Closed GoogleCodeExporter closed 8 years ago
It also seems to be missing the: Service Control Manager key.
Cannot find key value "EventMessageFile":
"SYSTEM\CurrentControlSet\Services\Eventlog\System\Service Control Manager":
The operation completed successfully.#015
Service_Control_Manager: xxxx: (Facility: 0, Status: Success)
Original comment by karlsson...@gmail.com
on 13 Dec 2010 at 12:30
I seem to have found the error. In Windows 2008 R2 there is a REG_SZ pointing
to the ProviderGuid.
But in Windows 2008 (not R2) there's a REG_EXPAND_SZ instead, which seems to be
causing this error.
Original comment by karlsson...@gmail.com
on 13 Dec 2010 at 1:39
Patric, could you please check your servers (a Std and an R2) for this registry
key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\ForwardedEvents
Let me know what you find
-Sherwin
Original comment by sherwin....@gmail.com
on 14 Dec 2010 at 7:41
The keys under
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\ForwardedEvents
are identical on both systems as far as I can see.
Original comment by karlsson...@gmail.com
on 15 Dec 2010 at 9:25
I replied to this issue before via email, but apparently that post never made
it to the list.
Could you please verify that you are using the correct version for your
operating environment? If it's a 32-bit server make sure you're using the 32-bit
version. If it's a 64-bit server make sure you use the 64-bit version. To find out
the version just run "evtsys.exe /?". The version and architecture will be
printed at the top of the output.
Thanks,
Sherwin
Original comment by sherwin....@gmail.com
on 15 Dec 2010 at 8:54
I am running the correct version. The 32-bit version will install and so on, but
won't run as a service from my experience.
I have since then also built my own version using Visual Studio 2010 (had to
remove the /PDBPATH:none or it wouldn't compile) that supports longer syslog
messages (4k instead of 1k). This version exhibits the same problem, as it
can't find the paths specified above.
So yes, I am sure that I am running the 64-bit binary on a 64-bit system; I
even ran the VS .bat file to switch over my build environment to a 64-bit one
when I built it.
- Patric
Original comment by karlsson...@gmail.com
on 15 Dec 2010 at 9:03
The reason I ask is because those keys are only used by the utility on pre-2k8
boxes. Server 2008 and onward presented new APIs that handle all of that. If
you are seeing those error messages the utility is running as though the old
log service is in effect. The only reason it should do this is if the
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\ForwardedEvents
key is not found, or is not accessible to the utility. Are you running the
service under the SYSTEM account, and does it have access to that key?
-Sherwin
Original comment by sherwin....@gmail.com
on 17 Dec 2010 at 5:02
Yes, I am running the utility under the SYSTEM account. And since the key is
actually there, it should use the new API.
The only difference I found is that the key ProviderGuid is a REG_EXPAND_SZ
in
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Service
Control Manager" under vanilla 2008, and is a REG_SZ in R2.
Changing it to a REG_SZ in 2008 makes everything work.
So I'm wondering if the utility is parsing it correctly and not finding the
ProviderGuid as expected.
The same thing occurs in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\Microsoft-Windows-Security-Auditing
as well.
- Patric
Original comment by karlsson...@gmail.com
on 17 Dec 2010 at 8:06
The utility never touches that key itself in 2008 mode. For some reason your
install is reverting to 2003 mode, which is strange. FYI, my vanilla 2008 install
also has
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Service
Control Manager" as REG_EXPAND_SZ and everything works fine. I will try to send
you a build that can be used to debug this. Or, if you would like, can you add
the following line to loop.c before line 87 "/*Open all eventlogs */":
printf("%s\n",winEvents == 0 ? "False" : "True");
For 2008 and up it should be True. For pre-2008 it should be False.
Original comment by sherwin....@gmail.com
on 20 Dec 2010 at 3:29
Where does the debug info end up? There's no stdout for Windows services, is
there? Or does it get sent to the syslog server?
Original comment by karlsson...@gmail.com
on 21 Dec 2010 at 2:40
Debug info gets sent to the commandline when you run the utility in debug mode.
Fire up a command prompt and switch to the path the utility resides in. Run
"evtsys.exe -d"
Original comment by sherwin....@gmail.com
on 27 Dec 2010 at 7:42
Alright I just checked, and on my Windows 2008 Machines it's coming back as
False.
I guess that's not supposed to happen.
Original comment by karlsson...@gmail.com
on 5 Jan 2011 at 1:36
OK, I noticed something tonight that may explain this fiasco. Could you please
delete line 72 from loop.c?
It says "BOOL winEvents = FALSE;" Just delete that.
Let me know if this fixes the problem.
Original comment by sherwin....@gmail.com
on 10 Jan 2011 at 4:17
Yes this does indeed look like it has fixed the issue.
The debug info now shows True instead of False, and I'm no longer getting the
error message.
Thank You!
Original comment by karlsson...@gmail.com
on 10 Jan 2011 at 1:17
OK, great! It was a bug, but apparently VS2008 fixed it at compile time whereas 2010
does not. I'm surprised there is no compiler warning at all, though. I will fix
this for the future, as there is no longer a need to use an external variable.
Thanks for your assistance,
Sherwin
Original comment by sherwin....@gmail.com
on 10 Jan 2011 at 3:25
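The two halves of this thread, the mode-selection logic Sherwin describes on 17 Dec (use the new event log API only when the WINEVT ForwardedEvents channel key is found) and the one-line fix of 10 Jan (delete the local "BOOL winEvents = FALSE;"), are both shown in the following portable C model. This is an added example, not code from the evtsys project: the function names, the stubbed registry lookup and the constructed key tables are assumptions for illustration; only the global flag, the shadowing local and the debug printf come from the discussion.

```c
/* Added example, not evtsys project code: a portable model of the
 * mode-selection bug diagnosed in this thread.  detect_event_log_api,
 * select_mode_* and the constructed key tables are assumptions used for
 * illustration; the global 'winEvents', the local 'BOOL winEvents = FALSE;'
 * and the debug printf are the pieces taken from the discussion. */
#include <stdio.h>
#include <string.h>

typedef int BOOL;
#define TRUE  1
#define FALSE 0

/* The key whose presence tells the utility that the Vista+ event log API
 * (2008 mode) is available; absence means the pre-2008 ReadEventLog path. */
#define FORWARDED_EVENTS_KEY \
    "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\ForwardedEvents"

/* Global flag, standing in for the external variable the real utility sets
 * at startup and later reads from loop.c. */
BOOL winEvents = FALSE;

/* Constructed stand-in for a registry probe: instead of RegOpenKeyEx, look
 * the path up in a table of keys a hypothetical host is assumed to have. */
static BOOL reg_key_exists(const char *const *keys, size_t nkeys, const char *path)
{
    for (size_t i = 0; i < nkeys; i++)
        if (strcmp(keys[i], path) == 0)
            return TRUE;
    return FALSE;
}

/* Startup probe: set the global according to whether the channel key exists. */
void detect_event_log_api(const char *const *keys, size_t nkeys)
{
    winEvents = reg_key_exists(keys, nkeys, FORWARDED_EVENTS_KEY);
}

/* Buggy version of the loop's mode check.  The local declaration shadows the
 * global, so the probe's result is never seen and the code always takes the
 * 2003 path: the "False" the debug print showed on a 2008 host. */
int select_mode_buggy(void)
{
    BOOL winEvents = FALSE;                 /* the line the thread says to delete */
    printf("%s\n", winEvents == 0 ? "False" : "True");
    return winEvents ? 2008 : 2003;
}

/* Fixed version: with the shadowing local removed, the global set by the
 * startup probe decides the mode. */
int select_mode_fixed(void)
{
    printf("%s\n", winEvents == 0 ? "False" : "True");
    return winEvents ? 2008 : 2003;
}

int main(void)
{
    /* Constructed key lists: a Server 2008 host has the WINEVT channel key,
     * a Server 2003 host does not. */
    static const char *const host_2008[] = {
        "HKLM\\SYSTEM\\CurrentControlSet\\Services\\EventLog\\System",
        FORWARDED_EVENTS_KEY,
    };
    static const char *const host_2003[] = {
        "HKLM\\SYSTEM\\CurrentControlSet\\Services\\EventLog\\System",
    };

    detect_event_log_api(host_2008, 2);
    printf("2008 host, buggy loop: %d mode\n", select_mode_buggy());
    printf("2008 host, fixed loop: %d mode\n", select_mode_fixed());

    detect_event_log_api(host_2003, 1);
    printf("2003 host, fixed loop: %d mode\n", select_mode_fixed());
    return 0;
}
```

Build it with `gcc -std=c99 -Wall -Wshadow shadow.c`: neither gcc nor clang reports the shadowing local at their default warning level, which matches the "no compiler warning at all" observation above, but `-Wshadow` flags it as a declaration that shadows a global. On the 2008 host the buggy loop reports 2003 mode while the fixed loop reports 2008 mode; on the 2003 host both report 2003, so the bug is invisible exactly on the systems where the old path is correct.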
Could you please provide a new Eventlog-to-syslog zip with the fix of Issue 20?
BTW, this tool has been extremely useful.
Thank you very much.
Original comment by bhagyakn...@gmail.com
on 9 Feb 2011 at 3:55
I will update the trunk and try to push the executables tomorrow.
Original comment by sherwin....@gmail.com
on 9 Feb 2011 at 4:45
I installed the 32-bit Eventlog-to-syslog under Win2008 R2 and have the same message: "cannot
find key value "EventMessageFile":
"SYSTEM\CurrentControlSet\Services\Eventlog\System\Service Control Manager". Did
you release the new trunk?
Thank you very much.
Original comment by chiwen.h...@gmail.com
on 8 Mar 2011 at 10:23
Sorry Chiwen, I did not release executables, but I did update the trunk. The
executables in the downloads section should not exhibit this problem though. I
will update the files this evening to be sure.
Thanks
Original comment by sherwin....@gmail.com
on 8 Mar 2011 at 3:41
Original issue reported on code.google.com by
karlsson...@gmail.com
on 13 Dec 2010 at 9:59