Skip to content
Switch branches/tags


Failed to load latest commit information.
Latest commit message
Commit time

Windows Event Log Messages

The Windows Event Log Messages (WELM) tool retrieves the definitions of Windows Event Log messages embedded in binaries. The tool's output can be used to create an exhaustive list of event information for an operating system.

The tool was initially developed to aid in writing the Spotting the Adversary with Windows Event Log Monitoring paper but has proven useful in a number of scenarios:

  • Determining if there is an event that captures specific data of interest.
  • Diffing event changes between operating system releases.
  • Diffing event changes between operating system patch levels (more common in Windows 10).
  • Documenting event specific informational fields and their data types which is useful for enriching event collection and analysis systems.
  • Determining default states for logs and sources (enabled/disabled, max size, rotation policy, permissions, etc).
  • Observing event system changes over time.


For more information see:


Retrieved data is available as a dated (YYYMMDD) zip file attachment on the latest release organized by operating system version and architecture. Expanding the dated zip file attachment results in a number of folders that corresponding to Windows operating system releases along with the architecture version. See the Datasets page for more information about each folder and its corresponding media.

Most of the operating system folders contain two folders: welm and wevtutil. These folders were generated by using a batch file that calls WELM and wevutil. The welm folder contains files generated by the WELM tool. The wevtutil folder contains files generated by using wevutil to dump all log and publisher information. Most users will be interested in the events.csv, logs.csv, and providers.csv files inside the the welm folder for each operating system.



See License.


See Disclaimer.


Retrieves the definitions of Windows Event Log messages embedded in Windows binaries and provides them in discoverable formats. #nsacyber





No packages published