Situation, you must use a normal User Account. Give him Rights (wevtutil) to Write in Application Eventlog. Test this per CMD EVENTCREATE und than in TCC per EVENTLOG.