Cannot disable read access the Windows 7 security log

So we have some Windows 7 systems with some security requirements. I am trying to disable read access the security log. The command “wevtutil gl security” shows a result of the following:

channelAccess: O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x7;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x1;;;S-1-5-32-573)

Open in new window

From what little I know of these things, I am thinking that the “(A;;0x3;;;IU)” is giving interactive users read and write of the log (they cannot clear it)

What puzzles me is that the command

wevtutil sl security /ca:O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x7;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x1;;;S-1-5-32-573)

Open in new window

shows immediate results on our normal windows 7 PC’s, but it does NOTHING on the machines in question. The command runs, gives no error, but “wevtutil gl security” still shows the “(A;;0x3;;;IU)” in the channelAccess string.

What am I doing wrong?
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

By default, without any action, users cannot read the security protocol. Only admins allowed in there, so no need for action since you'll not be able to limit admins in any way.
mtz987Author Commented:
Somehow the default was lost and cannot set it not allow limited rights users to view it.
Adam BrownSenior Systems AdminCommented:
You can make the security changes you need with group policy (which might be how they were changed in the first place), but it may take a few modifications to some system files for the settings you need to be visible. The file you'll want to modify is SCEREGVL.INF, which is what defines the settings available in the Security Options section of a GPO. describes how to add the options necessary to modify the Event Log security in group policy. If you only want to handle this on a single computer, you can just make the registry modifications at the top of the article. Otherwise, follow the instructions for Group Policy.

That article is written for Windows 2003, but the file exists in later versions of windows server and does the same thing. The only difference is that later versions have more security on that file, which requires you to take ownership, grant permissions, modify it, then restore the permissions to normal. has instructions for accomplishing this.
Active Protection takes the fight to cryptojacking

While there were several headline-grabbing ransomware attacks during in 2017, another big threat started appearing at the same time that didn’t get the same coverage – illicit cryptomining.

First, one will have to look at the group "event log readers" look at its members. By default, it's empty.
mtz987Author Commented:
Some of the PC’s are not in a domain, and the local gpo does not show those settings.
Adam BrownSenior Systems AdminCommented:
Modifying sceregvl.inf will allow those settings to appear. Alternatively, there are some registry modifications you can make on the systems themselves that will allow you to change the security settings. The link I gave has instructions in it as well.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.