By far the largest part of an event record consists of a complex binary XML structure. I'm going to explain its internals in a series of postings. I'm starting with an overview of the XML schema.
Continue reading The Inner Structure.
Category "Vista event log"
I'm excited to release the first version of a template for the 010 Editor which parses the outer structure of a Vista event log file. By "outer structure" I refer to the structures described earlier in this blog, from the file level down to the single record. However, the template can not yet decode the binary XML inside of an event record - and provably never will. For this task I will provide a more complex tool in a few weeks.
Continue reading 010 Template to Parse an Evtx File.
This article documents the structure of a single event record within a Vista Event Log (.evtx) file. The event records go one by one, following the chunk header.
Continue reading Evtx Event Record.
Each event log file contains one or many so-called "chunks", which store the event records. During operation, only the current chunk of an event log file is mapped into memory.
Continue reading Evtx Chunk Header.
This article documents the Evtx file header. The file header provides some overall information about a Vista event log file.
Continue reading Evtx File Header.
In this article I provide a spell of magic(5) which allows file(1) to identify Vista event log files in their native form (.evtx).
Continue reading Evtx Magic.
My paper Introducing the Microsoft Vista Event Log File Format has been accepted for presentation at DFRWS 2007. See you in Pittsburgh!
Continue reading DFRWS 2007 Paper.
Microsoft pushed out Release Candidate 2 of Vista. Among the host of new features in Vista there is a new file format for event logs. This article is the first in a series which shall help you to accustom yourself to the new format.
Continue reading Why is there a new Event Log Format?.
