> I'm sure that would be quite an undertaking!
Yes, it would. I'm already working on a limited form of that kind of tool…one that is similar to my current Offline Registry Parser, but is designed for specific hive (SAM, NTUSER, etc) files.
I've had a request from someone to write a tool to parse the change.log.x files into something readable, and I've located a reference for how to do this.
My question is…is anyone out there interested in this sort of thing?
I think it would be useful in limited cases. We can run SRDiag.exe and come up with some useful, albeit esoteric, log files. The change.log.# files could be useful to show the original path of a monitored file. As you no doubt know, it may put an interesting link file in a particular user's account. There may be other instances in which original path details are valuable. Beyond that, I'm not sure of the information that may be of value, but would welcome an education!
Okay, well, I wrote a script to parse these files, for someone who asked for it.
Just an update to my previous post…
The script I wrote parses the change.log.x file, found in the restore points. The output looks like
Sequence Number = 59665
Name = \Documents and Settings\Harlan\Local Settings\desktop.ini
Change Type = Modify File
Sequence Number = 59666
Name = \Documents and Settings\Harlan\Local Settings
Change Type = Update Attributes
Sequence Number = 59667
Name = \Documents and Settings\Harlan\Local Settings\Application Data
Change Type = Update Attributes
Sequence Number = 59668
Name = \WINDOWS\system32\DLA\DLA.INI
Change Type = Modify File
As you can see, there are files that are modified, and other events that are recorded in these log files. I was asked to write this tool for someone who'd found information relating to CD Burning in these files.
Harlan,
The script you wrote to parse the change.log, is that available on CD via your most recent book?
A very handy tool would be one that could go through the RPs and note changes to selected registry hives, perhaps even changes to selected keys, or log files. I'm sure that would be quite an undertaking! Just a thought.
I have written one - let me see if I can polish it up to make it release quality…
Du212,
Yes, it is. It's called "lscl.pl", and there's an .exe version, as well.
JimmyW,
Your request isn't difficult…it would be easier if you could specify what changes you're looking for, specifically.
H
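The kind of filter JimmyW asks about, written over the record format Harlan's output shows above (an added example, not lscl.pl or any code from the thread; the NTUSER.DAT record, the hypothetical RP-keyed input and the function names are constructed):

```python
"""Filter lscl.pl-style change.log.x output for changes to watched files.
Added example, not Harlan's lscl.pl: it reads that script's text records
and lists the ones touching e.g. registry hives, per restore point."""
import re

# First two records copied from the thread's output; sequence 59669
# (NTUSER.DAT) is constructed so a hive appears in the sample.
SAMPLE_OUTPUT = """\
Sequence Number = 59665
Name = \\Documents and Settings\\Harlan\\Local Settings\\desktop.ini
Change Type = Modify File
Sequence Number = 59666
Name = \\Documents and Settings\\Harlan\\Local Settings
Change Type = Update Attributes
Sequence Number = 59669
Name = \\Documents and Settings\\Harlan\\NTUSER.DAT
Change Type = Modify File
"""
FIELD_RE = re.compile(r"^(Sequence Number|Name|Change Type) = (.*)$")

def parse_records(text):
    """One dict per entry; each 'Sequence Number' line starts a record."""
    records, current = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line.rstrip())
        if not m:
            continue  # tolerate blank lines or banner text
        field, value = m.groups()
        if field == "Sequence Number":
            current = {"seq": int(value)}
            records.append(current)
        elif current is not None:
            current["name" if field == "Name" else "type"] = value
    # drop truncated entries missing a Name or Change Type line
    return [r for r in records if {"seq", "name", "type"}.issubset(r)]

def changes_to(records, watched):
    """Entries whose file name is in watched (case-insensitive match)."""
    wanted = {w.lower() for w in watched}
    return [r for r in records
            if r["name"].rsplit("\\", 1)[-1].lower() in wanted]

def scan_restore_points(outputs, watched):
    """outputs: RP directory name -> lscl.pl text for its change.log.x.
    Returns (rp, seq, name, type) tuples for watched files, RP2 before RP10."""
    by_number = lambda kv: int(re.sub(r"\D", "", kv[0]) or 0)
    return [(rp, r["seq"], r["name"], r["type"])
            for rp, text in sorted(outputs.items(), key=by_number)
            for r in changes_to(parse_records(text), watched)]
```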
H,
Can I perform a Vulcan Mind Meld on you?
Assuming I would not blow up as a result of it. -)
-ss 8)
???