EventAccessControl function (evntcons.h)
Adds or modifies the permissions of the specified provider or session.
ULONG EVNTAPI EventAccessControl(
  LPGUID  Guid,
  ULONG   Operation,
  PSID    Sid,
  ULONG   Rights,
  BOOLEAN AllowOrDeny
);
Guid: GUID that uniquely identifies the provider or session whose permissions you want to add or modify.
Operation: Type of operation to perform, for example, add a DACL to the session's GUID or provider's GUID. For possible values, see the EVENTSECURITYOPERATION enumeration.
Sid: The security identifier (SID) of the user or group to whom you want to grant or deny permissions.
Rights: You can specify one or more of the following permissions:
AllowOrDeny: If TRUE, grant the user permissions to the session or provider; otherwise, deny permissions. This value is ignored if the value of Operation is EventSecuritySetSACL or EventSecurityAddSACL.
Returns ERROR_SUCCESS if successful.
By default, only the administrator of the computer, users in the Performance Log Users group, and services running as LocalSystem, LocalService, or NetworkService can control trace sessions and provide and consume event data. Only users with administrative privileges and services running as LocalSystem can start and control an NT Kernel Logger session.
Windows Server 2003: Only users with administrator privileges can control trace sessions and consume event data; any user can provide event data.
Windows XP and Windows 2000: Any user can control trace sessions and provide and consume event data.
Users with administrator privileges can control trace sessions if the tool that they use to control the session is started from a Command Prompt window that is opened with Run as administrator....
To grant a restricted user the ability to control trace sessions, you can add them to the Performance Log Users group or call this function to grant them permission. For example, you can grant user A permission to start and stop a trace session and grant user B permission to only query the session.
To restrict who can log events to the session, see the TRACELOG_LOG_EVENT permission.
The ACL on the log file determines who can consume event data from the log file. To consume events from a session in real-time, you must grant the user TRACELOG_ACCESS_REALTIME permission or the user must be a member of the Performance Log Users group.
You can also specify the provider's GUID to restrict who can register the provider and who can enable the provider.
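The "user B can only query the session" case from the remarks above, as an added example that is not part of the original documentation: it calls EventAccessControl through P/Invoke from PowerShell to give one account query and real-time consume rights on a session GUID and nothing else. The session GUID, the account name, and the `Grant-EtwAccess` helper are placeholders chosen for illustration; the numeric constants are the values defined in the Windows SDK headers, and the script is assumed to run from an elevated prompt.

```powershell
# Added example. The GUID and the account name are placeholders (assumptions).
$SessionGuid = [Guid]'11111111-2222-3333-4444-555555555555'  # placeholder session GUID
$Account     = 'CONTOSO\etw-reader'                           # placeholder account

# P/Invoke declaration matching the prototype on this page (BOOLEAN is one byte).
# Advapi32.dll is one of the DLLs in the requirements table; the table lists
# Sechost.dll for Windows 8.1, so change the name if the entry point is not found.
Add-Type -Namespace EtwAcl -Name Native -MemberDefinition @'
[DllImport("advapi32.dll")]
public static extern uint EventAccessControl(
    ref Guid Guid, uint Operation, byte[] Sid, uint Rights,
    [MarshalAs(UnmanagedType.U1)] bool AllowOrDeny);
'@

# EVENTSECURITYOPERATION value (evntcons.h): append an ACE to the current DACL.
# EventSecuritySetDACL (0) would clear the existing DACL first.
$EventSecurityAddDACL = 2

# Access rights (wmistr.h / evntrace.h).
$WMIGUID_QUERY            = 0x0001   # query information about the session
$TRACELOG_ACCESS_REALTIME = 0x0400   # consume the session's events in real time

function Grant-EtwAccess {
    param([Guid]$Guid, [string]$Account, [uint32]$Rights)

    # Resolve the account name to a binary SID for the Sid parameter.
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
               [System.Security.Principal.SecurityIdentifier])
    $sidBytes = New-Object byte[] $sid.BinaryLength
    $sid.GetBinaryForm($sidBytes, 0)

    $status = [EtwAcl.Native]::EventAccessControl(
        [ref]$Guid, $EventSecurityAddDACL, $sidBytes, $Rights, $true)
    if ($status -ne 0) {   # ERROR_SUCCESS is 0
        throw "EventAccessControl failed with Win32 error $status"
    }
    "Granted 0x{0:X4} on {1} to {2}" -f $Rights, $Guid, $sid.Value
}

# Query and real-time consume only: no start, stop, or log rights are granted.
Grant-EtwAccess -Guid $SessionGuid -Account $Account `
    -Rights ($WMIGUID_QUERY -bor $TRACELOG_ACCESS_REALTIME)
```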
|Minimum supported client|Windows Vista [desktop apps only]|
|Minimum supported server|Windows Server 2008 [desktop apps only]|
|Library|Sechost.lib on Windows 8.1 and Windows Server 2012; Sechost.lib on Windows 8.1 and Windows Server 2012 R2; Advapi32.lib on Windows 8, Windows Server 2012, Windows 7, Windows Server 2008 R2, Windows Server 2008 and Windows Vista|
|DLL|Sechost.dll on Windows 8.1 and Windows Server 2012; Advapi32.dll on Windows 8, Windows Server 2012, Windows 7, Windows Server 2008 R2, Windows Server 2008 and Windows Vista|