Those (or similar) messages are created when `evtx` reads a boolean value (type code `0x0d`) with a length of `4` which has a value different from `0x00` or `0x01`. According to Microsoft's definition, a `BoolType` is "An 8-bit integer that MUST be 0x00 or 0x01 (mapping to true or false, respectively)." (https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-even6/8aa98312-f199-4e37-a51f-d3a2ccb50d60)

There seems to be a bug somewhere either in the creator of evtx files or in the parser.

Microsoft defines the following (https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-even6/c73573ae-1c90-43a2-a65f-ad7501155956):

So, a boolean should look like the following:

But obviously, there are (sometimes) `BoolType`s with a `ValueByteLength` of `4`, which violate the specification.

You've added a special handling for boolean values which do not match `0x00` or `0x01`. Do you know why there are such values?

I'm not sure if this is really a bug of your code, but reading 4 bytes for a boolean value also violates the specification and I was interested in what the reason for this is.
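A decoder that records both deviations described in this issue (a `ValueByteLength` other than 1, and a raw value other than `0x00` or `0x01`) instead of coercing silently, so a forensic tool can flag the affected records. This is an added example, not code from the evtx project; the type and function names, the little-endian reading of the 4-byte case, and the rule that `0x01` or any other non-zero value decodes as true are assumptions of this example.

```rust
// Added example; not code from the evtx project. All names are hypothetical.
const BOOL_TYPE: u8 = 0x0d; // type code quoted in the issue

#[derive(Debug, PartialEq)]
enum Deviation {
    Length(usize), // ValueByteLength was not 1 (the issue reports 4)
    Value(u32),    // raw value was neither 0x00 nor 0x01
}

#[derive(Debug, PartialEq)]
struct DecodedBool {
    value: bool,
    deviations: Vec<Deviation>,
}

/// Decode a BoolType payload and list every departure from the specification.
/// Returns Err when the input cannot be read as a boolean at all.
fn decode_bool(value_type: u8, declared_len: usize, payload: &[u8]) -> Result<DecodedBool, String> {
    if value_type != BOOL_TYPE {
        return Err(format!("type 0x{:02x} is not BoolType", value_type));
    }
    if payload.len() < declared_len {
        return Err(format!("declared {} bytes, only {} present", declared_len, payload.len()));
    }
    // Assumption: the 4-byte form is a little-endian 32-bit integer.
    let raw: u32 = match declared_len {
        1 => payload[0] as u32,
        4 => u32::from_le_bytes([payload[0], payload[1], payload[2], payload[3]]),
        n => return Err(format!("unsupported BoolType length {}", n)),
    };
    let mut deviations = Vec::new();
    if declared_len != 1 {
        deviations.push(Deviation::Length(declared_len));
    }
    if raw > 1 {
        deviations.push(Deviation::Value(raw));
    }
    // Assumption: any non-zero raw value is reported as true.
    Ok(DecodedBool { value: raw != 0, deviations })
}

fn main() {
    // Constructed sample payloads, not taken from a real event log.
    let samples: [(usize, &[u8]); 3] = [(1, &[0x01]), (4, &[0x01, 0, 0, 0]), (4, &[0xff; 4])];
    for (len, bytes) in samples.iter() {
        println!("{:?}", decode_bool(BOOL_TYPE, *len, bytes));
    }
}
```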