EventAccessControl function (evntcons.h)
Adds or modifies the permissions of the specified provider or session.
Syntax
ULONG EVNTAPI EventAccessControl(
[in] LPGUID Guid,
[in] ULONG Operation,
[in] PSID Sid,
[in] ULONG Rights,
[in] BOOLEAN AllowOrDeny
);
Parameters
[in] Guid
GUID that uniquely identifies the provider or session whose permissions you want to add or modify.
[in] Operation
Type of operation to perform, for example, add a DACL to the session's GUID or provider's GUID. For possible values, see the EVENTSECURITYOPERATION enumeration.
[in] Sid
The security identifier (SID) of the user or group to whom you want to grant or deny permissions.
[in] Rights
You can specify one or more of the following permissions:
[in] AllowOrDeny
If TRUE, grant the user permissions to the session or provider; otherwise, deny permissions. This value is ignored if the value of Operation is EventSecuritySetSACL or EventSecurityAddSACL.
Return value
Returns ERROR_SUCCESS if successful.
Remarks
By default, only the administrator of the computer, users in the Performance Log Users group, and services running as LocalSystem, LocalService, NetworkService can control trace sessions and provide and consume event data. Only users with administrative privileges and services running as LocalSystem can start and control an NT Kernel Logger session.
Windows Server 2003: Only users with administrator privileges can control trace sessions and consume event data; any user can provide event data.
Windows XP and Windows 2000: Any user can control trace sessions and provide and consume event data.
Users with administrator privileges can control trace sessions if the tool that they use to control the session is started from a Command Prompt window that is opened with Run as administrator....
To grant a restricted user the ability to control trace sessions, you can add them to the Performance Log Users group or call this function to grant them permission. For example, you can grant user A permission to start and stop a trace session and grant user B permission to only query the session.
To restrict who can log events to the session, see the TRACELOG_LOG_EVENT permission.
The ACL on the log file determines who can consume event data from the log file. To consume events from a session in real-time, you must grant the user TRACELOG_ACCESS_REALTIME permission or the user must be a member of the Performance Log Users group.
You can also specify the provider's GUID to restrict who can register the provider and who can enable the provider.
Requirements
| Requirement | Value |
|---|---|
| Minimum supported client | Windows Vista [desktop apps only] |
| Minimum supported server | Windows Server 2008 [desktop apps only] |
| Target Platform | Windows |
| Header | evntcons.h |
| Library | Sechost.lib on Windows 8.1 and Windows Server 2012; Sechost.lib on Windows 8.1 and Windows Server 2012 R2; Advapi32.lib on Windows 8, Windows Server 2012, Windows 7, Windows Server 2008 R2, Windows Server 2008 and Windows Vista |
| DLL | Sechost.dll on Windows 8.1 and Windows Server 2012; Advapi32.dll on Windows 8, Windows Server 2012, Windows 7, Windows Server 2008 R2, Windows Server 2008 and Windows Vista |
See also
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for