SKETCH OF HOW RESEARCH MIGHT CONTINUE AND RESULTS BE PRESENTED

This old page from 2008 is now retired. Back then, this website had no place for it except among these miscellaneous Notes. I anyway meant it only as a quick write-up to stake an interest in a topic even if I never found cause to return to it. As it happens, I have returned to this topic many times since but left this page here, neglected. Now it is redone as ETW Security in the site’s extensive notes on kernel-mode Windows programming.

Event Trace Security

Event providers and loggers are securable WmiGuid objects. Access rights specific to WMI security are defined symbolically in WMISTR.H from the Windows SDK. Microsoft even describes some of them in documentation of the EventAccessControl function.

Constant  Symbolic Name                  Generic Mapping (ETW)  Generic Mapping (WMI)
0x0001    WMIGUID_QUERY                  read                   read
0x0002    WMIGUID_SET                    write                  write
0x0004    WMIGUID_NOTIFICATION           read
0x0008    WMIGUID_READ_DESCRIPTION       read
0x0010    WMIGUID_EXECUTE                execute                execute
0x0020    TRACELOG_CREATE_REALTIME       write
0x0040    TRACELOG_CREATE_ONDISK         write
0x0080    TRACELOG_GUID_ENABLE           execute
0x0100    TRACELOG_ACCESS_KERNEL_LOGGER
0x0200    TRACELOG_LOG_EVENT             execute
0x0400    TRACELOG_ACCESS_REALTIME       execute
0x0800    TRACELOG_REGISTER_GUIDS        execute

With one exception, TRACELOG_ACCESS_KERNEL_LOGGER, each permission is also implied by one of GENERIC_READ, GENERIC_WRITE and GENERIC_EXECUTE. Even GENERIC_ALL just combines the generic read, write and execute permissions, and so does not grant access to the NT Kernel Logger.

Registry Configuration

Permissions for particular loggers and providers are stored in the registry:

Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\WMI\Security
Value: guid
Type: REG_BINARY

where guid is the string form (without braces) of a GUID that represents the provider or logger. The binary data is expected to be a self-relative security descriptor. Let it be stressed that this means a SECURITY_DESCRIPTOR_RELATIVE structure followed by all the SIDs and ACLs that it refers to, not a string in the Security Descriptor Definition Language (SDDL) such as is used below.

Default Permissions

The special value 0811c1af-7a07-4a06-82ed-869455cdf713 represents all objects that do not have their own permissions. It is defined symbolically as DefaultTraceSecurityGuid in EVNTRACE.H from the Windows SDK, but seems to be otherwise undocumented. Windows Vista is installed with the following security descriptor as this default:

O:BAG:BAD:(A;;0x0800;;;WD)(A;;0x00120FFF;;;SY)(A;;0x00120FFF;;;LS)(A;;0x00120FFF;;;NS)(A;;0x00120FFF;;;BA)(A;;0x0EE5;;;S-1-5-559)

It may help to have the corresponding access rights described in terms of symbolic constants from the Windows SDK:

User or Group           Rights
SYSTEM                  WMIGUID_ALL_ACCESS
LOCAL SERVICE           WMIGUID_ALL_ACCESS
NETWORK SERVICE         WMIGUID_ALL_ACCESS
Administrators          WMIGUID_ALL_ACCESS
Performance Log Users   WMIGUID_QUERY
                        WMIGUID_NOTIFICATION
                        TRACELOG_CREATE_REALTIME
                        TRACELOG_CREATE_ONDISK
                        TRACELOG_GUID_ENABLE
                        TRACELOG_LOG_EVENT
                        TRACELOG_ACCESS_REALTIME
                        TRACELOG_REGISTER_GUIDS
Everyone                TRACELOG_REGISTER_GUIDS

These default permissions are presumably what Microsoft’s documentation has in mind when talking of Performance Log Users being able to control sessions. Note that although members of the Performance Log Users group have most of the defined permissions, they lack WMIGUID_SET, WMIGUID_READ_DESCRIPTION, WMIGUID_EXECUTE and TRACELOG_ACCESS_KERNEL_LOGGER.

WMI Default

If a valid security descriptor is not set for the 0811c1af-7a07-4a06-82ed-869455cdf713 value, the kernel falls back to the built-in WMI default:

O:BAG:BAD:(A;;0x001FFFFF;;;SY)(A;;0x0800;;;BU)(A;;0x011FFFFF;;;BA)(A;;0x001FFFFF;;;LS)(A;;0x001FFFFF;;;NS)

Note that this provides no middle ground between having all access and nearly none:

User or Group      Rights
Administrators     SPECIFIC_RIGHTS_ALL
                   STANDARD_RIGHTS_ALL
                   ACCESS_SYSTEM_SECURITY
SYSTEM             SPECIFIC_RIGHTS_ALL
                   STANDARD_RIGHTS_ALL
LOCAL SERVICE      SPECIFIC_RIGHTS_ALL
                   STANDARD_RIGHTS_ALL
NETWORK SERVICE    SPECIFIC_RIGHTS_ALL
                   STANDARD_RIGHTS_ALL
Users              TRACELOG_REGISTER_GUIDS

Both the installed default and the built-in default extend full control not just to the SYSTEM account and to Administrators but also to the LOCAL SERVICE and NETWORK SERVICE accounts. The security descriptors installed for some providers do not permit any access to anyone other than Administrators and the SYSTEM account. This shuts out the Eventlog service, which runs as LOCAL SERVICE in Windows Vista. A consequence in practice is that even a user with administrative privilege will encounter an error if trying to enable these providers through either the Event Viewer or the WEVTUTIL command-line tool, or through any tool that uses the Windows Event Log functions (such as EvtSaveChannelConfig). Whether this is intended is not known. A ready example is the Microsoft Windows Services Performance Diagnostic Provider.

Programmatic Support

WMI security can be managed programmatically through ADVAPI32 functions EventAccessControl, EventAccessQuery and EventAccessRemove, which are all documented. The last two operate directly on the relevant registry value, but the first works through the lower-level functions GetNamedSecurityInfo and SetNamedSecurityInfo.

A quirk should be noted. For a GUID that is registered, EventAccessQuery and GetNamedSecurityInfo produce the same security descriptor. If a GUID happens not to be registered, then EventAccessQuery fails (returning ERROR_FILE_NOT_FOUND) but GetNamedSecurityInfo produces the WMI default. This will typically not be the security descriptor that the kernel will apply if the GUID is used for Event Tracing. For that, ask EventAccessQuery about the DefaultTraceSecurityGuid.
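As an added example, not code from the original page, the following PowerShell script reads the security descriptor stored under the WMI\Security key for a given GUID, falls back to the DefaultTraceSecurityGuid entry as the kernel does, parses the binary data as a self-relative descriptor (not as SDDL) through .NET's RawSecurityDescriptor, and reports each ACE's access mask in terms of the WMISTR.H names tabulated above. The function names are my own; the constants and registry path are those given on this page.

```powershell
# Added example: decode the ETW security descriptor stored for a provider or logger.
$EtwRights = [ordered]@{
    WMIGUID_QUERY                 = 0x0001
    WMIGUID_SET                   = 0x0002
    WMIGUID_NOTIFICATION          = 0x0004
    WMIGUID_READ_DESCRIPTION      = 0x0008
    WMIGUID_EXECUTE               = 0x0010
    TRACELOG_CREATE_REALTIME      = 0x0020
    TRACELOG_CREATE_ONDISK        = 0x0040
    TRACELOG_GUID_ENABLE          = 0x0080
    TRACELOG_ACCESS_KERNEL_LOGGER = 0x0100
    TRACELOG_LOG_EVENT            = 0x0200
    TRACELOG_ACCESS_REALTIME      = 0x0400
    TRACELOG_REGISTER_GUIDS       = 0x0800
}
$DefaultTraceSecurityGuid = '0811c1af-7a07-4a06-82ed-869455cdf713'
$SecurityKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Security'

function Get-EtwSecurityDescriptor([string]$Guid) {
    # The value name is the GUID without braces; the data is a self-relative
    # security descriptor, which RawSecurityDescriptor parses as-is (no SDDL).
    $bytes = (Get-ItemProperty -Path $SecurityKey -Name $Guid -ErrorAction SilentlyContinue).$Guid
    if (-not $bytes) {
        # No entry of its own: the kernel applies the DefaultTraceSecurityGuid entry.
        # If that too is absent, the kernel uses its built-in WMI default, not the registry.
        Write-Host "No entry for $Guid; showing DefaultTraceSecurityGuid instead"
        $bytes = (Get-ItemProperty -Path $SecurityKey -Name $DefaultTraceSecurityGuid).$DefaultTraceSecurityGuid
    }
    New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)
}

function Show-EtwAccess([string]$Guid) {
    $sd = Get-EtwSecurityDescriptor $Guid
    Write-Host ('SDDL: ' + $sd.GetSddlForm('All'))
    foreach ($ace in $sd.DiscretionaryAcl) {
        try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $ace.SecurityIdentifier.Value }
        $mask    = $ace.AccessMask
        $granted = @($EtwRights.Keys | Where-Object { ($mask -band $EtwRights[$_]) -ne 0 })
        $missing = @($EtwRights.Keys | Where-Object { ($mask -band $EtwRights[$_]) -eq 0 })
        Write-Host ('{0} {1} 0x{2:X8}' -f $ace.AceType, $who, $mask)
        Write-Host ('  has:   ' + ($granted -join ', '))
        # A LOCAL SERVICE entry that lacks rights here is what shuts out the Eventlog service.
        if ($missing.Count) { Write-Host ('  lacks: ' + ($missing -join ', ')) }
    }
}

# Installed default first; then pass any provider or logger GUID (without braces).
Show-EtwAccess $DefaultTraceSecurityGuid
```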

User-Interface Support

The Reliability and Performance Monitor has a user interface for viewing and changing the security settings for providers and loggers. This tool is typically run as a Microsoft Management Console snap-in from the Administrative Tools menu. Among its Data Collector Sets are two sets of trace sessions. The Event Trace Sessions are all the loggers that are already started (well, all that are reported by the QueryAllTraces function). The folder named Startup Event Trace Sessions lists the loggers that are configured as AutoLoggers. The Properties dialog for any of these loggers lists the relevant providers and lets you manage security for each provider (via a Security button on the Trace Providers tab) and for the logger itself (via the Security tab).

This user interface is all I have found in the standard Windows package but surely cannot be all that Microsoft has coded. It has two significant defects.

First, it is not general. It does not let you browse the installed providers for their security settings before they are assigned to a logger. Neither does it let you browse the known loggers, such as shown in the Event Viewer. Though you can define a logger and assign providers to it, and set security for this logger and its providers, only by careful contrivance will your logger match one whose output you expect to see through the Event Viewer. There is perhaps an opportunity here for some third-party manufacturer of low-level maintenance gadgets.

Second, and this really is a coding error that may even make the interface unsafe to use, it misses two of the applicable permissions, namely WMIGUID_QUERY and TRACELOG_REGISTER_GUIDS. Where WDC.DLL tells ACLUI.DLL about the specific access rights that are available for these securable objects, its tables simply omit these two. This oversight persists at least to Windows Vista SP1. Where Windows Vista is reported to have problems of mass-market acceptance because of its focus on security, it ought at least to be observed that some of what Microsoft has done about security is only half-baked.