dissect.eventlog.evt

Module Contents

Classes

Record

Evt

Windows Event Log (.evt) files for Windows versions up to Windows XP

Functions

find_needle

parse_record

reprsid

is_eof_record

is_header_record

parse_chunk

Requires a chunk that starts with an EVENTLOGRECORD header.

Attributes

dissect.eventlog.evt.evt_def = Multiline-String
"""
#define ELF_LOGFILE_HEADER_DIRTY    0x0001
#define ELF_LOGFILE_HEADER_WRAP     0x0002
#define ELF_LOGFILE_LOGFULL_WRITTEN 0x0004
#define ELF_LOGFILE_ARCHIVE_SET     0x0008

typedef struct _EVENTLOGHEADER {
    ULONG   HeaderSize;
    char    Signature[4];
    ULONG   MajorVersion;
    ULONG   MinorVersion;
    ULONG   StartOffset;
    ULONG   EndOffset;
    ULONG   CurrentRecordNumber;
    ULONG   OldestRecordNumber;
    ULONG   MaxSize;
    ULONG   Flags;
    ULONG   Retention;
    ULONG   EndHeaderSize;
} EVENTLOGHEADER;

typedef struct _EVENTLOGRECORD {
    DWORD   Length;
    DWORD   Reserved;
    DWORD   RecordNumber;
    DWORD   TimeGenerated;
    DWORD   TimeWritten;
    DWORD   EventID;
    WORD    EventType;
    WORD    NumStrings;
    WORD    EventCategory;
    WORD    ReservedFlags;
    DWORD   ClosingRecordNumber;
    DWORD   StringOffset;
    DWORD   UserSidLength;
    DWORD   UserSidOffset;
    DWORD   DataLength;
    DWORD   DataOffset;
} EVENTLOGRECORD;

typedef struct _EVENTLOGEOF {
    ULONG   RecordSizeBeginning;
    ULONG   One;
    ULONG   Two;
    ULONG   Three;
    ULONG   Four;
    ULONG   BeginRecord;
    ULONG   EndRecord;
    ULONG   CurrentRecordNumber;
    ULONG   OldestRecordNumber;
    ULONG   RecordSizeEnd;
} EVENTLOGEOF;
"""
dissect.eventlog.evt.c_evt
dissect.eventlog.evt.EVENTLOGRECORD_SIZE
class dissect.eventlog.evt.Record

Bases: tuple

RecordNumber
TimeGenerated
TimeWritten
EventID
EventCode
EventFacility
EventCustomerFlag
EventSeverity
EventType
EventCategory
SourceName
Computername
UserSid
Strings
Data
record
dissect.eventlog.evt.BLOCK_SIZE = 4096
dissect.eventlog.evt.DIRTY_NEEDLE = b'(\x00\x00\x00\x11\x11\x11\x11""""3333DDDD'
class dissect.eventlog.evt.Evt(fh)

Windows Event Log (.evt) files for Windows versions up to Windows XP

fh
header
start_offset
end_offset
current_record_number
oldest_record_number
flags
__iter__()
dissect.eventlog.evt.find_needle(fh, needle)
dissect.eventlog.evt.parse_record(record, buf)
dissect.eventlog.evt.reprsid(s)
dissect.eventlog.evt.is_eof_record(record)
dissect.eventlog.evt.is_header_record(record)
dissect.eventlog.evt.parse_chunk(chunk)

Requires a chunk that starts with an EVENTLOGRECORD header.