Evtx'es have a property "InstanceID" which is related to EventID:
InstanceID is not EventID, but can be:
The InstanceId property uniquely identifies an event entry for a configured event source. The InstanceId for an event log entry represents the full 32-bit resource identifier for the event in the message resource file for the event source. The EventID property equals the InstanceId with the top two bits masked off. Two event log entries from the same source can have matching EventID values, but have different InstanceId values due to differences in the top two bits of the resource identifier. If the application wrote the event entry using one of the WriteEntry methods, the InstanceId property matches the optional eventId parameter. If the application wrote the event using WriteEvent, the InstanceId property matches the resource identifier specified in the InstanceId of the instance parameter. If the application wrote the event using the Win32 API ReportEvent, the InstanceId property matches the resource identifier specified in the dwEventID parameter.
Thus, this should maintain the instance id (as no bit mask is applied). Use the event record's event_record_id attribute rather than the serialized value. I believe the python bindings also preserve this value. Let me know if you find this is not the case.
Taken from here: https://evotec.xyz/powershell-everything-you-wanted-to-know-about-event-logs/
I would very much like to have InstanceID read in. It isn't in the XML data; the XML data contains EventID.
I don't know enough about evtx structure to offer a patch.
Cross post with pyevtx-rs/issues/9
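As an added example (not code from the evtx project, its python bindings, or anyone in this thread), the snippet below shows how EventID is derived from the full 32-bit InstanceId and what the masked-off bits carry, using the Win32 message-identifier layout (severity, customer, reserved, facility, code); the sample identifiers are constructed, and the field decoding goes beyond what the quoted documentation states.

```python
# Added example: relationship between a 32-bit InstanceId (message resource
# identifier) and the EventID that .NET exposes. Field layout follows the
# Win32 message-identifier format: Sev[31:30] C[29] R[28] Facility[27:16] Code[15:0].

SEVERITY_NAMES = {0: "Success", 1: "Informational", 2: "Warning", 3: "Error"}


def event_id_from_instance_id(instance_id: int) -> int:
    """EventID is the InstanceId with the top two (severity) bits masked off."""
    return instance_id & 0x3FFFFFFF


def decode_instance_id(instance_id: int) -> dict:
    """Split a 32-bit resource identifier into its message-identifier fields."""
    if not 0 <= instance_id <= 0xFFFFFFFF:
        raise ValueError("InstanceId must be a 32-bit unsigned value")
    return {
        "severity": SEVERITY_NAMES[(instance_id >> 30) & 0x3],
        "customer": bool((instance_id >> 29) & 0x1),
        "reserved": (instance_id >> 28) & 0x1,
        "facility": (instance_id >> 16) & 0xFFF,
        "code": instance_id & 0xFFFF,
        "event_id": event_id_from_instance_id(instance_id),
    }


def group_by_event_id(instance_ids):
    """Map each EventID to the set of distinct InstanceIds that collapse onto it.

    Records that differ only in the severity bits are indistinguishable by
    EventID alone, which is why keeping the full InstanceId matters for triage.
    """
    groups = {}
    for iid in instance_ids:
        groups.setdefault(event_id_from_instance_id(iid), set()).add(iid)
    return groups


if __name__ == "__main__":
    # Constructed sample values: the same code (1) written with four different
    # severity settings, plus a plain identifier with no high bits set.
    sample = [0x00000001, 0x40000001, 0x80000001, 0xC0000001, 4624]
    for iid in sample:
        print(f"{iid:#010x} -> {decode_instance_id(iid)}")
    print(group_by_event_id(sample))
```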