Evtx Chunk Header

Each event log file contains one or more so-called "chunks", which store the event records. During operation, only the current chunk of an event log file is mapped into memory.

Each chunk is 64 kiB in size. The first 0x200 bytes contain the chunk header, a string table and a template table:

Evtx Chunk Header

Offset  Type        Meaning
0x000   char[8]     Magic, const 'ElfChnk', 0x00
0x008   int64       NumLogRecFirst
0x010   int64       NumLogRecLast
0x018   int64       NumFileRecFirst
0x020   int64       NumFileRecLast
0x028   uint32      OfsTables, const 0x080
0x02c   uint32      OfsRecLast
0x030   uint32      OfsRecNext
0x034   uint32      DataCRC
0x038   char[68]    unknown
0x07c   uint32      HeaderCRC
0x080   uint32[64]  StringTable
0x180   uint32[32]  TemplateTable

The chunk header provides two sets of first/last record numbers. One refers to the log as a whole, which could consist of multiple log files, while the other refers to the actual log file. This difference will be made clear in a subsequent post, which will take a look at some special log files. In empty log files a value of -1 can be found for all the counters with the exception of NumLogRecFirst, which is set to 1.

The HeaderCRC is a 32-bit CRC. It is calculated over the first 0x200 bytes of the chunk, with the exception of the 8 bytes starting at offset 0x78 (so the checksum itself and the preceding DWORD are excluded, similar to the calculation of the checksum in the file header).

Another checksum, DataCRC, covers the data area from 0x200 up to the end of the last event entry.

The StringTable and TemplateTable provide 64 and 32 hash buckets respectively. The event log service uses these tables to avoid the redundant declaration of certain strings and XML structures within the same chunk. Neither table is required to transform an event log file into a human-readable form.
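As an added worked example (not code from the original post), the following Python reads the fields from the table above and verifies both checksums on a constructed, in-memory chunk. It assumes the "32 bit CRC" is the standard CRC-32 as computed by zlib.crc32, and that OfsRecNext marks the end of the last event entry; all field names follow the table, the builder helper is hypothetical.

```python
import struct
import zlib

CHUNK_SIZE = 0x10000            # every chunk is 64 kiB
MAGIC = b"ElfChnk\x00"
# Fixed header fields at 0x000..0x037, little-endian (see the table above)
_FIXED = struct.Struct("<8s4q4I")

def header_crc(chunk):
    # CRC over the first 0x200 bytes minus the 8 bytes at 0x78..0x7f, i.e.
    # HeaderCRC itself and the DWORD before it. CRC-32 as in zlib is an
    # assumption; the post only states "32 bit CRC".
    return zlib.crc32(chunk[:0x78] + chunk[0x80:0x200]) & 0xFFFFFFFF

def data_crc(chunk, ofs_rec_next):
    # CRC over the record area, 0x200 up to the end of the last record
    return zlib.crc32(chunk[0x200:ofs_rec_next]) & 0xFFFFFFFF

def parse_chunk_header(chunk):
    # Returns the header fields plus a verdict on both checksums.
    if len(chunk) != CHUNK_SIZE:
        raise ValueError("a chunk must be exactly 64 kiB")
    (magic, log_first, log_last, file_first, file_last, ofs_tables,
     ofs_rec_last, ofs_rec_next, stored_data_crc) = _FIXED.unpack_from(chunk)
    if magic != MAGIC:
        raise ValueError("bad chunk magic %r" % magic)
    stored_header_crc = struct.unpack_from("<I", chunk, 0x07C)[0]
    return {
        "NumLogRecFirst": log_first, "NumLogRecLast": log_last,
        "NumFileRecFirst": file_first, "NumFileRecLast": file_last,
        "OfsTables": ofs_tables, "OfsRecLast": ofs_rec_last,
        "OfsRecNext": ofs_rec_next,
        "StringTable": struct.unpack_from("<64I", chunk, 0x080),
        "TemplateTable": struct.unpack_from("<32I", chunk, 0x180),
        "HeaderCRC_ok": stored_header_crc == header_crc(chunk),
        "DataCRC_ok": stored_data_crc == data_crc(chunk, ofs_rec_next),
    }

def build_sample_chunk(records, log_first=1, log_last=1, file_first=1, file_last=1):
    # Constructed test chunk (hypothetical helper): `records` is opaque
    # filler standing in for the event records that follow the header.
    ofs_next = 0x200 + len(records)
    body = bytearray(CHUNK_SIZE)
    body[0x200:ofs_next] = records
    _FIXED.pack_into(body, 0, MAGIC, log_first, log_last, file_first, file_last,
                     0x080, 0x200, ofs_next, data_crc(bytes(body), ofs_next))
    struct.pack_into("<I", body, 0x07C, header_crc(bytes(body)))
    return bytes(body)
```

Flipping a bit inside the header area invalidates HeaderCRC only, while a flipped bit inside a record leaves HeaderCRC intact and invalidates DataCRC, which is how a parser can tell the two kinds of corruption apart.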

2010-08-29: edit to add DataCRC.

Copyright © 2005-2012 by
Andreas Schuster
All rights reserved.