How to write an entry to the Windows Security log shown by Event Viewer
A customer has engaged us to write a piece of software for them that can post entries to the Windows Security log in the Event Viewer (as opposed to the Application log). They're mostly a VB shop. With VB, writing to the Windows Application log is fairly straightforward (at least in the older .NET Framework) by using the EventLog class.
But writing to the Windows Security log doesn't seem nearly as straightforward. Our customer hasn't been able to find anything helpful, and Windows security isn't our area of expertise. They engaged us simply because we've done work for them before (not related to Windows security).
Most of my research seems to center around the C function AuthzReportSecurityEvent() as the mechanism to write to the Security log. The fact that it's C doesn't bother me, since there are ways for VB code to call C code.
I have written a C program that does post an entry into the Security log using a call to this function where I guessed at some of the arguments. I have some questions about the entry that gets logged. I expect I need to flesh out the function call.
- In the Keywords column, instead of just Audit Success, it says "Classic, Audit Success". Is there a way to eliminate the Classic keyword there?
- The text that is shown in Event Viewer says "The description for Event ID <n> from source <x> cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted." How can I eliminate this text?
- The text also says "The message resource is present but the message was not found in the message table". Again, how can I eliminate this text?
- The Task Category column has (3) as the value. Can I establish a better value for that?
- I passed two string optional arguments. In the XML rendering of the entry, these two arguments show up like this:
    <EventData>
      <Data>value 1</Data>
      <Data>value 2</Data>
    </EventData>
Is there a way to get more meaningful tags for those values? In particular, I'd like something like this that I've seen in other Security log entries:
    <Data Name="TargetUserName">value 1</Data>
    <Data Name="IpAddress">value 2</Data>