Evtx File Header

This article documents the Evtx file header. The file header provides some overall information about a Vista event log file.

The file header is 4096 bytes in size, though only the first 128 bytes are currently in use. While this seems like a waste of space, it makes sense: the file header is mapped into memory for faster access, and memory is mapped in units of 4096 bytes (a "page"), so mapping only 128 bytes would still occupy a whole page.

Offset  Type      Name and value
0x00    char[8]   Magic, const 'ElfFile', 0x00
0x08    uint64    OldestChunk
0x10    uint64    CurrentChunkNum
0x18    uint64    NextRecordNum
0x20    uint32    HeaderPart1Len, const 0x80
0x24    uint16    MinorVersion, const 1
0x26    uint16    MajorVersion, const 3
0x28    uint16    HeaderSize, const 0x1000
0x2a    uint16    ChunkCount
0x2c    char[76]  unknown, const 0x00
0x78    uint32    Flags
0x7c    uint32    Checksum

CurrentChunkNum and NextRecordNum are needed by the service to add any new records to the log.

ChunkCount states how many chunks follow the header. Chunks hold the event records, and each chunk is 64 KiB in size, so there is a simple equation for the minimum log file size in bytes:

smin = ChunkCount * 64 * 1024 + HeaderSize

A MajorVersion of 3 clearly identifies Windows Event Logging, as the Vista event log service is named. A MajorVersion of 2 was used by Crimson, the event logging service found in Vista beta versions. Finally, a MajorVersion of 1 was used by the old event logging service of NT, 2000, XP and Windows Server 2003.

The Checksum is a well-known CRC32. It is calculated over the first 0x78 bytes of the file header, thus leaving out the Flags and the Checksum itself.

Bit 0 of the Flags indicates a dirty log file, meaning that there are unsaved changes if the bit is set. In that case both the file header and the chunk headers may not reflect the state of the file correctly, and the checksums are likely to be wrong as well. When a dirty file is re-opened, the event logging service scans the whole file and fixes the headers accordingly.

Bit 1, if set, indicates a full log file. So some information of potential evidential value could not be recorded.
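The following parser is an added example written for this article; it is not code from the original author. It assumes the little-endian field layout given above (OldestChunk at 0x08, CurrentChunkNum at 0x10, NextRecordNum at 0x18, ChunkCount at 0x2a, Flags at 0x78, Checksum at 0x7c) and that the Checksum is the standard zlib-style CRC32 over the first 0x78 bytes. It parses a header, verifies the checksum, decodes the dirty and full bits, computes the minimum file size from the equation above, and returns the findings an examiner would want flagged. The two sample headers are constructed in the block itself, so it runs offline.

```python
import struct
import zlib

# Little-endian layout of the first 128 bytes (HeaderPart1Len = 0x80).
# magic, OldestChunk, CurrentChunkNum, NextRecordNum, HeaderPart1Len,
# MinorVersion, MajorVersion, HeaderSize, ChunkCount, unknown[76], Flags, Checksum
HEADER_FMT = "<8sQQQIHHHH76sII"
assert struct.calcsize(HEADER_FMT) == 0x80

MAGIC = b"ElfFile\x00"
HEADER_SIZE = 0x1000          # full header block, one page
CHUNK_SIZE = 64 * 1024        # each chunk is 64 KiB
CHECKSUM_SPAN = 0x78          # CRC32 covers bytes 0x00..0x77, excluding Flags and Checksum
FLAG_DIRTY = 0x1              # bit 0: unsaved changes, headers may be stale
FLAG_FULL = 0x2               # bit 1: log is full, events may have been dropped


def parse_header(data):
    """Decode the Evtx file header and verify its CRC32. Returns a dict of fields and checks."""
    if len(data) < 0x80:
        raise ValueError("header truncated: need at least 128 bytes")
    (magic, oldest, current, next_rec, part1_len, minor, major,
     hdr_size, chunk_count, _unknown, flags, checksum) = struct.unpack_from(HEADER_FMT, data, 0)
    if magic != MAGIC:
        raise ValueError("bad magic: %r" % magic)
    expected = zlib.crc32(data[:CHECKSUM_SPAN]) & 0xFFFFFFFF
    return {
        "oldest_chunk": oldest,
        "current_chunk": current,
        "next_record": next_rec,
        "header_part1_len": part1_len,
        "version": (major, minor),
        "header_size": hdr_size,
        "chunk_count": chunk_count,
        "flags": flags,
        "dirty": bool(flags & FLAG_DIRTY),
        "full": bool(flags & FLAG_FULL),
        "checksum_stored": checksum,
        "checksum_computed": expected,
        "checksum_ok": checksum == expected,
        # s_min = ChunkCount * 64 * 1024 + HeaderSize
        "min_file_size": chunk_count * CHUNK_SIZE + hdr_size,
    }


def triage(data):
    """Return a list of examiner-facing findings for a header; empty means nothing unusual."""
    h = parse_header(data)
    findings = []
    if h["version"] != (3, 1):
        findings.append("unexpected version %d.%d" % h["version"])
    if h["dirty"]:
        findings.append("dirty flag set: file and chunk headers may be stale")
    if h["full"]:
        findings.append("full flag set: events may have been lost")
    if not h["checksum_ok"]:
        findings.append("header checksum mismatch (stored 0x%08x, computed 0x%08x)"
                        % (h["checksum_stored"], h["checksum_computed"]))
    if len(data) < h["min_file_size"]:
        findings.append("file shorter than minimum %d bytes implied by ChunkCount" % h["min_file_size"])
    return findings


def build_header(oldest, current, next_rec, chunk_count, flags):
    """Construct a well-formed 4096-byte header (sample data for this example, not a real log)."""
    body = struct.pack("<8sQQQIHHHH76s", MAGIC, oldest, current, next_rec,
                       0x80, 1, 3, HEADER_SIZE, chunk_count, b"\x00" * 76)
    crc = zlib.crc32(body) & 0xFFFFFFFF           # body is exactly 0x78 bytes
    header = body + struct.pack("<II", flags, crc)
    return header + b"\x00" * (HEADER_SIZE - len(header))


# Constructed sample 1: a clean log with three chunks (header only; chunks omitted).
SAMPLE_CLEAN = build_header(0, 2, 150, 3, 0)

# Constructed sample 2: the service was still writing when it stopped. The dirty bit is
# set and ChunkCount was bumped to 5 without the CRC being recomputed, which is the
# stale-header situation the article describes.
_dirty = bytearray(build_header(0, 2, 150, 3, FLAG_DIRTY))
struct.pack_into("<H", _dirty, 0x2a, 5)
SAMPLE_DIRTY = bytes(_dirty)

if __name__ == "__main__":
    for name, sample in (("clean", SAMPLE_CLEAN), ("dirty", SAMPLE_DIRTY)):
        h = parse_header(sample)
        print(name, "chunks=%d next_record=%d min_size=%d" % (h["chunk_count"], h["next_record"], h["min_file_size"]))
        for f in triage(sample):
            print("  !", f)
```

On a real file, read the first 4096 bytes and pass them to `triage`; a dirty flag or checksum mismatch tells you the header counts cannot be trusted until the chunks themselves have been walked, which is exactly what the service does on re-open.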

2011-06-09: Added OldestChunk member.