`evtx`#

$ target-query <path/to/target> -f evtx

Details#
Module	`os.windows.log.evtx.EvtxPlugin`
Output	`records`

Module documentation

Plugin for fetching and parsing Windows Eventlog Files (*.evtx)

Function documentation

Return entries from Windows Event log files (*.evtx).

Windows Event log is a detailed record of system, security and application notifications. It can be used to diagnose a system or find future issues. Up until Windows XP the extension .evt was used, hereafter .evtx became the new standard.

References:

https://www.techtarget.com/searchwindowsserver/definition/Windows-event-log
https://serverfault.com/questions/441050/what-are-the-differences-between-windows-evt-and-evtx-log-files

Yields dynamically created records based on the fields in the event. At least contains the following fields:

hostname (string): The target hostname. domain (string): The target domain. ts (datetime): The TimeCreated_SystemTime field of the event. Provider_Name (string): The Provider_Name field of the event. EventID (int): The EventID of the event.

evtx#

`evtx`#