IBM Support

WinCollect error code: 0x0005 Access denied

Troubleshooting


Problem

My WinCollect agents are generating error codes for 0x0005 access denied. Why am I seeing error code 0x0005 from my WinCollect agents?

Symptom

If the user specified in the log source cannot read the registry of the remote system, then the agent generates access denied messages either in the device log messages or through syslog events. The location of the error message is provided in both the WinCollect agent logs and as a Syslog status event from the agent to QRadar. Administrators without access to the Windows hosts can use the Log Activity tab to locate access denied errors.

  1. Click the Admin tab.
  2. Click the WinCollect icon.
  3. Select an agent from the list.
  4. Click Show Events.

    The Log Activity tab is displayed and filtered by the log sources associated with the agent you selected. The following are sample syslog events that can be displayed or are associated with the Access Denied error:
    1. LEEF:1.0|IBM|WinCollect|7.2|4|src=Hostname dst=IP address sev=3 log=Code.RegistryCacheInfo.\\IPaddress.InitializeRegistryInfo msg=Failed to query installation language on \\ IP address (Error: Error code 0x0005: Access is denied.). Defaulting to US English.
    2. LEEF:1.0|IBM|WinCollect|7.2|4|src=Hostname dst=IP address sev=4 log=Device.WindowsLog.RegistryCacheInfo.\\IPaddress.InitializeEnvironmentInfo msg=Couldn't retrieve environment on machine \\IP address
    3. LEEF:1.0|IBM|WinCollect|7.2|4|src=Hostname dst=IP address sev=4 log=Device.WindowsLog.RemoteMessageFormatter::GetMessageA.IPaddress msg=We can retrieve logs for this machine (\\IP address) but we can't seem to access the machine's registry.

      NOTE: The 'Message=' portion of the payload will contain only the insertion values (no formatting will be present). This could adversely affect the parsing of the log by the receiver.
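As an added example (not part of this IBM document), the following PowerShell parses WinCollect LEEF status events of the three shapes shown above and reports, per agent, which polled host the access denied events refer to. The agent name, the IP addresses and the fourth, unrelated status event are constructed placeholders, not real collected data:

```powershell
# Added example (not from the IBM page): scan syslog/LEEF status lines from
# WinCollect agents for the 0x0005 "Access is denied" registry-read signature
# and report which remote host each agent could not read the registry on.
# The $sampleEvents below are constructed from the patterns in this document;
# hostnames and IP addresses are placeholders.

$sampleEvents = @(
    'LEEF:1.0|IBM|WinCollect|7.2|4|src=wincollect01 dst=10.0.0.5 sev=3 log=Code.RegistryCacheInfo.\\192.168.10.20.InitializeRegistryInfo msg=Failed to query installation language on \\192.168.10.20 (Error: Error code 0x0005: Access is denied.). Defaulting to US English.',
    'LEEF:1.0|IBM|WinCollect|7.2|4|src=wincollect01 dst=10.0.0.5 sev=4 log=Device.WindowsLog.RegistryCacheInfo.\\192.168.10.20.InitializeEnvironmentInfo msg=Couldn''t retrieve environment on machine \\192.168.10.20',
    'LEEF:1.0|IBM|WinCollect|7.2|4|src=wincollect01 dst=10.0.0.5 sev=4 log=Device.WindowsLog.RemoteMessageFormatter::GetMessageA.192.168.10.20 msg=We can retrieve logs for this machine (\\192.168.10.20) but we can''t seem to access the machine''s registry.',
    'LEEF:1.0|IBM|WinCollect|7.2|4|src=wincollect01 dst=10.0.0.5 sev=1 log=Code.SSLConfigServerConnection msg=Configuration request sent to 10.0.0.5'
)

function ConvertFrom-WinCollectLeef {
    param([Parameter(Mandatory)][string]$Line)
    # The LEEF header is five pipe-separated fields; the sixth is the attribute section.
    $parts = $Line -split '\|', 6
    if ($parts.Count -lt 6 -or $parts[0] -notlike 'LEEF:*') { return $null }
    $attrs = @{}
    # Attributes are space-delimited key=value pairs. msg= comes last and may
    # contain spaces, so each value runs up to the next known key or end of line.
    $pattern = '(?<key>src|dst|sev|log|msg)=(?<val>.*?)(?=\s(?:src|dst|sev|log|msg)=|$)'
    foreach ($m in [regex]::Matches($parts[5], $pattern)) {
        $attrs[$m.Groups['key'].Value] = $m.Groups['val'].Value
    }
    [pscustomobject]@{
        Agent    = $attrs['src']
        Severity = [int]$attrs['sev']
        Source   = $attrs['log']
        Message  = $attrs['msg']
    }
}

function Find-AccessDeniedEvents {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $evt = ConvertFrom-WinCollectLeef -Line $line
        if ($null -eq $evt) { continue }
        # Any of the three message shapes in the IBM document indicates that the
        # agent could not read the polled host's registry.
        $isDenied = (($evt.Message -match '0x0005') -or
                     ($evt.Message -match "can't seem to access the machine's registry") -or
                     ($evt.Source  -match 'RegistryCacheInfo'))
        if (-not $isDenied) { continue }
        # The polled host appears as \\host inside the msg= or log= field.
        $target = 'unknown'
        if ($evt.Message -match '\\\\(?<h>[\w\.\-]+)') { $target = $Matches['h'] }
        elseif ($evt.Source -match '\\\\(?<h>[\w\.\-]+)') { $target = $Matches['h'] }
        [pscustomobject]@{ Agent = $evt.Agent; RemoteHost = $target; Severity = $evt.Severity; Message = $evt.Message }
    }
}

# Summarise: one line per (agent, polled host) pair with an access denied count.
Find-AccessDeniedEvents -Lines $sampleEvents |
    Group-Object Agent, RemoteHost |
    ForEach-Object { '{0}: {1} access-denied event(s)' -f $_.Name, $_.Count }
```

With the constructed input this prints a single summary line for wincollect01 and 192.168.10.20 with a count of 3; the unrelated configuration event is ignored. To use it on real data, replace `$sampleEvents` with lines exported from the Log Activity tab or read from the agent's log files.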

Cause

The error code 0x0005 Access denied can be caused by the following:

  1. The user configured in the log source does not have the permissions required to read the remote registry for the system it is trying to poll for events.
  2. The Remote Registry service is disabled on the Windows host you are polling.

Environment

WinCollect agents at version 7.2.0 and later.

Diagnosing The Problem

WinCollect agents that remotely poll other systems for events use the remote registry to determine the operating system of the remote event source. The agent reads the remote registry to collect the information it needs to format events correctly into name=value pairs, because event formats have changed between Windows operating system versions over the years. When a WinCollect agent cannot retrieve this information, error code 0x0005: Access denied can be displayed.

Test that the user you configured in your log source can remotely read the registry without an error.

If you are remotely polling another Windows host for events, you can try to remotely open the event viewer from the system running the WinCollect agent.

Procedure

  1. Log on to the Windows host that has the WinCollect agent locally installed.
  2. Select Start > Programs > Administrative Tools, and then click Event Viewer.
  3. Click Action > Connect to another computer.
  4. Select the Another computer option and type the IP address or host name of the server you want to remotely poll for events.
  5. Click the Connect as another user check box.
  6. Click Set User.
  7. In the User name field, type the domain\username for the user you specified in your log source configuration. For example, test.qradar.com\JonathanP.
  8. Type the password for the user and click OK.

This test can be used to determine whether your log source user can display the remote registry of another Windows host. If this test fails, then the administrator can review permissions or verify that the remote registry permission and services are enabled.

Resolving The Problem

Administrators should review the troubleshooting sections to assist with access denied error messages.

Verify that the Remote Registry service is enabled on the remote system


If the Remote Registry service is disabled on the remote system, the agent cannot read that system's registry and the failure is reported as the 0x0005 access denied error.

Procedure

  1. Log in to the remote system.
  2. Select Start > Programs > Administrative Tools, and then click Services.
  3. In the Status column, the Remote Registry service must display Started.

Verify the user in your log source includes the correct user right assignment


The user defined in your log source must include the ability to read the remote registry of the Windows host that you are polling for events.

IMPORTANT: Most administrators can resolve domain-related permission issues by assigning the log source user to the "Remote Event Log Readers" group. This group typically includes permissions required to read events from remote systems.

The access denied error message is common when administrators create a specific user to remotely poll for events, but do not give the user permissions to read the remote registry. This issue can be resolved by updating the Group Policy Object or local policy on the remote system to give the user the proper permission level to read the remote registry.

For additional information on managing remote access to the registry on Windows systems, see http://support.microsoft.com/kb/314837.

Group policy and registry keys


If the group policy object for the domain account is updated to grant the "Manage auditing and security log" right, then the administrator should also verify that the account can read the HKEY_LOCAL_MACHINE registry hive.

The goal of this procedure is to verify that you can open the remote Windows registry as the domain user specified in the WinCollect log source. If this succeeds, then that user should have no issues remotely polling for events.

How to verify a user can poll the remote server for events

  1. Log in to the Windows system that is hosting the WinCollect agent.
  2. Click Start and in the search window, type regedit.
  3. Hold Shift, right-click regedit, and select Run as different user.
  4. Type the username and password for your log source user.
    The Registry Editor is started with the credentials specified in the log source.
  5. From the registry, select File > Connect Network Registry.
  6. In the Enter the object name to select, type the hostname of the remote Windows system and click Check Names.
  7. Click OK.
    If the remote registry opens successfully, then you have validated that your log source user can remotely poll for events.
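The two manual checks in this document, verifying that the Remote Registry service is started on the polled system and opening HKEY_LOCAL_MACHINE on that system as the log source user, can be scripted so they are repeatable across many polled hosts. The following PowerShell is an added example, not IBM's or WinCollect's own code. It assumes Windows PowerShell 5.1 on the host that runs the WinCollect agent, and that the script is launched under the log source account (the scripted equivalent of the Run as different user step); the computer name, account name and script path are placeholders:

```powershell
# Added example (not from the IBM page). Run on the host where the WinCollect
# agent is installed, under the log source account, for example:
#   runas /user:DOMAIN\svc_wincollect "powershell.exe -NoProfile -File .\Test-RemoteRegistryRead.ps1 -ComputerName srv01"
# It checks the two causes the document lists: (1) the Remote Registry service
# is not running on the polled host; (2) the account cannot read
# HKEY_LOCAL_MACHINE on the polled host. DOMAIN\svc_wincollect and srv01 are
# placeholders. Requires Windows PowerShell 5.1 (Get-Service -ComputerName).
param(
    [Parameter(Mandatory)][string]$ComputerName
)

function Test-RemoteRegistryService {
    param([string]$ComputerName)
    try {
        # Queries the Service Control Manager on the remote host over RPC.
        $svc = Get-Service -Name RemoteRegistry -ComputerName $ComputerName -ErrorAction Stop
        [pscustomobject]@{ Check = 'RemoteRegistry service'; Result = "$($svc.Status)"; Ok = ($svc.Status -eq 'Running') }
    } catch {
        [pscustomobject]@{ Check = 'RemoteRegistry service'; Result = $_.Exception.Message; Ok = $false }
    }
}

function Test-RemoteRegistryRead {
    param([string]$ComputerName)
    # Mirrors what the agent does: open HKLM on the remote host and read the
    # OS version key it uses to decide how to format events.
    $hive = [Microsoft.Win32.RegistryHive]::LocalMachine
    try {
        $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $ComputerName)
        $key  = $base.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion')
        if ($null -eq $key) { throw 'CurrentVersion key is not readable' }
        $product = $key.GetValue('ProductName')
        $key.Close(); $base.Close()
        [pscustomobject]@{ Check = 'HKLM remote read'; Result = "ProductName=$product"; Ok = $true }
    } catch [System.UnauthorizedAccessException], [System.Security.SecurityException] {
        # This is the condition the agent reports as error code 0x0005.
        [pscustomobject]@{ Check = 'HKLM remote read'; Result = "Access denied: $($_.Exception.Message)"; Ok = $false }
    } catch {
        # Typically "network path was not found" when the Remote Registry
        # service is stopped, or a name resolution / firewall problem.
        [pscustomobject]@{ Check = 'HKLM remote read'; Result = $_.Exception.Message; Ok = $false }
    }
}

$results = @(
    Test-RemoteRegistryService -ComputerName $ComputerName
    Test-RemoteRegistryRead    -ComputerName $ComputerName
)
$results | Format-Table -AutoSize
# Non-zero exit code so the script can be used from a scheduled job or a loop
# over a list of polled hosts.
if ($results.Ok -contains $false) { exit 1 }
```

If the first check fails, start the Remote Registry service on the polled host before investigating permissions. If the service is running but the second check reports access denied, the account lacks read access to HKEY_LOCAL_MACHINE on that host, which is the permission issue the Group Policy and user right assignment sections above address.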

Related Information

Product: IBM Security QRadar SIEM
Component: WinCollect
Platform: Windows
Version: All Versions
Edition: All Editions

Document Information

Modified date:
26 October 2020

UID

swg21668526