
InstanceID missing from logs #115

Open
truekonrads opened this issue Jul 16, 2020 · 1 comment

Comments

@truekonrads

Evtx files have a property "InstanceID" which is related to EventID:

InstanceID is not EventID, but can be:

The InstanceId property uniquely identifies an event entry for a configured event source. The InstanceId for an event log entry represents the full 32-bit resource identifier for the event in the message resource file for the event source. The EventID property equals the InstanceId with the top two bits masked off. Two event log entries from the same source can have matching EventID values, but have different InstanceId values due to differences in the top two bits of the resource identifier. If the application wrote the event entry using one of the WriteEntry methods, the InstanceId property matches the optional eventId parameter. If the application wrote the event using WriteEvent, the InstanceId property matches the resource identifier specified in the InstanceId of the instance parameter. If the application wrote the event using the Win32 API ReportEvent, the InstanceId property matches the resource identifier specified in the dwEventID parameter.

Taken from here: https://evotec.xyz/powershell-everything-you-wanted-to-know-about-event-logs/

I would very much like to have InstanceID read in. It isn't in the XML data; the XML data contains EventID.

I don't know enough about evtx structure to offer a patch.

Cross post with pyevtx-rs/issues/9
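The quoted rule above (EventID equals the InstanceId with the top two bits masked off) worked through as an added example; this is not code from the evtx project or from either poster. The field layout it decodes (severity, customer bit, facility, code) is the standard Win32 message-identifier layout and is an assumption beyond what the issue states.

```python
# Added example: relate a 32-bit message-resource InstanceId to the EventID
# that appears in the EVTX XML. The only rule taken from the issue is
# "EventID == InstanceId with the top two bits masked off"; the severity /
# customer / facility / code split is the Win32 message-id layout (assumed).
from dataclasses import dataclass

EVENT_ID_MASK = 0x3FFFFFFF  # clears bits 31..30 (the severity field)
SEVERITY_NAMES = {0: "Success", 1: "Informational", 2: "Warning", 3: "Error"}


@dataclass(frozen=True)
class ResourceId:
    instance_id: int
    event_id: int
    severity: str
    customer: bool
    facility: int
    code: int


def event_id_from_instance_id(instance_id: int) -> int:
    """EventID as serialized in the EVTX XML: top two bits dropped."""
    if not 0 <= instance_id <= 0xFFFFFFFF:
        raise ValueError("InstanceId must be an unsigned 32-bit value")
    return instance_id & EVENT_ID_MASK


def decode_instance_id(instance_id: int) -> ResourceId:
    """Split a message-resource identifier into its fields (assumed layout)."""
    return ResourceId(
        instance_id=instance_id,
        event_id=event_id_from_instance_id(instance_id),
        severity=SEVERITY_NAMES[instance_id >> 30],
        customer=bool((instance_id >> 29) & 1),
        facility=(instance_id >> 16) & 0x0FFF,
        code=instance_id & 0xFFFF,
    )


def same_event_id(a: int, b: int) -> bool:
    """True when two different InstanceIds collapse to one EventID."""
    return event_id_from_instance_id(a) == event_id_from_instance_id(b)


if __name__ == "__main__":
    # Constructed sample values: the same 16-bit code 0x1000 written once as
    # Informational and once as Error; they differ only in bits 31..30.
    for iid in (0x40001000, 0xC0001000):
        r = decode_instance_id(iid)
        print(f"InstanceId=0x{iid:08X} EventID={r.event_id} severity={r.severity}")
```

Note that only bits 31..30 are masked: the customer bit and facility field survive into the EventID, so two entries collapse to one EventID only when they differ in severity alone.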

@forensicmatt
Contributor

I looked at this and see that the actual record's event id does no bit masking in this library:

https://github.com/omerbenamram/evtx/blob/master/src/evtx_record.rs#L50

Thus, this should maintain the instance id (as no bit mask is applied). Use the event record's event_record_id attribute rather than the serialized value. I believe the python bindings also preserve this value. Let me know if you find this is not the case.

While InstanceID is not documented in Metz' documentation of the EVTX structure, this is the only other value apart from timestamp, size, and signature outside of the XML data: https://github.com/libyal/libevtx/blob/master/documentation/Windows%20XML%20Event%20Log%20(EVTX).asciidoc#32-event-record
