dissect.target.plugins.os.windows.log.etl

Module Contents

Classes

EtlRecordBuilder

EtlPlugin

Plugin for fetching and parsing Windows ETL Files (*.etl)

class dissect.target.plugins.os.windows.log.etl.EtlRecordBuilder

RECORD_NAME = 'filesystem/windows/etl'

read_etl_records(etl_file_stream, etl_path, target)

class dissect.target.plugins.os.windows.log.etl.EtlPlugin(target)

Bases: dissect.target.plugin.Plugin

Plugin for fetching and parsing Windows ETL Files (*.etl)

__namespace__ = 'etl'

PATHS

check_compatible() -> None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

read_etl_files(etl_paths: list[str])

Read ETL files using an EtlReader.

etl()

Return the contents of the ETL files generated at last boot and last shutdown.

An event trace log (.etl) file, also known as a trace log, stores the trace messages generated during one or more trace sessions. A trace session is a period in which a trace provider (a component of a user-mode application or kernel-mode driver that uses Event Tracing for Windows (ETW) technology to generate trace messages or trace events) is generating trace messages.

Yields dynamically created records based on the fields inside an ETL event. At least contains the following fields:

hostname (string): The target hostname.
domain (string): The target domain.
ts (datetime): The TimeCreated_SystemTime field of the event.
Provider_Name (string): The Provider_Name field of the event.
EventType (string): The type of the event defined by the manifest file.

shutdown()

Return the contents of the ETL files created at last shutdown.

The plugin reads the content from the ShutdownCKCL.etl file or the ShutdownPerfDiagLogger.etl file (depending on the Windows version).

Yields dynamically created records based on the fields inside an ETL event. At least contains the following fields:

hostname (string): The target hostname.
domain (string): The target domain.
ts (datetime): The TimeCreated_SystemTime field of the event.
Provider_Name (string): The Provider_Name field of the event.
EventType (string): The type of the event defined by the manifest file.

boot()

Return the contents of the ETL files created at last boot.

The plugin reads the content from the BootCKCL.etl file or the BootPerfDiagLogger.etl file (depending on the Windows version).

Yields dynamically created records based on the fields inside an ETL event. At least contains the following fields:

hostname (string): The target hostname.
domain (string): The target domain.
ts (datetime): The TimeCreated_SystemTime field of the event.
Provider_Name (string): The Provider_Name field of the event.
EventType (string): The type of the event defined by the manifest file.
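The records yielded by etl(), boot() and shutdown() share the minimum field set listed above. The following is an added example, not code from dissect.target, that summarises such records for triage: which hosts they came from, the time window they cover, and which providers and event types dominate. SAMPLE_RECORDS are constructed; Target.open() and the target.etl plugin namespace used in main() are assumed dissect.target APIs.

```python
from collections import Counter
from datetime import datetime, timezone
from types import SimpleNamespace

def summarize_etl_records(records) -> dict:
    """Summarise records as yielded by EtlPlugin.etl()/boot()/shutdown().

    Only the fields the plugin documents are used (hostname, domain, ts,
    Provider_Name, EventType), so any object exposing them will do.
    """
    providers, event_types, hosts = Counter(), Counter(), set()
    first = last = None
    for rec in records:
        hosts.add(f"{rec.domain}\\{rec.hostname}")
        providers[rec.Provider_Name] += 1
        event_types[rec.EventType] += 1
        if first is None or rec.ts < first:
            first = rec.ts
        if last is None or rec.ts > last:
            last = rec.ts
    return {
        "hosts": sorted(hosts),
        "first_ts": first,
        "last_ts": last,
        "span_seconds": (last - first).total_seconds() if first else 0.0,
        "providers": dict(providers.most_common()),  # busiest provider first
        "event_types": dict(event_types.most_common()),
    }

def _rec(minute, provider, etype):
    # Constructed sample record carrying the documented field set (not real ETL data).
    return SimpleNamespace(hostname="WS01", domain="CORP",
                           ts=datetime(2024, 1, 2, 8, minute, tzinfo=timezone.utc),
                           Provider_Name=provider, EventType=etype)

SAMPLE_RECORDS = [
    _rec(0, "Microsoft-Windows-Kernel-General", "SystemStart"),
    _rec(1, "Microsoft-Windows-Kernel-Process", "ProcessStart"),
    _rec(1, "Microsoft-Windows-Kernel-Process", "ProcessStart"),
    _rec(3, "Microsoft-Windows-Kernel-File", "FileCreate"),
]

def main(image_path: str) -> dict:
    # Real use: Target.open() and the 'etl' namespace are assumed dissect.target
    # APIs, imported lazily so the summariser itself has no dissect dependency.
    from dissect.target import Target
    return summarize_etl_records(Target.open(image_path).etl.boot())
```

Run summarize_etl_records(SAMPLE_RECORDS) to see the shape of the result offline; swap in main() with a path to a disk image to summarise the last boot's ETL records from a real target.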