dissect.etl.headers.logfile#

Module Contents#

Classes#

ReservedFlags

Enum where members are also (and must be) ints

LogfileHeader

The logfile header.

Attributes#

dissect.etl.headers.logfile.logfile_def = Multiline-String#
"""
/* Calendar timestamp; the field set is the same as the Win32 SYSTEMTIME structure. */
struct SYSTEMTIME {
    WORD    wYear;
    WORD    wMonth;
    WORD    wDayOfWeek;
    WORD    wDay;
    WORD    wHour;
    WORD    wMinute;
    WORD    wSecond;
    WORD    wMilliseconds;
};

/* Time-zone block; the field set matches the Win32 TIME_ZONE_INFORMATION structure. */
struct TZInfo {
    LONG        Bias;
    wchar       StandardName[32];   /* fixed-length (32 wide chars) */
    SYSTEMTIME  StandardDate;
    LONG        StandardBias;
    wchar       DaylightName[32];   /* fixed-length (32 wide chars) */
    SYSTEMTIME  DaylightDate;
    LONG        DaylightBias;
};

/* Header carried by the first event of an ETL file; the field set corresponds to
 * the Win32 TRACE_LOGFILE_HEADER. Every value is read straight from the file, so
 * sizes and counts (BufferSize, NumberOfProcessors, PointerSize, ...) are
 * untrusted input until the reader checks them. */
struct TraceLogfileHeader {
    uint32  BufferSize;
    /* The version can be read as one uint32 or as its four component bytes. */
    union   version_information {
        uint32 Version;
        struct VersionDetail {
            uchar MajorVersion;
            uchar MinorVersion;
            uchar SubVersion;
            uchar SubMinorVersion;
        };
    };
    uint32  ProviderVersion;
    uint32  NumberOfProcessors;
    uint64  EndTime;
    uint32  TimerResolution;
    uint32  MaximumFileSize;
    uint32  LogFileMode;
    uint32  BuffersWritten;
    /* 16-byte GUID overlaid with four uint32 values; the layout itself does not
     * say which interpretation applies to a given file. */
    union {
        char LogInstanceGuid[16];
        struct {
            uint32  StartBuffers;
            uint32  PointerSize;
            uint32  EventsLost;
            uint32  CpuSpeedInMHz;
        };
    };
    /* Pointer-sized fields; their width presumably follows the file's pointer
     * size (see LogfileHeader.pointer_size / is_64bit) — confirm in the reader. */
    PWSTR   LoggerName;
    PWSTR   LogFileName;
    TZInfo  TimeZone;
    uint32  padding; /* The timezone info is said to be 0xB0 bytes... no clue why */
    uint64  BootTime;
    uint64  PerfFreq;
    uint64  StartTime;
    uint32  ReservedFlags;  /* see the ReservedFlags enum below */
    uint32  BufferLost;
};

/* Logger and log-file names that trail the header. Neither array declares a
 * length, so the reader's termination and bounds handling is what limits how
 * much of an (untrusted) file these consume — confirm against the reader code. */
struct LogFileNames {
    wchar LoggerName[];
    wchar LogFileName[];
};
"""
class dissect.etl.headers.logfile.ReservedFlags#

Bases: enum.IntEnum

Enum where members are also (and must be) ints

PERFORMANCE_FREQ = 1#
FILETIME = 2#
CPU_FREQ = 3#
class dissect.etl.headers.logfile.LogfileHeader(calling_header: dissect.etl.headers.system.SystemHeader)#

The logfile header.

It is the payload of the first event in an ETL file.

There is also a manifest file that parses this specific header. However, since it is a standard event present in every ETL file (and it requires some special handling for timestamp calculation), there is a dedicated parser for it.

property header: dissect.cstruct.Structure#

The parsed header of the event.

property payload: memoryview#

The payload data for the event.

property is_64bit: bool#
property minimal_size: int#

Minimum header size.

property cpu_speed_in_MHz: int#

The CPU speed that was recorded inside the logfile header.

property perf_freq: int#

The performance frequency used to record the ETL file.

property start_time: int#

When the ETL file started to record.

property pointer_size: int#

The size of string pointers.

property end_time: int#

The time the last event was written to the ETL file.

property buffers_written: int#

The number of buffers written to the file.