TZWorks LLC
System Analysis and Programming
www.tzworks.com


TZWorks®
Windows Event Log Viewer - evtx_view

(Version 1.22)



Information about our End User's License Agreements (EULAs)
for software on TZWorks, LLC Website www.tzworks.com

User Agreement

TZWorks LLC software and related documentation ("Software") is governed by separate licenses issued from TZWorks LLC. The User Agreement, Disclaimer, and/or Software may change from time to time. By continuing to use the Software after those changes become effective, you agree to be bound by all such changes. Permission to use the Software is granted provided that (1) use of such Software is in accordance with the license issued to you and (2) the Software is not resold, transferred or distributed to any other person or entity. Refer to the specific EULA issued to you for the terms and conditions. There are 3 types of licenses available: (i) for educational purposes, (ii) for demonstration and testing purposes and (iii) business and/or commercial purposes. Contact TZWorks LLC (info@tzworks.com) for more information regarding licensing and/or to obtain a license. To redistribute the Software, prior approval in writing is required from TZWorks LLC. The terms in your specific EULA do not give the user any rights in intellectual property or technology, but only a limited right to use the Software in accordance with the license issued to you. TZWorks LLC retains all rights to ownership of this Software.

Export Regulation

The Software is subject to U.S. export control laws, including the U.S. Export Administration Act and its associated regulations. The Export Control Classification Number (ECCN) for the Software is 5D002, subparagraph C.1. The user shall not, directly or indirectly, export, re-export or release the Software to, or make the Software accessible from, any jurisdiction or country to which export, re-export or release is prohibited by law, rule or regulation. The user shall comply with all applicable U.S. federal laws, regulations and rules, and complete all required undertakings (including obtaining any necessary export license or other governmental approval), prior to exporting, re-exporting, releasing, or otherwise making the Software available outside the U.S.

Disclaimer

The user agrees that this Software made available by TZWorks LLC is experimental in nature and use of the Software is at user's sole risk. The Software could include technical inaccuracies or errors. Changes are periodically added to the information herein, and TZWorks LLC may make improvements and/or changes to Software and related documentation at any time. TZWorks LLC makes no representations about the accuracy or usability of the Software for any purpose.

ALL SOFTWARE IS PROVIDED "AS IS" AND "WHERE IS" WITHOUT WARRANTY OF ANY KIND INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR ANY PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT. IN NO EVENT SHALL TZWORKS LLC BE LIABLE FOR ANY KIND OF DAMAGE RESULTING FROM ANY CAUSE OR REASON, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF INFORMATION AVAILABLE FROM THIS SOFTWARE, INCLUDING BUT NOT LIMITED TO ANY DAMAGES FROM ANY INACCURACIES, ERRORS, OR VIRUSES, FROM OR DURING THE USE OF THE SOFTWARE.

Removal

The Software is the original work of TZWorks LLC. However, to be in compliance with the Digital Millennium Copyright Act of 1998 ("DMCA") we agree to investigate and disable any material found to infringe copyright. Contact TZWorks LLC at email address info@tzworks.com regarding any DMCA concerns.


About the evtx_view Tool

evtx_view is a GUI event log viewer that can parse Windows event logs from all versions of Windows starting with Windows XP, including Vista, Windows 7 and 8 as well as the Windows Server versions. Originally inspired by the paper written by Andreas Schuster, 'Introducing the Microsoft Vista event log format', evtx_view was an attempt to take the concepts introduced in that paper and implement a parsing engine that does not depend on the Windows API. Written entirely in C++, the evtx_view parse engine has been ported to Windows, Linux and Mac OS X.

While Schuster's paper described the key elements of the new Microsoft event log file format introduced with Vista and Windows 7, it also included notes on the proprietary binary encoding of XML. Further research was necessary, however, to fully break out the binary XML structures used in Windows Vista and later. evtx_view is the culmination of this research. Under the hood, evtx_view uses the same event log parsing engine as evtwalk.

evtx_view also makes use of the FOX-toolkit. FOX is a C++ based toolkit for developing GUI applications that can run across various platforms by compiling the source for the appropriate OS. FOX is distributed under the GNU Lesser General Public License (LGPL), with a FOX Library License addendum.

To use this tool, an authentication (license) file must be in the same directory as the binary; without it the tool will not run.


How to use this Tool

From the File->Open menu, select a WinXP, Vista or Windows 7 event log file and the structure of the event log will be displayed.

The WinXP eventlogs reside at:

        %windir%\system32\config\[AppEvent.Evt | SecEvent.Evt | SysEvent.Evt]

The Vista/Win7 eventlogs reside at:

        %windir%\system32\winevt\logs\[Application.evtx | Security.evtx | System.evtx | ...]

The display is broken up into two panes. On the left is a tree view that contains all the records of the selected event log. On the right, the output of the selected records, as well as the results of any reports or filters, is displayed.

Geared towards examining the event log internals, the tree view for evtx logs is broken into chunks, mirroring how each chunk is stored within the actual log file. Expanding a chunk folder shows the collection of strings, templates and records that the chunk holds. For the evt logs (WinXP), the internal structure of the log is much simpler, so it is displayed by record only.
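The chunk and record layout that the tree view exposes, as an added example that is not part of this page or of the TZWorks parsing engine: a small Python parser that walks the 4096-byte file header, the 64 KiB chunks and the records inside each chunk of an .evtx file, and verifies the CRC32 checksums the format carries so that a truncated or tampered log is reported instead of being silently misparsed. The field offsets follow the Vista event log format as described in Schuster's paper and later public format write-ups; the binary XML inside each record is returned raw rather than decoded. The sample log is constructed in the code (placeholder bytes stand in for the binary XML body and the timestamps are hypothetical).

```python
# Added example, not evtx_view code: walk the container layout of an .evtx file
# (file header -> chunks -> records) and verify the checksums the format carries.
import struct
import zlib
from datetime import datetime, timedelta, timezone

FILE_SIG, CHUNK_SIG, RECORD_SIG = b"ElfFile\x00", b"ElfChnk\x00", b"\x2a\x2a\x00\x00"
FILE_HEADER_SIZE, CHUNK_SIZE, CHUNK_HEADER_SIZE = 4096, 0x10000, 512
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def parse_file_header(buf):
    if buf[:8] != FILE_SIG:
        raise ValueError("missing ElfFile signature")
    (first_chunk, last_chunk, next_rec_id, hdr_size, minor, major,
     block_size, chunk_count) = struct.unpack_from("<QQQIHHHH", buf, 8)
    flags, crc = struct.unpack_from("<II", buf, 120)
    if block_size != FILE_HEADER_SIZE or hdr_size != 128:
        raise ValueError("unexpected file header sizes")
    if crc != zlib.crc32(buf[:120]):          # checksum covers the first 120 bytes
        raise ValueError("file header checksum mismatch")
    return {"version": (major, minor), "first_chunk": first_chunk, "last_chunk": last_chunk,
            "next_record_id": next_rec_id, "chunk_count": chunk_count, "flags": flags}


def parse_chunk(buf, off):
    c = buf[off:off + CHUNK_SIZE]
    if c[:8] != CHUNK_SIG:
        raise ValueError(f"missing ElfChnk signature at offset {off:#x}")
    (first_num, last_num, first_id, last_id, hdr_size, last_rec_off,
     free_off, rec_crc) = struct.unpack_from("<QQQQIIII", c, 8)
    flags, hdr_crc = struct.unpack_from("<II", c, 120)
    # chunk checksum covers bytes 0-119 plus the string/template tables at 128-511
    if hdr_crc != zlib.crc32(c[:120] + c[128:CHUNK_HEADER_SIZE]):
        raise ValueError(f"chunk header checksum mismatch at offset {off:#x}")
    if rec_crc != zlib.crc32(c[CHUNK_HEADER_SIZE:free_off]):   # covers the record area
        raise ValueError(f"event records checksum mismatch at offset {off:#x}")
    # 64 common-string bucket offsets and 32 template pointers (0 = unused slot)
    strings = [o for o in struct.unpack_from("<64I", c, 128) if o]
    templates = [o for o in struct.unpack_from("<32I", c, 384) if o]
    records, pos = [], CHUNK_HEADER_SIZE
    while pos < free_off and c[pos:pos + 4] == RECORD_SIG:
        size, rec_id, ft = struct.unpack_from("<IQQ", c, pos + 4)
        (size_copy,) = struct.unpack_from("<I", c, pos + size - 4)   # trailing size copy
        if size_copy != size:
            raise ValueError(f"record {rec_id}: trailing size {size_copy} != {size}")
        records.append({"offset": off + pos, "record_id": rec_id,
                        "written": filetime_to_datetime(ft),
                        "binxml": c[pos + 24:pos + size - 4]})
        pos += size
    if records and (records[0]["record_id"], records[-1]["record_id"]) != (first_id, last_id):
        raise ValueError("record identifiers disagree with the chunk header")
    return {"offset": off, "first_record_id": first_id, "last_record_id": last_id,
            "string_offsets": strings, "template_offsets": templates, "records": records}


def parse_evtx(buf):
    log = parse_file_header(buf)
    log["chunks"] = [parse_chunk(buf, FILE_HEADER_SIZE + i * CHUNK_SIZE)
                     for i in range(log["chunk_count"])]
    return log


def build_sample_evtx(bodies):
    """Constructed fixture: one chunk, one record per body (placeholder BinXML)."""
    records, last_off, pos = b"", 0, CHUNK_HEADER_SIZE
    for i, body in enumerate(bodies, start=1):
        size = 24 + len(body) + 4
        ft = 132_000_000_000_000_000 + i * 10_000_000   # hypothetical timestamps, 1 s apart
        records += RECORD_SIG + struct.pack("<IQQ", size, i, ft) + body + struct.pack("<I", size)
        last_off, pos = pos, pos + size
    n = len(bodies)
    tables = b"\x00" * (CHUNK_HEADER_SIZE - 128)          # no common strings/templates
    head = CHUNK_SIG + struct.pack("<QQQQIIII", 1, n, 1, n, 128, last_off, pos,
                                   zlib.crc32(records)) + b"\x00" * 64   # 120 bytes
    chunk = head + struct.pack("<II", 0, zlib.crc32(head + tables)) + tables + records
    chunk += b"\x00" * (CHUNK_SIZE - len(chunk))
    fh = FILE_SIG + struct.pack("<QQQIHHHH", 0, 0, n + 1, 128, 1, 3, FILE_HEADER_SIZE, 1)
    fh += b"\x00" * 76                                     # 120 bytes so far
    fh += struct.pack("<II", 0, zlib.crc32(fh))             # flags, then checksum
    return fh + b"\x00" * (FILE_HEADER_SIZE - len(fh)) + chunk


if __name__ == "__main__":
    log = parse_evtx(build_sample_evtx([b"<constructed-event-1/>", b"<constructed-event-2/>"]))
    for chunk in log["chunks"]:
        for r in chunk["records"]:
            print(r["record_id"], r["written"].isoformat(), r["binxml"])
```

Pointing parse_evtx at a real Security.evtx gives the same chunk/record skeleton the tree view shows; the binary XML returned in each record is what the strings and templates tables of the chunk are needed to decode.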

Incorporated in version 0.62 and later is the ability to filter the log data by event ID, date, and/or strings contained in the events. This filtering is available in the 'Filters' menu.

When generating reports, version 0.24 and later annotate each field name with its position argument. These are the arguments that are substituted into the event's template message when it is displayed. The format for fields with position arguments is [xx:field_name], where xx is the argument number.

Parsing Custom Scripts

While evtx_view is a GUI based tool, it can also process custom scripts that extract any desired combination of event log data. This is located in the 'Reports' menu. The syntax for the custom scripts is described under 'User Defined Templates'.

Handling Volume Shadow Copies

Version 0.77 incorporates the capability of enumerating and parsing event logs from Volume Shadow Copies. This feature is only applicable to Vista, Win7, Win8 and later; it does not apply to Windows XP. Snapshots are worth checking because they can still hold event records that have since been overwritten or cleared from the live log.

To access a Volume Shadow Copy, select File -> "Open Volume Shadow". The next dialog is populated with the snapshots available on the system. After an index is selected, evtx_view traverses the volume shadow and displays another dialog listing all event logs that have at least one record. Select the event log to analyze and it is loaded and parsed into evtx_view.


User Defined Templates

These are text files that allow one to automate eventlog extraction. The parsing rules for these templates are as follows:

General Rules.

  1. Each line is parsed separately
  2. A line that starts with a double forward slash (e.g. //) is ignored and used for comments
  3. A blank line is ignored
  4. Any line not covered by Rules 2 and 3 above is assumed to be a command.
  5. All command lines are in CSV (comma separated value) format

Command lines

  1. Must start with the sequence: !cmd
  2. Contain the following options, CSV delimited (in any order):
        -enum_evtxlog (for Vista and later .evtx logs; use -enum_evtlog for pre-Vista .evt logs)
        -log, <path to the event log>
        -id, <event id to extract>
        -name, <name to use for the output>
        -conditions, <parameter name|value> (only events whose parameter matches the value are extracted, e.g. Data|winlogon.exe)
        -pull, <parameter data to extract> (may be repeated, once per parameter)
        

Template examples:

        !cmd, -enum_evtxlog, -log, c:\windows\system32\winevt\logs\security.evtx, -id, 4624, -name, logon, -pull, TargetUserSid, -pull, SubjectUserSid, -pull, TargetUserName, -pull, LogonProcessName
        !cmd, -enum_evtxlog, -log, c:\windows\system32\winevt\logs\system.evtx, -id, 1074, -name, reboot or shutdown, -conditions, Data|winlogon.exe

    // for pre-Vista (e.g. XP) .evt logs use the following:
    //  for -pull, use the keyword 'strings' to pull all the string data out
    //
        !cmd, -enum_evtlog, -log, c:\windows\system32\config\system.evt, -id, 1074, -name, reboot or shutdown, -conditions, string|winlogon.exe, -all_data

FAQs

Network shares and issues with running under the admin account.

One artifact of running under Vista or Windows 7 is that network shares mapped earlier as a regular (non-admin) user are isolated from other accounts, including the admin account. This occurs because User Account Control (UAC) treats members of the Administrators group as standard users. Network shares that are mapped by logon scripts are therefore associated with the standard user access token rather than with the full administrator access token.

(ref: Microsoft - http://support.microsoft.com/kb/937624) To work around this problem, configure the EnableLinkedConnections registry value. This value enables Windows Vista to share network connections between the filtered access token and the full administrator access token for a member of the Administrators group. After you configure this registry value, whenever a network resource is mapped to an access token, LSA checks whether there is another access token associated with the current user session. If LSA determines that there is a linked access token, it adds the network share to the linked location as well.

To configure the EnableLinkedConnections registry value, follow these steps:

Warning: Microsoft does not support this workaround. They state that it may make your system less safe, so it should only be applied at your own risk. Because it bridges the filtered and elevated tokens for every administrator logon, prefer it only on a dedicated analysis workstation, or copy the event logs locally instead.


X Window Dependencies

For this tool to work on Linux and macOS, the X Window System libraries are required (they are not required on Windows). These libraries use the X11 protocol and graphics primitives to render the graphical user interface components, and are common on Unix-like OS's.

If one is unfamiliar with X Windows or the libraries associated with it: on macOS, one can download an installer package from XQuartz.org, an open-source effort that provides the X Window System for macOS; on Linux, the X11 libraries are normally installed from the distribution's package manager.

After the X11 libraries are installed, one needs to ensure the X server is running prior to running this tool.


Authentication and License File

This tool has authentication built into the binary. The primary authentication mechanism is the X.509 code signing certificate embedded in the binary (Windows and macOS).

The other mechanism is the runtime authentication, which applies to all versions of the tool (Windows, Linux and macOS). The runtime authentication ensures that the tool has a valid license. The license needs to be in the same directory as the tool for it to authenticate. Furthermore, any modification to the license, either to its name or contents, will invalidate the license.

Limited versus Demo versus Full in the tool's output banner

The tools from TZWorks output header information about the tool's version and whether it is running in limited, demo or full mode. This is directly related to the version of the license the tool authenticates with. The limited and demo keywords indicate that some functionality of the tool is not available, and the full keyword indicates that all the functionality is available. The lacking functionality in the limited or demo versions may mean one or all of the following: (a) certain options may not be available, (b) certain data may not be output in the parsed results, and (c) the license has a finite lifetime before expiring.


Version history


References

  1. Andreas Schuster, 'Introducing the Microsoft Vista event log format', 2007.
  2. Wikipedia, the free encyclopedia: Event Viewer.
  3. TechNet: New Tools for Event Management in Windows Vista.
  4. Randy Franklin Smith's online encyclopedia.
  5. TZWorks, Windows Event Log Viewer (evtx_view).
  6. TZWorks, Windows Event Log Parser (evtwalk).
  7. FOX-toolkit, version 1.6.43.
  8. X Window System libraries, XQuartz.org.