Pdf File 259.96 KByte, 40 Pages
Understanding Windows Event Log and the EVTX file format
Andreas Schuster
Understanding Windows Event Log Agenda
1. Introduction
2. The Outer Structure
3. The Inner Structure: Binary XML
4. Data Recovery
5. Conclusion
6. Questions & Answers
Introduction Purpose of a System Logging Service
Purpose of a system logging service:
- Applications may need to log events for auditing, diagnostics, etc.
- Implement as a system service in order to avoid redundant code
- Forwarding facilitates site-wide logging architectures
- Filtering eases system administration

Examples:
- UNIX syslog (developed in the 1980s as part of sendmail)
- Windows NT Event Logging (around 1993)
- Crimson (2005, Vista beta only)
- Windows Event Log
Introduction Three Reasons to Upgrade
1. Reduced memory consumption
- NT: whole file mapped into shared memory
- Vista: only file header and one chunk mapped into memory
2. Logging architectures
- NT: stand-alone / third-party software required
- Vista: message forwarding
3. Rich data
- NT: supports only "string" and "binary"
- Vista: 24 documented data types, arrays, the power of XML
The Outer Structure Overview
[Diagram: a file consists of a File Header followed by a sequence of Chunks; each Chunk consists of a Chunk Header, a sequence of Records, and trailing unused space or slack.]
The Outer Structure File
- File header is always mapped into memory
- Size 4096 bytes (= 1 physical memory page)
- Only 128 bytes are in use
- Magic string "ElfFile", 0x00
- Version 3.1 (NT Event Log uses 1.1, Crimson 2.1)
- Count of chunks, number of current chunk
- Flags (DIRTY, FULL)
- Integrity protected by CRC32 checksum
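As an added example that is not part of the slides: a small Python parser that reads and validates the file header fields listed above (magic, version 3.1, chunk numbers, DIRTY/FULL flags, CRC32). Field offsets are taken from the publicly documented EVTX layout (as in libevtx's format description), which the slides do not spell out; the sample header bytes are constructed here, not taken from a real log. A failed CRC32 or a set DIRTY flag tells an analyst that the header's chunk fields may be stale and that the chunks themselves must be examined directly, which is where the data recovery part of the talk picks up.

```python
import struct
import zlib
from typing import NamedTuple

HEADER_SIZE = 4096         # header occupies one 4 KiB page, as the slides state
USED_BYTES = 128           # only the first 128 bytes carry data
MAGIC = b"ElfFile\x00"     # "ElfFile" followed by 0x00
FLAG_DIRTY = 0x0001        # not flushed cleanly; chunk fields may be stale
FLAG_FULL = 0x0002         # log has reached its maximum size

class EvtxFileHeader(NamedTuple):
    first_chunk: int
    last_chunk: int
    next_record_id: int
    major: int
    minor: int
    chunk_count: int
    flags: int
    crc_ok: bool

def parse_file_header(data: bytes) -> EvtxFileHeader:
    """Parse and validate the 128 used bytes of an EVTX file header.
    Offsets follow the documented EVTX layout (libevtx), which the slides
    summarise without listing: 0x00 magic, 0x08 first chunk, 0x10 last chunk,
    0x18 next record id, 0x20 header size, 0x24 minor, 0x26 major,
    0x28 block size, 0x2a chunk count, 0x78 flags, 0x7c CRC32 of bytes 0..119.
    """
    if len(data) < USED_BYTES:
        raise ValueError("short read: need at least 128 bytes")
    if data[:8] != MAGIC:
        raise ValueError("bad magic: not an EVTX file")
    first, last, next_id, hdr_size, minor, major, blk_size, chunks = \
        struct.unpack_from("<QQQIHHHH", data, 8)
    flags, stored_crc = struct.unpack_from("<II", data, 0x78)
    if (major, minor) != (3, 1):
        raise ValueError(f"unsupported version {major}.{minor} (expected 3.1)")
    if hdr_size != USED_BYTES or blk_size != HEADER_SIZE:
        raise ValueError("header size fields inconsistent with EVTX 3.1")
    crc_ok = (zlib.crc32(data[:0x78]) & 0xFFFFFFFF) == stored_crc
    return EvtxFileHeader(first, last, next_id, major, minor, chunks, flags, crc_ok)

def build_sample_header(chunks: int, flags: int, corrupt_crc: bool = False) -> bytes:
    """Constructed header bytes (not from a real log) to exercise the parser."""
    body = MAGIC + struct.pack("<QQQIHHHH", 0, chunks - 1, 1000,
                               USED_BYTES, 1, 3, HEADER_SIZE, chunks)
    body = body.ljust(0x78, b"\x00") + struct.pack("<I", flags)
    crc = zlib.crc32(body[:0x78]) & 0xFFFFFFFF
    body += struct.pack("<I", crc ^ 1 if corrupt_crc else crc)
    return body.ljust(HEADER_SIZE, b"\x00")
```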