Evtx File Header

This article documents the Evtx file header. The file header provides some overall information about a Vista event log file.

The file header is 4096 bytes in size, though currently only 128 bytes are in use. While this seems like a waste of resources, it makes sense: the file header is mapped into memory for faster access, and memory is allocated in units of 4096 bytes (called "a page"). So mapping only 128 bytes would occupy a whole page, too.

Evtx File Header

Offset  Type      Meaning
0x00    char[8]   Magic, const 'ElfFile', 0x00
0x08    int64     OldestChunk
0x10    int64     CurrentChunkNum
0x18    int64     NextRecordNum
0x20    uint32    HeaderPart1Len, const. 0x80
0x24    uint16    MinorVersion, const 1
0x26    uint16    MajorVersion, const 3
0x28    uint16    HeaderSize, const 0x1000
0x2a    uint16    ChunkCount
0x2c    char[76]  unknown, const 0x00
0x78    uint32    Flags
0x7c    uint32    Checksum

CurrentChunkNum and NextRecordNum are needed by the service to add any new records to the log.

ChunkCount states how many chunks follow the header. Chunks hold the event records. Each chunk is 64 kiB in size, so there is a simple equation for the minimum log file size in bytes:

s_min = ChunkCount * 64 * 1024 + HeaderSize

A MajorVersion of 3 identifies Windows Event Logging, which is the name of the Vista event log service. A MajorVersion of 2 was used by Crimson, the event logging service found in Vista beta versions. Finally, a MajorVersion of 1 was used by the old event logging service of NT, 2000, XP and Windows Server 2003.

The Checksum is a well-known CRC32. It is calculated over the first 0x78 bytes of the file header, thus leaving out the Flags and the Checksum itself.

Bit 0 of the Flags indicates a dirty log file, meaning that there are unsaved changes if the bit is set. So both the file header and the chunk headers may not reflect the state of the file correctly, and the checksums are likely to be wrong. If a dirty file is re-opened, the event logging service will scan the whole file and fix the headers accordingly.

Bit 1, if set, indicates a full log file, meaning that some information of potential evidential value could not be recorded.

2011-06-09: Added OldestChunk member.

Imprint

This blog is a project of:
Andreas Schuster
Im Äuelchen 45
D-53177 Bonn
impressum@forensikblog.de

Copyright © 2005-2012 by
Andreas Schuster
All rights reserved.