Windows event logs (evtx) parsing

  • Question

  • I am doing a project in C# wherein I need to develop a forensic tool that can parse all the forensically relevant events from the different event logs.

    I would like to know whether it is possible to read the event information from an exported event log (not the live event log) using EventLogReader? Also, how can we extract details from the XML details to be displayed in the GUI tool in the datagrid format?

    Expecting your responses as soon as possible. Thanks in advance.

    Sunday, March 17, 2019 2:42 AM
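Both parts of the question can be answered with System.Diagnostics.Eventing.Reader: EventLogQuery with PathType.FilePath opens a saved .evtx file, and EventRecord.ToXml() returns the same XML shown on the Details tab, which can be flattened into a DataTable for a DataGridView. The following is an added example, not code from this thread or from Microsoft; the file path and the XPath filter are assumptions.

```csharp
// Added example: read an exported .evtx and flatten records into a DataTable.
// Usage (assumed path): dataGridView1.DataSource = EvtxExport.Load(@"C:\cases\Security.evtx",
//     "*[System[(EventID=4624 or EventID=4625)]]");   // same XPath syntax as Event Viewer filters
using System;
using System.Data;
using System.Diagnostics.Eventing.Reader;
using System.Linq;
using System.Xml.Linq;

public static class EvtxExport
{
    // Namespace of every record returned by EventRecord.ToXml().
    static readonly XNamespace Ns = "http://schemas.microsoft.com/win/2004/08/events/event";

    public static DataTable Load(string evtxPath, string xpath = "*")
    {
        var table = new DataTable("Events");
        foreach (var col in new[] { "RecordId", "TimeCreated", "EventId", "Provider",
                                    "Level", "Computer", "Message", "EventData" })
            table.Columns.Add(col);

        // PathType.FilePath tells the reader this is a saved file, not a live channel name.
        var query = new EventLogQuery(evtxPath, PathType.FilePath, xpath);
        using (var reader = new EventLogReader(query))
        {
            for (EventRecord rec = reader.ReadEvent(); rec != null; rec = reader.ReadEvent())
            {
                using (rec)
                {
                    XDocument doc = XDocument.Parse(rec.ToXml());
                    XElement sys = doc.Root.Element(Ns + "System");
                    // EventData/Data children are the fields shown under "Details" in Event Viewer
                    // (account name, logon type, process name, ...); keep them as name=value pairs.
                    var data = doc.Root.Element(Ns + "EventData")?.Elements(Ns + "Data")
                        .Select(d => $"{(string)d.Attribute("Name") ?? "Data"}={d.Value}");
                    // FormatDescription() needs the provider's message DLL; on an analysis
                    // machine without it the call throws, so the raw XML fields are kept anyway.
                    string message;
                    try { message = rec.FormatDescription() ?? ""; }
                    catch (EventLogException) { message = "(provider metadata not available on this host)"; }
                    table.Rows.Add(rec.RecordId, rec.TimeCreated, rec.Id, rec.ProviderName,
                        (string)sys?.Element(Ns + "Level"), (string)sys?.Element(Ns + "Computer"),
                        message, data == null ? "" : string.Join("; ", data));
                }
            }
        }
        return table;
    }
}
```

Level is read from the XML rather than rec.LevelDisplayName for the same reason as the message: the display name also depends on provider metadata that an examiner's workstation may not have.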

All replies

  • Have you tried it? The standard Event Viewer can read evtx files.

    Some of the format is discussed here:

    https://github.com/libyal/libevtx/blob/master/documentation/Windows%20XML%20Event%20Log%20(EVTX).asciidoc


    Tim Roberts | Driver MVP Emeritus | Providenza & Boekelheide, Inc.

    Sunday, March 17, 2019 6:25 AM
  • Hello shari_cyberbuddy,

    This forum is for "Discuss general issues about developing applications for Windows." C++ focused.

    Since your issue is C# related I'll move it to C# forum for more professional support. 

    Best regards,

    Rita


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    Monday, March 18, 2019 2:37 AM
  • Thanks for the reply Tim, but I want to get a C# source code to parse the evtx log format mentioned on the page you have shared to get the relevant events and also its relevant information that we get from the XML details part in the Event Viewer.
    Monday, April 1, 2019 9:26 AM
  • Hi shari_cyberbuddy,

    You could download the source file from the code project for reference.

    https://www.codeproject.com/Articles/15288/Parsing-event-log-evt-file

    Best Regards,

    Wendy


    Wednesday, April 3, 2019 7:55 AM
    Moderator