Windows event log (evt)
MS Windows 2000, XP and 2003 typically maintain three Event Log files: Application, System, and Security. They are generally found in the C:\Windows\system32\config directory. Server versions of the OS may maintain additional Event Logs (DNS Server.evt, Directory Service.evt, File Replication Service.evt) depending upon the functionality of the server.
Note that Windows Vista and later use the Windows XML Event Log (evtx) format.
Each log file consists of a Header record and the Body. The body again consists of Event records, the Cursor record and unused space. The body could form a ring buffer, where the cursor record will mark the border between the oldest and the newest event record. Unused space could be empty, slack and padding.
Header Record
The Header Record defined as ELF_LOGFILE_HEADER on MSDN consists of:
- uint32 length of record in bytes, fixed 0x30
- char magic[4], fixed 'LfLe' (for Event log file)
- uint32 unknown, fixed 0x0100 0x0000, possibly indicates version
- uint32 unknown, fixed 0x0100 0x0000, possibly indicates version
- uint32 offset of first event record
- uint32 offset of next event record
- uint32 number of next event record
- uint32 number of first event record
- uint32 filesize (see below)
- uint32 flags (see below)
- uint32 retention period in seconds
- uint32 length of record in bytes (again), fixed 0x30
Offsets and record numbers are updated only during a file close operation, that is if the DIRTY flag (see below) is unset. Consult the cursor record in that case.
Filesize is updated only during some recovery operations.
Flags
- 0x0001 DIRTY if set, flag is set after first first write after an open operation.
- 0x0002 WRAPPED is set, flag is set if the log wrapped around.
- 0x0004 FULL if set, flag is set if an event record could not be written because of size limitations and the retention policy in effect.
- 0x0008 PRIMARY if set, BACKUP if unset. This flag possibly depends on the origin of a log file, usage seems change between earlier (pre SP1) and later versions (SP4) of Windows 2000.
Cursor Record
- uint32 length of record in bytes, fixed 0x28
- uint32 magic[4], fixed 0x11111111 0x22222222 0x33333333 0x44444444
- uint32 offset of first event record
- uint32 offset of next event record
- uint32 number of next event record
- uint32 number of first event record
- uint32 length of record in bytes, fixed 0x28
Event Record
Details of the Event record can be found in Microsoft's MSDN library under EVENTLOGRECORD.
Padding
If
- a log file has reached its configured size limit
- and the retention policy allows wrapping
- and the remaining size is larger than 0x38 but smaller than the event record to be written,
then
- the event log service writes the first part of the event record (to record offset 0x38)
- fills the remaining space with a padding of 0x0027
- continues to write the second part of the event record (starting at record offset 0x38) at the top of the body (immediately after the header, that is at file offset 0x30).
Message Templates
When written to disk, EVT log records contain very little human-readable context. Log entries are made human-readable at analysis time through tools such as the event viewer, by combining pre-defined log templates (stored in system DLLs and EXEs) with variable data stored in the EVT file. The templates and variable data are combined with a call to FormatMessage(), which means the templates look similar to printf()'s format strings.
When event viewer (or other log viewing tools) displays log records, it has to determine which DLLs store the message templates. This linking information is stored in the registry, and is specific to each type of log (System, Security, Application, etc). These entries ultimately point out a list of DLLs which contain the message templates. Each log record contains a relative virtual address (RVA) to reference the associated message template. The lower 16 bits of this RVA is typically displayed as the Message ID, but this alone generally isn't enough to uniquely reference a message template.
All of this means that EVT files aren't really complete on their own. The files which store the core meaning of the log entry are separate from the logs themselves and this creates several analysis problems. First of all, an attacker could modify DLLs or the registry in order to change the meaning of logs without having to touch the EVT file at all. Secondly, when software is uninstalled in the future, it could cause some EVT records to lose their context. Finally, EVT files aren't particularly portable to other systems, since some log records could rely on message templates which don't exist on other systems. One must be careful to keep these issues in mind when analyzing EVT logs.
See Also
External Links
File Format
Tools
- File::ReadEVT is a Perl module that parses event log files for the purpose of forensics. This tool appears to be abandoned.
- evtkit - fix broken evt files. This tool appears to be abandoned.
- lfle.py, by Willi Ballenthin. This tool appears to be abandoned.
- libevt