Windows XML Event Log (EVTX)

The Windows XML Event Log (EVTX) format was introduces in Windows Vista as a replacement for the Windows Event Log (EVT) format.

Windows EventViewer can represent the EVTX files in both "formatted view" and "XML view". Note that the formatted view can hide significant event data that is stored in the event and can be seen in the XML view.

Event Viewer

On Windows the event logs can be managed with "Event Viewer" (eventvwr.msc) or "Windows Events Command Line Utility" (wevtutil.exe).

If you export an event log from Event Viewer additional "display information" can be exported. This "display information" is stored in a corresponding "%FILENAME%_%LCID%.MTA", where LCID is the "locale identifier" [1].

Application_1033.MTA

See Also

• Windows Event Log (EVT)
• Windows

External Links

File Format

• EventLog Remoting Protocol Version 6.0 Specification, by Microsoft
• Simple BinXml Example, by Microsoft
• int for(ensic){blog;} - results tagged Evtx, by Andreas Schuster
• Introducing the Microsoft Vista Event Log File Format, by Andreas Schuster in 2007
• Linking Event Messages and Resource DLLs, by Andreas Schuster in 2010
• Windows XML Event Log (EVTX) format, by the libevtx project

Event Identifiers

• EventID.net

Windows Vista/2008

• Description of security events in Windows Vista and in Windows Server 2008

Windows 7

• Core OS Events in Windows 7, Part 1
• Core Instrumentation Events in Windows 7, Part 2

Tools

• Evtx Parser
• libevtx
• log2timeline
• wevtutil
• LogParser