EventLogSession/EventLogReader error remotely accessing Windows XP/W2K3 machines

Posted on May 8th, 2012

Sometimes, when searching Google, it takes all of 30 seconds to find an answer to a question. Other times, it can take minutes, or even hours. I’m writing this blog post because I was just researching an issue that took me hours to figure out – and in the end, it was so simple, yet disappointing at the same time…

For the new version of Overseer, the network monitoring software I write, I was adding support for extended event logs – these are the “Applications and Services Logs” event logs below the regular ones in W2K8’s event viewer. I found I had to use the new EventLogSession/EventLogReader API. I found it required .NET 3.5, so I upgraded my software to require .NET 3.5 (it was v2 compatible up to this point).

I got things working, and I was able to monitor event logs (new and old style) using the code remotely accessing Windows 2008 and Windows 7 computers. I got an error when accessing Windows XP machines (and I’m sure W2K3 machines, but I didn’t have any to test with at the time). The error was “UnauthorizedAccessException - Attempted to perform an unauthorized operation.” To most, including myself, this seems like a permissions issue – so I looked into all sorts of potential impersonation problems, etc. I scoured the web looking for anyone even having the same problem, but didn’t find it.

Eventually, I found a reference buried in some forum reply that one of the API calls that the new EventLogSession/EventLogReader makes is Vista/W2K8+ only. That’s just great – the whole API is now Vista/W2K8+ only… Why Microsoft wouldn’t add a compatibility layer for Windows XP and Windows 2003 is beyond me… But once I found this, I at least was able to move on, realizing that I had to detect the version of Windows running on the remote machine and use the different APIs accordingly… If only Microsoft had included proper documentation clearly specifying this new API was Vista/W2K8+ only, had an error message indicating something of that sort, or had actually done the right thing and written a compatibility layer into it, I wouldn’t have wasted so much time on such an unproductive search.
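
The version check described above could look like the following sketch. It is an added example, not Overseer's code: the class and method names and the `REMOTE-HOST` placeholder are hypothetical, and reading the remote version through WMI's `Win32_OperatingSystem` is an assumption, since the post does not say how the version was detected. It needs .NET 3.5 with references to System.Core and System.Management.

```csharp
using System;
using System.Diagnostics;
using System.Diagnostics.Eventing.Reader;
using System.Management;

static class RemoteEventLog
{
    // Assumption: WMI is reachable with the caller's credentials.
    // Win32_OperatingSystem.Version looks like "5.1.2600" (XP) or "6.1.7601" (Windows 7).
    static Version GetRemoteOsVersion(string host)
    {
        var scope = new ManagementScope(@"\\" + host + @"\root\cimv2");
        scope.Connect();
        using (var searcher = new ManagementObjectSearcher(scope,
                   new ObjectQuery("SELECT Version FROM Win32_OperatingSystem")))
            foreach (ManagementObject os in searcher.Get())
                return new Version((string)os["Version"]);
        throw new InvalidOperationException("No Win32_OperatingSystem instance on " + host);
    }

    // Vista/W2K8 and later report major version 6 or higher; XP is 5.1, W2K3 is 5.2.
    public static bool SupportsEventLogReader(Version v) { return v.Major >= 6; }
    public static void Dump(string host, string logName, int max)
    {
        if (SupportsEventLogReader(GetRemoteOsVersion(host)))
        {
            using (var session = new EventLogSession(host))
            {
                var query = new EventLogQuery(logName, PathType.LogName) { Session = session };
                using (var reader = new EventLogReader(query))
                {
                    EventRecord rec;
                    for (int i = 0; i < max && (rec = reader.ReadEvent()) != null; i++)
                        using (rec)
                            Console.WriteLine("{0} {1} {2}", rec.TimeCreated, rec.Id, rec.ProviderName);
                }
            }
        }
        else
        {
            // XP/W2K3: fall back to the classic System.Diagnostics.EventLog API.
            using (var log = new EventLog(logName, host))
                for (int i = 0; i < Math.Min(max, log.Entries.Count); i++)
                    Console.WriteLine("{0} {1} {2}", log.Entries[i].TimeGenerated,
                                      log.Entries[i].InstanceId, log.Entries[i].Source);
        }
    }
    static void Main() { Dump("REMOTE-HOST", "Application", 10); }
}
```

Checking the version before opening the session means an `UnauthorizedAccessException` from `EventLogReader` can be treated as a genuine permissions problem rather than an unsupported target.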