Requested registry access is not allowed.

Web Developer

When errors occur in my ASP.Net apps, I write them to the application event
log. However, I can't write to the log if my web app isn't registered as a
valid EventLog source (as designated by the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\
registry key). If my app tries to create the key on-the-fly, I get a
"Requested registry access is not allowed." exception.

I tried creating a custom CASPOL permission set called LocalIntranetExtended
that inherited from LocalIntranet and added a Registry permission with write
and create options for the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\
key. Then I set the CASPOL LocalIntranet_Zone's permission set to
LocalIntranetExtended, but it didn't resolve the issue.

How can I create a CASPOL policy to allow the W3WP.exe process to create
registry entries under the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\?
I don't want to create .reg files for each new web app to create the keys
manually. I'd rather give permissions to the worker process to create them
on the fly.

Thank you!
 
Dominick Baier [DevelopMentor]

Hello Web,

you need admin privileges to create event sources.

Simply call CreateEventSource from a console app that runs as admin.
 
Web Developer

Thanks for your reply.

As I mentioned, I want to have the sources created automatically. My team
builds tons of web apps, and I don't want to go through a manual registration
process for each one.

How can I provide registry privileges to the ASP.Net worker process
(W3WP.exe)?

Thanks again.
 
Dominick Baier [DevelopMentor]

Hello Web,

OK - what's wrong with running an exe on app installation time??

anyway -

Creating Event Sources
If your application needs to create event sources, you need to ensure that
the application's identity has the relevant permissions on the following
registry key.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog

At minimum, your Web application process identity, which defaults to Network
Service on Windows Server 2003, must have the following permissions on this
registry key:

Query key value
Set key value
Create subkey
Enumerate subkeys
Notify
Read
 
Web Developer

Because I'm lazy .. that's what. :)

Your suggestion worked. Thank you!

Do you know of a way to accomplish the same thing using a CASPOL policy?

Thanks again!
 
Joe Kaplan (MVP - ADSI)

Even though a SecurityException is thrown, the issue is not a CAS issue.
CASPOL cannot help you here. It is a Windows security issue.

Joe K.
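
The install-time registration suggested earlier in the thread, scripted so one elevated deployment step covers many apps and the worker process needs no write access under HKLM. This is an added example, not code from the thread: the source names are constructed placeholders and the function names are hypothetical. The second function only reports what an identity currently holds on the Eventlog key, for comparison with the rights listed above.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread). Run from an elevated install/deploy step.
# $Sources is a constructed sample list; replace it with your own app names.
$Sources = @('OrdersWeb', 'BillingWeb', 'IntranetPortal')

function Register-AppEventSource {
    param(
        [Parameter(Mandatory)][string[]]$Source,
        [string]$Log = 'Application'
    )
    foreach ($s in $Source) {
        # SourceExists searches all logs, including Security, so it must run elevated.
        if ([System.Diagnostics.EventLog]::SourceExists($s)) {
            # A source can be bound to only one log; report a mismatch, do not rebind.
            $bound = [System.Diagnostics.EventLog]::LogNameFromSourceName($s, '.')
            if ($bound -ne $Log) {
                Write-Warning "Source '$s' is already bound to log '$bound'; left unchanged."
            }
            continue
        }
        [System.Diagnostics.EventLog]::CreateEventSource($s, $Log)
        Write-Output "Registered source '$s' in log '$Log'."
    }
}

function Get-EventLogKeyRights {
    # Lists the Allow entries an identity holds on the Eventlog key (read-only audit).
    param([string]$Identity = 'NT AUTHORITY\NETWORK SERVICE')
    $acl = Get-Acl -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog'
    $acl.Access |
        Where-Object {
            $_.IdentityReference.Value -eq $Identity -and
            $_.AccessControlType -eq 'Allow'
        } |
        Select-Object IdentityReference, RegistryRights, IsInherited
}

Register-AppEventSource -Source $Sources
Get-EventLogKeyRights
```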
 
