Forwarding security related events from XP, Win2k3, Vista using WinRM (WSMan) event forwarding

Procedure for forwarding system and application logs from a given winrm endpoint can be found at 

In order to forward security events, the following needs to be done at the endpoint:

If endpoint is Vista, WS08: Add "Network Service" to the "Event Log Readers" group. This is because limited users have access to read events from the security log - "Event Log Readers" group being one of them.

If endpoint is Win2k3 R2: The following CustomSD key needs to be set within "HKLM/SYSTEM/CCS/Services/EventLog/Security" to "O:BAG:SYD:(A;;CC;;;NS)". This is because on Win2k3 there is no event log readers group. More info can be found at

If endpoint is XP SP2+: WinRM service needs to be running as LocalSystem



Comments (5)

  1. Nitin says:

    Is there any C++ sample code available for collecting windows events for W2K8 Server or Vista?

  2. azarro says:

    How can I get security logs from Win2K8 R2 endpoint? Adding "Network Service" to "Event Log Readers" doesn´t do the trick. Thanks.

  3. Bubba says:

    Domain Controllers don't have any local groups. How do I set this for Domain Controllers?


  4. Alpha says:

    Bubba did you ever figure this out ?

  5. DrV says:

    To the point of Bubba and Alpha's question:

    Rather than local Groups, DCs should be using AD Groups instead of the referenced local groups.

    e.g. <domain>BuiltinEvent Log Readers

Skip to main content