invalid XML file output #7

Closed
Brassrat opened this issue Aug 24, 2016 · 3 comments

@Brassrat

Thanks for writing this library, I think it will be very useful to me.
A minor nit however regarding evtxexport.
When you ask for xml output (-f xml) the output is not valid xml because

  1. The first line contains the program name - this line should either be omitted or surrounded with an XML comment (`<!-- -->`)
  2. there is no 'root' tag surrounding the individual tags, say `<Events>[<Event>]*</Events>`
  3. Wrt 'recovered' entries - the xml was just not valid e.g., missing end tag ()

Changes for 1 require moving the call to `evtxoutput_version_fprint` after argument processing so the export_format is known:

```c
/* Open an XML comment before the version banner when exporting as XML,
 * so the first line of output does not break the document. */
if( evtxexport_export_handle->export_format == EXPORT_FORMAT_XML )
{
	fprintf(stdout, "<!-- \n");
}

evtxoutput_version_fprint(
 stdout,
 program );

/* Close the comment again after the banner has been written. */
if( evtxexport_export_handle->export_format == EXPORT_FORMAT_XML )
{
	fprintf(stdout, "\n-->\n");
}
```

Changes for 2 are just a couple of additional `fprintf`s in export_handle.c

@joachimmetz joachimmetz self-assigned this Aug 24, 2016
@joachimmetz

joachimmetz commented Aug 24, 2016

> When you ask for xml output (-f xml) the output is not valid xml because

This is not the goal of the program to have a valid full XML document. The goal of the -f xml option is to provide output that is comparable to Windows event log viewer xml output. You can easily write a small program around the library or Python binding to accomplish this if you need to.

> Wrt 'recovered' entries - the xml was just not valid e.g., missing end tag ()

Not sure what you mean.
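A small wrapper of the kind suggested above, as an added example that is not part of libevtx or this thread: it post-processes the exported text (rather than calling the Python binding) and applies the three fixes from the report, then checks the result parses. The sample output, the banner wording and the `Events` root tag are constructed assumptions.

```python
"""Turn evtxexport-style '-f xml' output into one well-formed XML document.

Added example, not code from libevtx or the issue thread. It assumes the layout
the issue describes: a banner line naming the program, then bare <Event>
fragments, some with stray carriage returns inside element text (AccessMask).
"""
import xml.etree.ElementTree as ET

# Constructed sample in the shape the reporter describes; not real evtxexport output.
SAMPLE_OUTPUT = (
    "evtxexport (banner line assumed)\n"
    "<Event>\n"
    "  <System><EventID>4663</EventID></System>\n"
    "  <EventData>\n"
    '    <Data Name="AccessMask">%%1537\r\n%%1538\r\n</Data>\n'
    "  </EventData>\n"
    "</Event>\n"
    "<Event>\n"
    "  <System><EventID>4624</EventID></System>\n"
    "</Event>\n"
)


def is_well_formed(text):
    """True if text parses as a single XML document, False otherwise."""
    try:
        ET.fromstring(text)
        return True
    except ET.ParseError:
        return False


def wrap_as_document(text, root_tag="Events"):
    """Comment out the banner, add a root element, drop stray carriage returns."""
    text = text.replace("\r", "")
    banner, _, body = text.partition("\n")
    if banner.startswith("<"):      # no banner present; keep the whole text
        body, banner = text, ""
    # '--' is illegal inside an XML comment, so neutralise it in the banner.
    comment = "<!-- %s -->\n" % banner.replace("--", "- -") if banner else ""
    return '<?xml version="1.0"?>\n<%s>\n%s%s</%s>\n' % (root_tag, comment, body, root_tag)


def event_count(document):
    """Number of <Event> children under the root of a wrapped document."""
    return len(ET.fromstring(document).findall("Event"))


def access_masks(document):
    """Return the AccessMask tokens from every event as a flat list."""
    root = ET.fromstring(document)
    return [tok for d in root.iter("Data")
            if d.get("Name") == "AccessMask" for tok in (d.text or "").split()]
```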

@Brassrat

Another question, in the xml I see the following (in vim):

```
%%1537^M
%%1538^M
%%1539^M
%%7168^M
%%7169^M
%%7170^M
%%7171^M
%%7172^M
%%7173^M
```

Why the extra carriage return? The characters can be removed - so they really are there.
Or is this what is in the evtx bXML? Some list separator syntax? I don't have a good C IDE environment to debug this; obviously I can simply remove all carriage returns - but they only show up for the AccessMask data values.

TIA,
-jay

@joachimmetz

joachimmetz commented Aug 25, 2016

As indicated this is to match the Windows event viewer output.

> Or is this what is in the evtx bXML?

Yes
