Difference between revisions of "Talk:Windows Event Log (EVT)"

From ForensicsWiki

Revision as of 16:21, 15 March 2006

ASchuster: Can you provide the source of your information on the header, cursor, retention, etc? If MSDN has this information, a link to it should be included in this page.

This information was obtained through extensive testing. As far as I know the only information available on MSDN is the declaration of the event record. --ASchuster

Well then thank you for your efforts. I've just been ignoring the header/cursor as an invalid EVENTLOGRECORD and reading all of the rest of the records out. --MKucenski

Does your tool parse a split event record properly? Think of a record in a wrapped log file that starts at the (physical) end and continues near the top (right after the header). There might even be some padding in between the two fragments. --ASchuster
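The split-record case raised above, as an added Python example that is not part of the original discussion or of either contributor's tool. It assumes a 48-byte file header, a little-endian length field before the "LfLe" signature and repeated at the end of each record, and fragments that join with no padding; `read_record` and `build_sample` are hypothetical names.

```python
import struct

HEADER_SIZE = 0x30   # assumption: fixed 48-byte file header precedes the record area
SIGNATURE = b"LfLe"  # assumption: signature that follows the leading length field


def read_record(buf: bytes, offset: int) -> bytes:
    """Return the record at offset, following a wrap to just after the header."""
    if not HEADER_SIZE <= offset < len(buf):
        raise ValueError("offset outside the record area")

    def take(n: int) -> bytes:
        # Read n bytes; what does not fit before the physical end of the
        # file is taken from the top of the record area.
        first = buf[offset:offset + n]
        return first + buf[HEADER_SIZE:HEADER_SIZE + n - len(first)]

    size, sig = struct.unpack("<I4s", take(8))
    if sig != SIGNATURE:
        raise ValueError("no record signature at this offset")
    if not 12 <= size <= len(buf) - HEADER_SIZE:
        raise ValueError("implausible record length")
    record = take(size)
    # The length is repeated at the end of the record. If the two fragments
    # were joined wrongly (for example padding sits between them), this fails
    # instead of returning a corrupted record.
    if struct.unpack("<I", record[-4:])[0] != size:
        raise ValueError("trailing length mismatch, fragments not contiguous")
    return record


def build_sample():
    """Constructed sample: a 40-byte record split 16/24 across the wrap."""
    record = struct.pack("<I4s", 40, SIGNATURE) + bytes(range(28)) + struct.pack("<I", 40)
    area = bytearray(64)          # record area of a 112-byte file
    area[48:64] = record[:16]     # first fragment at the physical end
    area[0:24] = record[16:]      # second fragment right after the header
    header = bytes(HEADER_SIZE)   # placeholder header, contents not modelled
    return header + bytes(area), HEADER_SIZE + 48, record


if __name__ == "__main__":
    buf, offset, expected = build_sample()
    print(read_record(buf, offset) == expected)
```

A tool that only reads forward from the record offset to the physical end of the file would return the first 16 bytes of this sample and miss the rest.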

WikiMarkup for tables?

Is it possible to typeset tables in MediaWiki? I'm only used to DokuWiki and didn't find any information in the help. --ASchuster