
Comments (5)

joachimmetz avatar joachimmetz commented on August 19, 2024

Is this supposed to be working in Windows (sorry, no testing win environment)?

Should work in both Windows and Linux

I guess one way is to add option to replace envvars like %SystemRoot%

Not sure why you guess that but %SystemRoot% should be expanded by evtxexport:

/* Get the value of %SystemRoot% from:

Also see: https://github.com/libyal/libevtx/wiki/Tools

from libevtx.

joachimmetz avatar joachimmetz commented on August 19, 2024

Any indication to why Unable to export record: 0. is reported?


thinrope avatar thinrope commented on August 19, 2024

OK, I did some more testing, and managed to make it work better. I recompiled libevtx with verbose/debug messages and here is (the non-verbose) STDERR for the above command:

resource_file_get_provider: invalid resource file.
message_handle_get_resource_file_by_provider_identifier: unable to retrieve provider.
export_handle_export_record_event_message: unable to retrieve resource file.
export_handle_export_record_text: unable to export event message.
export_handle_export_record: unable to export record in text.
export_handle_export_records: unable to export record: 0.

I later fixed the value for search PATH to point to the C-root -p "mnt/host/C" and I got better result:

Event number            : 1
Written time            : MASKED
Event level         : Information (4)
User security identifier    : S-1-5-18
Computer name           : MASKED
Provider identifier     : {EEF54E71-0661-422D-9A98-82FD4940B820}
Source name         : Microsoft-Windows-Application-Experience
Event identifier        : 0x000002bd (701)
Resource filename       : %SystemRoot%\system32\aeevts.dll
Message filename        : %SystemRoot%\system32\aeevts.dll
Message identifier      : 0xb00002bd
Number of strings       : 0

Event number            : 2
....

That Number of strings: 0 bothers me... looking at the -f xml output it is just <EventData/>. Looking back I might have selected a bad (edge case) candidate evtx file for testing...

Or maybe I still don't understand the usage, sorry. Is there a way to include the parsed/substituted message string, e.g. https://github.com/libyal/libevtx/blame/master/documentation/Windows%20XML%20Event%20Log%20%28EVTX%29.asciidoc#L1414 in the fml output?


joachimmetz avatar joachimmetz commented on August 19, 2024

in the fml output?

If by fml you mean XML, no.

Number of strings

I need to double check but the message string should be still printed if there are no strings.


thinrope avatar thinrope commented on August 19, 2024

Yes, sorry for the typo :-|
I was hoping for something along the lines of <message_string>bla bla</message_string> in the XML, but I should be able to parse the -f text output and add to -f xml when that is needed.

I confirmed that -f text prints correctly the expanded Message string when parsing Security.evtx even when Number of strings: 0 (e.g. for eventID: 408).

Same command, same server does not print any Message string for the Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx when there are strings (eventID: 500) or there are zero strings (eventID: 701), for example:

....

Event number                    : 9
Written time                    : MASKED
Event level                     : Information (4)
User security identifier        : S-1-5-18
Computer name                   : MASKED
Provider identifier             : {EEF54E71-0661-422D-9A98-82FD4940B820}
Source name                     : Microsoft-Windows-Application-Experience
Event identifier                : 0x000002bd (701)
Resource filename               : %SystemRoot%\system32\aeevts.dll
Message filename                : %SystemRoot%\system32\aeevts.dll
Message identifier              : 0xb00002bd
Number of strings               : 0

Event number                    : 10
Written time                    : MASKED
Event level                     : Information (4)
User security identifier        : MASKED
Computer name                   : MASKED
Provider identifier             : {EEF54E71-0661-422D-9A98-82FD4940B820}
Source name                     : Microsoft-Windows-Application-Experience
Event identifier                : 0x000001f4 (500)
Resource filename               : %SystemRoot%\system32\aeevts.dll
Message filename                : %SystemRoot%\system32\aeevts.dll
Message identifier              : 0xb00001f4
Number of strings               : 6
String: 1                       : 60
String: 2                       : MASKED
String: 3                       : MASKED
String: 4                       : 0x00010101
String: 5                       : MASKED-fullfile-ja-jp.exe
String: 6                       : Service Pack

Event number                    : 11
....

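The parsing thinrope mentions (reading the -f text output) combined with the -p search path lookup from the earlier comment, as an added example that is not libevtx's own code: it splits evtxexport's text output into per-event records and checks whether each event's message DLL can be found under a mounted C: root, which is the lookup behind the "invalid resource file" error. The mount root and the sample output are constructed here (a temp directory stands in for /mnt/host/C).

```python
# Added example, not libevtx code: parse evtxexport '-f text' output and check
# whether each event's message DLL resolves under the -p mount root (the lookup
# behind "invalid resource file"). The root is a constructed temp directory.
import os, re, tempfile
from pathlib import Path
# Padded field name, ': ', value. Values may themselves contain ':' (timestamps).
FIELD_RE = re.compile(r"^(?P<name>\S.*?)\s+: (?P<value>.*)$")
SAMPLE_TEXT = """\
Event number            : 9
Written time            : Aug 19, 2024 10:11:12.345678900 UTC
Event identifier        : 0x000002bd (701)
Message filename        : %SystemRoot%\\system32\\aeevts.dll
Number of strings       : 0

Event number            : 10
Event identifier        : 0x000001f4 (500)
Message filename        : %SystemRoot%\\system32\\missing.dll
Number of strings       : 1
String: 1               : Service Pack
"""
def parse_evtxexport_text(text):
    """One dict per 'Event number' block; 'String: n' lines become fields too."""
    records, cur = [], None
    for m in filter(None, map(FIELD_RE.match, text.splitlines())):
        if m["name"] == "Event number":
            cur = {}
            records.append(cur)
        if cur is not None:
            cur[m["name"]] = m["value"].strip()
    return records
def resolve_resource_path(resource_filename, search_root, system_root="Windows"):
    """Map a %SystemRoot%\\... filename onto the mount, matching each component
    case-insensitively (Windows paths are; a Linux mount usually is not)."""
    cur = Path(search_root)
    win_path = re.sub("%systemroot%", system_root, resource_filename, flags=re.I)
    for part in filter(None, win_path.replace("\\", "/").split("/")):
        names = os.listdir(cur) if cur.is_dir() else []
        hit = next((n for n in names if n.lower() == part.lower()), None)
        if hit is None:
            return None
        cur = cur / hit
    return cur if cur.is_file() else None
def demo():
    """Constructed mount root holding only Windows/System32/aeevts.dll."""
    root = Path(tempfile.mkdtemp())
    (root / "Windows" / "System32").mkdir(parents=True)
    (root / "Windows" / "System32" / "aeevts.dll").write_bytes(b"MZ")  # stub, not a PE
    # {event number: (message DLL found under the mount?, number of strings)}
    return {r["Event number"]: (resolve_resource_path(r["Message filename"], root) is not None,
                                int(r["Number of strings"]))
            for r in parse_evtxexport_text(SAMPLE_TEXT)}
```

Running demo() reports event 9's DLL as found despite the system32/System32 case difference and event 10's as missing, which is the condition that surfaces as the resource_file_get_provider error in the STDERR above.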
