thread 'main' panicked at 'invalid or out-of-range date'

[DB-37]

Hello !

We stumbled upon an error thread 'main' panicked at 'invalid or out-of-range date' while using the evtx library.
We are wondering if it's the expected behavior, and if not, is there a workaround ?
It seems that when the evtx library processes a "faulty" event, it fails and returns by throwing the aformentioned error.

Used command:
./evtx_dump-v0.7.2-x86_64-unknown-linux-gnu <filename>.evtx -f <filename>.json --no-confirm-overwrite -ojson --no-indent

Error:

thread '<unnamed>' panicked at 'invalid or out-of-range date', /home/runner/.cargo/registry/src/github.com-1ecc6299db9ec823/chrono-0.4.19/src/naive/date.rs:173:51
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
thread '<unnamed>' panicked at 'invalid or out-of-range date', /home/runner/.cargo/registry/src/github.com-1ecc6299db9ec823/chrono-0.4.19/src/naive/date.rs:173:51
thread '<unnamed>' panicked at 'invalid or out-of-range date', /home/runner/.cargo/registry/src/github.com-1ecc6299db9ec823/chrono-0.4.19/src/naive/date.rs:173:51

We looked inside our evtx file with Windows Event Viewer. We found that the evtx command failed on events containing the following data:

<EventData>
    <Data Name="IdentificationGUID">{00280040-0022-0049-6400-65006e007400}</Data>
    <Data Name="ProtectorGUID">{00660069-0069-0063-6100-740069006f00}</Data>
    <Data Name="ProtectorType">0x47006e</Data>
    <Data Name="UnlockTime">1601-01-01T00:00:00.0000000Z</Data>
</EventData>

specifically on the "UnlockTime" field (see the attached image).

Things look fine by viewing the associated scheme though:

Template    : <template xmlns="http://schemas.microsoft.com/win/2004/08/events">
                <data name="IdentificationGUID" inType="win:GUID" outType="xs:GUID"/>
                <data name="ProtectorGUID" inType="win:GUID" outType="xs:GUID"/>
                <data name="ProtectorType" inType="win:HexInt32" outType="win:HexInt32"/>
                <data name="UnlockTime" inType="win:SYSTEMTIME" outType="xs:dateTime"/>
              </template>

We found topics similar to this case:

• Crash with special timestamp value in mysql (0000-00-00 00:00:00) through chrono diesel-rs/diesel#1130
• Crash with special timestamp value in mysql (0000-00-00 00:00:00) through chrono diesel-rs/diesel#1130 (comment)
• https://eventlogxp.com/blog/invalid-dates-inside-some-events/

Therefore, we supposed that the raw evtx file contains an "UnlockTime" event date with a raw value of 0.
Windows Event Viewer support and display the value "1601-01-01T00:00:00.0000000Z" while the evtx library don't.
By looking at the code, we found that the library use the rust function from_ymd that can throw this error.
In this case, if any event has a wrong "UnlockTime" value, the whole evtx file cannot be processed.
If it's the expected behavior, is adding an option that allows the user to process the whole file while skipping faulty events possible as a workaround ?
If not, can an update to this using from_ymd_opt instead of from_ymd fix it ? Events will have empty "UnlockTime" data value.

In any case, thank you for your work !

Regards.

[DB-37]

Hello !

Thank you very much. Tested it. It seems to work as expected. It generates an output file without "faulty" events while displaying relevant warnings.

Best regards,
DB-37.