Frequently Asked Questions

Access denied for event logs on Server 2008 (R2) through Server 2016, and Windows Vista to Windows 10

There are a number of platform-specific "gotchas" that can lead to access denied and other errors when gathering events for computers running Vista, Windows 7, 8, 10, Windows Server 2008 (original and/or R2), Server 2012 and Server 2016. They are as follows - in no particular order:

Firewall blocking communications
Microsoft's own software firewall ships with pre-built exceptions designed specifically to allow remote management of event logs. They are disabled by default, but they are easy to enable. You can do this through the control panel applet for the Windows Advanced Firewall (enable all inbound exceptions relating to remote management of event logs), but the fastest and least error-prone method is the command line:

  • Open an administrator-level command shell (either regular command prompt or Powershell)
  • Issue the following command:
    netsh advfirewall firewall set rule group="Windows Firewall Remote Management" new enable=yes

    TIP#1: If the above command gives you an obscure error related to inappropriate use of "group", please check the quote characters and try again. Some browsers don't display straight double quotes verbatim, which can cause trouble if you've copied and pasted the line into your command prompt.

    TIP#2: On older operating systems, this alternative command may be required: netsh firewall set service RemoteAdmin

    TIP#3: Please also note that port 135 is required for event log management traffic. If you have sealed off this port, event log gathering will not be possible. Port 445 may also be necessary if you're using WMI.
If you're not using Microsoft's own firewall, or if another breed of firewall also stands between you and the target machine, you'll have to open ports manually. This is not entirely straightforward as Windows uses dynamic port allocation for the underlying communication protocol (DCOM); however a small registry edit can be used to constrain DCOM to a manageable range of ports. Please consult the following Microsoft article: https://support.microsoft.com/en-us/kb/154596

Remote Registry service not running
In many installations the Remote Registry service is set to "manual" startup, which typically means it is not running. Start the service via the Services control panel applet (services.msc), and also set it to start automatically so the problem does not recur at the next reboot.

UAC preventing assignment of necessary permissions
The default configuration for User Account Control strips a remote login of the privileges required to access event logs, even when correct administrative credentials have been supplied. The Microsoft-recommended solution to this is to make a small registry edit that modifies UAC behavior just enough to allow remote access to the event logs via an appropriate account.

Caution: only proceed with this if you are fully aware of the dangers of careless registry modification. If you're not keen on doing this yourself, or if you'd like to read more about this before proceeding, please read the following Microsoft Knowledgebase article (it even contains links which will safely apply the registry modification for you): http://support.microsoft.com/kb/951016

In brief, the modification is as follows:
  • Open Regedit
  • Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  • Add a DWORD value with the name LocalAccountTokenFilterPolicy to the above key, and set its value to 1.

Incorrect Registry permissions
Note: only proceed with this if you are fully aware of the dangers of careless registry modification.
  • Navigate to HKLM\System\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths and verify that the following appears within the list of path strings (it should NOT be in quotes): System\CurrentControlSet\Services\Eventlog
  • Also check the permissions for the enclosing key HKLM\System\CurrentControlSet\Control\SecurePipeServers\winreg. It is essential that "LOCAL SERVICE" have READ permission for this key.
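The following script is an added example, not part of the original FAQ or of any vendor tool: run on the target machine in an elevated PowerShell session, it reports each prerequisite listed above (firewall rule groups, Remote Registry service, LocalAccountTokenFilterPolicy, winreg AllowedPaths and the LOCAL SERVICE permission) without changing anything. It assumes Windows PowerShell 5.x or later with the NetSecurity module, so the firewall check applies to Windows 8 / Server 2012 and newer; on Vista / Server 2008 use the netsh commands above instead.

```powershell
# Added diagnostic script (not from the original FAQ). Audits the prerequisites
# for remote event log access; it only reads, it does not modify anything.
function Test-RemoteEventLogPrereqs {
    $results = [ordered]@{}

    # 1. Firewall: the FAQ enables "Windows Firewall Remote Management";
    #    "Remote Event Log Management" is the group covering event log RPC traffic.
    foreach ($group in 'Windows Firewall Remote Management', 'Remote Event Log Management') {
        $rules = Get-NetFirewallRule -DisplayGroup $group -Direction Inbound -ErrorAction SilentlyContinue
        $enabled = @($rules | Where-Object { $_.Enabled -eq 'True' }).Count
        $results["Firewall group '$group' enabled"] = $enabled -gt 0
    }

    # 2. Remote Registry service must be running and set to start automatically.
    $svc = Get-Service -Name RemoteRegistry
    $results['Remote Registry running']    = $svc.Status -eq 'Running'
    $results['Remote Registry auto start'] = $svc.StartType -eq 'Automatic'

    # 3. UAC remote token filtering (KB951016): LocalAccountTokenFilterPolicy = 1.
    $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uac = Get-ItemProperty -Path $uacKey -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue
    $results['LocalAccountTokenFilterPolicy = 1'] = ($uac.LocalAccountTokenFilterPolicy -eq 1)

    # 4. winreg AllowedPaths (REG_MULTI_SZ value "Machine") must list the Eventlog path.
    $winreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
    $allowed = (Get-ItemProperty -Path "$winreg\AllowedPaths" -Name Machine -ErrorAction SilentlyContinue).Machine
    $results['Eventlog path in AllowedPaths'] = @($allowed) -contains 'System\CurrentControlSet\Services\Eventlog'

    # 5. LOCAL SERVICE needs an Allow ACE granting at least ReadKey on the winreg key.
    $readKey = [System.Security.AccessControl.RegistryRights]::ReadKey
    $aces = (Get-Acl -Path $winreg).Access | Where-Object {
        $_.IdentityReference.Value -eq 'NT AUTHORITY\LOCAL SERVICE' -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.RegistryRights -band $readKey) -eq $readKey)
    }
    $results['LOCAL SERVICE has READ on winreg'] = @($aces).Count -gt 0

    # Print a one-line verdict per check, then return the table for scripting.
    foreach ($name in $results.Keys) {
        $verdict = if ($results[$name]) { 'OK' } else { 'CHECK' }
        '{0,-55} {1}' -f $name, $verdict
    }
    return $results
}

Test-RemoteEventLogPrereqs
```

Any line reported as CHECK maps directly to the corresponding section above; the script deliberately makes no changes, so apply the fix by hand (or via the linked Microsoft articles) and re-run it.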

Last Updated 9 years ago