Skip to content
This repository has been archived by the owner on Jun 13, 2023. It is now read-only.

nsacyber/Windows-Event-Log-Messages

master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
2 branches 1 tag
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
docs
 
 
welm
 
 
.gitignore
 
 
DISCLAIMER.md
 
 
LICENSE.md
 
 
README.md
 
 
Windows Event Log Messages Documentation Data Links License Disclaimer

README.md

Windows Event Log Messages

The Windows Event Log Messages (WELM) tool retrieves the definitions of Windows Event Log messages embedded in binaries. The tool's output can be used to create an exhaustive list of event information for an operating system.

The tool was initially developed to aid in writing the Spotting the Adversary with Windows Event Log Monitoring paper but has proven useful in a number of scenarios:

  • Determining if there is an event that captures specific data of interest.
  • Diffing event changes between operating system releases.
  • Diffing event changes between operating system patch levels (more common in Windows 10).
  • Documenting event specific informational fields and their data types which is useful for enriching event collection and analysis systems.
  • Determining default states for logs and sources (enabled/disabled, max size, rotation policy, permissions, etc).
  • Observing event system changes over time.

Documentation

For more information see:

Data

Retrieved data is available as a dated (YYYMMDD) zip file attachment on the latest release organized by operating system version and architecture. Expanding the dated zip file attachment results in a number of folders that corresponding to Windows operating system releases along with the architecture version. See the Datasets page for more information about each folder and its corresponding media.

Most of the operating system folders contain two folders: welm and wevtutil. These folders were generated by using a batch file that calls WELM and wevutil. The welm folder contains files generated by the WELM tool. The wevtutil folder contains files generated by using wevutil to dump all log and publisher information. Most users will be interested in the events.csv, logs.csv, and providers.csv files inside the the welm folder for each operating system.

Links

License

See License.

Disclaimer

See Disclaimer.

About

Retrieves the definitions of Windows Event Log messages embedded in Windows binaries and provides them in discoverable formats. #nsacyber

Topics

windows event-log

Resources

Readme

License

View license
Activity

Stars

384 stars

Watchers

57 watching

Forks

100 forks
Report repository

Releases 1

WELM 2.3.0.0 and 04/06/2017 dataset Latest
Aug 15, 2017

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages