Unable to open this log or view. Access is denied (5)

Guest

Hopefully someone can help. I can open the event viewer but when I try to
open a category like Application or Security, etc. I get a red M&M icon with
an X in it and it says:

Unable to open this log or view. Access is denied (5)

I get this with all the categories.

I've gone to Windows\System32\Logfiles\WMI\RtBackup and the files in there
won't let me take ownership or anything. I figure these might be related but
not sure. They are:
EtwRTDiagLog.etl
EtwRTEventLog-Application.etl
EtwRTEventLog-ForwardedEvents.etl
EtwRTEventlog-Security.etl
EtwRTEventLog-System.etl

The only reason that I noticed these at all was that they're the only files
in the system32 folder that I couldn't take ownership of. Actually there was
one other but can't remember which one. Didn't seem related though.

I've tried using an elevated cmd prompt and doing some things described
elsewhere to get a more full control but these particular files and the
Event Viewer itself seem to be totally locked.

On the Owner tab of these files it says You do not have permission to view
this object's owner etc. The permissions tab as well as all the other tabs say
something similar. They don't even let me see the permissions for the various
accounts or the different potential owners either. I've never seen this before.

I have Full Control of the eventvwr.msc and eventvwr.exe. Or so it says. I've
switched the owner around but it still won't let me see events. Run as
administrator doesn't do it either. Is there a more, sort of, brute force way to
get control of these files and/or the Event Viewer? Or some kind of God
command to giveth dominion over absolutely everything.

--


(¯`·._.·Ecat·._.·´¯)
HP a1230n
Athlon 64 Processor 3800+
1 Gig RAM
Radeon X700
 
Jimmy Brush

Are you trying to modify permissions on those files using a Windows Explorer
window that you have run as administrator?

- JB
 
Guest

Yea. Even that doesn't work. It's like they are owned by some totally other
entity than any account on my computer.

It's weird, I could probably delete all sorts of critical files and totally
pooch Vista if I wanted to but I can't view my events. lol.

I was involved about a week ago in trying to get Diskeeper installed and it
wasn't allowing the dkservice to start because it said I didn't have
sufficient privileges. So I went through all sorts of hoops to try and get it
to allow me. I'm starting to suspect that at some point during that, I must
have put some things in limbo or something.
Here's some of the things I tried:
http://windowshelp.microsoft.com/co...0E65F352DD13&lang=en&cr=US&sloc=en-us&m=1&p=1

Should I have been able to see events right out of the box? I mean without
having done anything with permissions and such? Because I don't think I ever
looked at the Event Viewer before I tried to get Diskeeper running. So I don't
know if I ever was really able to view it.
 
Jimmy Brush

This should work, regardless of what permissions are set on the file.

1) Make sure admins can bypass NTFS security and take ownership

- Click start
- Click Control Panel
- Go to System and Maintenance -> Administrative Tools
- Double-click Local Security Policy
- Expand Local Policies, and click User Rights Assignments
- Go down to the very bottom
- Make sure "Take ownership of files or other objects" is set to
Administrators
- If not, double-click the item, click add user or group, type
Administrators, press enter, click OK

2) Open an administrator explorer

- Click Start
- Type: explorer
- Right-click Windows Explorer when it appears
- Click Run As Administrator

3) Change ownership

- In the admin explorer, browse to the file you are having a problem with
- Right-click it, click properties
- Click Security Tab
- Click Edit...
- Click Advanced
- Click Owner
- Select Administrators from the list under "Change owner to"
- Click OK
- Click OK
- Click OK

4) Change Permissions

- Right-click the file again, click properties
- Click Edit...
- Click Add
- Type: Administrators
- Press enter
- Click the checkbox under Allow next to Full Control
- Click OK
- Click OK

Repeat 3+4 for every file you need access to. Usually, you would just have
to change security for the folder the files are in, but Windows has a nasty
way of making you do it for each file, if it was the one who created the
file.

- JB

Vista FAQ
http://www.jimmah.com/vista/
 
Guest

Take ownership of files or other objects was already set to Administrators.
Then opening Explorer with Run as administrator still doesn't work.

When I select the Security tab I don't have an Edit button like I do
everywhere else. With these files I only have an Advanced button. From there,
Permissions and Owner tabs don't have any choices. Same with the other tabs
under Advanced.

Here's a pic


Really weird.
 
Jimmy Brush

Hmm ... Ok ...

I guess the system logs are somehow protected, as this is the behavior on my
system as well. Doh!

So I guess the problem isn't that you have no access to the event log files
themselves (as this seems to be by design), but rather the event viewer is
saying you don't have permission to view the logs, which is controlled
elsewhere.

Try this first:

- Go back to the Local Security Policy -> User Rights Assignment, as in my
first instructions
- Make sure "Managing auditing and security log" has given Administrators
permission
- If you have to make a change, restart your computer

If that doesn't work, we're going to use the steps outlined in
http://support.microsoft.com/default.aspx?scid=kb;en-us;323076 to try and
reset permissions on the logs via group policy.

- Open up the registry editor
- Browse to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog
- In the left pane, Click on the name of one of the logs you can't access
- In the right pane, right-click, click new, click String Value
- Name the value: CustomSD
- Double-click it
- Set the value to the proper value listed below

Values
-------

For application:
O:BAG:SYD:*(D;;0xf0007;;;AN)*(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)

For system:
O:BAG:SYD:*(D;;0xf0007;;;AN)*(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x1;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;LS)(A;;0x2;;;NS)

For security:
O:BAG:SYD:*(D;;0xf0007;;;AN)*(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)

Restart your computer.

- JB

Vista FAQ
http://www.jimmah.com/vista/
 
Jimmy Brush

Sorry, there should be no asterisks in the values I gave you. Here are the
correct values:

For application:
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)

For system:
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x1;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;LS)(A;;0x2;;;NS)

For security:
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)

- JB

Vista FAQ
http://www.jimmah.com/vista/
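
Added example, not part of the thread and not Microsoft's code: a small Python reader for the CustomSD strings posted above, which shows who each value allows or denies and rejects the earlier asterisk version as malformed. The function names are hypothetical; the meaning of bits 0x1/0x2/0x4 (read/write/clear) is taken from KB 323076, and group membership is not resolved.

```python
import re

# Well-known SDDL SID aliases that appear in the CustomSD values in this thread.
SIDS = {"AN": "Anonymous Logon", "BG": "Builtin Guests", "SY": "Local System",
        "BA": "Builtin Administrators", "SO": "Server Operators",
        "IU": "Interactive Users", "SU": "Service Logon Users",
        "S-1-5-3": "Batch", "LS": "Local Service", "NS": "Network Service"}
# Event-log rights carried in the low bits of the access mask (per KB 323076).
RIGHTS = {0x1: "read", 0x2: "write", 0x4: "clear"}

HEADER = re.compile(r"O:([A-Z]{2})G:([A-Z]{2})D:")
ACE = re.compile(r"\(([AD]);[^;]*;(0x[0-9a-fA-F]+);[^;]*;[^;]*;([^;)]+)\)")

# Values copied from the posts above.
APPLICATION = "O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)"
SECURITY = "O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)"
SECURITY_WITH_ASTERISKS = "O:BAG:SYD:*(D;;0xf0007;;;AN)*(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)"

def parse_custom_sd(sddl):
    """Return [(kind, trustee, rights)]; raise ValueError on malformed input."""
    head = HEADER.match(sddl)
    if not head:
        raise ValueError("missing O:/G:/D: header")
    body, pos, aces = sddl[head.end():], 0, []
    for m in ACE.finditer(body):
        if m.start() != pos:  # stray text between ACEs, e.g. a '*'
            raise ValueError(f"unexpected text {body[pos:m.start()]!r}")
        pos = m.end()
        mask = int(m.group(2), 16)
        rights = [name for bit, name in RIGHTS.items() if mask & bit]
        kind = "allow" if m.group(1) == "A" else "deny"
        aces.append((kind, SIDS.get(m.group(3), m.group(3)), rights))
    if pos != len(body):
        raise ValueError(f"trailing text {body[pos:]!r}")
    return aces

def granted(sddl, trustee):
    """Rights allowed to a trustee named directly in the DACL, minus its denies.
    Group membership is not resolved; this reads the string, not a token."""
    allow, deny = set(), set()
    for kind, who, rights in parse_custom_sd(sddl):
        if who == trustee:
            (allow if kind == "allow" else deny).update(rights)
    return sorted(allow - deny)

if __name__ == "__main__":
    for name, sd in (("Application", APPLICATION), ("Security", SECURITY)):
        for kind, who, rights in parse_custom_sd(sd):
            print(f"{name:12} {kind:5} {who:24} {','.join(rights)}")
```

Read this way, the Security value names only Local System and Builtin Administrators in its allow entries, while the Application value also lets interactive users read and write.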
 
Guest

Well thanks for your help Jimmy but that didn't do it either. At least not by
itself.

I did manage to get it working finally though. I went to
Windows\System32\winevt\Logs
and took ownership and set permissions on all the .elf files in there.
Actually I did it with one and it seemed to do it to all of them. Then for
good measure, I backed out to Windows\System32\winevt and took ownership of
that folder and all its containers & objects.

Maybe the reg edits were involved in being able to do this. I don't know. I
had to give ownership to Users (MYNAME-PC\Users). It was already set to
Administrators (MYNAME-PC\Administrators). So I don't know why it didn't work
then. Even when doing different variations of Run as administrator.

So thanks a bunch for your help and attention. I probably wouldn't have
stumbled upon the winevt folder without it. ( :