`evtx`¶

$ target-query <path/to/target> -f evtx

Details¶
Module	`dissect.target.plugins.os.windows.log.evtx.EvtxPlugin`
Output	`records`

Module documentation

Plugin for fetching and parsing Windows Eventlog Files (*.evtx).

Function documentation

Return entries from Windows Event log files (*.evtx).

Windows Event log is a detailed record of system, security and application notifications. It can be used to diagnose a system or find future issues. Up until Windows XP the extension .evt was used, hereafter .evtx became the new standard.

References:

https://www.techtarget.com/searchwindowsserver/definition/Windows-event-log
https://serverfault.com/questions/441050/what-are-the-differences-between-windows-evt-and-evtx-log-files

Yields dynamically created records based on the fields in the event. At least contains the following fields:

hostname (string): The target hostname.
domain (string): The target domain.
ts (datetime): The TimeCreated_SystemTime field of the event.
Provider_Name (string): The Provider_Name field of the event.
EventID (int): The EventID of the event.

evtx¶

`evtx`¶