Windows Server configuration

To display Passwork events in the Event Viewer, it is necessary to additionally configure access rights. To do this, you need to:

Using the Start context menu

1. Right-click on the Start icon in the lower-left corner of the screen.
2. Select "Windows PowerShell (Administrator)" from the context menu.

Using the Start menu

1. Left-click on the Start icon in the lower-left corner of the screen.
2. Type powershell
3. Open PowerShell as "Administrator" using the combination — Ctrl + Shift + Enter

• Obtain security identifiers (SID) for accounts:

PowerShell

$objUser = New-Object System.Security.Principal.NTAccount("group_name")
$strSID = $objUser.Translate([System.Security.Principal.SecurityIdentifier])
$strSID.Value

Standard accounts

• IUSR (SID: S-1-5-17);

• IIS_IUSRS (SID: S-1-5-32-568);

• NETWORK SERVICE (SID: S-1-5-20).

• Get access rights settings using CMD:

CMD

wevtutil gl application > temp.txt

info

A temp.txt file will be created in the current directory.

• In the temp.txt file, edit the channelAccess line:
  • Remove elements starting with (D;; and containing one of the obtained SID;
  • Insert each obtained SID as an element in the format (A;;0x3;;;SID);
• Example for standard SIDs appended at the end of the channelAccess line:

SID

(A;;0x3;;;S-1-5-17)(A;;0x3;;;S-1-5-32-568)(A;;0x3;;;S-1-5-20)

• Full line with standard security identifiers (SID):

channelAccess

channelAccess: O:BAG:SYD:(A;;0x2;;;S-1-15-2-1)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)(A;;0x3;;;S-1-5-17)(A;;0x3;;;S-1-5-32-568)(A;;0x3;;;S-1-5-20)

• Change access rights settings using CMD:

CMD

wevtutil sl application /ca:O:BAG:SYD:(A;;0x2;;;S-1-15-2-1)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)(A;;0x3;;;S-1-5-17)(A;;0x3;;;S-1-5-32-568)(A;;0x3;;;S-1-5-20)

info

After /ca: insert the value of the channelAccess parameter from temp.txt

• Run the following script in PowerShell for correct display of PHP events:

danger

Note:

• In the $EventSource variable, specify PHP-version_number; to get the PHP version, run — php -v in PowerShell
• In the $PHPEventMessageFile variable, specify the location of the php8.dll extension located in the root directory of the installed PHP

PowerShell

# Define variables
$EventSource = "PHP-8.3.19"
$PHPEventMessageFile = "C:\Program Files\php8.3\php8.dll"
$EventLogPath = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Application\$EventSource"
$TypesSupported = 7

# Check and create key for event source
if (-not (Test-Path $EventLogPath)) {
    New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Application" -Name $EventSource -Force
}

# Configure parameters for event source
Set-ItemProperty -Path $EventLogPath -Name "EventMessageFile" -Value $PHPEventMessageFile -Type ExpandString
Set-ItemProperty -Path $EventLogPath -Name "TypesSupported" -Value $TypesSupported -Type DWord

After completing these steps, Passwork events will be displayed in Event Viewer — Windows Logs → Application: