wevtutil corrupts evt logs

(@infern0)
Posts: 54
Trusted Member
Topic starter
 

Anyone using a Windows 7 or similar machine to conduct their forensic analysis? More specifically, their event log analysis from an XP system?

I wanted to use log parser to convert the logs from EVT to CSV as I have done so many times on my XP analysis stations, however, that doesn't seem to be an option out of the gates when using the Windows 7 analysis station. The logs must first be converted to the evtx format using wevtutil.

wevtutil epl FROM.evt TO.evtx /lf:true

Logparser 2.2 does not have an input option of EVTX; so when using EVT the resulting CSV is populated with all events, though their descriptions read that "the local computer may not have the descriptions…"

Thoughts?

 
Posted : 05/08/2010 5:49 pm
(@athulin)
Posts: 1156
Noble Member
 

Logparser 2.2 does not have an input option of EVTX; so when using EVT the resulting CSV is populated with all events, though their descriptions read that "the local computer may not have the descriptions…"

Thoughts?

Logparser just calls the standard API for event logs … and on Windows 7 those happen to be targeted to the evtx format. LogParser does not (as far as I understand) have any knowledge about the event log file format on its own.

The message you mention is probably due to the message translation that is done. A message catalog (in the form of a .dll file) is registered (one for each event log source, and language), and can be identified in the registry. The log parser system call uses the event log type and contents to identify the corresponding .dll, and extracts the basic message from it.

If there is no such message catalog on your system, there seems to be no way (not even a default) to get at the message … and that's what the message signifies.

For this reason, LogParser doesn't really work perfectly well for event log files from cases where the event source is not one you have installed – you really need to get at the message catalogs from the case as well.

 
Posted : 05/08/2010 6:02 pm
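An added example (not posted by either participant) of checking, on a Windows 7 analysis station, which event sources in a converted log have no message catalog registered locally, i.e. which events will come out with the "the local computer may not have the descriptions" text. It assumes the EVT has already been converted with wevtutil epl and that the registry layout is the usual HKLM\SYSTEM\CurrentControlSet\Services\EventLog\<Log>\<Source> with an EventMessageFile value; the path C:\case\TO.evtx is a placeholder.

```powershell
function Get-MissingMessageCatalogs {
    param([Parameter(Mandatory)][string]$EvtxPath)   # converted file, e.g. output of wevtutil epl
    $regRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'
    # Event sources (providers) that actually appear in the case log
    $sources = Get-WinEvent -Path $EvtxPath -ErrorAction Stop |
        ForEach-Object { $_.ProviderName } | Sort-Object -Unique
    foreach ($src in $sources) {
        # A source key may be registered under any log name (Application, System, ...)
        $key = Get-ChildItem $regRoot -ErrorAction SilentlyContinue |
            ForEach-Object { Join-Path $_.PSPath $src } |
            Where-Object { Test-Path $_ } |
            Select-Object -First 1
        $file = $null
        if ($key) { $file = (Get-ItemProperty $key).EventMessageFile }
        $present = $false
        if ($file) {
            # EventMessageFile may list several DLLs separated by ';' and use %SystemRoot%-style variables
            $present = ($file -split ';' | ForEach-Object {
                Test-Path ([Environment]::ExpandEnvironmentVariables($_.Trim())) }) -contains $true
        }
        [pscustomobject]@{
            Source         = $src
            RegistryKey    = $key
            MessageFile    = $file
            CatalogPresent = $present
        }
    }
}

# Placeholder path: list the sources whose catalog DLL must be pulled from the case machine
Get-MissingMessageCatalogs -EvtxPath 'C:\case\TO.evtx' |
    Where-Object { -not $_.CatalogPresent } |
    Format-Table Source, MessageFile -AutoSize
```

Sources reported with CatalogPresent = $false are the ones whose .dll (and registry entry) need to be obtained from the case system before LogParser or Get-WinEvent can render their descriptions.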