shibijm/nso-winevt-extractor

nso-winevt-extractor

nso-winevt-extractor is a command-line utility to extract Windows event logs pertaining to network share objects.

Download

Downloadable builds are available on the releases page.

Usage

Auditing has to be turned on under the "Audit object access" group policy.

Run the program with administrator privileges.

$ sudo nso-winevt-extractor.exe
2025-05-15 15:34:40	192.168.0.2	\\*\Shared\desktop.ini	Read	0x00120089
2025-05-15 15:34:45	192.168.0.2	\\*\Shared\VID_20250420_233209.mp4	Read	0x00120089
2025-05-15 15:44:00	192.168.0.2	\\*\Shared\New Text Document.txt	Read Write Append	0x0016019F
2025-05-15 15:44:00	192.168.0.2	\\*\Shared\New Text Document.txt	Write	0x00000002
2025-05-15 15:44:05	192.168.0.2	\\*\Shared\New Text Document.txt	Read	0x00120089
2025-05-15 15:44:06	192.168.0.2	\\*\Shared\New Text Document.txt	Read Write Append	0x0012019F
2025-05-15 15:44:09	192.168.0.2	\\*\Shared\New Text Document.txt	Delete	0x00110080
2025-05-15 15:44:09	192.168.0.2	\\*\Shared\\	Read	0x00120089
2025-05-15 15:44:09	192.168.0.2	\\*\Shared\New Text Document.txt	Delete	0x00010080

Output Format: Time\tIpAddress\tPath\tActions\tAccessMask

Source Event: Event 5145 - A network share object was checked to see whether client can be granted desired access
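
An added example (not part of the project's code) that parses the tab-separated output described above, decodes the AccessMask column into individual Windows file access rights, and lists per client and path the rights that modify an object. The function names and the MODIFYING grouping are choices made for this example; the bit values are the standard Windows file access rights.

```python
from collections import defaultdict

# Standard Windows access-right bits for file objects (values from winnt.h).
RIGHTS = {
    0x000001: "ReadData", 0x000002: "WriteData", 0x000004: "AppendData",
    0x000008: "ReadEA", 0x000010: "WriteEA", 0x000020: "Execute",
    0x000040: "DeleteChild", 0x000080: "ReadAttributes",
    0x000100: "WriteAttributes", 0x010000: "DELETE",
    0x020000: "READ_CONTROL", 0x040000: "WRITE_DAC",
    0x080000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
# Rights that change an object's content, existence, permissions or owner
# (grouping chosen for this example).
MODIFYING = 0x000002 | 0x000004 | 0x000040 | 0x010000 | 0x040000 | 0x080000

def decode_mask(mask):
    """Names of the rights set in an access mask, lowest bit first."""
    return [name for bit, name in RIGHTS.items() if mask & bit]

def parse(text):
    """Yield (time, ip, path, actions, mask) for each well-formed line."""
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 5:
            continue  # blank or malformed line
        time, ip, path, actions, mask = fields
        yield time, ip, path, actions.split(), int(mask, 16)

def modifying_access(text):
    """Map (ip, path) to the sorted modifying rights seen across all events."""
    seen = defaultdict(set)
    for _time, ip, path, _actions, mask in parse(text):
        if mask & MODIFYING:
            seen[(ip, path)].update(decode_mask(mask & MODIFYING))
    return {key: sorted(names) for key, names in seen.items()}

# Constructed sample: three rows taken from the usage output above.
SAMPLE = "\n".join("\t".join(row) for row in [
    ("2025-05-15 15:34:40", "192.168.0.2", r"\\*\Shared\desktop.ini", "Read", "0x00120089"),
    ("2025-05-15 15:44:00", "192.168.0.2", r"\\*\Shared\New Text Document.txt", "Read Write Append", "0x0016019F"),
    ("2025-05-15 15:44:09", "192.168.0.2", r"\\*\Shared\New Text Document.txt", "Delete", "0x00110080"),
])

if __name__ == "__main__":
    for (ip, path), rights in modifying_access(SAMPLE).items():
        print(ip, path, ",".join(rights), sep="\t")
```

In the sample, the row with mask 0x0016019F has the WRITE_DAC bit set, which its Actions column (Read Write Append) does not spell out. Event 5145 records an access check, so the decoded rights are those requested by the client.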