Difference between pages "Windows Event Log (EVT)" and "Windows XML Event Log (EVTX)"

From Forensics Wiki
= Windows XML Event Log (EVTX) =

{{expand}}

The Windows XML Event Log (EVTX) format was introduced in [[Windows|Windows Vista]] as a replacement for the [[Windows Event Log (EVT)]] format.

== Event Viewer ==

On Windows the event logs can be managed with "Event Viewer" (eventvwr.msc) or the "Windows Events Command Line Utility" (wevtutil.exe). Event Viewer can present EVTX files in both a "general view" (or formatted view) and a "details view" (which has both a "friendly view" and an "XML view"). Note that the formatted view can hide significant event data that is stored in the event record and is only visible in the details view.

If you export an event log from Event Viewer, additional "display information" can be exported. This display information is stored in a corresponding file named:

<pre>
LocaleMetaData\%FILENAME%_%LCID%.MTA
</pre>

Where LCID is the "locale identifier" [http://msdn.microsoft.com/en-us/goglobal/bb964664.aspx].

= Windows Event Log (EVT) =

MS Windows 2000, XP and 2003 typically maintain three Event Log files: Application, System and Security. They are generally found in the C:\Windows\system32\config directory. Server versions of the OS may maintain additional Event Logs (DNS Server.evt, Directory Service.evt, File Replication Service.evt) depending upon the functionality of the server.

It should be noted that Vista, Windows 2008 and Windows 7 use a different Windows Event Log format (see [[Windows XML Event Log (EVTX)]]).

Each log file consists of a Header record and the Body. The Body in turn consists of Event records, the Cursor record and unused space. The Body can form a ring buffer, in which case the Cursor record marks the border between the newest and the oldest Event record. Unused space can be empty space, slack or padding.

== Header Record ==

The Header Record, defined as [http://msdn.microsoft.com/en-us/library/bb309024%28VS.85%29.aspx ELF_LOGFILE_HEADER] on MSDN, consists of:

# uint32 length of record in bytes, fixed 0x30
# char magic[4], fixed 'LfLe' (for Event log file)
# uint32 unknown, fixed 0x0100 0x0000, possibly indicates version
# uint32 unknown, fixed 0x0100 0x0000, possibly indicates version
# uint32 offset of first event record
# uint32 offset of next event record
# uint32 number of next event record
# uint32 number of first event record
# uint32 filesize (see below)
# uint32 flags (see below)
# uint32 retention period in seconds
# uint32 length of record in bytes (again), fixed 0x30

Offsets and record numbers are updated only during a file close operation, that is, they are current only if the DIRTY flag (see below) is unset. If the flag is set, consult the cursor record instead.

Filesize is updated only during some recovery operations.
=== Flags ===

* 0x0001 DIRTY: set after the first write following an open operation.
* 0x0002 WRAPPED: set if the log has wrapped around.
* 0x0004 FULL: set if an event record could not be written because of size limitations and the retention policy in effect.
* 0x0008 PRIMARY if set, BACKUP if unset. This flag possibly depends on the origin of a log file; its usage seems to change between earlier (pre-SP1) and later (SP4) versions of Windows 2000.
== Cursor Record ==

# uint32 length of record in bytes, fixed 0x28
# uint32 magic[4], fixed 0x11111111 0x22222222 0x33333333 0x44444444
# uint32 offset of first event record
# uint32 offset of next event record
# uint32 number of next event record
# uint32 number of first event record
# uint32 length of record in bytes, fixed 0x28
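As an added example (not code from the wiki page or from the libevt project), the following Python reads the header record, decodes the flags, and falls back to the cursor record when the DIRTY flag says the header offsets are stale. The file image it parses is constructed inline: a header, one zero-filled placeholder event record of 0x58 bytes, and a cursor record; field names such as `first_offset` are this example's own.

```python
"""Reading the EVT header record and, when the file was not closed cleanly,
the cursor record.  Added example; the file image is constructed, not a real log."""
import struct

HEADER_SIZE = 0x30
HEADER_MAGIC = b"LfLe"
CURSOR_SIZE = 0x28
# The four cursor magic values 0x11111111 .. 0x44444444 as they appear on disk.
CURSOR_MAGIC = b"\x11" * 4 + b"\x22" * 4 + b"\x33" * 4 + b"\x44" * 4
FLAG_NAMES = {0x0001: "DIRTY", 0x0002: "WRAPPED", 0x0004: "FULL", 0x0008: "PRIMARY"}
HEADER_FIELDS = ("size", "magic", "major", "minor", "first_offset", "next_offset",
                 "next_number", "first_number", "file_size", "flags",
                 "retention", "size_end")


def parse_header(data):
    """Unpack the 0x30-byte ELF_LOGFILE_HEADER at file offset 0."""
    if len(data) < HEADER_SIZE:
        raise ValueError("file shorter than the header record")
    header = dict(zip(HEADER_FIELDS, struct.unpack("<I4s10I", data[:HEADER_SIZE])))
    if header["magic"] != HEADER_MAGIC:
        raise ValueError("bad header magic %r" % header["magic"])
    if header["size"] != HEADER_SIZE or header["size_end"] != HEADER_SIZE:
        raise ValueError("header length fields are not 0x30")
    return header


def flag_names(flags):
    """Decode the header flags; an unset PRIMARY bit means BACKUP."""
    names = [name for bit, name in sorted(FLAG_NAMES.items()) if flags & bit]
    if not flags & 0x0008:
        names.append("BACKUP")
    return names


def find_cursor(data):
    """Locate the cursor record by its 16-byte magic and its 0x28 length fields."""
    pos = data.find(CURSOR_MAGIC, HEADER_SIZE)
    while pos != -1:
        start, end = pos - 4, pos - 4 + CURSOR_SIZE
        if start >= HEADER_SIZE and end <= len(data):
            size = struct.unpack_from("<I", data, start)[0]
            size_end = struct.unpack_from("<I", data, end - 4)[0]
            if size == CURSOR_SIZE and size_end == CURSOR_SIZE:
                first_off, next_off, next_num, first_num = struct.unpack_from("<4I", data, pos + 16)
                return {"offset": start, "first_offset": first_off, "next_offset": next_off,
                        "next_number": next_num, "first_number": first_num}
        pos = data.find(CURSOR_MAGIC, pos + 1)
    return None


def log_bounds(data):
    """Offsets and record numbers to trust: the header if the file was closed
    cleanly, the cursor record if the DIRTY flag marks the header as stale."""
    header = parse_header(data)
    if header["flags"] & 0x0001:
        cursor = find_cursor(data)
        if cursor is None:
            raise ValueError("DIRTY flag set but no cursor record found")
        return dict(cursor, source="cursor")
    return {"offset": 0, "first_offset": header["first_offset"],
            "next_offset": header["next_offset"], "next_number": header["next_number"],
            "first_number": header["first_number"], "source": "header"}


def build_sample(dirty=True):
    """Constructed image: header, one 0x58-byte placeholder event record, cursor
    record.  With dirty=True the header still holds the values from before the
    file was opened, while the cursor record reflects the record just written."""
    flags = 0x0008 | (0x0001 if dirty else 0)
    record_len = 0x58
    cursor_off = HEADER_SIZE + record_len
    next_off, next_num = (HEADER_SIZE, 1) if dirty else (cursor_off, 2)
    header = struct.pack("<I4s10I", HEADER_SIZE, HEADER_MAGIC, 1, 1, HEADER_SIZE,
                         next_off, next_num, 1, 0x10000, flags, 0, HEADER_SIZE)
    record = struct.pack("<I", record_len) + b"\x00" * (record_len - 8) + struct.pack("<I", record_len)
    cursor = (struct.pack("<I", CURSOR_SIZE) + CURSOR_MAGIC
              + struct.pack("<4I", HEADER_SIZE, cursor_off, 2, 1) + struct.pack("<I", CURSOR_SIZE))
    return header + record + cursor


if __name__ == "__main__":
    image = build_sample()
    print(flag_names(parse_header(image)["flags"]), log_bounds(image))
```

On a file carved from disk or copied from a running system the DIRTY flag is the common case, so a parser that trusts the header's "next record" fields would stop before the most recent events; locating the cursor record by its magic is what makes those records reachable.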
== Event Record ==

Details of the Event record can be found in Microsoft's MSDN library under [http://msdn.microsoft.com/library/default.asp?url=/library/en-us/eventlog/base/eventlogrecord_str.asp EVENTLOGRECORD].
== Padding ==

If
* a log file has reached its configured size limit,
* the retention policy allows wrapping, and
* the remaining size is larger than 0x38 but smaller than the event record to be written,
then
* the event log service writes the first part of the event record (up to record offset 0x38),
* fills the remaining space with padding of 0x0027,
* and continues to write the second part of the event record (starting at record offset 0x38) at the top of the body (immediately after the header, that is, at file offset 0x30).
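The wrap rule above, worked through in Python as an added example (not the wiki page's or any project's code): `layout_wrapped` places a record in a body the way the service does when the record does not fit, and `read_record` reverses it, checking the 0x27 padding and the trailing length field. The record, file size and offset are constructed; only the length, the 'LfLe' marker and the record number of the fixed part are filled in.

```python
"""Reassembling an EVT event record that wraps around the end of the file.
Added example with a constructed file image; offsets follow the padding rule above."""
import struct

HEADER_SIZE = 0x30         # the body starts right after the header record
FIXED_PART = 0x38          # record offset at which a wrapping record is split
PAD_DWORD = 0x00000027     # padding value written between the two parts


def make_record(record_number, payload):
    """Build an EVENTLOGRECORD-shaped record: 0x38-byte fixed part, variable
    payload, trailing length.  Only the length, the 'LfLe' marker and the
    record number are filled in; the other fixed fields are left zero."""
    length = FIXED_PART + len(payload) + 4
    fixed = struct.pack("<I4sI11I", length, b"LfLe", record_number, *([0] * 11))
    return fixed + payload + struct.pack("<I", length)


def layout_wrapped(record, file_size, offset):
    """Place `record` at `offset` in a zero-filled image of `file_size` bytes,
    splitting it as the service does when the space left is larger than 0x38
    but smaller than the record."""
    image = bytearray(file_size)
    remaining = file_size - offset
    if len(record) <= remaining:
        image[offset:offset + len(record)] = record
        return bytes(image)
    if remaining <= FIXED_PART:
        raise ValueError("fixed part does not fit; the wrap rule does not apply")
    pad_len = remaining - FIXED_PART
    if pad_len % 4:
        raise ValueError("this example assumes dword-aligned padding")
    image[offset:offset + FIXED_PART] = record[:FIXED_PART]
    image[offset + FIXED_PART:file_size] = struct.pack("<I", PAD_DWORD) * (pad_len // 4)
    tail = record[FIXED_PART:]
    image[HEADER_SIZE:HEADER_SIZE + len(tail)] = tail
    return bytes(image)


def read_record(data, offset):
    """Return the complete record starting at `offset`, joining both parts
    when it wraps around the end of the body."""
    length = struct.unpack_from("<I", data, offset)[0]
    remaining = len(data) - offset
    if length <= remaining:
        record = data[offset:offset + length]
    else:
        if remaining <= FIXED_PART:
            raise ValueError("truncated record: fixed part does not fit")
        pad = data[offset + FIXED_PART:]
        if len(pad) % 4 or any(v != PAD_DWORD for (v,) in struct.iter_unpack("<I", pad)):
            raise ValueError("expected 0x27 padding before the wrap")
        record = data[offset:offset + FIXED_PART] + data[HEADER_SIZE:HEADER_SIZE + length - FIXED_PART]
    end_length = struct.unpack_from("<I", record, len(record) - 4)[0]
    if end_length != length:
        raise ValueError("leading and trailing length fields disagree")
    return record


# Constructed sample: a 0x5a-byte record written at offset 0xb8 of a 0x100-byte
# image leaves 0x48 bytes, so it is split 0x38 + padding + 0x22 bytes at 0x30.
SAMPLE_RECORD = make_record(7, b"Source\x00Host\x00insert 1\x00insert 2\x00")
SAMPLE_IMAGE = layout_wrapped(SAMPLE_RECORD, 0x100, 0xb8)

if __name__ == "__main__":
    print(read_record(SAMPLE_IMAGE, 0xb8) == SAMPLE_RECORD)
```

A parser that walks records linearly and stops at the first length field that runs past end-of-file will silently drop the wrapped record; checking for the 0x27 padding and continuing at file offset 0x30 recovers it, and comparing both length fields catches a partial overwrite of the second part.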
== Message Templates ==

When written to disk, EVT log records contain very little human-readable context. Log entries are made human-readable at analysis time through tools such as Event Viewer, by combining pre-defined message templates (stored in system DLLs and EXEs) with the variable data stored in the EVT file. The templates and variable data are combined with a call to FormatMessage(), which is why the templates look similar to printf()'s format strings.

When Event Viewer (or another log viewing tool) displays log records, it has to determine which DLLs store the message templates. This linking information is stored in the registry and is specific to each type of log (System, Security, Application, etc.). These entries ultimately point to a list of DLLs which contain the message templates. Each log record contains a relative virtual address (RVA) referencing the associated message template. The lower 16 bits of this RVA are typically displayed as the Message ID, but this alone generally isn't enough to uniquely identify a message template.

All of this means that EVT files aren't really complete on their own. The files which store the core meaning of a log entry are separate from the logs themselves, and this creates several analysis problems. First, an attacker could modify DLLs or the registry in order to change the meaning of logs without having to touch the EVT file at all. Second, when software is uninstalled later, some EVT records can lose their context. Finally, EVT files aren't particularly portable to other systems, since some log records may rely on message templates which don't exist there. One must keep these issues in mind when analyzing EVT logs.
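The template lookup described above, as an added example in Python (not the wiki page's or Event Viewer's code): `split_event_id` separates the 32-bit identifier into the standard Win32 message-id fields, of which only the low 16 bits appear as the "Event ID"; `format_message` expands a FormatMessage()-style template; `resolve` reports when no template is available. The template table, source name and message texts are hypothetical and stand in for the message-table resources that Event Viewer loads from the DLLs named in the registry.

```python
"""Turning an EVT record's event identifier and insertion strings into a message,
the way Event Viewer does with FormatMessage().  Added example; the template
table and source name are constructed."""
import re


def split_event_id(event_id):
    """Split a 32-bit event identifier into its Win32 message-id fields.
    Event Viewer shows only the low 16 bits (the code) as the Event ID."""
    return {
        "severity": (event_id >> 30) & 0x3,
        "customer": (event_id >> 29) & 0x1,
        "facility": (event_id >> 16) & 0xFFF,
        "code": event_id & 0xFFFF,
    }


# %1..%99 with an optional !format! suffix, or one of the escape sequences.
_TOKEN = re.compile(r"%([1-9]\d?)(?:!([^!]*)!)?|%([nrt%0!.])")
_ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "%": "%", "!": "!", ".": "."}


def format_message(template, inserts):
    """Expand a FormatMessage()-style template: %1..%99 are insertion strings,
    %n/%r/%t are line break/CR/tab, %% a literal percent, %0 ends the message."""
    out = []
    pos = 0
    for m in _TOKEN.finditer(template):
        out.append(template[pos:m.start()])
        pos = m.end()
        if m.group(1) is not None:
            index = int(m.group(1))
            # An insert the record does not carry is left unexpanded rather than raising.
            out.append(inserts[index - 1] if index <= len(inserts) else m.group(0))
        else:
            if m.group(3) == "0":
                return "".join(out)
            out.append(_ESCAPES[m.group(3)])
    out.append(template[pos:])
    return "".join(out)


# Constructed table keyed by (source, full 32-bit identifier).  Two templates
# share the displayed Event ID 0x1001 and differ only in the severity bits,
# which is why the low 16 bits alone cannot select a template.
TEMPLATES = {
    ("ExampleService", 0x40001001): "Service %1 entered the %2 state.%n",
    ("ExampleService", 0xC0001001): "Service %1 failed: %2%n",
}


def resolve(source, event_id, inserts, templates=TEMPLATES):
    """Render a record as (text, resolved).  resolved is False when no template
    is available, the loss of context described above for removed software or
    a log moved to another system."""
    template = templates.get((source, event_id))
    if template is None:
        return ("Event %d from source %s; no template available. Inserts: %s"
                % (event_id & 0xFFFF, source, " | ".join(inserts)), False)
    return format_message(template, inserts), True


if __name__ == "__main__":
    print(resolve("ExampleService", 0xC0001001, ["Spooler", "access denied"]))
    print(resolve("RemovedProduct", 0x40001001, ["Spooler"]))
```

Keeping the raw insertion strings in the unresolved output matters for analysis: they are the part of the message that actually lives in the EVT file, so they survive even when the DLL holding the template is gone or has been altered.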
Links and tools from both pages are listed together below.

== See Also ==
* [[Windows Event Log (EVT)]]
* [[Windows XML Event Log (EVTX)]]
* [[Windows]]

== External Links ==

=== File Format ===
* [http://code.google.com/p/libevt/downloads/detail?name=Windows%20Event%20Log%20%28EVT%29.pdf Windows Event Log (EVT) format], by the [[libevt|libevt project]]
* [https://googledrive.com/host/0B3fBvzttpiiSRnQ0SExzX3JjdFE/Windows%20XML%20Event%20Log%20(EVTX).pdf Windows XML Event Log (EVTX) format], by the [[libevtx|libevtx project]]
* [http://msdn.microsoft.com/en-us/library/cc231282(v=prot.10).aspx EventLog Remoting Protocol Version 6.0 Specification], by [[Microsoft]]
* [http://msdn.microsoft.com/en-us/library/cc231354.aspx Simple BinXml Example], by [[Microsoft]]
* [http://computer.forensikblog.de/mt/mt-search.cgi?IncludeBlogs=3&tag=Evtx&limit=20 int for(ensic){blog;} - results tagged Evtx], by [[Andreas Schuster]]
* [http://www.dfrws.org/2007/proceedings/p65-schuster_pres.pdf Introducing the Microsoft Vista Event Log File Format], by [[Andreas Schuster]] in 2007
* [http://computer.forensikblog.de/en/2010/10/linking-event-messages-and-resource-dlls.html Linking Event Messages and Resource DLLs], by [[Andreas Schuster]] in 2010

=== Event Identifiers ===
* [http://eventid.net/ EventID.net]

=== Windows 2000 ===
* [http://www.eventreporter.com/common/en/securityreference/win-eventcorrelation-processtracking.php Correlation of Windows Process Tracking Events]

=== Windows Vista/2008 ===
* [http://support.microsoft.com/kb/947226 Description of security events in Windows Vista and in Windows Server 2008]

=== Windows 7 ===
* [http://msdn.microsoft.com/en-us/magazine/ee412263.aspx Core OS Events in Windows 7, Part 1]
* [http://msdn.microsoft.com/en-us/magazine/ee358703.aspx Core Instrumentation Events in Windows 7, Part 2]

== Tools ==
* [http://computer.forensikblog.de/files/evtx/Parse-Evtx-current.zip Evtx Parser]
* [http://projects.sentinelchicken.org/grokevt GrokEVT] is a set of forensics scripts designed to make sense of EVT logs for investigations. Along with RegLookup, it is able to combine registry information and event log templates to place EVT data in context. (UN*X platforms only.)
* [[libevt]]
* [[libevtx]]
* [http://www.cpan.org/modules/by-authors/id/H/HC/HCARVEY/ File::ReadEVT] is a Perl module that parses event log files for the purpose of forensics.
* [[log2timeline]]
* [http://www.tzworks.net/prototype_page.php?proto_id=4 Windows Eventlog Viewer] Free tool that can be run on Windows, Linux or Mac OS X. Parses Windows XP, Vista and Windows 7 event logs.
* [http://technet.microsoft.com/en-us/library/cc749339.aspx wevtutil]
* [http://www.tzworks.net/prototype_page.php?proto_id=25 evtwalk] Command line tool to pull reports (password changes, logons, clock changes, system start/stop, and credential changes) from Windows event logs.
* [http://www.microsoft.com/en-us/download/details.aspx?id=24659 LogParser]
* [http://www.williballenthin.com/evtx/ python-evtx]
* [https://github.com/williballenthin/LfLe lfle.py], by [[Willi Ballenthin]]

[[Category:File Formats]]

Revision as of 03:11, 12 July 2013 (Windows XML Event Log (EVTX) page)