A Dissect module implementing a parser for the CLFS (Common Log File System) file system of Windows. Currently only supports the persistent variant.


dissect.clfs is available on PyPI.

$ pip install dissect.clfs

This module is also automatically installed if you install the dissect package.


This package is a library with no CLI tools, so you can only interact with it from Python. For example, to print the logblock headers and associated containers of a given .blf file:

from dissect.clfs import blf

with open("windows/config/DRIVERS{1c2b59ad-c5f5-11eb-bacb-000d3a96488e}.TM.blf", "rb") as fh:
    blf_instance = blf.BLF(fh)

    for base_record in blf_instance.base_records():
        # Parse the base records and print the logblock record headers
        print(base_record)

        for stream in base_record.streams:
            # Print the associated container names
            for blf_container in base_record.containers:

                # Skip containers whose ID does not match the stream's container ID
                if blf_container.id != stream.lsn_base.Offset.ContainerId:
                    continue

                # We can encounter the same container ID for the shadow blocks
                if blf_container.type != stream.type:
                    continue

                # Invalid LSN (-1)
                if stream.lsn_base.PhysicalOffset <= 0:
                    continue

                # Strip the prepended directory to accommodate for dissect FS
                # %BLF%\DRIVERS{1c2b59ad-c5f5-11eb-bacb-000d3a96488e}.TMContainer00000000000000000001.regtrans-ms
                print(f"Associated container: {blf_container.name}")


For more details, please refer to the API documentation of dissect.clfs.