Module Contents



Plugin for fetching and parsing Windows Eventlog Files (*.evtx)



dissect.target.plugins.os.windows.log.evtx.EVTX_GLOB = '*.evtx'
class dissect.target.plugins.os.windows.log.evtx.EvtxPlugin(target)

Bases: dissect.target.plugins.os.windows.log.evt.WindowsEventlogsMixin, dissect.target.plugin.Plugin

Plugin for fetching and parsing Windows Eventlog Files (*.evtx)

RECORD_NAME = 'filesystem/windows/evtx'
LOGS_DIR_PATH = 'sysvol/windows/system32/winevt/logs'
NEEDLE = b'ElfChnk\x00'
CHUNK_SIZE = 65536
evtx(log_file_glob: str = EVTX_GLOB, logs_dir: str | None = None) Generator[flow.record.Record, None, None]

Return entries from Windows Event log files (*.evtx).

Windows Event log is a detailed record of system, security and application notifications. It can be used to diagnose a system or find future issues. Up until Windows XP the extension .evt was used, hereafter .evtx became the new standard.


Yields dynamically created records based on the fields in the event. At least contains the following fields:

hostname (string): The target hostname. domain (string): The target domain. ts (datetime): The TimeCreated_SystemTime field of the event. Provider_Name (string): The Provider_Name field of the event. EventID (int): The EventID of the event.

scraped_evtx() Generator[flow.record.Record, None, None]

Return EVTX log file records scraped from target disks

dissect.target.plugins.os.windows.log.evtx.format_value(value: Any) Any