TZWorks LLC
System Analysis and Programming
www.tzworks.com


TZWorks®
Windows Eventlog Parser - evtwalk

(Version 0.65)



Information about our End User's License Agreements (EULAs)
for software on TZWorks, LLC Website www.tzworks.com

User Agreement

TZWorks LLC software and related documentation ("Software") is governed by separate licenses issued from TZWorks LLC. The User Agreement, Disclaimer, and/or Software may change from time to time. By continuing to use the Software after those changes become effective, you agree to be bound by all such changes. Permission to use the Software is granted provided that (1) use of such Software is in accordance with the license issued to you and (2) the Software is not resold, transferred or distributed to any other person or entity. Refer to the specific EULA issued to you for its terms and conditions. There are 3 types of licenses available: (i) for educational purposes, (ii) for demonstration and testing purposes and (iii) business and/or commercial purposes. Contact TZWorks LLC (info@tzworks.com) for more information regarding licensing and/or to obtain a license. To redistribute the Software, prior approval in writing is required from TZWorks LLC. The terms in your specific EULA do not give the user any rights in intellectual property or technology, but only a limited right to use the Software in accordance with the license issued to you. TZWorks LLC retains all rights to ownership of this Software.

Export Regulation

The Software is subject to U.S. export control laws, including the U.S. Export Administration Act and its associated regulations. The Export Control Classification Number (ECCN) for the Software is 5D002, subparagraph C.1. The user shall not, directly or indirectly, export, re-export or release the Software to, or make the Software accessible from, any jurisdiction or country to which export, re-export or release is prohibited by law, rule or regulation. The user shall comply with all applicable U.S. federal laws, regulations and rules, and complete all required undertakings (including obtaining any necessary export license or other governmental approval), prior to exporting, re-exporting, releasing, or otherwise making the Software available outside the U.S.

Disclaimer

The user agrees that this Software made available by TZWorks LLC is experimental in nature and use of the Software is at user's sole risk. The Software could include technical inaccuracies or errors. Changes are periodically added to the information herein, and TZWorks LLC may make improvements and/or changes to Software and related documentation at any time. TZWorks LLC makes no representations about the accuracy or usability of the Software for any purpose.

ALL SOFTWARE IS PROVIDED "AS IS" AND "WHERE IS" WITHOUT WARRANTY OF ANY KIND INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR ANY PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT. IN NO EVENT SHALL TZWORKS LLC BE LIABLE FOR ANY KIND OF DAMAGE RESULTING FROM ANY CAUSE OR REASON, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF INFORMATION AVAILABLE FROM THIS SOFTWARE, INCLUDING BUT NOT LIMITED TO ANY DAMAGES FROM ANY INACCURACIES, ERRORS, OR VIRUSES, FROM OR DURING THE USE OF THE SOFTWARE.

Removal

The Software is the original work of TZWorks LLC. However, to be in compliance with the Digital Millennium Copyright Act of 1998 ("DMCA") we agree to investigate and disable any material for infringement of copyright. Contact TZWorks LLC at email address: info@tzworks.com, regarding any DMCA concerns.


About the evtwalk Tool

evtwalk is a command line tool that can parse Windows event logs from all versions of Windows starting with Windows XP. This includes Vista, Windows 7, Windows 8 as well as the Windows server versions.

The output is presented with one event record per line and includes a couple of formatting options. Under the hood, evtwalk uses the same event log parsing engine as evtx_view. As a command line tool, evtwalk can easily be incorporated into an analyst's processing workflow by automating its execution from any scripting language.

evtwalk allows one to generate reports of specific event log artifacts, such as USB plug-n-play events, user credential changes, password changes, and logon/logoff events, among others. If one of the available report options does not address an analyst's needs, there is an option for the user to generate his/her own custom report to be used and processed.

There are 32 and 64 bit versions of evtwalk spanning Windows, Linux and Mac OS-X.

To use this tool, an authentication file is required to be in the same directory as the binary in order for the tool to run.


How to use evtwalk

Event Log Locations/Names (background)

Windows event logs reside in different locations depending on whether one is on a Windows XP box, or later version, such as Windows 7 or 8. In addition to the location differences, there are also (a) naming differences in the event log file itself, and (b) significantly more event logs present starting with Vista and the later operating systems. For example, Windows 7 can have over 70 unique event logs versus the three present in Windows XP. Below are the locations for the event logs with the various Windows operating systems.

Windows XP and earlier:

    %windir%\system32\config\[AppEvent.Evt | SecEvent.Evt | SysEvent.Evt]

Windows Vista and later (Windows 7, Windows 8, ...):

    %windir%\system32\winevt\logs\[Application.evtx | Security.evtx | System.evtx | ...]

Starting evtwalk

While the evtwalk tool doesn't require one to run with administrator privileges, choosing not to do so may restrict one to only looking at separately extracted event logs, depending on the version of Windows and how the permissions are set up. Therefore, it is recommended to run evtwalk with admin privileges if one wants to look at the event logs on a live host machine.

One can display the menu options by typing in the executable's name without parameters. Below is the menu with the various options; details of each option are given in the sections that follow.

    Usage:

      evtwalk -log "log1 | log2 | .."   = pull data from extracted logs
      evtwalk -livesys                  = pull data from the running OS
      evtwalk -vss <num>                = pull data from Volume Shadow
      evtwalk -partition <drive letter> = requires volume to be traversable
      dir c:\somedir\*.evtx /b /s | evtwalk -pipe
      evtwalk -enumdir <folder> -num_subdirs <#> [options]

     Report options
      -pw                    = pull password changes [security log]
      -time                  = pull clock changes or updates [security logs]
      -logon                 = pull logons [security log]
      -startstop             = pull system start/stop times [system log]
      -creds                 = pull credential changes [security log]
      -usb                   = pull usb events [various logs]
      -cmdfile <filename>    = custom report defined by cmd file

     Processing options
      -pipe                  = pipe files into evtwalk for processing
      -quiet                 = don't display status during run
      -filter <*partial*|*.ext> = filters stdin data from -pipe option

     Filter options
      -eventid "id1, id2, ."
      -string <substring>
      -start_time <time UTC> =  time in "MM/DD/YYYY HH:MM:SS" format
      -stop_time <time UTC>  =  time in "MM/DD/YYYY HH:MM:SS" format

     Basic options
      -csv                   = output in comma separated value format
      -csvl2t                = log2timeline output
      -bodyfile [-allparams] = sleuthkit output

     Additional options
      -dateformat mm/dd/yyyy = "yyyy-mm-dd" is the default
      -timeformat hh:mm:ss   = "hh:mm:ss.xxx" is the default
      -pair_datetime         = combine date/time into 1 field for csv
      -no_whitespace         = remove whitespace between csv delimiter
      -csv_separator "|"     = use a pipe char for csv separator
      -stats <file>          = generate summary statistics
      -inc_slack             = incl any records from slack as well

     Create subset evtx logs utility options [targeting certain entries ***]
      -createlog <result log> -log <srclog> -eventid "id1, id2, ..." 
      -createlog <result log> -log <srclog> -rec_id "rec1, rec2, ..."
      -createlog <result log> -log <srclog> -rec_start <rec1> -rec_stop <recN>

It is important to note that some options are only available with a commercial license. These are designated with a double asterisk. The basic options, however, are available for personal/non-commercial use.

For basic usage and to parse an individual event log file, use the following notation:

    evtwalk -log <event log file>  >  results.txt

Without specifying one of the format options, the output is rendered in a custom CSV format that uses the pipe character "|" as a delimiter instead of a comma. All similar event IDs are grouped together. This allows each grouping to have its own specific header (if applicable), since different events have different metadata.

In the command used above, the output is redirected to a text file called results.txt. Like all artifacts that have many records and where each record has multiple fields, the output that is generated is usually very long and wide. Thus, it is recommended that one redirect the output of the command to a file.

One can also parse multiple event logs in one session. There are three ways to do this: (a) specifying individual event logs via multiple -log options, (b) using the -livesys option or (c) using the -pipe option.

When generating reports, starting with version 0.24, the fields are annotated with their position arguments. These are the arguments that are placed into the event log template message that gets displayed. The format for fields with position arguments is [xx:field_name], where xx is the argument number.


Specifying Multiple Individual Event Logs

To use the -log <event log file> option to specify multiple event logs, use the pipe delimiter between each event log name, as shown below.

    evtwalk  -log "<event log1>|<event log2>|..." >  results.txt

This is useful when pulling a similar category of artifacts from multiple event logs. A good example of this is pulling USB events. The two logs needed for USB plug-n-play events are the System event log and DriverFrameworks-UserMode event log. If one extracts these two logs, one can invoke the following, rather lengthy, command to process all USB events from the two logs:

    evtwalk -usb -log "system.evtx | Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx" > results.txt

The results.txt file will contain a sorted set of groups of all "like USB" event IDs and will provide appropriate header fields that match the record metadata for each class of event.


Processing Volume Shadow Copies

For starters, to access Volume Shadow copies, one needs to be running with administrator privileges. Also, it is important to note that Volume Shadow copies, as discussed here, only apply to Windows Vista, Win7, Win8, and beyond. They do not apply to Windows XP.

To simplify the syntax, we've built in a shortcut for accessing a specific file in a specified Volume Shadow copy, via the %vss% keyword. This internally gets expanded into \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy. Thus, to access index 1 of the volume shadow copy, one combines the keyword and the index (e.g. %vss%1) in front of the normal path of the file. For example, to access the system event log from HarddiskVolumeShadowCopy1, the following syntax can be used:

    evtwalk -log %vss%1\Windows\System32\winevt\logs\System.evtx > results.txt

In addition, one can process all the event logs in a shadow copy using the option -vss <index of volume shadow>. This option traverses the specified volume shadow copy, looks only in the normal event log directory to find which logs are available, and then proceeds to process those event logs.

To determine which indexes are available from the various Volume Shadows, one can use the Windows built-in utility vssadmin, as follows:

    vssadmin list shadows

    -- or to filter out extraneous detail --
    
    vssadmin list shadows | find /i "volume"

While the amount of data from the above command can be voluminous, the keywords one needs to look for are names that look like this:

    Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
    Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
    ...

From the example above, notice the number after the word HarddiskVolumeShadowCopy. This is the number that is passed as an argument to the previous options.


Processing all Event Logs in a Specified Partition

One can process all the event logs on a specified volume using the -partition <drive letter> option. This command looks in the normal event log directory to find which logs are available and then proceeds to process those logs. It is useful when a collected image of a system volume is mounted as another drive letter.


Examining all the Event Logs on the Currently Running Machine

For a live system, one can use the -livesys switch to examine all the event logs on a host machine. In this mode, evtwalk will determine the Windows version of the host machine, and will then scan the appropriate event log directory for that version of Windows. Below are some examples:

    evtwalk -livesys  >  results.txt
    evtwalk -livesys -string "tzworks"  >  results.txt

The first example traverses all event log files found in the Windows event log directory and parses each record of each event log encountered. The second example adds the -string filter option. It examines the same event logs as the first example, but only outputs records that contain the string "tzworks" in one of the record fields. More information about the various filter options is given below.

Note: the -livesys option only looks at the default location for the event logs. This location can be changed via modifying the registry at the location:

    System\CurrentControlSet\Services\EventLog\[Security|System|...]\File

For cases where the default location has been changed, one can process the live event logs either by using the -log <eventlog location> option, or by enumerating the path\folder containing the event logs with the dir command and using the -pipe switch. This is discussed in the next section.


Examining Multiple Event Logs in a Directory or Subdirectories

If looking at a collection of event logs that are not part of the running operating system, but gathered as part of an investigation, one can invoke the -pipe switch to analyze all desired event logs in one session. The -pipe switch tells evtwalk to receive a separate path/filename per line as input and process each entry separately. By redirecting the output of the processed records to a file, one can generate a single report for all the event logs piped in.

The syntax of the piping operation differs depending on whether one is running on Windows or Linux (and Mac). For Windows, one can use the built-in dir command along with some of its companion switches to get the desired result. For Linux or Mac, one can use either the built-in ls or find command. For the ls command, the switch to use is -1 (the number 'one' versus the letter l). Whatever option is used, one must ensure that each entry output by the command before the pipe character (a) is on its own line, and (b) contains only the absolute path with the filename. Below is an example of using this option:

    dir c:\testcases\*.evtx /b /s | evtwalk -pipe > results.txt
    ls -1 ~/testcases/*.evtx | ./evtwalk -pipe > results.txt

The above syntax will process all the event log files with the extension .evtx that are located anywhere in the c:\testcases directory.

One can modify the output by inserting a report option and/or by specifying another output format. Below is an example of processing the logons/logoffs for security event logs in the c:\testcases directory and subdirectories, and subsequently outputting the results as a log2timeline report:

    dir c:\testcases\*.evtx /b /s | evtwalk -pipe -logon -csvl2t > results.txt
    ls -1 ~/testcases/*.evtx | evtwalk -pipe -logon -csvl2t > results.txt

Generating Event Category Reports

Instead of outputting all the records that are present in an event log, one may only be interested in a certain class of event data. Depending on how the host machine was configured, for event records to be present, one may need to enable the event logging for a class of events. Below are the report categories currently available for this tool:

  Option      Description
  -pw         Extract the event IDs for password changes.
  -time       Extract the event IDs for clock changes or updates.
  -logon      Extract the event IDs for user logon/logoff events.
  -startstop  Extract the event IDs for system start/stop times.
  -creds      Extract the event IDs for user credential or permission changes.
  -usb        Extract the event IDs for USB insertions and removals.
  -cmdfile    Customize which event IDs to extract as well as which fields within each event record to output. The syntax is -cmdfile <filename>.

One can also have multiple report options. Below is an example of pulling the logon/logoff events as well as the USB events as a session.

    evtwalk -livesys -logon -usb > results.txt

If there are other reports an analyst wants that are not in the above list, or if one wishes to modify the reports above, one can define one's own report via the -cmdfile <path\file> switch. The argument passed in is a text file that identifies which events to pull and which fields in the event record to output. These 'cmdfiles' are called 'User Defined Templates'. More information about the format and rules for generating one of these files is given in the User Defined Templates section below.


Converting Segmented CSV formats into Database Friendly Formats

When running evtwalk to pull differing events from an event log into one results file, the CSV output will vary depending on the event ID that is processed. While the -bodyfile and -csvl2t formats will preserve the CSV structure, the default CSV output will show the results as segmented CSV sections. Each CSV section will represent a different event ID. This can create problems when trying to import the evtwalk results into other databases for analysis.

To solve this problem, one can use the csvdx tool to take the segmented CSV results (or any CSV results) and convert them into either JSON or SQLite. See the csvdx web page and user guide for details.
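The segmented layout described above (one header per group of like event IDs, pipe-delimited, position-annotated fields written as [xx:field_name]) is what makes a straight database import fail. The following Python script is an added example, not TZWorks code and not csvdx: it walks such output, re-reads the column list every time a new header appears, strips the [xx:] prefix from field names, and loads each event-ID group into its own SQLite table (or emits JSON lines). The sample output embedded in it is constructed to match the layout described in this guide, and the assumption that a header line begins with "date|" is the script's own.

```python
"""Flatten evtwalk's default segmented output into per-event-ID SQLite
tables or JSON lines.  Added example; not part of evtwalk or csvdx."""
import json
import re
import sqlite3

# Constructed sample, not a real evtwalk capture: like event IDs are grouped
# under their own header line, '|' is the delimiter, and position-annotated
# fields appear as [xx:field_name].
SAMPLE_OUTPUT = """\
date|time|event id|log|[5:TargetUserName]|[9:LogonType]
2014-03-02|13:05:11.123|4624|Security|alice|2
2014-03-02|13:06:40.221|4624|Security|svc_backup|5

date|time|event id|log|[1:Data]
2014-03-02|18:40:02.000|1074|System|winlogon.exe
"""

POSITION_RE = re.compile(r"^\[(\d+):(.+)\]$")


def strip_position(header_field):
    """'[5:TargetUserName]' -> ('5', 'TargetUserName'); a plain header such
    as 'date' comes back as (None, 'date')."""
    field = header_field.strip()
    m = POSITION_RE.match(field)
    return (m.group(1), m.group(2)) if m else (None, field)


def parse_segmented(text, sep="|"):
    """Walk the output line by line.  A header line (assumed here to begin
    with 'date' + sep) replaces the column list in force; every following
    data row is split against that header until the next header appears.
    Returns a flat list of dicts keyed by the bare field name."""
    records, columns = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue                      # blank separator between groups
        if line.lower().startswith("date" + sep):
            columns = [strip_position(c)[1] for c in line.split(sep)]
            continue
        if columns is None:
            raise ValueError("data row before any header: %r" % line)
        values = [v.strip() for v in line.split(sep)]
        if len(values) != len(columns):
            raise ValueError("field count does not match header: %r" % line)
        records.append(dict(zip(columns, values)))
    return records


def to_json_lines(records):
    """One JSON object per line, keys sorted so diffs between runs are stable."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)


def load_into_sqlite(records, path=":memory:"):
    """One table per event ID (evt_<id>), so each group keeps the columns its
    header declared instead of being squeezed into a common schema.  Column
    names come from untrusted log output, so they are rejected if they
    contain a double quote and are always double-quoted in the SQL.
    Returns {table name: row count}."""
    groups = {}
    for rec in records:
        groups.setdefault("evt_%s" % rec["event id"], []).append(rec)
    conn = sqlite3.connect(path)
    counts = {}
    for table, rows in sorted(groups.items()):
        cols = list(rows[0].keys())
        if any('"' in c for c in cols) or not table[len("evt_"):].isdigit():
            raise ValueError("refusing unsafe identifier in %s" % table)
        col_sql = ", ".join('"%s" TEXT' % c for c in cols)
        conn.execute('CREATE TABLE IF NOT EXISTS "%s" (%s)' % (table, col_sql))
        conn.executemany(
            'INSERT INTO "%s" VALUES (%s)' % (table, ", ".join(["?"] * len(cols))),
            [tuple(r.get(c, "") for c in cols) for r in rows])
        counts[table] = conn.execute('SELECT COUNT(*) FROM "%s"' % table).fetchone()[0]
    conn.commit()
    conn.close()
    return counts


if __name__ == "__main__":
    recs = parse_segmented(SAMPLE_OUTPUT)
    print(to_json_lines(recs))
    print(load_into_sqlite(recs))          # {'evt_1074': 1, 'evt_4624': 2}
```

Pointing the script at a real results file means replacing SAMPLE_OUTPUT with the file's contents and passing a file path to load_into_sqlite; if the header convention of a given evtwalk build differs from the "date|" assumption, only the test in parse_segmented needs to change.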


Filtering Options

When traversing an event log, or many event logs, and looking for a set of events, the filtering capability becomes an attractive option. Below are the available options:

  Option       Description
  -eventid     Filter on the specified event ID(s). Multiple IDs are delimited with commas. The syntax is -eventid "id1, id2, ...".
  -string      Filter on the specified string; the comparison is case insensitive. The syntax is -string "substring to target".
  -start_time  Keep events occurring at the specified time or later. The syntax is -start_time "time in UTC", with the time in MM/DD/YYYY or "MM/DD/YYYY HH:MM:SS" format.
  -stop_time   Keep events occurring at the specified time or earlier. The syntax is -stop_time "time in UTC", with the time in MM/DD/YYYY or "MM/DD/YYYY HH:MM:SS" format.

Various Options

  Option           Description
  -log             Identify which event log(s) to operate on. The syntax is -log <eventlog to analyze>. To operate on more than one at a time, use -log "<eventlog1> | <eventlog2> | ...".
  -livesys         Examine all event logs from the running operating system.
  -partition       Extract artifacts from a specified mounted partition. The syntax is -partition <drive letter>.
  -vss             Experimental. Extract artifacts from a Volume Shadow copy. The syntax is -vss <index number of shadow copy>. Only applies to Windows Vista, Win7, Win8 and beyond; does not apply to Windows XP.
  -stats           Experimental. Extract statistics from the event log, including the time range of the records in the log and a histogram of the event IDs in the log. The syntax is -stats <file to store stats>.
  -inc_slack       Experimental. During normal parsing of a log file, tells the tool to examine any slack space in the log sections for deleted records.
  -hist            Experimental. Extract statistics from certain events based on a set of specified fields. Requires the -stats option. The syntax is -stats <file to store stats> -hist "field1|field2|...".
  -csv             Output the data fields delimited by commas. Since filenames can contain commas, any commas in filenames are converted to spaces so that the fields remain uniquely separated.
  -csvl2t          Output the data fields in the log2timeline format.
  -bodyfile        Output the data fields in the SleuthKit 'body-file' version 3 format. The date/timestamp written to the body-file is in UTC, so when using the body-file with the mactime.pl utility, set the environment variable TZ=UTC. The -allparams option can be used with -bodyfile to output all the fields in each record.
  -pipe            Pipe files into the tool via STDIN (standard input). Each file passed in is parsed in sequence.
  -enumdir         Experimental. Process files within a folder and/or its subfolders. Each file is parsed in sequence. The syntax is -enumdir <"folder"> -num_subdirs <#>.
  -filter          Filter the data passed in via stdin with the -pipe option. The syntax is -filter <"*.ext | *partialname* | ...">. The wildcard character '*' may appear only before or after the name. An example of using the filter to select certain log files: dir C:\Windows\System32\winevt\Logs /b /s | evtwalk -pipe -filter "system.evtx|security.evtx|*driverframeworks*". The first two filter terms are explicit file names, while the last term matches any name containing driverframeworks.
  -no_whitespace   Used with the -csv option to remove any whitespace between the field value and the CSV separator.
  -csv_separator   Used with the -csv option to change the CSV separator from the default comma to something else. The syntax is -csv_separator "|" to change the separator to the pipe character. To use a tab as the separator, use -csv_separator "tab" or -csv_separator "\t".
  -dateformat      Output the date using the specified format. The default is -dateformat "yyyy-mm-dd". This option allows the format to be adjusted to mm/dd/yy, dd/mm/yy, etc. The restriction is that a forward slash (/) or dash (-) must separate month, day and year, and the month must be in digit (1-12) form rather than abbreviated name form.
  -timeformat      Output the time using the specified format. The default is -timeformat "hh:mm:ss.xxx". One can adjust the format to microseconds via "hh:mm:ss.xxxxxx", nanoseconds via "hh:mm:ss.xxxxxxxxx", or no fractional seconds via "hh:mm:ss". The restrictions are that a colon (:) must separate hours, minutes and seconds, a period (.) must separate the seconds and fractional seconds, and the repeated symbol 'x' represents the number of fractional-second digits. (Note: fractional seconds apply only to those time formats that have the appropriate precision available. The Windows internal FILETIME, for example, has 100 nsec unit precision; the DOS time format and the UNIX 'time_t' format have no fractional seconds.) Some of the times reported by this tool may use a time format without fractional seconds and therefore will not show precision beyond seconds when using this option.
  -pair_datetime   Output the date/time as one field instead of two with the -csv option.
  -quiet           Suppress any intermediate progress output during a session run.
  -utf8_bom        All output is in Unicode UTF-8 format. If desired, this option prefixes a UTF-8 byte order mark to the CSV output.
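The -pipe input described in the "Examining Multiple Event Logs in a Directory or Subdirectories" section and the -filter term rules in the table above are simple enough to reproduce outside the tool, which is useful on Linux or Mac where "ls -1 dir/*.evtx" does not recurse the way "dir /b /s" does. The Python script below is an added example, not TZWorks code: it walks a directory tree, keeps only files whose name satisfies one of the '|'-separated terms under the same rules the table gives for -filter (a '*' only at the start and/or end of the term, case-insensitive), and writes one absolute path per line for "evtwalk -pipe" to consume. The sample path list inside it is constructed for the self-check and the matching rules are this script's reading of the table, not evtwalk's own code.

```python
"""Build the one-path-per-line list that 'evtwalk -pipe' reads, applying
-filter style name terms.  Added example; not part of evtwalk."""
import os
import sys

# Constructed sample paths used for the self-check (not a real directory).
SAMPLE_PATHS = [
    r"C:\Windows\System32\winevt\Logs\System.evtx",
    r"C:\Windows\System32\winevt\Logs\Security.evtx",
    r"C:\Windows\System32\winevt\Logs\Application.evtx",
    r"C:\Windows\System32\winevt\Logs\Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx",
    r"C:\Windows\System32\winevt\Logs\Setup.evtx",
]


def _basename(path):
    """Last path component, accepting both '\\' and '/' so Windows-style
    paths from a collected image work when the script runs on Linux/Mac."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def matches_term(filename, term):
    """Match one filter term against a bare file name, case-insensitively
    (Windows file names are).  '*' is allowed only at the start and/or end:
    '*.evtx' (suffix), 'system.evtx' (exact), '*driverframeworks*' (substring),
    'sec*' (prefix)."""
    name = filename.lower()
    t = term.strip().lower()
    if not t:
        return False
    leading, trailing = t.startswith("*"), t.endswith("*")
    core = t.strip("*")
    if "*" in core:
        raise ValueError("wildcard only allowed before or after the name: %r" % term)
    if leading and trailing:
        return core in name
    if leading:
        return name.endswith(core)
    if trailing:
        return name.startswith(core)
    return name == core


def select_paths(paths, filter_spec):
    """Keep the paths whose file name satisfies at least one '|'-separated
    term, preserving the input order."""
    terms = [x for x in filter_spec.split("|") if x.strip()]
    return [p for p in paths if any(matches_term(_basename(p), t) for t in terms)]


def enumerate_logs(root, filter_spec="*.evtx"):
    """Recurse like 'dir /b /s' (a plain 'ls -1 dir/*.evtx' glob does not)
    and return sorted absolute paths of the matching files."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            found.append(os.path.abspath(os.path.join(dirpath, f)))
    return sorted(select_paths(found, filter_spec))


if __name__ == "__main__":
    # Usage (hypothetical script name):
    #   python pipelist.py /mnt/image/Windows/System32/winevt/Logs \
    #       "system.evtx|security.evtx|*driverframeworks*" | ./evtwalk -pipe -usb > results.txt
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    spec = sys.argv[2] if len(sys.argv) > 2 else "*.evtx"
    sys.stdout.write("\n".join(enumerate_logs(root, spec)) + "\n")
```

Each emitted line is a complete absolute path with nothing else on it, which is exactly what the -pipe switch requires; a term with an embedded wildcard (e.g. "sys*m.evtx") is rejected rather than silently matching nothing.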

User Defined Templates (eg. cmdfiles)

For those cases where one would like to extract a certain group of event IDs, templates can be useful. Once a template is defined, it can be used to ensure repeatable parsing of the same event IDs for each session run.

The templates are just text files, so they can be generated with any text editor. Care must be taken to ensure that extra control characters are not inserted into the text files. Having extra control characters will negatively affect the template parsing engine. For this reason, it is recommended that a simple text editor be used.

The parsing rules for these templates are as follows:

General Rules

  1. Each line is parsed separately.
  2. A line that starts with a double forward slash (e.g. //) is ignored and used for comments.
  3. A blank line is ignored.
  4. Any line not satisfying Rules 2 and 3 above is assumed to be a command.
  5. All command lines are in CSV format, where the separator is a comma.

Command lines

  1. Must start with the sequence: !cmd
  2. Contain the following options, using comma delimiters (in any order):
       -enum_evtxlog or -enum_evtlog   depending on whether targeting a Win7 box or a WinXP box
       -id, <event id to extract>
       -name, <event name to use for output>
       -conditions, <parameter name|value name>
       -pull, <parameter data to extract>
       -type, [system | security | application | etc]

Template Examples:

    !cmd, -enum_evtxlog, -type, security, -id, 4624, -name, logon, -pull, TargetUserSid, -pull, SubjectUserSid, -pull, TargetUserName, -pull, LogonProcessName
    !cmd, -enum_evtxlog, -type, system, -id, 1074, -name, reboot or shutdown, -conditions, Data|winlogon.exe

    // for pre-vista (eg. xp) use the following:
    //
    !cmd, -enum_evtlog, -type, system, -id, 528, -name, reboot or shutdown, -conditions, string|winlogon.exe

The above are examples you would put into a template file (a separate txt file with command syntax described above). To invoke a template file from the command line, one would issue the following command (assuming the cmdfile was named sample_cmds[1|2].txt). The first example below is for pulling out data from the security log, while the second is for the system log:

    evtwalk -cmdfile sample_cmds1.txt -log c:\windows\system32\winevt\logs\Security.evtx
    evtwalk -cmdfile sample_cmds2.txt -log c:\windows\system32\winevt\logs\System.evtx
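Because a stray control character or a malformed line silently spoils a template, it is worth checking a cmdfile against the rules above before handing it to evtwalk. The Python linter below is an added example, not TZWorks code: it applies the general rules (comments, blank lines, everything else is a command), parses each !cmd line into its options, rejects control characters other than tab/CR/LF, and reports a missing -type as a finding, since the caution below explains why an event ID without a log type is ambiguous. The good template embedded in it is the three example lines from this section; the bad one is constructed to exercise the error paths. How evtwalk itself reacts to each malformed line is not documented here, so the linter's verdicts are this script's reading of the rules, not the tool's behaviour.

```python
"""Lint an evtwalk User Defined Template (cmdfile) against the rules in
this section.  Added example; not part of evtwalk."""
import re
import sys

# Control characters other than tab/CR/LF: the guide warns these upset the
# template parser when an editor slips them in.
CONTROL_RE = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")
ENUM_OPTIONS = ("-enum_evtxlog", "-enum_evtlog")
VALUE_OPTIONS = ("-id", "-name", "-conditions", "-pull", "-type")

# The three example command lines from this section of the guide.
SAMPLE_TEMPLATE = """\
!cmd, -enum_evtxlog, -type, security, -id, 4624, -name, logon, -pull, TargetUserSid, -pull, SubjectUserSid, -pull, TargetUserName, -pull, LogonProcessName
!cmd, -enum_evtxlog, -type, system, -id, 1074, -name, reboot or shutdown, -conditions, Data|winlogon.exe

// for pre-vista (eg. xp) use the following:
//
!cmd, -enum_evtlog, -type, system, -id, 528, -name, reboot or shutdown, -conditions, string|winlogon.exe
"""

# Constructed bad template: a NUL byte, a missing -id, a line that does not
# start with !cmd, and a command with no -type.
BAD_TEMPLATE = "\n".join([
    "!cmd, -enum_evtxlog, -type, security, -id, 4625, -name, logon\x00failed",
    "!cmd, -enum_evtxlog, -type, security, -name, no id here",
    "cmd, -enum_evtxlog, -id, 1, -name, x",
    "!cmd, -enum_evtxlog, -id, 4625, -name, logon failed",
])


def parse_cmd_line(line):
    """Parse one '!cmd, ...' line into a dict with keys enum, id, name,
    type, pull (list) and conditions (list of (parameter, value))."""
    tokens = [t.strip() for t in line.split(",")]
    if tokens[0] != "!cmd":
        raise ValueError("command line must start with !cmd")
    cmd = {"enum": None, "id": None, "name": None, "type": None,
           "pull": [], "conditions": []}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok in ENUM_OPTIONS:
            if cmd["enum"]:
                raise ValueError("only one of -enum_evtxlog/-enum_evtlog allowed")
            cmd["enum"] = tok
            i += 1
            continue
        if tok not in VALUE_OPTIONS:
            raise ValueError("unknown option %r" % tok)
        if i + 1 >= len(tokens):
            raise ValueError("%s needs a value" % tok)
        val = tokens[i + 1]
        if tok == "-id":
            if not val.isdigit():
                raise ValueError("-id must be a decimal event ID, got %r" % val)
            cmd["id"] = int(val)
        elif tok == "-name":
            cmd["name"] = val
        elif tok == "-type":
            cmd["type"] = val.lower()
        elif tok == "-pull":
            cmd["pull"].append(val)
        else:  # -conditions
            if "|" not in val:
                raise ValueError("-conditions expects <parameter name|value name>")
            param, value = val.split("|", 1)
            cmd["conditions"].append((param, value))
        i += 2
    required = {"enum": "-enum_evtxlog/-enum_evtlog", "id": "-id", "name": "-name"}
    for key, label in required.items():
        if cmd[key] is None:
            raise ValueError("missing %s" % label)
    return cmd


def lint_template(text):
    """Apply the general rules line by line.  Returns (commands, problems),
    where problems is a list of (line number, message).  A command with no
    -type still parses but is reported, because the same event ID can mean
    different things in different logs."""
    commands, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if CONTROL_RE.search(raw):
            problems.append((lineno, "stray control character"))
            continue
        line = raw.strip()
        if not line or line.startswith("//"):
            continue
        try:
            cmd = parse_cmd_line(line)
        except ValueError as exc:
            problems.append((lineno, str(exc)))
            continue
        if cmd["type"] is None:
            problems.append((lineno, "no -type given; event ID %d may collide across logs" % cmd["id"]))
        commands.append(cmd)
    return commands, problems


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BAD_TEMPLATE
    for lineno, msg in lint_template(text)[1]:
        print("line %d: %s" % (lineno, msg))
```

Run it with the cmdfile's path as the only argument; a clean template prints nothing, which is the state to reach before the template is used for repeatable processing across many logs.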

Caution about using Templates

When using templates to parse event logs, one needs to be careful to use the appropriate template for the desired type of log file. One cannot blindly use a template on uncommon types of log files unless one is sure that each event ID in the template is unique to that event log. For example, if targeting event ID 4625 in the security log, this translates to a failed logon event. However, in the application log, event ID 4625 is the suppression of duplicate log entries. To help avoid this issue, the -type, [system, security, application] option guides evtwalk to match the proper log file with the event ID specified.

Using the built-in 'category' reports avoids the above problem, since they have the necessary logic to point to the proper type of log for the event IDs used. Therefore, they can be safely thrown at many disparate log files (which may contain duplicate event ID numbers with differing meanings) and the results should be accurate.


Creating Subset Logs (Windows version only)

Separate and independent of the other options is the ability to create subset EVTX logs from a source log. This was added to facilitate debugging problem logs, and to allow clients to extract just a portion of the records from a large log into a separate, smaller EVTX log to send for analysis. This option is invoked with -createlog. With this option, one can filter either on event ID(s) or on record number(s). The syntax is shown below for the various cases:

  -createlog <result log> -log <srclog> -eventid "id1, id2, ..."
  -createlog <result log> -log <srclog> -rec_id "rec1, rec2, ..."
  -createlog <result log> -log <srclog> -rec_start <rec1> -rec_stop <recN>

The first case pulls any events with the specified event IDs from the source log; the other two are variations on the same theme of pulling only certain records, by record number, from the source log. In all cases, a resulting log is created containing just the specified event IDs or record numbers.


Known Issues

  1. If running on a Windows operating system post XP and running under admin permissions, any network shares established prior as a regular (non-admin) user, will be isolated from other accounts (including the admin account). This problem occurs because User Account Control (UAC) treats members of the Administrators group as standard users. Therefore, network shares that are mapped by logon scripts are shared with the standard user access token instead of with the full administrator access token.

Authentication and License File

This tool has authentication built into the binary. The primary authentication mechanism is the digital X509 code signing certificate embedded into the binary (Windows and macOS).

The other mechanism is the runtime authentication, which applies to all the versions of the tools (Windows, Linux and macOS). The runtime authentication ensures that the tool has a valid license. The license needs to be in the same directory of the tool for it to authenticate. Furthermore, any modification to the license, either to its name or contents, will invalidate the license.

Limited versus Demo versus Full in the tool's output banner

The tools from TZWorks output header information about the tool's version and whether it is running in limited, demo or full mode. This is directly related to which version of a license the tool authenticates with. The limited and demo keywords indicate that some functionality of the tool is not available, and the full keyword indicates that all the functionality is available. The lacking functionality in the limited or demo versions may mean one or all of the following: (a) certain options may not be available, (b) certain data may not be output in the parsed results, and (c) the license has a finite lifetime before expiring.


Version history


References

  1. Introducing the Microsoft Vista event log format, by Andreas Schuster, 2007
  2. Wikipedia, the free encyclopedia. Event Viewer topic
  3. TechNet, New Tools for Event Management in Windows Vista
  4. Randy Franklin Smith's online encyclopedia.
  5. Windows Event Log Viewer, evtx_view, https://tzworks.com/prototype_page.php?proto_id=4
  6. SleuthKit Body-file format, http://wki.sleuthkit.org/
  7. Log2timeline CSV format, http://log2timeline.net/