Windows Event Log message strings support enhancements #4259

joachimmetz · 2022-09-23T03:19:31Z

Continuation of #4169

Add support for resource files stored as:
- relative path "system32..."
- as "$(runtime.system32)" or "$(runtime.windows)"
- Changes to handling message file resource paths #4259 #4773
Add support for WEVT_TEMPLATE .mun files (PE/COFF) under C:\Windows\SystemResources\
- Added support for SystemResources .mun files #4259 #4774
Look into missing message strings (see Windows Event Log message strings support enhancements #163 (comment))
- ~~improve WEVT_TEMPLATE support and MUI file lookup - Changes to improve Event Log message string support #4169 #4194~~
- ~~normalize path when looking up message file paths in winevt_rc, use environment variables - Changes to normalize EventLog message file paths #4169 #4198~~
- Replacement index # out of range for positional args tuple - Windows Event Log message strings support enhancements #4259 (comment)
- No message string for message: 0xffffffff - Windows Event Log message strings support enhancements #4259 (comment)
Add parameter expansion support
- observed fallback to event message file - Worked on support for parameter expansion #4259 #4776
- observed fallback to MsObjs.dll and kernel32.dll (Windows 10) - Worked on support for parameter expansion #4259 #4777

joachimmetz · 2023-12-31T15:24:56Z

2023-12-31 15:07:02,439 [WARNING] (MainProcess) PID:109203 <winevt_rc> No message string for message: 0xffffffff (0x00000069) of provider: {315a8872-923e-4ea2-9889-33cd4754bf64}

evtxexport 20231121

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Immersive-Shell" Guid="{315A8872-923E-4EA2-9889-33CD4754BF64}"/>
    <EventID>105</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>104</Task>
    <Opcode>0</Opcode>
    <Keywords>0x4000000000000000</Keywords>
    <TimeCreated SystemTime="2020-12-11T19:11:58.243969300Z"/>
    <EventRecordID>1</EventRecordID>
    <Correlation/>
    <Execution ProcessID="2132" ThreadID="5152"/>
    <Channel>Microsoft-Windows-TWinUI/Operational</Channel>
    <Computer>DESKTOP-SSPQK1B</Computer>
    <Security UserID="S-1-5-21-539969222-1187471189-2727535519-1000"/>
  </System>
  <EventData/>
</Event>

            <provider
                guid="{315A8872-923E-4EA2-9889-33CD4754BF64}">
                <events>
                    ...
                    <event
                        value="105"
                        version="0"
                        message="$(string.MessageTable.0xffffffff)">
                    </event>

Spot check with EventViewer indicates that this is an unresolvable message string.

joachimmetz · 2023-12-31T15:43:40Z

2023-12-31 15:07:05,933 [ERROR] (MainProcess) PID:109203 <winevt>
Unable to format message: 0x0000f2c0
of provider: {30336ed4-e327-447c-9de0-51b652c86108}
template: "Updating install state of package {0:s} to '{1:s}' with HRESULT {2:s}."
and strings: "MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy, Completed"
with error: Replacement index 2 out of range for positional args tuple

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Shell-Core" Guid="{30336ED4-E327-447C-9DE0-51B652C86108}"/>
    <EventID>62144</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>62132</Task>
    <Opcode>0</Opcode>
    <Keywords>0x2000000000010000</Keywords>
    <TimeCreated SystemTime="2020-12-11T19:09:14.808226700Z"/>
    <EventRecordID>19</EventRecordID>
    <Correlation/>
    <Execution ProcessID="3620" ThreadID="4576"/>
    <Channel>Microsoft-Windows-Shell-Core/Operational</Channel>
    <Computer>DESKTOP-SSPQK1B</Computer>
    <Security UserID="S-1-5-21-539969222-1187471189-2727535519-1000"/>
  </System>
  <EventData>
    <Data Name="PackageFamilyName">MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy</Data>
    <Data Name="InstallState">Completed</Data>
    <Data Name="ErrorCode">0</Data>
  </EventData>
</Event>

                    <event
                        value="62144"
                        version="0"
                        template="{00203874-A3F5-556D-4C97-825EF9FA2AA5}"
                        message="$(string.MessageTable.0xb000f2c0)">
                    </event>
                    ...
                    <template tid="{00203874-A3F5-556D-4C97-825EF9FA2AA5}">
                        <data
                            name="PackageFamilyName"
                            inType="win:UnicodeString"
                            outType="xs:string">
                        </data>
                        <data
                            name="InstallState"
                            inType="win:UnicodeString"
                            outType="xs:string">
                        </data>
                        <data
                            name="ErrorCode"
                            inType="win:UInt32"
                            outType="xs:unsignedInt">
                        </data>
                    <template/>

Spot check with EventViewer indicates that this should be format-able

Updating install state of package MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy to 'Completed' with HRESULT 0.

These appear recovered records where the 3rd string is not included

Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Shell-Core" Guid="{30336ED4-E327-447C-9DE0-51B652C86108}"/>
    <EventID>62144</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>62132</Task>
    <Opcode>0</Opcode>
    <Keywords>0x2000000000010000</Keywords>
    <TimeCreated SystemTime="2020-12-11T19:12:04.250958100Z"/>
    <EventRecordID>476</EventRecordID>
    <Correlation/>
    <Execution ProcessID="3620" ThreadID="5100"/>
    <Channel>Microsoft-Windows-Shell-Core/Operational</Channel>
    <Computer>DESKTOP-SSPQK1B</Computer>
    <Security UserID="S-1-5-21-539969222-1187471189-2727535519-1001"/>
  </System>
  <EventData>
    <Data Name="LogonType">MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy</Data>
    <Data Name="TaskName">Completed</Data>
  </EventData>
</Event>

* Changes to use pyproject.toml (log2timeline#4756) * Added support for version 118 Firefox downloads database files (log2timeline#4749) * Corrected missing test file firefox_cookies.sqlite log2timeline#4757 (log2timeline#4758) * Updated pylintrc to version 3.0 (log2timeline#4761) * Changes for pyparsing 3.1 log2timeline#4580 (log2timeline#4760) * Updated documentation (log2timeline#4763) * Changes for BDE Windows CI tests log2timeline#4757 (log2timeline#4759) * Updated version and documentation (log2timeline#4764) * Changed mrulist parsers to produce list of entries (log2timeline#4739) * Updated release script and version (log2timeline#4767) * Changes for deployment (log2timeline#4768) * Changes for deployment (log2timeline#4770) * Changes to release GitHub issue template (log2timeline#4771) * Added readthedocs configuration (log2timeline#4772) * Changes to handling message file resource paths log2timeline#4259 (log2timeline#4773) --------- Co-authored-by: Joachim Metz <joachim.metz@gmail.com> Co-authored-by: Christopher Burkhalter <chb2mn@virginia.edu>

joachimmetz · 2024-01-07T08:06:13Z

Interesting edge case

5.1.11548.0

0x4008003d | %2: Ecn RP attributes (2) for port %3:%n\r\nEcnRpgMinRate = %4%n\r\nEcnMaxTimeRise = %5%n\r\nEcnMaxByteRise = %6%n\r\nEcnAlphaToRateCoeff = %7%n\r\nEcnMarkedRatioMultiplier = %8%n\r\nEcnMarkedRatioShift = %9%n\r\nEcnRateToSetOnFirstCnp = %10%n\r\nEcnDceTcpG = %11%n\r\nEcnDceTcpRtt = %12%n\r\nEcnDceTcpRttDelay = %13%n\r\nEcnInitialAlphaValue = %14%n\r\nEcnSupportIBStandardCnp = %15%n\r\nEcnCoalesceCnpInRp = %16%n\r\n

EcnRpgMinRate = %4

5.50.14643.0

0x4008003d | %2: Ecn RP attributes (2) for port %3 (%4):%n\r\nEcnRpgMinRate = %5%n\r\nEcnMaxTimeRise = %6%n\r\nEcnMaxByteRise = %7%n\r\nEcnAlphaToRateCoeff = %8%n\r\nEcnMarkedRatioMultiplier = %9%n\r\nEcnMarkedRatioShift = %10%n\r\nEcnRateToSetOnFirstCnp = %11%n\r\nEcnDceTcpG = %12%n\r\nEcnDceTcpRtt = %13%n\r\nEcnDceTcpRttDelay = %14%n\r\nEcnInitialAlphaValue = %15%n\r\nEcnSupportIBStandardCnp = %16%n\r\nEcnCoalesceCnpInRp = %17%n\r\nEcnBurstSize = %18%n\r\nEcnPriorityEnable = %19%n\r\n

EcnRpgMinRate = %5

joachimmetz added the enhancement New or improved functionality label Sep 25, 2022

joachimmetz added a commit to joachimmetz/plaso that referenced this issue Dec 31, 2023

Changes to handling message file resource paths log2timeline#4259

f3483d5

joachimmetz added a commit to joachimmetz/plaso that referenced this issue Dec 31, 2023

Changes to handling message file resource paths log2timeline#4259

596b7db

joachimmetz added a commit to joachimmetz/plaso that referenced this issue Dec 31, 2023

Changes to handling message file resource paths log2timeline#4259

21ba40f

joachimmetz added a commit that referenced this issue Dec 31, 2023

Changes to handling message file resource paths #4259 (#4773)

b1a65b6

joachimmetz added a commit to joachimmetz/plaso that referenced this issue Dec 31, 2023

Added support for SystemResources .mun files log2timeline#4259

caaea3d

joachimmetz added a commit to joachimmetz/plaso that referenced this issue Dec 31, 2023

Changes to handling message file resource paths log2timeline#4259

122f47c

joachimmetz added a commit to joachimmetz/plaso that referenced this issue Dec 31, 2023

Changes to handling message file resource paths log2timeline#4259

13f7a99

joachimmetz added a commit to joachimmetz/plaso that referenced this issue Dec 31, 2023

Changes to handling message file resource paths log2timeline#4259

1195286

joachimmetz self-assigned this Dec 31, 2023

joachimmetz added a commit that referenced this issue Dec 31, 2023

Added support for SystemResources .mun files #4259 (#4774)

02ea3c8

joachimmetz added this to the 2024 February release milestone Jan 1, 2024

joachimmetz added a commit to joachimmetz/plaso that referenced this issue Jan 1, 2024

Worked on support for parameter expansion log2timeline#4259

f94de0d

joachimmetz added a commit to joachimmetz/plaso that referenced this issue Jan 1, 2024

Worked on support for parameter expansion log2timeline#4259

8e16122

joachimmetz added a commit that referenced this issue Jan 1, 2024

Worked on support for parameter expansion #4259 (#4776)

86699f8

joachimmetz added a commit to joachimmetz/plaso that referenced this issue Jan 1, 2024

Worked on support for parameter expansion log2timeline#4259

e261a2d

joachimmetz added a commit that referenced this issue Jan 1, 2024

Worked on support for parameter expansion #4259 (#4777)

2344740

joachimmetz closed this as completed Mar 2, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Windows Event Log message strings support enhancements #4259

Windows Event Log message strings support enhancements #4259

joachimmetz commented Sep 23, 2022 •

edited

Loading

joachimmetz commented Dec 31, 2023 •

edited

Loading

joachimmetz commented Dec 31, 2023 •

edited

Loading

joachimmetz commented Jan 7, 2024

Windows Event Log message strings support enhancements #4259

Windows Event Log message strings support enhancements #4259

Comments

joachimmetz commented Sep 23, 2022 • edited Loading

joachimmetz commented Dec 31, 2023 • edited Loading

joachimmetz commented Dec 31, 2023 • edited Loading

joachimmetz commented Jan 7, 2024

joachimmetz commented Sep 23, 2022 •

edited

Loading

joachimmetz commented Dec 31, 2023 •

edited

Loading

joachimmetz commented Dec 31, 2023 •

edited

Loading