Writing to eventlog from IIS7 web application fails


I am trying to deploy a .NET web application whose security is done using impersonation.

Writing to the eventlog works fine on my dev box (Win 2003 IIS6) but after putting the app on the live box (Win 2008 IIS7) I'm getting the following:

Access is denied

[Win32Exception (0x80004005): Access is denied]

[InvalidOperationException: Cannot open log for source 'MyApp'. You may not have write access.]
System.Diagnostics.EventLog.OpenForWrite(String currentMachineName) +1815151
System.Diagnostics.EventLog.InternalWriteEvent(UInt32 eventID, UInt16 category, EventLogEntryType type, String[] strings, Byte[] rawData, String currentMachineName) +452
System.Diagnostics.EventLog.WriteEntry(String message, EventLogEntryType type, Int32 eventID, Int16 category, Byte[] rawData) +463
System.Diagnostics.EventLog.WriteEntry(String message, EventLogEntryType type) +30

The best help I've found on Google has been: http://support.microsoft.com/default.aspx?scid=kb;en-us;323076 | http://msdn.microsoft.com/en-us/library/aa379570%28VS.85%29.aspx

The reference to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Application\CustomSD confuses me as I don't have this in the registry key on the live box.

Little help??

asked on Server Fault Dec 9, 2009 by GordonB

1 Answer


Even with impersonation it's possible that your app pool identity is used. Some apps RevertToSelf and don't honor the impersonation.

Process Monitor from Sysinternals will be your friend on this project. It's free and safe on a production server. Start it and reproduce the situation to get a capture. Then search for the word denied, or search for CustomSD or Eventlog. A pattern should emerge that will show which user is trying to gain access and how to grant that user access.

answered on Server Fault Dec 9, 2009 by Scott Forsyth - MVP • edited Nov 20, 2017 by Richard Lucas
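
An added example, not part of the answer above and not code from the asker's application: once the capture shows which account is denied, this PowerShell function decodes a CustomSD SDDL string so that account can be compared against the trustees the log grants write access to. The function name and the sample SDDL string are constructed for illustration; the registry path is the one quoted in the question, and 0x1/0x2/0x4 are the event log read/write/clear access bits.

```powershell
# Added example: decode an event log CustomSD value (SDDL) into per-trustee rights.
# Get-EventLogAclEntry is a hypothetical helper name, not a built-in cmdlet.
function Get-EventLogAclEntry {
    param([Parameter(Mandatory = $true)][string]$Sddl)

    # Event log specific access-mask bits used in CustomSD ACEs.
    $bits = @{ Read = 0x1; Write = 0x2; Clear = 0x4 }

    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    if ($null -eq $sd.DiscretionaryAcl) {
        Write-Warning 'Security descriptor has no DACL (no D: section).'
        return
    }

    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }   # SID cannot be resolved on this machine

        $rights = @('Read', 'Write', 'Clear' |
                    Where-Object { $ace.AccessMask -band $bits[$_] })

        New-Object PSObject -Property @{
            Type     = $ace.AceType                 # AccessAllowed or AccessDenied
            Trustee  = $name
            Mask     = '0x{0:x}' -f $ace.AccessMask
            Rights   = $rights -join ','
            HasWrite = [bool]($ace.AccessMask -band $bits.Write)
        } | Select-Object Type, Trustee, Mask, Rights, HasWrite
    }
}

# Constructed sample SDDL, for illustration only (not read from any real server).
$sample = 'O:BAG:SYD:(D;;0xf0007;;;AN)(A;;0x7;;;BA)(A;;0x3;;;IU)(A;;0x1;;;AU)'
Get-EventLogAclEntry -Sddl $sample | Format-Table -AutoSize

# Live check: the value may be absent, as on the asker's Win 2008 box.
$key  = 'HKLM:\System\CurrentControlSet\Services\Eventlog\Application'
$live = (Get-ItemProperty -Path $key -Name CustomSD -ErrorAction SilentlyContinue).CustomSD
if ($live) {
    Get-EventLogAclEntry -Sddl $live | Format-Table -AutoSize
} else {
    "CustomSD is not set under $key"
}
```

In the constructed sample only the BA and IU entries carry the write bit, so an account that matches neither would be refused when it calls WriteEntry; an AccessDenied entry that matches the account takes effect regardless of later allow entries.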

User contributions licensed under CC BY-SA 3.0