Windows xml event log (evtx)

The Windows XML Event Log (EVTX) format was introduces in Windows Vista as a replacement for the Windows Event Log (evt) format.

Event Viewer

On Windows the event logs can be managed with "Event Viewer" (eventvwr.msc) or "Windows Events Command Line Utility" (wevtutil.exe). Event Viewer can represent the EVTX files in both "general view" (or formatted view) and "details view" (which has both a "friendly view" and "XML view"). Note that the formatted view can hide significant event data that is stored in the event record and can be seen in the detailed view.

If you export an event log from Event Viewer additional "display information" can be exported. This display information is stored in a corresponding file named:

LocaleMetaData\%FILENAME%_%LCID%.MTA

Where LCID is the "locale identifier" 1.

Location

C:\Windows\system32\winevt\Logs

See Also

• Windows Event Log (evt)
• Windows

External Links

• Mute Sysmon - Silence Sysmon via event manifest tampering, by SecurityJosh, April 23, 2020

File Format

• EventLog Remoting Protocol Version 6.0 Specification, by Microsoft
• Simple BinXml Example, by Microsoft
• Introducing the Microsoft Vista Event Log File Format, by Andreas Schuster, in 2007
• Windows XML Event Log (EVTX) format, by the libevtx project

Windows Vista/2008

• Description of security events in Windows Vista and in Windows Server 2008

Windows 7

• Core OS Events in Windows 7, Part 1
• Core Instrumentation Events in Windows 7, Part 2

Tools

• libevtx
• log2timeline
• wevtutil
• LogParser
• python-evtx
• winlast
• Event log explorer
• Event-Log Hunting tools collection by Renzon