Microsoft says that apps may have trouble accessing event logs on remote Windows 10 devices unless KB5003637 or later updates are installed on both systems.
“Event logs may not be accessible from remote devices unless both devices have updates released on June 8, 2021 or later,” Microsoft states in the Windows 10 status panel.
“This issue is resolved if the local and remote devices have KB5003637 installed.”
This known Windows 10 issue affects only apps that use certain legacy Event Log APIs. Event Viewer and other applications that use the current, non-legacy APIs to access Windows event logs remotely are not affected.
When trying to connect to or from a Windows 10 device on which cumulative update KB5003637 has not yet been installed, you may see one of the following errors:
- Error 5: access denied
- Error 1764: The requested operation is not supported.
- System.InvalidOperationException, Microsoft.PowerShell.Commands.GetEventLogCommand
- Windows has not provided an error code.
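To tell this known issue apart from an ordinary connectivity or permissions problem, the following added example (not from Microsoft or the original article) reads one event from a remote host through both the legacy path (`Get-EventLog`, the cmdlet named in the error list above) and the current path (`Get-WinEvent`) and compares the outcomes. It assumes Windows PowerShell 5.1; the function name and the host names in the usage comment are hypothetical.

```powershell
# Added diagnostic example. Requires Windows PowerShell 5.1:
# Get-EventLog (legacy API) does not exist in PowerShell 7.
function Test-RemoteEventLogAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string[]]$ComputerName,
        [string]$LogName = 'System'
    )
    process {
        foreach ($computer in $ComputerName) {
            $legacyError  = $null
            $currentError = $null

            # Legacy path: the cmdlet that appears in the article's error list.
            try {
                Get-EventLog -LogName $LogName -ComputerName $computer -Newest 1 -ErrorAction Stop | Out-Null
            } catch { $legacyError = $_.Exception.Message }

            # Current path: non-legacy Windows Event Log API, reported as unaffected.
            try {
                Get-WinEvent -LogName $LogName -ComputerName $computer -MaxEvents 1 -ErrorAction Stop | Out-Null
            } catch { $currentError = $_.Exception.Message }

            $assessment = if (-not $legacyError -and -not $currentError) {
                'Both APIs work: not affected'
            } elseif ($legacyError -and -not $currentError) {
                'Only the legacy API fails: consistent with the known issue; confirm both ends have updates from June 8, 2021 or later'
            } elseif ($legacyError -and $currentError) {
                'Both APIs fail: check connectivity, firewall rules and permissions first'
            } else {
                'Only the current API fails: unrelated to this known issue'
            }

            [pscustomobject]@{
                ComputerName = $computer
                LegacyApi    = if ($legacyError)  { $legacyError }  else { 'OK' }
                CurrentApi   = if ($currentError) { $currentError } else { 'OK' }
                Assessment   = $assessment
            }
        }
    }
}

# Usage (placeholder host names):
# 'HOST-A', 'HOST-B' | Test-RemoteEventLogAccess | Format-List
```

Where patching both ends is not yet possible, scripts that collect logs remotely can use `Get-WinEvent` in place of `Get-EventLog`, since the article states that only the legacy APIs are affected.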
The affected platforms include both client and server versions of Windows:
- Client: Windows 10 21H1; Windows 10 20H2; Windows 10 2004; Windows 10 1909; Windows 10 1809; Windows 10 Enterprise LTSC 2019; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise 2015 LTSB; Windows 8.1; Windows 7 SP1
- Server: Windows Server 20H2; Windows Server 2004; Windows Server 1909; Windows Server 1809; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Known issue caused by changes to security hardening
According to Microsoft, this is an expected result of the Event Tracing for Windows (ETW) security hardening changes that address CVE-2021-31958, a Windows NTLM elevation of privilege vulnerability.
Microsoft released security updates for CVE-2021-31958 during the June Patch Tuesday to address the flaw, which was discovered by Gal Levy and Yuval Sarel of Armis Security.
KB5003637 comes with security updates for Microsoft Scripting Engine, Windows App Platform and Frameworks, Windows Input and Composition, Windows Management, Windows Cloud Infrastructure, Windows Authentication, Windows Fundamentals, Windows Virtualization, Windows Kernel, Windows HTML Platform, and Windows Storage and Filesystems.
This cumulative update for Windows 10 also improves security for Windows OLE (compound documents) and for when Windows performs basic operations.
“This vulnerability requires a user with an affected version of Windows to access a malicious server. An attacker would have to host a specially crafted website or server share,” Redmond explains in the security notice.
“An attacker would have no way of forcing users to visit this specially crafted website or server share, but would have to convince them to visit the server’s website or share, usually by way of an enticement in an email or chat message.”