
I am having a bit of a strange error. It seems like it's permissions related, though I have done a fair amount of searching and none of the suggestions have worked.

I have a PowerShell script running directly on a Windows 2012 DC. It attempts to get information from the Event Viewer logs, specifically "Security", but all of a sudden the server is now (as of a few days ago) saying "Get-EventLog: Requested access is not allowed".

It's a very simple command as well:

Get-Eventlog -Logname Security -Newest 1 

But the result is the following:

Get-EventLog : Requested registry access is not allowed.
At line:1 char:1
+ Get-EventLog -Newest 1
+ ~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-EventLog], SecurityException
    + FullyQualifiedErrorId : System.Security.SecurityException,Microsoft.PowerShell.Commands.GetEventLogCommand

What I have attempted:

  • Gave myself permission (made sure Admins/Server Operators have full access) and also added "Everyone" temporarily. This was done in RegEdit on HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog.
  • Cleared the Security log in Event Viewer.
  • Attempted to run the same script with the same permissions on the secondary DC, and it works there. It also works if I specify -ComputerName SecondDC.mydomain.ads, but not if I don't specify it or if I specify FirstDc.mydomain.ads.

I have a feeling something could be corrupt. I have no idea where to look at this point. I should be able to pull event logs from PowerShell as an admin.

  • Use Get-Eventlog -Logname Security -Newest 1 from an elevated PowerShell (run as administrator). Commented Mar 23, 2016 at 0:40
  • Sorry, I should have made it clear that I ran things in elevated mode, as admin. Commented Mar 23, 2016 at 14:42
  • Did you run it as an admin user, or did you run it with right-click -> "Run as administrator"? Even if your user is an admin, a PowerShell window does not automatically open with elevated rights. Commented Mar 23, 2016 at 15:27

1 Answer

This feels like a workaround, and it's too complicated for a simple and obvious security monitoring request, but it works on w2012:

  • As an admin, run regedit.
  • Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog.
  • Right-click 'Security'.
  • Click Permissions.
  • Add a group (like 'Event Log Readers').
  • Select the group you added.
  • Check Read under Allow.
  • Exit regedit and add this group to the users who need access.
  • These users will need to log out and back in for it to take effect.

Yes, others have found this before me: http://powerkb.se/?p=614

  • I have the same issue. I have set the permissions as you described above, but it's still not working :(. Do you have any ideas? Commented Nov 20, 2017 at 14:43
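The same procedure done from an elevated PowerShell session rather than regedit, as an added example that is not part of the question or the answer above. It first checks the point raised in the comments (that the session is actually elevated, not merely run by an admin account), dumps the current DACL on the Security log's registry key so you can compare it with the working DC, then grants the group Read on that key and re-runs the failing command. The group name 'BUILTIN\Event Log Readers' is an assumption; substitute whatever group you chose. Get-EventLog is backed by System.Diagnostics.EventLog, which reads the log's configuration from that key, which is why a failure there surfaces as a registry SecurityException rather than a log-access error.

```powershell
# Added example, not code from the original post. Assumes it is run in an
# elevated PowerShell on the affected DC; the group name below is a placeholder.

# 1. Confirm the token is elevated. An admin account that opened PowerShell
#    normally is still running with a filtered (non-elevated) token under UAC.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Not elevated: right-click PowerShell and choose 'Run as administrator'."
}

# 2. Inspect the DACL on the Security log's registry key. Run the same lines on
#    the DC where Get-EventLog works and diff the two outputs.
$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security'
$acl = Get-Acl -Path $keyPath
$acl.Access |
    Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

# 3. Grant the group Read (ReadKey) on the key and let it inherit to subkeys.
#    AddAccessRule appends; SetAccessRule would overwrite that identity's rules.
$group = 'BUILTIN\Event Log Readers'   # assumption: the group you want to use
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $group,
    [System.Security.AccessControl.RegistryRights]::ReadKey,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# 4. Re-test the command from the question. A user added to the group must log
#    off and on again so a fresh token carries the group SID.
try {
    Get-EventLog -LogName Security -Newest 1 |
        Format-List TimeGenerated, EventID, Message
} catch [System.Security.SecurityException] {
    Write-Warning "Still denied: $($_.Exception.Message)"
}
```

Set-Acl on this key needs the elevated token to already hold permission to change the DACL; if that call itself fails with an access error, take ownership of the key first (the same prerequisite the regedit route has). Membership in the group is granted separately, as the answer says: on a DC 'Event Log Readers' is a domain local group, so add the account with your usual AD tooling and have the user sign out and back in before re-testing.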
