sysmon evtx files corrupt? #9
Comments
|
don't think the log is corrupted (see below XML view of the same event file), it was recored on a Windows 7 VM, those issues are often related to EventMessageFile DLL version used to format event message.
|
|
It's strange, because I see the same on the XML view in EventViewer, but
the general view shows the mis-alignment the same as powershell's
get-winevent cmd-let.
[image: image.png]
…On Thu, Aug 13, 2020 at 5:00 AM sbousseaden ***@***.***> wrote:
don't think the log is corrupted (see below XML view of the same event
file), it was recored on a Windows 7 VM, those issues are often related to
EventMessageFile
<https://docs.microsoft.com/en-us/troubleshoot/windows/win32/troubleshoot-event-message-not-found>
DLL version used to format event message.
[image: image]
<https://user-images.githubusercontent.com/20989958/90115030-d394f480-dd53-11ea-8484-ab0a2c3c3214.png>
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#9 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AE7XCISIZZ6K6V2OCZPXUNDSAOTT7ANCNFSM4P5HBONA>
.
|
|
Even opening it on a Win7 system, I'm getting the same
|
|
I think this may be because the logs were collected with an older version of sysmon. Version 10 (which I'm using) added OriginalFilename as the 10th element in the list, and that seems to be where the misalignment starts. In the screenshot above, "c:\Windows\System32\calc.exe" should be CommandLine, and everything else after that shifted down one. |
|
yes probably that's the reason (sysmon vers) tough not sure 100% :) |
|
Seems that's what it is. Closing out the issue. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I'm trying to use some of these sample evtx files to test a new powershell tool, and I'm having trouble parsing them. It seems they may be corrupt and the event data/messages aren't formatted correctly?
For example, see the output I'm getting below where the process Hashes are showing as the "IntegrityLevel" instead of "Hashes". I don't have that same problem with sysmon evtx files I generate here. Any thoughts?
Process Create:RuleName:UtcTime: 2019-05-12 13:38:01.297ProcessGuid: {365ABB72-21B9-5CD8-0000-0010FC002700}ProcessId: 704Image: C:\Windows\System32\calc.exeFileVersion: 6.1.7600.16385 (win7_rtm.090713-1255)Description: Windows CalculatorProduct: Microsoft® Windows® Operating SystemCompany: Microsoft CorporationOriginalFileName: "C:\Windows\System32\calc.exe"CommandLine: c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\CurrentDirectory: IEWIN7\IEUserUser: {365ABB72-1596-5CD8-0000-0020103A0100}LogonGuid: 0x13a10LogonId: 0x1TerminalSessionId: 0IntegrityLevel:SHA1=9018A7D6CDBE859A430E8794E73381F77C840BE0,MD5=60B7C0FEAD45F2066E5B805A91F4F0FC,SHA256=80C10EE5F21F92F89CBC293A59D2FD4C01C7958AACAD15642558DB700943FA22,IMPHASH=F93B5D76132F6E6068946EC238813CE1Hashes: {365ABB72-21B8-5CD8-0000-0010E4E82600}ParentProcessGuid: 2964ParentProcessId: 0ParentImage: "C:\Windows\System32\mshta.exe" "C:\programdata\calc.hta"ParentCommandLine: %22The text was updated successfully, but these errors were encountered: