EricZimmerman / Issues

This is a repository for reporting any issues in any of my software

EvtxECmd: Record error at offset #187

Open forensenellanebbia opened 2 years ago

forensenellanebbia commented 2 years ago

Description

When I try to parse some of the evtx files from this set, EVTX samples - EVTX-to-MITRE-Attack, EvtxECmd (latest version) displays some error messages and produces a blank CSV with just the header.

For instance, this is one of the files I can't parse: ID1116-1117-Defender%20threat%20detected.evtx. I can view the contents of the evtx with Event Viewer or Get-WinEvent with no issues.

Debug message

Here's a snippet of the message:


evtxecmd -f "c:\temp\EVTX-to-MITRE-Attack-master\Antivirus\ID1116-1117-Defender threat detected.evtx" --csv "c:\tools\evtxecmd" --debug

[2022-04-13 01:21:00.3628260 INF] Processing c:\temp\EVTX-to-MITRE-Attack-master\Antivirus\ID1116-1117-Defender threat detected.evtx...
[2022-04-13 01:21:00.3698752 INF] Chunk count: 1, Iterating records...
[2022-04-13 01:21:00.3747379 DBG] Processing chunk at offset 0x1000. Events found so far: 0
[2022-04-13 01:21:00.4054372 ERR] Record error at offset 0x1200, record #: 1 error: Specified argument was out of the range of valid values. (Parameter Value Type NullType is not handled! Handle it!)
System.ArgumentOutOfRangeException: Specified argument was out of the range of valid values. (Parameter Value Type NullType is not handled! Handle it!)
   at evtx.Tags.Value..ctor(Int64 recordPosition, BinaryReader dataStream, ChunkInfo chunk) in D:\Code\evtx\evtx\Tags\Value.cs:line 26
   at evtx.Tags.TagBuilder.BuildTag(Int64 recordPosition, BinaryReader dataStream, ChunkInfo chunk) in D:\Code\evtx\evtx\Tags\TagBuilder.cs:line 271
   at evtx.Tags.OpenStartElementTag..ctor(Int64 recordPosition, BinaryReader dataStream, ChunkInfo chunk, Boolean hasAttribute) in D:\Code\evtx\evtx\Tags\OpenStartElementTag.cs:line 53
   at evtx.Tags.TagBuilder.BuildTag(Int64 recordPosition, BinaryReader dataStream, ChunkInfo chunk) in D:\Code\evtx\evtx\Tags\TagBuilder.cs:line 264
   at evtx.EventRecord..ctor(BinaryReader recordData, Int32 recordPosition, ChunkInfo chunk) in D:\Code\evtx\evtx\EventRecord.cs:line 44
   at evtx.ChunkInfo..ctor(Byte[] chunkBytes, Int64 absoluteOffset, Int32 chunkNumber) in D:\Code\evtx\evtx\ChunkInfo.cs:line 208
[...]
[2022-04-13 01:21:00.4451981 INF] Record #1: Error: Specified argument was out of the range of valid values. (Parameter Value Type NullType is not handled! Handle it!)
[2022-04-13 01:21:00.4457700 INF] Record #2: Error: Index was out of range. Must be non-negative and less than the size of the collection. (Parameter startIndex)
[2022-04-13 01:21:00.4463243 INF] Record #3: Error: Index was out of range. Must be non-negative and less than the size of the collection. (Parameter startIndex)
[2022-04-13 01:21:00.4468750 INF] Record #4: Error: Index was out of range. Must be non-negative and less than the size of the collection. (Parameter startIndex)
[2022-04-13 01:21:00.4474257 INF] Record #5: Error: Index was out of range. Must be non-negative and less than the size of the collection. (Parameter startIndex)
[2022-04-13 01:21:00.4479763 INF] Record #6: Error: Index was out of range. Must be non-negative and less than the size of the collection. (Parameter startIndex)
[2022-04-13 01:21:00.4491654 INF] Processed 1 file in 1,1180 seconds
[2022-04-13 01:21:00.4546050 INF] Files with errors
[2022-04-13 01:21:00.4555647 INF] c:\temp\EVTX-to-MITRE-Attack-master\Antivirus\ID1116-1117-Defender threat detected.evtx error count: 6

forensenellanebbia commented 2 years ago

EvtxECmd 1.5.0.0 (.net6) even though it still shows version 1.0.0.0 when I run "--version". I just downloaded it again from "Eric Zimmerman's tools" page.

On Wed, Apr 13, 2022 at 2:26 AM Andrew Rathbun @.***> wrote:

> Which version of evtxecmd are you using?


EricZimmerman commented 2 years ago

Are these forwarded event logs by chance?

forensenellanebbia commented 2 years ago

I'm sorry, I don't know. The readme in the repository doesn't say if the events were forwarded:

readme

But I get a similar issue when I try to parse another evtx file that I extracted from a VM running Win10 1809 (where there's no WEF): evtx_win10.zip

AndrewRathbun commented 2 years ago

> But I get a similar issue when I try to parse another evtx file that I extracted from a VM running Win10 1809 (where there's no WEF): evtx_win10.zip

For this, I get the following errors:

Processing C:\Users\CFUser\Downloads\evtx_win10\Microsoft-Windows-Windows Firewall With Advanced Security%4FirewallDiagnostics.evtx...
Chunk count: 1, Iterating records...
Record error at offset 0x1200, record #: 1 error: 'Element' is an invalid XmlNodeType.
System.Xml.XmlException: 'Element' is an invalid XmlNodeType.
   at System.Xml.XmlReader.FinishReadElementContentAsXxx()
   at System.Xml.XmlReader.ReadElementContentAsString()
   at evtx.EventRecord.BuildProperties()
   at evtx.EventRecord..ctor(BinaryReader recordData, Int32 recordPosition, ChunkInfo chunk)
   at evtx.ChunkInfo..ctor(Byte[] chunkBytes, Int64 absoluteOffset, Int32 chunkNumber)
Record error at offset 0x1B20, record #: 2 error: 'Element' is an invalid XmlNodeType.
System.Xml.XmlException: 'Element' is an invalid XmlNodeType.
   at System.Xml.XmlReader.FinishReadElementContentAsXxx()
   at System.Xml.XmlReader.ReadElementContentAsString()
   at evtx.EventRecord.BuildProperties()
   at evtx.EventRecord..ctor(BinaryReader recordData, Int32 recordPosition, ChunkInfo chunk)
   at evtx.ChunkInfo..ctor(Byte[] chunkBytes, Int64 absoluteOffset, Int32 chunkNumber)
Record error at offset 0x2080, record #: 3 error: 'Element' is an invalid XmlNodeType.
System.Xml.XmlException: 'Element' is an invalid XmlNodeType.
   at System.Xml.XmlReader.FinishReadElementContentAsXxx()
   at System.Xml.XmlReader.ReadElementContentAsString()
   at evtx.EventRecord.BuildProperties()
   at evtx.EventRecord..ctor(BinaryReader recordData, Int32 recordPosition, ChunkInfo chunk)
   at evtx.ChunkInfo..ctor(Byte[] chunkBytes, Int64 absoluteOffset, Int32 chunkNumber)
Record error at offset 0x23D8, record #: 4 error: 'Element' is an invalid XmlNodeType.
System.Xml.XmlException: 'Element' is an invalid XmlNodeType.
   at System.Xml.XmlReader.FinishReadElementContentAsXxx()
   at System.Xml.XmlReader.ReadElementContentAsString()
   at evtx.EventRecord.BuildProperties()
   at evtx.EventRecord..ctor(BinaryReader recordData, Int32 recordPosition, ChunkInfo chunk)
   at evtx.ChunkInfo..ctor(Byte[] chunkBytes, Int64 absoluteOffset, Int32 chunkNumber)
Record error at offset 0x2730, record #: 5 error: 'Element' is an invalid XmlNodeType.
System.Xml.XmlException: 'Element' is an invalid XmlNodeType.
   at System.Xml.XmlReader.FinishReadElementContentAsXxx()
   at System.Xml.XmlReader.ReadElementContentAsString()
   at evtx.EventRecord.BuildProperties()
   at evtx.EventRecord..ctor(BinaryReader recordData, Int32 recordPosition, ChunkInfo chunk)
   at evtx.ChunkInfo..ctor(Byte[] chunkBytes, Int64 absoluteOffset, Int32 chunkNumber)
Record error at offset 0x2A88, record #: 6 error: 'Element' is an invalid XmlNodeType.
System.Xml.XmlException: 'Element' is an invalid XmlNodeType.
   at System.Xml.XmlReader.FinishReadElementContentAsXxx()
   at System.Xml.XmlReader.ReadElementContentAsString()
   at evtx.EventRecord.BuildProperties()
   at evtx.EventRecord..ctor(BinaryReader recordData, Int32 recordPosition, ChunkInfo chunk)
   at evtx.ChunkInfo..ctor(Byte[] chunkBytes, Int64 absoluteOffset, Int32 chunkNumber)
Record error at offset 0x2DE0, record #: 7 error: 'Element' is an invalid XmlNodeType.
System.Xml.XmlException: 'Element' is an invalid XmlNodeType.
   at System.Xml.XmlReader.FinishReadElementContentAsXxx()
   at System.Xml.XmlReader.ReadElementContentAsString()
   at evtx.EventRecord.BuildProperties()
   at evtx.EventRecord..ctor(BinaryReader recordData, Int32 recordPosition, ChunkInfo chunk)
   at evtx.ChunkInfo..ctor(Byte[] chunkBytes, Int64 absoluteOffset, Int32 chunkNumber)
Record error at offset 0x3138, record #: 8 error: 'Element' is an invalid XmlNodeType.
System.Xml.XmlException: 'Element' is an invalid XmlNodeType.
   at System.Xml.XmlReader.FinishReadElementContentAsXxx()
   at System.Xml.XmlReader.ReadElementContentAsString()
   at evtx.EventRecord.BuildProperties()
   at evtx.EventRecord..ctor(BinaryReader recordData, Int32 recordPosition, ChunkInfo chunk)
   at evtx.ChunkInfo..ctor(Byte[] chunkBytes, Int64 absoluteOffset, Int32 chunkNumber)
Record error at offset 0x3490, record #: 9 error: 'Element' is an invalid XmlNodeType.
System.Xml.XmlException: 'Element' is an invalid XmlNodeType.
   at System.Xml.XmlReader.FinishReadElementContentAsXxx()
   at System.Xml.XmlReader.ReadElementContentAsString()
   at evtx.EventRecord.BuildProperties()
   at evtx.EventRecord..ctor(BinaryReader recordData, Int32 recordPosition, ChunkInfo chunk)
   at evtx.ChunkInfo..ctor(Byte[] chunkBytes, Int64 absoluteOffset, Int32 chunkNumber)
Record error at offset 0x37E8, record #: 10 error: 'Element' is an invalid XmlNodeType.
System.Xml.XmlException: 'Element' is an invalid XmlNodeType.
   at System.Xml.XmlReader.FinishReadElementContentAsXxx()
   at System.Xml.XmlReader.ReadElementContentAsString()
   at evtx.EventRecord.BuildProperties()
   at evtx.EventRecord..ctor(BinaryReader recordData, Int32 recordPosition, ChunkInfo chunk)
   at evtx.ChunkInfo..ctor(Byte[] chunkBytes, Int64 absoluteOffset, Int32 chunkNumber)
Record error at offset 0x39E8, record #: 11 error: 'Element' is an invalid XmlNodeType.
System.Xml.XmlException: 'Element' is an invalid XmlNodeType.
   at System.Xml.XmlReader.FinishReadElementContentAsXxx()
   at System.Xml.XmlReader.ReadElementContentAsString()
   at evtx.EventRecord.BuildProperties()
   at evtx.EventRecord..ctor(BinaryReader recordData, Int32 recordPosition, ChunkInfo chunk)
   at evtx.ChunkInfo..ctor(Byte[] chunkBytes, Int64 absoluteOffset, Int32 chunkNumber)
Record error at offset 0x3D40, record #: 12 error: 'Element' is an invalid XmlNodeType.
System.Xml.XmlException: 'Element' is an invalid XmlNodeType.
   at System.Xml.XmlReader.FinishReadElementContentAsXxx()
   at System.Xml.XmlReader.ReadElementContentAsString()
   at evtx.EventRecord.BuildProperties()
   at evtx.EventRecord..ctor(BinaryReader recordData, Int32 recordPosition, ChunkInfo chunk)
   at evtx.ChunkInfo..ctor(Byte[] chunkBytes, Int64 absoluteOffset, Int32 chunkNumber)
Record error at offset 0x4098, record #: 13 error: 'Element' is an invalid XmlNodeType.
System.Xml.XmlException: 'Element' is an invalid XmlNodeType.
   at System.Xml.XmlReader.FinishReadElementContentAsXxx()
   at System.Xml.XmlReader.ReadElementContentAsString()
   at evtx.EventRecord.BuildProperties()
   at evtx.EventRecord..ctor(BinaryReader recordData, Int32 recordPosition, ChunkInfo chunk)
   at evtx.ChunkInfo..ctor(Byte[] chunkBytes, Int64 absoluteOffset, Int32 chunkNumber)
Record error at offset 0x43F0, record #: 14 error: 'Element' is an invalid XmlNodeType.
System.Xml.XmlException: 'Element' is an invalid XmlNodeType.
   at System.Xml.XmlReader.FinishReadElementContentAsXxx()
   at System.Xml.XmlReader.ReadElementContentAsString()
   at evtx.EventRecord.BuildProperties()
   at evtx.EventRecord..ctor(BinaryReader recordData, Int32 recordPosition, ChunkInfo chunk)
   at evtx.ChunkInfo..ctor(Byte[] chunkBytes, Int64 absoluteOffset, Int32 chunkNumber)
Record error at offset 0x4748, record #: 15 error: 'Element' is an invalid XmlNodeType.
System.Xml.XmlException: 'Element' is an invalid XmlNodeType.
   at System.Xml.XmlReader.FinishReadElementContentAsXxx()
   at System.Xml.XmlReader.ReadElementContentAsString()
   at evtx.EventRecord.BuildProperties()
   at evtx.EventRecord..ctor(BinaryReader recordData, Int32 recordPosition, ChunkInfo chunk)
   at evtx.ChunkInfo..ctor(Byte[] chunkBytes, Int64 absoluteOffset, Int32 chunkNumber)
Record error at offset 0x4AA0, record #: 16 error: 'Element' is an invalid XmlNodeType.
System.Xml.XmlException: 'Element' is an invalid XmlNodeType.
   at System.Xml.XmlReader.FinishReadElementContentAsXxx()
   at System.Xml.XmlReader.ReadElementContentAsString()
   at evtx.EventRecord.BuildProperties()
   at evtx.EventRecord..ctor(BinaryReader recordData, Int32 recordPosition, ChunkInfo chunk)
   at evtx.ChunkInfo..ctor(Byte[] chunkBytes, Int64 absoluteOffset, Int32 chunkNumber)
Record error at offset 0x4DF8, record #: 17 error: 'Element' is an invalid XmlNodeType.
System.Xml.XmlException: 'Element' is an invalid XmlNodeType.
   at System.Xml.XmlReader.FinishReadElementContentAsXxx()
   at System.Xml.XmlReader.ReadElementContentAsString()
   at evtx.EventRecord.BuildProperties()
   at evtx.EventRecord..ctor(BinaryReader recordData, Int32 recordPosition, ChunkInfo chunk)
   at evtx.ChunkInfo..ctor(Byte[] chunkBytes, Int64 absoluteOffset, Int32 chunkNumber)

Event log details
Flags: None
Chunk count: 1
Stored/Calculated CRC: 4DFDFABA/4DFDFABA
Earliest timestamp:
Latest timestamp:
Total event log records found: 0

Records included: 0 Errors: 17 Events dropped: 0

Errors
Record #1: Error: 'Element' is an invalid XmlNodeType.
Record #2: Error: 'Element' is an invalid XmlNodeType.
Record #3: Error: 'Element' is an invalid XmlNodeType.
Record #4: Error: 'Element' is an invalid XmlNodeType.
Record #5: Error: 'Element' is an invalid XmlNodeType.
Record #6: Error: 'Element' is an invalid XmlNodeType.
Record #7: Error: 'Element' is an invalid XmlNodeType.
Record #8: Error: 'Element' is an invalid XmlNodeType.
Record #9: Error: 'Element' is an invalid XmlNodeType.
Record #10: Error: 'Element' is an invalid XmlNodeType.
Record #11: Error: 'Element' is an invalid XmlNodeType.
Record #12: Error: 'Element' is an invalid XmlNodeType.
Record #13: Error: 'Element' is an invalid XmlNodeType.
Record #14: Error: 'Element' is an invalid XmlNodeType.
Record #15: Error: 'Element' is an invalid XmlNodeType.
Record #16: Error: 'Element' is an invalid XmlNodeType.
Record #17: Error: 'Element' is an invalid XmlNodeType.

Processed 1 file in 0.5099 seconds

Files with errors
C:\Users\CFUser\Downloads\evtx_win10\Microsoft-Windows-Windows Firewall With Advanced Security%4FirewallDiagnostics.evtx error count: 17

> For instance, this is one of the files I can't parse: ID1116-1117-Defender%20threat%20detected.evtx. I can view the contents of the evtx with Event Viewer or Get-WinEvent with no issues.

For this one, I get:

Processing C:\Users\CFUser\Downloads\ID1116-1117-Defender threat detected.evtx...
Chunk count: 1, Iterating records...
Record error at offset 0x1200, record #: 1 error: Specified argument was out of the range of valid values.
Parameter name: Value Type NullType is not handled! Handle it!
System.ArgumentOutOfRangeException: Specified argument was out of the range of valid values.
Parameter name: Value Type NullType is not handled! Handle it!
   at evtx.Tags.Value..ctor(Int64 recordPosition, BinaryReader dataStream, ChunkInfo chunk)
   at evtx.Tags.TagBuilder.BuildTag(Int64 recordPosition, BinaryReader dataStream, ChunkInfo chunk)
   at evtx.Tags.OpenStartElementTag..ctor(Int64 recordPosition, BinaryReader dataStream, ChunkInfo chunk, Boolean hasAttribute)
   at evtx.Tags.TagBuilder.BuildTag(Int64 recordPosition, BinaryReader dataStream, ChunkInfo chunk)
   at evtx.EventRecord..ctor(BinaryReader recordData, Int32 recordPosition, ChunkInfo chunk)
   at evtx.ChunkInfo..ctor(Byte[] chunkBytes, Int64 absoluteOffset, Int32 chunkNumber)
Record error at offset 0x24D8, record #: 2 error: Index was out of range. Must be non-negative and less than the size of the collection.
Parameter name: startIndex
System.ArgumentOutOfRangeException: Index was out of range. Must be non-negative and less than the size of the collection.
Parameter name: startIndex
   at System.ThrowHelper.ThrowArgumentOutOfRangeException(ExceptionArgument argument, ExceptionResource resource)
   at System.BitConverter.ToUInt16(Byte[] value, Int32 startIndex)
   at evtx.ChunkInfo.GetStringTableEntry(UInt32 offset)
   at evtx.Tags.OpenStartElementTag..ctor(Int64 recordPosition, BinaryReader dataStream, ChunkInfo chunk, Boolean hasAttribute)
   at evtx.Tags.TagBuilder.BuildTag(Int64 recordPosition, BinaryReader dataStream, ChunkInfo chunk)
   at evtx.EventRecord..ctor(BinaryReader recordData, Int32 recordPosition, ChunkInfo chunk)
   at evtx.ChunkInfo..ctor(Byte[] chunkBytes, Int64 absoluteOffset, Int32 chunkNumber)
Record error at offset 0x3538, record #: 3 error: Index was out of range. Must be non-negative and less than the size of the collection.
Parameter name: startIndex
System.ArgumentOutOfRangeException: Index was out of range. Must be non-negative and less than the size of the collection.
Parameter name: startIndex
   at System.ThrowHelper.ThrowArgumentOutOfRangeException(ExceptionArgument argument, ExceptionResource resource)
   at System.BitConverter.ToUInt16(Byte[] value, Int32 startIndex)
   at evtx.ChunkInfo.GetStringTableEntry(UInt32 offset)
   at evtx.Tags.OpenStartElementTag..ctor(Int64 recordPosition, BinaryReader dataStream, ChunkInfo chunk, Boolean hasAttribute)
   at evtx.Tags.TagBuilder.BuildTag(Int64 recordPosition, BinaryReader dataStream, ChunkInfo chunk)
   at evtx.EventRecord..ctor(BinaryReader recordData, Int32 recordPosition, ChunkInfo chunk)
   at evtx.ChunkInfo..ctor(Byte[] chunkBytes, Int64 absoluteOffset, Int32 chunkNumber)
Record error at offset 0x45F0, record #: 4 error: Index was out of range. Must be non-negative and less than the size of the collection.
Parameter name: startIndex
System.ArgumentOutOfRangeException: Index was out of range. Must be non-negative and less than the size of the collection.
Parameter name: startIndex
   at System.ThrowHelper.ThrowArgumentOutOfRangeException(ExceptionArgument argument, ExceptionResource resource)
   at System.BitConverter.ToUInt16(Byte[] value, Int32 startIndex)
   at evtx.ChunkInfo.GetStringTableEntry(UInt32 offset)
   at evtx.Tags.OpenStartElementTag..ctor(Int64 recordPosition, BinaryReader dataStream, ChunkInfo chunk, Boolean hasAttribute)
   at evtx.Tags.TagBuilder.BuildTag(Int64 recordPosition, BinaryReader dataStream, ChunkInfo chunk)
   at evtx.EventRecord..ctor(BinaryReader recordData, Int32 recordPosition, ChunkInfo chunk)
   at evtx.ChunkInfo..ctor(Byte[] chunkBytes, Int64 absoluteOffset, Int32 chunkNumber)
Record error at offset 0x5650, record #: 5 error: Index was out of range. Must be non-negative and less than the size of the collection.
Parameter name: startIndex
System.ArgumentOutOfRangeException: Index was out of range. Must be non-negative and less than the size of the collection.
Parameter name: startIndex
   at System.ThrowHelper.ThrowArgumentOutOfRangeException(ExceptionArgument argument, ExceptionResource resource)
   at System.BitConverter.ToUInt16(Byte[] value, Int32 startIndex)
   at evtx.ChunkInfo.GetStringTableEntry(UInt32 offset)
   at evtx.Tags.OpenStartElementTag..ctor(Int64 recordPosition, BinaryReader dataStream, ChunkInfo chunk, Boolean hasAttribute)
   at evtx.Tags.TagBuilder.BuildTag(Int64 recordPosition, BinaryReader dataStream, ChunkInfo chunk)
   at evtx.EventRecord..ctor(BinaryReader recordData, Int32 recordPosition, ChunkInfo chunk)
   at evtx.ChunkInfo..ctor(Byte[] chunkBytes, Int64 absoluteOffset, Int32 chunkNumber)
Record error at offset 0x6748, record #: 6 error: Index was out of range. Must be non-negative and less than the size of the collection.
Parameter name: startIndex
System.ArgumentOutOfRangeException: Index was out of range. Must be non-negative and less than the size of the collection.
Parameter name: startIndex
   at System.ThrowHelper.ThrowArgumentOutOfRangeException(ExceptionArgument argument, ExceptionResource resource)
   at System.BitConverter.ToUInt16(Byte[] value, Int32 startIndex)
   at evtx.ChunkInfo.GetStringTableEntry(UInt32 offset)
   at evtx.Tags.OpenStartElementTag..ctor(Int64 recordPosition, BinaryReader dataStream, ChunkInfo chunk, Boolean hasAttribute)
   at evtx.Tags.TagBuilder.BuildTag(Int64 recordPosition, BinaryReader dataStream, ChunkInfo chunk)
   at evtx.EventRecord..ctor(BinaryReader recordData, Int32 recordPosition, ChunkInfo chunk)
   at evtx.ChunkInfo..ctor(Byte[] chunkBytes, Int64 absoluteOffset, Int32 chunkNumber)

Event log details
Flags: None
Chunk count: 1
Stored/Calculated CRC: 2B054F09/2B054F09
Earliest timestamp:
Latest timestamp:
Total event log records found: 0

Records included: 0 Errors: 6 Events dropped: 0

Errors
Record #1: Error: Specified argument was out of the range of valid values.
Parameter name: Value Type NullType is not handled! Handle it!
Record #2: Error: Index was out of range. Must be non-negative and less than the size of the collection.
Parameter name: startIndex
Record #3: Error: Index was out of range. Must be non-negative and less than the size of the collection.
Parameter name: startIndex
Record #4: Error: Index was out of range. Must be non-negative and less than the size of the collection.
Parameter name: startIndex
Record #5: Error: Index was out of range. Must be non-negative and less than the size of the collection.
Parameter name: startIndex
Record #6: Error: Index was out of range. Must be non-negative and less than the size of the collection.
Parameter name: startIndex

Processed 1 file in 0.5749 seconds

Files with errors
C:\Users\CFUser\Downloads\ID1116-1117-Defender threat detected.evtx error count: 6
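
A triage pass over the kind of console output quoted in this thread, as an added example that is not part of the thread or of EvtxECmd's own code: it groups record errors by exception type and innermost `evtx.*` stack frame, and flags files where every record failed so the CSV carries no events. The function name `triage`, the regular expressions and the abridged `SAMPLE` text are assumptions made for this illustration.

```python
import re
from collections import Counter

# Constructed sample, abridged from the EvtxECmd output quoted in this thread.
SAMPLE = r"""Processing C:\Users\CFUser\Downloads\ID1116-1117-Defender threat detected.evtx...
Record error at offset 0x1200, record #: 1 error: Specified argument was out of the range of valid values.
System.ArgumentOutOfRangeException: Specified argument was out of the range of valid values.
   at evtx.Tags.Value..ctor(Int64 recordPosition, BinaryReader dataStream, ChunkInfo chunk)
   at evtx.Tags.TagBuilder.BuildTag(Int64 recordPosition, BinaryReader dataStream, ChunkInfo chunk)
Record error at offset 0x24D8, record #: 2 error: Index was out of range.
System.ArgumentOutOfRangeException: Index was out of range.
   at System.BitConverter.ToUInt16(Byte[] value, Int32 startIndex)
   at evtx.ChunkInfo.GetStringTableEntry(UInt32 offset)
Record error at offset 0x3538, record #: 3 error: Index was out of range.
System.ArgumentOutOfRangeException: Index was out of range.
   at System.BitConverter.ToUInt16(Byte[] value, Int32 startIndex)
   at evtx.ChunkInfo.GetStringTableEntry(UInt32 offset)
Records included: 0 Errors: 3 Events dropped: 0
Processing C:\Users\CFUser\Downloads\evtx_win10\Microsoft-Windows-Windows Firewall With Advanced Security%4FirewallDiagnostics.evtx...
Record error at offset 0x1200, record #: 1 error: 'Element' is an invalid XmlNodeType.
System.Xml.XmlException: 'Element' is an invalid XmlNodeType.
   at System.Xml.XmlReader.ReadElementContentAsString()
   at evtx.EventRecord.BuildProperties()
Records included: 0 Errors: 1 Events dropped: 0
"""

RE_FILE = re.compile(r"Processing (.+\.evtx)\.\.\.")
RE_REC = re.compile(r"Record error at offset (0x[0-9A-Fa-f]+), record #: (\d+)")
RE_EXC = re.compile(r"^(System\.[\w.]+Exception):")
RE_FRAME = re.compile(r"^\s+at (evtx\.[\w.]+)\(")
RE_SUM = re.compile(r"Records included: (\d+) Errors: (\d+)")

def triage(text):
    """Return {file: {"included", "errors", "signatures", "empty_output"}}."""
    files, cur, rec = {}, None, None
    for line in text.splitlines():
        if m := RE_FILE.search(line):
            cur = files.setdefault(m.group(1), {"included": None, "records": []})
            rec = None
        elif cur is None:
            continue
        elif m := RE_REC.search(line):
            rec = {"offset": int(m.group(1), 16), "exception": None, "frame": None}
            cur["records"].append(rec)
        elif rec and rec["exception"] is None and (m := RE_EXC.search(line)):
            rec["exception"] = m.group(1)
        elif rec and rec["frame"] is None and (m := RE_FRAME.search(line)):
            rec["frame"] = m.group(1)  # innermost frame inside the evtx library
        elif m := RE_SUM.search(line):
            cur["included"], rec = int(m.group(1)), None
    report = {}
    for name, info in files.items():
        report[name] = {
            "included": info["included"],
            "errors": len(info["records"]),
            "signatures": Counter((r["exception"], r["frame"]) for r in info["records"]),
            # All records failed: the CSV holds a header and no events.
            "empty_output": info["included"] == 0 and bool(info["records"]),
        }
    return report

if __name__ == "__main__":
    for name, info in triage(SAMPLE).items():
        print(name, info["errors"], info["empty_output"], dict(info["signatures"]))
```

Because the patterns use `search`, the same function also accepts `--debug` output, where each line carries a timestamp and level prefix.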