KB961099

Assume that you have an application that uses Microsoft Windows NT event log APIs. However, on a computer that is running Windows Vista or Windows Server 2008, the application cannot read the description of an event log message.

For example, in a network environment, you run Microsoft Operations Manager (MOM) 2005. When the MOM agent is running on a client that is running Windows Vista or Windows Server 2008, the MOM agent cannot read the descriptions of the events in the Windows NT event log. For example, the MOM agent cannot read the following messages.

Example 1

Type: Audit Success
Time: Time
Domain: Domain
Computer: Computer
Description: Unable to find Security source Microsoft-Windows-Security-Auditing message …
Source: Microsoft-Windows-Security-Auditing
Category: Event
Number: Event Number
User: N/A
Event Id: Event ID
Provider Type: Event Log Provider
Name: Security Source
Domain: Domain
Source Computer: Domain
Consolidated: False
Raises Alert: False

Example 2

Type: Audit Success
Time: Time
Domain: Domain
Computer: Computer
Description: Unable to find Security source Microsoft-Windows-Eventlog message 1102 [1102] SID Computer Domain Logon ID
Source: Microsoft-Windows-Eventlog
Category: Event
Number: 1102
User: N/A
Event Id: 9afd9646-3599-4da6-a065-5fe0bd51bb6d
Provider Type: Event Log Provider
Name: Security Source
Domain: Domain
Source Computer: Computer
Consolidated: False
Raises Alert: False

In these examples, the Description section is not displayed correctly.

Note: When the MOM agent runs under the Network Service account, you must grant the Read permission to the following registry entry on the client computer to make sure that the MOM agent has permission to read the registry key for the Security log:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Security

However, even if you grant the Read permission to the MOM agent for the entry, the description is not displayed correctly.
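
The Read permission described in the note can be audited, and granted only when missing, with the following PowerShell. This is an added example, not part of the original article. It assumes an elevated session, and the `-Grant` switch is a hypothetical name chosen here; without it the script only reports.

```powershell
# Added example: report (and optionally grant) Read access for Network Service
# on the Security event log registry key named in the note above.
param([switch]$Grant)   # hypothetical switch: omit it for a read-only audit

$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Security'

# S-1-5-20 is the well-known SID of NT AUTHORITY\NETWORK SERVICE.
# Matching on the SID avoids localized account names.
$sid     = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-20')
$readKey = [int][System.Security.AccessControl.RegistryRights]::ReadKey

$acl   = Get-Acl -Path $keyPath
$rules = $acl.GetAccessRules($true, $true,
             [System.Security.Principal.SecurityIdentifier])

# Only ACEs that name the SID directly are examined. Access inherited through
# group membership and any Deny ACEs are not evaluated here.
$hasRead = $false
foreach ($rule in $rules) {
    if ($rule.IdentityReference.Value -eq $sid.Value -and
        $rule.AccessControlType -eq 'Allow' -and
        (([int]$rule.RegistryRights) -band $readKey) -eq $readKey) {
        $hasRead = $true
    }
}

$granted = $false
if (-not $hasRead -and $Grant) {
    # ReadKey only: query values, enumerate subkeys, notify, read permissions.
    $newRule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $sid, [System.Security.AccessControl.RegistryRights]::ReadKey,
        'ContainerInherit', 'None', 'Allow')
    $acl.AddAccessRule($newRule)
    Set-Acl -Path $keyPath -AclObject $acl
    $granted = $true
}

# Emit one summary object so the result can be logged or piped.
New-Object PSObject -Property @{
    Key             = $keyPath
    Account         = 'NT AUTHORITY\NETWORK SERVICE'
    HadExplicitRead = $hasRead
    GrantedNow      = $granted
}
```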
