3gstudent / Eventlogedit-evtx--Evolution

Remove individual lines from Windows XML Event Log (EVTX) files

xml EvtxRecordId Error! #15

Open UbuntuOS-git opened 2 years ago

UbuntuOS-git commented 2 years ago

Here! DeleteRecordofFile and DeleteRecordbyGetHandle:

v7 = eventRecordIdentifier; ===> v7 = *v7 - 1;

When the first recordID is not 1, it will be wrong.

3gstudent commented 2 years ago

DeleteRecordofFile and DeleteRecordbyGetHandle are not the final version, because there will still be traces of modification, and the format has not been completely corrected.

If you want to achieve the function, you can use DeleteRecordofFileEx and DeleteRecordbyGetHandleEx.

UbuntuOS-git commented 2 years ago

But if I use DeleteRecordofFileEx and DeleteRecordbyGetHandleEx, the EventRecordIDs are not consecutive...
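An added defender-side check, not code from this repository: it walks the records of one EVTX chunk and lists the EventRecordIds missing between the first and last identifier stored in the chunk header, so a deleted record like the one discussed above shows up as a gap. It assumes the standard chunk layout (records start at offset 512, each beginning with the 2a 2a 00 00 magic) and builds its own constructed sample chunk instead of reading a real log.

```python
import struct

CHUNK_MAGIC = b"ElfChnk\x00"
RECORD_MAGIC = b"\x2a\x2a\x00\x00"
CHUNK_SIZE = 65536
RECORDS_START = 512  # 128-byte chunk header + string table + template table

def build_record(record_id, body):
    # EVTX record: magic, size, EventRecordId, written FILETIME, BinXml body, copy of size
    size = 4 + 4 + 8 + 8 + len(body) + 4
    return RECORD_MAGIC + struct.pack("<IQQ", size, record_id, 0) + body + struct.pack("<I", size)

def build_chunk(record_ids):
    # Constructed sample chunk (not a real log): the header claims the first and last
    # EventRecordId of the list, records follow at offset 512, the rest is zero padding
    body = b"\x0f\x01\x01\x00"  # minimal BinXml fragment header
    records = b"".join(build_record(rid, body) for rid in record_ids)
    header = CHUNK_MAGIC + struct.pack("<QQQQ", 1, len(record_ids), record_ids[0], record_ids[-1])
    header += struct.pack("<I", 128)  # header size field
    return (header.ljust(RECORDS_START, b"\x00") + records).ljust(CHUNK_SIZE, b"\x00")

def iter_record_ids(chunk):
    # Walk records in file order until the magic no longer matches or a record is malformed
    off = RECORDS_START
    while chunk[off:off + 4] == RECORD_MAGIC:
        size, rid = struct.unpack_from("<IQ", chunk, off + 4)
        if size < 28 or off + size > len(chunk):
            break
        if struct.unpack_from("<I", chunk, off + size - 4)[0] != size:
            break  # trailing size copy disagrees: truncated or spliced record
        yield rid
        off += size

def find_missing_ids(chunk):
    # Take the expected range from the header's own first/last identifier rather than
    # assuming the chunk starts at EventRecordId 1, which is the assumption this issue reports
    if chunk[:8] != CHUNK_MAGIC:
        raise ValueError("not an EVTX chunk")
    first_id, last_id = struct.unpack_from("<QQ", chunk, 24)
    seen = set(iter_record_ids(chunk))
    return [rid for rid in range(first_id, last_id + 1) if rid not in seen]

if __name__ == "__main__":
    sample = build_chunk([100, 101, 103, 104])  # id 102 removed, header left untouched
    print(find_missing_ids(sample))  # [102]
```

A gap-free sequence alone does not prove the chunk is intact; compare the record count against the header's last record number and verify the chunk checksums as well.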