Configuring the Event Viewer

9min
To display Passwork events in the Event Viewer, you must additionally configure access rights. To do this, you need to:
Open PowerShell as "Administrator":
Right-click on the Start icon in the lower left corner of the screen.
Select "Windows PowerShell (Administrator)" from the context menu.
Left-click on the Start icon in the lower left corner of the screen.
Write powershell
Open PowerShell as "Administrator" with the combination — Ctrl + Shift + Enter
Get security identifiers (SIDs) for accounts:
PowerShell
$objUser = New-Object System.Security.Principal.NTAccount("имя_группы")
$strSID = $objUser.Translate([System.Security.Principal.SecurityIdentifier])
$strSID.Value
$objUser = New-Object System.Security.Principal.NTAccount("имя_группы")
$strSID = $objUser.Translate([System.Security.Principal.SecurityIdentifier])
$strSID.Value
﻿
IUSR (SID: S-1-5-17);
IIS_IUSRS (SID: S-1-5-32-568);
NETWORK SERVICE (SID: S-1-5-20).
Get access rights configured using CMD:
CMD
wevtutil gl application > temp.txt
wevtutil gl application > temp.txt
﻿
A temp.txt file will be created in the directory to be executed.
In the temp.txt file, edit the channelAccess line:
Remove items beginning with (D;;; and containing one of the received SID;
Each received SID is inserted by an element in the format (A;;0x3;;;SID);
Example for standard SIDs written at the end of the channelAccess string:
SID
(A;;0x3;;;S-1-5-17)(A;;0x3;;;S-1-5-32-568)(A;;0x3;;;S-1-5-20)
(A;;0x3;;;S-1-5-17)(A;;0x3;;;S-1-5-32-568)(A;;0x3;;;S-1-5-20)
﻿
Full string with standard security identifiers (SID):
channelAccess
channelAccess: O:BAG:SYD:(A;;0x2;;;S-1-15-2-1)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)(A;;0x3;;;S-1-5-17)(A;;0x3;;;S-1-5-32-568)(A;;0x3;;;S-1-5-20)
channelAccess: O:BAG:SYD:(A;;0x2;;;S-1-15-2-1)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)(A;;0x3;;;S-1-5-17)(A;;0x3;;;S-1-5-32-568)(A;;0x3;;;S-1-5-20)
﻿
Change the permissions settings using CMD:
CMD
wevtutil sl application /ca:O:BAG:SYD:(A;;0x2;;;S-1-15-2-1)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)(A;;0x3;;;S-1-5-17)(A;;0x3;;;S-1-5-32-568)(A;;0x3;;;S-1-5-20)
wevtutil sl application /ca:O:BAG:SYD:(A;;0x2;;;S-1-15-2-1)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)(A;;0x3;;;S-1-5-17)(A;;0x3;;;S-1-5-32-568)(A;;0x3;;;S-1-5-20)
﻿
After /ca: substitute the value of the channelAccess parameter from temp.txt
In PowerShell, execute the following script to display PHP events correctly:
Note to self:
In the variable $EventSource write PHP-number_version, to get the PHP version, you need to execute — php -v in PowerShell.
In the variable $PHPEventMessageFile write the location of php8.dll extension, located in the root directory of the PHP obtained during installation.
PowerShell
# Variable definition
$EventSource = "PHP-8.3.19"
$PHPEventMessageFile = "C:\Program Files\php8.3\php8.dll"
$EventLogPath = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Application\$EventSource"
$TypesSupported = 7

# Checking and creating a key for the event source
if (-not (Test-Path $EventLogPath)) {
    New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Application" -Name $EventSource -Force
}

# Configuring parameters for the event source
Set-ItemProperty -Path $EventLogPath -Name "EventMessageFile" -Value $PHPEventMessageFile -Type ExpandString
Set-ItemProperty -Path $EventLogPath -Name "TypesSupported" -Value $TypesSupported -Type DWord
# Variable definition
$EventSource = "PHP-8.3.19"
$PHPEventMessageFile = "C:\Program Files\php8.3\php8.dll"
$EventLogPath = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Application\$EventSource"
$TypesSupported = 7

# Checking and creating a key for the event source
if (-not (Test-Path $EventLogPath)) {
    New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Application" -Name $EventSource -Force
}

# Configuring parameters for the event source
Set-ItemProperty -Path $EventLogPath -Name "EventMessageFile" -Value $PHPEventMessageFile -Type ExpandString
Set-ItemProperty -Path $EventLogPath -Name "TypesSupported" -Value $TypesSupported -Type DWord
﻿
After the steps are completed, Passwork events will be displayed in Event View — Windows Logs → Application:
﻿
﻿
Recording Activity log to Syslog or Event Viewer
Events list from the Activity Log