Evtx Event Record

This article documents the structure of a single event record within a Vista Event Log (.evtx) file. The event records follow the chunk header one after another.

Evtx Event Record Structure
Offset   Type       Meaning
0x00     char[4]    Magic, const 0x2a, 0x2a, 0x00, 0x00
0x04     uint32     Length1
0x08     int64      NumLogRecord
0x10     FILETIME   TimeCreated
var.     char[]     BinXmlStream
var.     uint32     Length2

The event record starts with a magic string: two asterisks followed by two null bytes. It is framed by a matching pair of length fields, Length1 and Length2, which state the whole record's size, from the magic string up to and including the trailing length field. This is similar to the record structure of the old NT event logging service. The length fields at the beginning and at the end of an event record allow the logging service to traverse the chain of records efficiently in both directions: forward by adding Length1 to the current offset, backward by subtracting Length2 from the end of the preceding record.

NumLogRecord states the record number, relative to the log channel. A log channel may span several log files, which are written to one after another, so this number keeps increasing across file boundaries.

TimeCreated tells the date and time when the record was created. The timestamp is given as a FILETIME, that is, in units of 100 nanoseconds since 1601-01-01T00:00:00 (UTC).

The following BinXmlStream contains the logged information. This is a complex stream, consisting of XML data, which has been encoded in a proprietary binary format. The encoding scheme will be the subject of several subsequent postings.

Both the record number and the timestamp are also given within the binary XML stream. They are seemingly repeated outside of the complex binary XML stream in order to allow the event logging service to sort and filter records by number or time without having to decode the stream.
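The framing described above, as an added example in Python (not code from this blog or from any EVTX tool): it checks the magic, verifies that Length1 and Length2 agree, converts the FILETIME, walks forward over consecutive records and steps backward via the trailing length. The two sample records and their BinXml payloads are constructed dummies; the layout is only the header documented here, the BinXml content is not decoded.

```python
import struct
from datetime import datetime, timedelta, timezone

RECORD_MAGIC = b"\x2a\x2a\x00\x00"         # "**\0\0"
HEADER_FMT = "<4sIqQ"                      # Magic, Length1, NumLogRecord, TimeCreated
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 24 bytes, little-endian
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_record(buf, offset=0):
    """Parse the record starting at buf[offset]; raise ValueError on bad framing."""
    if len(buf) - offset < HEADER_SIZE + 4:
        raise ValueError("buffer too short for a record at offset %d" % offset)
    magic, length1, num, ft = struct.unpack_from(HEADER_FMT, buf, offset)
    if magic != RECORD_MAGIC:
        raise ValueError("bad record magic at offset %d" % offset)
    if length1 < HEADER_SIZE + 4 or offset + length1 > len(buf):
        raise ValueError("record length %d out of bounds" % length1)
    # Length2 is the last uint32 of the record and must mirror Length1.
    (length2,) = struct.unpack_from("<I", buf, offset + length1 - 4)
    if length2 != length1:
        raise ValueError("length mismatch: %d != %d" % (length1, length2))
    return {"offset": offset, "length": length1, "record_number": num,
            "time_created": filetime_to_datetime(ft),
            "binxml": buf[offset + HEADER_SIZE:offset + length1 - 4]}


def iter_records(buf, offset=0):
    """Forward traversal: add Length1 until the magic no longer matches."""
    while buf[offset:offset + 4] == RECORD_MAGIC:
        rec = parse_record(buf, offset)
        yield rec
        offset += rec["length"]


def previous_record_offset(buf, end):
    """Backward traversal: the trailing Length2 gives the start of the record ending at end."""
    (length2,) = struct.unpack_from("<I", buf, end - 4)
    return end - length2


def build_record(num, ft, binxml):
    """Assemble a record with consistent Length1/Length2 (used to construct sample data)."""
    length = HEADER_SIZE + len(binxml) + 4
    return (struct.pack(HEADER_FMT, RECORD_MAGIC, length, num, ft)
            + binxml + struct.pack("<I", length))


# Constructed sample: two back-to-back records; 116444736000000000 is 1970-01-01 as FILETIME.
SAMPLE = (build_record(1, 116444736000000000, b"\x0f\x01\x01\x00" + b"A" * 8)
          + build_record(2, 116444736010000000, b"\x0f\x01\x01\x00" + b"B" * 5))
```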

2011-03-21: Corrected magic, thanks to Andrew Bontoft for reporting the typo.

Copyright © 2005-2012 by
Andreas Schuster
All rights reserved.