Version: 7.0

Windows Server configuration

To display Passwork events in Event Viewer, additional access rights must be configured. To do this:

  • Open PowerShell as administrator in one of the following ways:

Using the Start context menu
  1. Right-click the Start icon in the lower-left corner of the screen.
  2. Select "Windows PowerShell (Administrator)" from the context menu.
Using the Start menu
  1. Left-click the Start icon in the lower-left corner of the screen.
  2. Type powershell
  3. Press Ctrl + Shift + Enter to open PowerShell as "Administrator".
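  • Obtain the security identifiers (SIDs) of the accounts:
# Replace "group_name" with the name of the account or group to resolve
$objUser = New-Object System.Security.Principal.NTAccount("group_name")
# Translate the account name into its SID and print it
$strSID = $objUser.Translate([System.Security.Principal.SecurityIdentifier])
$strSID.Value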

Standard accounts

  • IUSR (SID: S-1-5-17);

  • IIS_IUSRS (SID: S-1-5-32-568);

  • NETWORK SERVICE (SID: S-1-5-20).

  • Get access rights settings using CMD:

wevtutil gl application > temp.txt

A temp.txt file will be created in the current directory.

  • In the temp.txt file, edit the channelAccess line:
    • Remove the elements that start with (D;; and contain one of the obtained SIDs;
    • Insert each obtained SID as an element in the format (A;;0x3;;;SID).
  • Example for standard SIDs appended at the end of the channelAccess line:
(A;;0x3;;;S-1-5-17)(A;;0x3;;;S-1-5-32-568)(A;;0x3;;;S-1-5-20)
  • Full line with standard security identifiers (SID):
channelAccess: O:BAG:SYD:(A;;0x2;;;S-1-15-2-1)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)(A;;0x3;;;S-1-5-17)(A;;0x3;;;S-1-5-32-568)(A;;0x3;;;S-1-5-20)
  • Change access rights settings using CMD:
wevtutil sl application /ca:O:BAG:SYD:(A;;0x2;;;S-1-15-2-1)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)(A;;0x3;;;S-1-5-17)(A;;0x3;;;S-1-5-32-568)(A;;0x3;;;S-1-5-20)

After /ca: insert the value of the channelAccess parameter from temp.txt
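
The channelAccess edit described in the steps above (remove the deny elements for the obtained SIDs, append an (A;;0x3;;;SID) element for each) can be scripted. The following PowerShell is an added example, not part of the Passwork documentation; Update-ChannelAccessSddl is a hypothetical helper name and the input descriptor is a constructed sample.

```powershell
# Added example. Update-ChannelAccessSddl is a hypothetical helper name,
# not a Windows or Passwork cmdlet.
function Update-ChannelAccessSddl {
    param(
        [Parameter(Mandatory)] [string]   $Sddl,  # value after "channelAccess: "
        [Parameter(Mandatory)] [string[]] $Sids   # SIDs that need (A;;0x3;;;SID)
    )
    foreach ($sid in $Sids) {
        # Refuse anything that is not a numeric SID before splicing it into the SDDL
        if ($sid -notmatch '^S-1-\d+(-\d+)+$') { throw "Not a SID: $sid" }
        $escaped = [regex]::Escape($sid)
        # Remove every deny ACE "(D;...;SID)" for this SID. Limitation: a deny ACE
        # written with an SDDL alias instead of the numeric SID is not matched.
        $Sddl = $Sddl -replace "\(D;[^()]*;$escaped\)", ''
        # Append the allow ACE (0x3 = read 0x1 + write 0x2 on the log)
        # unless the identical element is already present
        $allow = "(A;;0x3;;;$sid)"
        if (-not $Sddl.Contains($allow)) { $Sddl += $allow }
    }
    $Sddl
}

# Constructed sample: the page's default descriptor without the three standard
# SIDs, plus one deny ACE for S-1-5-20 inserted for the demonstration.
$current = 'O:BAG:SYD:(D;;0x3;;;S-1-5-20)(A;;0x2;;;S-1-15-2-1)(A;;0xf0007;;;SY)' +
           '(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)' +
           '(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)'
# On a live server, read the current value instead:
#   $current = (wevtutil gl application |
#       Select-String '^channelAccess:\s*(.+)$').Matches[0].Groups[1].Value

$new = Update-ChannelAccessSddl -Sddl $current -Sids 'S-1-5-17','S-1-5-32-568','S-1-5-20'

# Show both values so the change can be reviewed before it is applied
"Before: $current"
"After:  $new"
"Apply:  wevtutil sl application `"/ca:$new`""
```

With the constructed input, the "After" value equals the full line with standard SIDs shown above. The script only prints the wevtutil command, so the descriptor can be compared with temp.txt before it is run.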

  • Run the following script in PowerShell for correct display of PHP events:

Note:

  • In the $EventSource variable, specify PHP-version_number; to get the PHP version, run php -v in PowerShell
  • In the $PHPEventMessageFile variable, specify the path to the php8.dll extension, located in the root directory of the PHP installation
# Define variables
$EventSource = "PHP-8.3.19"
$PHPEventMessageFile = "C:\Program Files\php8.3\php8.dll"
$EventLogPath = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Application\$EventSource"
$TypesSupported = 7

# Check and create key for event source
if (-not (Test-Path $EventLogPath)) {
    New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Application" -Name $EventSource -Force
}

# Configure parameters for event source
Set-ItemProperty -Path $EventLogPath -Name "EventMessageFile" -Value $PHPEventMessageFile -Type ExpandString
Set-ItemProperty -Path $EventLogPath -Name "TypesSupported" -Value $TypesSupported -Type DWord

After completing these steps, Passwork events will be displayed in Event Viewer → Windows Logs → Application.