
SSIM Windows vista collector command run error comes on exchange

Created: 05 Jan 2012 | 7 comments
amits@jainamtech.com

I have one Windows 2008 R2 server with Exchange. I ran the SSIM Vista collector on this machine to collect OS logs, so I ran these commands on the Windows 2008 server:

winrm quickconfig

winrm set winrm/config/service @{AllowUnencrypted="true"}

winrm set winrm/config/service/Auth @{Basic="true"}

winrm set winrm/config/Winrs @{AllowRemoteShellAccess="false"}

wevtutil sl security /ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)

wevtutil sl system /ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)

wevtutil sl application /ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)

winrm get winrm/config

After some time I needed to restart the server, and I found that my Exchange services were not restarting because of these commands:


wevtutil sl system /ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)

wevtutil sl application /ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)

How can we roll back these commands on the server?

Comments (7)

antilles

Each of those three basic Windows event logs has a different SDDL by default, so when you modified Channel Access by overwriting it with the same SDDL string for every event log, you probably caused your problems.

Did you display Channel Access before changing it?
You should use the 'wevtutil gl system' command for the System event log, and add the user and/or group SID to the existing SDDL instead of overwriting it.

Try to delete the CustomSD REG_SZ value from the following keys in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\Application
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\System

Regards.

amits@jainamtech.com

Hi,

I already deleted the CustomSD REG_SZ value from the following keys in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\Application
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\System

After deleting them, the Exchange services start.

But I want my previous CustomSD REG_SZ value back in the following keys in the registry.

olaf

You shouldn't run the following commands:

wevtutil sl system /ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)

wevtutil sl application /ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)


By running these 2 commands you are restricting access to the Application and Security logs.

Nowhere in our documentation do we recommend doing that.

http://support.microsoft.com/kb/323076

For example, the Application log has the following rights set by default:

O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x5;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x2;;;BA)(A;;0x2;;;LS)(A;;0x2;;;NS)

By running the command wevtutil sl application /ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20), you are removing access for most of the objects.

Don't try to do this if you don't know the exact impact! A lot of applications won't be able to write to the Application log anymore and might stop working!
Same for the System log.

We only recommend doing this for the Security log, because the default permissions for the Security log don't allow read access for the Network Service.
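The safer procedure that antilles and olaf describe above (read the current channel access with 'wevtutil gl', keep it, and append an ACE for the collector's SID instead of replacing the whole descriptor) as a script. This is an added example, not code from the thread or from Symantec's documentation; the 'wevtutil gl'/'wevtutil sl /ca:' syntax and the event log access bits (0x1 read, 0x2 write, 0x4 clear, which is exactly why the 0xf0005/0x5 masks in the question silently drop write access that the corrected 0xf0007/0x7 masks keep) are real, while the function names, the backup file location, and the default of NETWORK SERVICE (S-1-5-20) needing only read access are this example's assumptions.

```powershell
# Added example (not from the thread). Grants one SID read access to an event log channel
# by appending an ACE to the channel's EXISTING channelAccess SDDL, instead of replacing
# the whole descriptor as the commands in the question do. Run from an elevated prompt.
#
# Assumed defaults: the collector runs as NETWORK SERVICE (S-1-5-20) and only needs
# read (0x1). Event log access mask bits: 0x1 = read, 0x2 = write, 0x4 = clear.

param(
    [string]$Channel = 'Security',
    [string]$Sid     = 'S-1-5-20',   # NETWORK SERVICE; S-1-5-32-573 would be Event Log Readers
    [string]$Mask    = '0x1',        # read only; never hand the collector 0x2/0x4
    [switch]$Restore                 # put back the SDDL saved by an earlier run
)

# Backup location is this example's choice, not anything wevtutil itself keeps.
$backup = Join-Path $env:TEMP ("{0}-channelAccess.sddl" -f $Channel)

function Get-ChannelAccess([string]$Name) {
    # 'wevtutil gl' prints one "channelAccess: O:...G:...D:(...)" line among the channel settings
    foreach ($line in (& wevtutil gl $Name)) {
        if ($line -match '^\s*channelAccess:\s*(\S+)\s*$') { return $Matches[1] }
    }
    throw "Could not read channelAccess for channel '$Name'"
}

function Set-ChannelAccess([string]$Name, [string]$Sddl) {
    & wevtutil sl $Name "/ca:$Sddl"
    if ($LASTEXITCODE -ne 0) { throw "wevtutil sl failed with exit code $LASTEXITCODE" }
}

if ($Restore) {
    if (-not (Test-Path $backup)) { throw "No backup at $backup" }
    $saved = (Get-Content $backup -Raw).Trim()
    Set-ChannelAccess $Channel $saved
    Write-Host "Restored $Channel channelAccess to: $saved"
    return
}

$current = Get-ChannelAccess $Channel
Write-Host "Current $Channel channelAccess: $current"

# Keep a copy first: 'wevtutil sl /ca:' overwrites, and the only other way back is
# deleting CustomSD under HKLM\SYSTEM\CurrentControlSet\Services\EventLog\<log>.
Set-Content -Path $backup -Value $current
Write-Host "Saved to $backup (rerun with -Restore to revert)"

if ($current -match [regex]::Escape(";;;$Sid)")) {
    Write-Host "$Sid already has an ACE on $Channel; nothing to do."
    return
}

# Append the new ACE to the DACL. If the descriptor carries a SACL ("S:" section after
# the DACL) the ACE has to go before it; the stock logs have only O:, G: and D: parts.
$ace  = "(A;;$Mask;;;$Sid)"
$sacl = $current.IndexOf('S:', $current.IndexOf('D:'))
$new  = if ($sacl -gt 0) { $current.Insert($sacl, $ace) } else { $current + $ace }

Set-ChannelAccess $Channel $new

# Verify by reading the descriptor back rather than trusting the exit code.
$after = Get-ChannelAccess $Channel
if ($after -notlike "*$ace*") { throw "ACE not present after update: $after" }
Write-Host "Updated $Channel channelAccess: $after"
```

Saved as, say, Add-ChannelAce.ps1 (a hypothetical file name), '.\Add-ChannelAce.ps1 -Channel Security' adds only the read ACE for NETWORK SERVICE and leaves every default ACE (including the SYSTEM and Administrators write bits) in place; '.\Add-ChannelAce.ps1 -Channel Security -Restore' puts the saved descriptor back. Because the script refuses to run without first reading and saving the current value, it cannot reproduce the failure in the question, where three logs with different defaults were all overwritten with one hand-typed string.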
amits@jainamtech.com

Hi,

I already ran these commands. How can I roll back these registry values?

olaf

You should NOT run these commands.

olaf

To revert to the default settings, please run the 2 commands you find in the attached .txt file.

Attachment: log-ca.txt (359 bytes)
Musa Timur Sarigul

If you modify the Exchange server SD values incorrectly, Exchange may fail to start.

Please enter the following values:


call wevtutil sl security /ca:O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)

call wevtutil sl system /ca:O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)

call wevtutil sl application /ca:O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)


DO NOT!!!


wevtutil sl security /ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)

wevtutil sl system /ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)

wevtutil sl application /ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)