. Net EventLog: you are not allowed to write logs if the name is not good!

EventLog, whether for the administrator orProgramAlthough it is not a nightmare, it is still a very troublesome thing. Without looking at the tedious format of EVT files and directly operating the registry, unexpected problems will occur when you use. Net silly EventLog class.

Scenario:
In Windows, due to security issues, many times our programs cannot run with administrator privileges. However, as we all know, when the program runs with the default normal user permission, Event Log and source cannot be created. In this regard, the general solution is to use the Administrator to log on and install the program during installation (including Event Log and Source Creation and configuration ), after the installation is complete, go to the normal user to run.

The program I wrote is like this:

① The installation is performed under the Administrator's permission.EventLog. createeventsource (sourcename, LOGNAME );Create a log, a source, and bind it.

② Run the command with the permissions of normal users (default users without any permission changes) and write the following statement to log:
EventLog. writeentry (sourcename, eventmessage );

It is such a simple structure that I did not expect any problems.

The source name I used during the test is "mysource" and the created log is "mylog". Everything works normally;
However, when the client is actually running, the log name is set to "toollog" due to the customer's requirements. As a result, an exception is thrown when the log is written in step 2:

system. security. securityexception: Requested registry access is not allowed.
at Microsoft. win32.registrykey. opensubkey (string name, Boolean writable)
at system. diagnostics. eventLog. findsourceregistration (string source, string machinename, Boolean readonly)
at system. diagnostics. eventLog. sourceexists (string source, string machinename)
at system. diagnostics. eventLog. writeentry (stri Ng message, eventlogentrytype type, int32 eventid, int16 category, byte [] rawdata)
at system. diagnostics. eventLog. writeentry (string source, string message, eventlogentrytype type, int32 eventid, int16 category, byte [] rawdata)
at system. diagnostics. eventLog. writeentry (string source, string message, eventlogentrytype type, int32 eventid, int16 category)
at system. diagnostics. eventLog. WR Iteentry (string source, string message, eventlogentrytype, int32 eventid)
at myprogram. myform. button#click (Object sender, eventargs e)
...... The following is omitted ......

From the call chain, we can see that when calling writeentry to write logs,. Net first calls sourceexist to determine whether the source exists.
Is it true that the source requires more permissions? However, there is no exception when mylog is used as the log name. Why is there a problem when the log name is changed to toollog?
Further analysis shows the cause. Sourceexist calls findsourceregistration, and the core of findsourceregistrationCodeIt is written in this way (for ease of understanding, it is different from the actual situation ):

// Enable EventLog primary key
Registrykey kevent = Registry. localmachine. opensubkey ( @" System \ CurrentControlSet \ Services \ EventLog " , False );

// Traverse each log under EventLog
Foreach ( String K In Kevent. getsubkeynames ())
{
Registrykey klog=Kevent. opensubkey (K,False);
If (Klog ! =   Null )
{
// Check whether any source is to be found in this log.
Registrykey ksource = Klog. opensubkey (source, False );

// If yes, the current log is returned.
If (Ksource ! =   Null )
{
Kevent. Close ();
Ksource. Close ();
Return Klog;
}
Klog. Close ();
}
}

This code is no problem, but in all event logs, security logs cannot be written or read by common users! Therefore, if the statement marked in yellow goes through the "Security" log, the program tries to open the "Security" subkey and throws an exception because it does not have the permission.
All Event Logs are alphabetically arranged. Therefore, if the log name is earlier than "security" (for example, "mylog", m <s ), the findsourceregistration method will find your source and return; but if your log name is unfortunately placed after "security" (such as "toollog", T> S ), therefore, if you do not find your source when traversing the security log, an error will occur. Therefore, the log name is different, and sometimes errors are normal.

Solution:
This problem is not a. net bug, but it is indeed a major risk, because it may cause users with permissions to be unable to read and write their own logs.
At present, my program has to use a log name before "security" to ensure normal operation, but to be honest, it is still quite disgusting, because we also need to remind users, do not name the log as a string after "security.
In my opinion, the writeentry method does not require the function of automatically creating the source and log (if you do not need this function, you do not need to call sourceexist at writeentry ), the writeentry calls the registereventsource function in winapi to obtain handle, and then writes it to the log using reportevent. If the registereventsource function does not find the specified source, it will be automatically replaced by the application, it does not cause errors.

In addition to this issue, EventLog also has a number of issues that are not bugs, but are very difficult to use. In the future, I will try again to complain.

Because it is not in. NET 2.0 tests. I don't know if this problem has been fixed in 2.0. I am in a hurry and don't know if I have already discussed this issue on the Internet. Please let me know.
Please let us know if there is a perfect solution.