Windows XML Event Log (EVTX)
Used by Microsoft Windows to store system log information.
Default path: C:\Windows\System32\winevt\Logs\
Header structure
| Offset | Size | Value | Description |
|---|---|---|---|
| 0 | 8 | "ElfFile\x00" | Signature |
| 8 | 8 | First chunk number | |
| 16 | 8 | Last chunk number | |
| 24 | 8 | Next record identifier | |
| 32 | 4 | 128 | Header size |
| 36 | 2 | Minor format version | See section: Format versions |
| 38 | 2 | Major format version | See section: Format versions |
| 40 | 2 | 4096 | Header block size (or chunk data offset) |
| 42 | 2 | Number of chunks | |
| 44 | 76 | Unknown (Empty values) | |
| 120 | 4 | File flags | See section: File flags |
| 124 | 4 | Checksum | CRC32 of the first 120 bytes of the file header |
| 128 | 3968 | Unknown (Empty values) | |
Format versions
| Version (Major.Minor) | Description |
|---|---|
| 3.1 | Seen on Windows Vista and later |
| 3.2 | Seen on Windows 10 (2004) and later |
File flags
| Value | Identifier | Description |
|---|---|---|
| 0x0001 | Is dirty | |
| 0x0002 | Is full | |
Chunks
65536-byte chunk header +
Chunk header
| Offset | Size | Value | Description |
|---|---|---|---|
| 0 | 8 | "ElfChnk\x00" | Signature |
| 8 | 8 | First event record number | |
| 16 | 8 | Last event record number | |
| 24 | 8 | First event record identifier | |
| 32 | 8 | Last event record identifier | |
| 40 | 4 | 128 | Header size (or offset to pointer data) |
| 44 | 4 | Last event record data offset | Offset to the data of the last event record. The offset is relative to the start of the chunk header. |
| 48 | 4 | Free space offset | Offset to free space in the chunk. The offset is relative to the start of the chunk header. |
| 52 | 4 | Event records checksum | CRC32 of the event records data |
| 56 | 64 | Unknown (Empty values) | |
| 120 | 4 | Unknown (flags?) | |
| 124 | 4 | Checksum | CRC32 of the first 120 bytes and bytes 128 to 512 of the chunk |
--- todo
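The file header and chunk header layouts above, as an added example (not code from the libevtx documentation or any project): a Python parser that reads both headers and recomputes the three CRC32 fields, so a log whose stored checksums no longer match its bytes can be flagged during collection or forensic review. The EVTX image it parses is constructed inline; its record area holds placeholder bytes rather than real binary XML, and taking the event records checksum over bytes 512 up to the free space offset is an assumption.

```python
import struct
import zlib

CHUNK_SIZE = 65536

def parse_file_header(buf):
    """Parse the 4096-byte EVTX file header and verify its CRC32."""
    if buf[0:8] != b"ElfFile\x00":
        raise ValueError("bad file signature")
    first_chunk, last_chunk, next_record = struct.unpack_from("<QQQ", buf, 8)
    hdr_size, minor, major, block_size, n_chunks = struct.unpack_from("<IHHHH", buf, 32)
    flags, checksum = struct.unpack_from("<II", buf, 120)
    return {"first_chunk": first_chunk, "last_chunk": last_chunk,
            "next_record_id": next_record, "version": (major, minor),
            "header_block_size": block_size, "number_of_chunks": n_chunks,
            "is_dirty": bool(flags & 0x1), "is_full": bool(flags & 0x2),
            "checksum_ok": zlib.crc32(buf[:120]) == checksum}

def parse_chunk_header(buf, offset):
    """Parse one chunk header; verify the header CRC and the event records CRC."""
    ch = buf[offset:offset + CHUNK_SIZE]
    if ch[0:8] != b"ElfChnk\x00":
        raise ValueError("bad chunk signature at offset %d" % offset)
    first_num, last_num, first_id, last_id = struct.unpack_from("<QQQQ", ch, 8)
    hdr_size, last_rec_off, free_off, rec_crc = struct.unpack_from("<IIII", ch, 40)
    flags, checksum = struct.unpack_from("<II", ch, 120)
    # Header CRC covers bytes 0-119 and 128-511; bytes 120-127 (flags + checksum) are skipped.
    header_ok = zlib.crc32(ch[:120] + ch[128:512]) == checksum
    # Assumption: the event records data runs from byte 512 up to the free space offset.
    records_ok = zlib.crc32(ch[512:free_off]) == rec_crc
    return {"first_record_id": first_id, "last_record_id": last_id,
            "free_space_offset": free_off, "header_checksum_ok": header_ok,
            "records_checksum_ok": records_ok}

def verify_evtx(buf):
    """Return the parsed file header and every chunk header it announces."""
    fh = parse_file_header(buf)
    chunks = [parse_chunk_header(buf, fh["header_block_size"] + i * CHUNK_SIZE)
              for i in range(fh["number_of_chunks"])]
    return fh, chunks

def build_sample():
    """Constructed minimal EVTX image: one chunk whose record area is placeholder bytes."""
    hdr = bytearray(4096)
    hdr[0:8] = b"ElfFile\x00"
    struct.pack_into("<QQQIHHHH", hdr, 8, 0, 0, 2, 128, 1, 3, 4096, 1)  # version 3.1, 1 chunk
    struct.pack_into("<I", hdr, 124, zlib.crc32(bytes(hdr[:120])))
    chunk = bytearray(CHUNK_SIZE)
    chunk[0:8] = b"ElfChnk\x00"
    records = b"constructed placeholder, not real binary XML"
    chunk[512:512 + len(records)] = records
    struct.pack_into("<QQQQIIII", chunk, 8, 1, 1, 1, 1, 128, 512, 512 + len(records), zlib.crc32(records))
    struct.pack_into("<I", chunk, 124, zlib.crc32(bytes(chunk[:120]) + bytes(chunk[128:512])))
    return bytes(hdr + chunk)
```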
WinAPI
| Operation | Function |
|---|---|
| Backup | BackupEventLog |
| Clear | ClearEventLog |
| Monitor | NotifyChangeEventLog |
| Query | GetOldestEventLogRecord, GetNumberOfEventLogRecords |
| Read | ReadEventLog |
| Write | ReportEvent |
PowerShell command
`Get-WinEvent` is designed to replace the `Get-EventLog` cmdlet on computers running Windows Vista and later versions of Windows. `Get-EventLog` gets events only in classic event logs. `Get-EventLog` is retained for backward compatibility.
The `Get-WinEvent` and `Get-EventLog` cmdlets are not supported in Windows Pre-installation Environment (Windows PE).
References
- https://github.com/libyal/libevtx/blob/main/documentation/Windows%20XML%20Event%20Log%20(EVTX).asciidoc