EricZimmerman
commented
2 years ago your message seems to contradict itself. you say the filename is 20220615100000_EvtxECmd_Output.csv then imply that is somehow wrong, and want the filename to be 20220615100000_EvtxECmd_Output.csv, which it already is?
so, do you want all the generated filenames to use UTC time, or local time?
cc @AndrewRathbun
in evtxecmd, that filename is based on this:
var ts = DateTimeOffset.UtcNow;
then its converted to this format for the name of the file:
var outName = $"{ts:yyyyMMddHHmmss}_EvtxECmd_Output.csv";
in LECmd, its
var tsNow = DateTimeOffset.Now;
var outName = $"{tsNow:yyyyMMddHHmmss}_LECmd_Output.csv";
which is local time vs UTC.
i would be much more inclined to change the tools to all be using UTC. JLECmd is also using local time.
RduMarais
EvtxECmd version # I am running EvtxCmd version 1.0.0.0
Describe the bug If I run EvtxCmd at 12:00 without specifying an output file name, the generated file has a name such as
20220615100000_EvtxECmd_Output.csv. If I run it with others EZTools in a powershell loop, all others default output file names are like20220615120101_LECmd_Output.csv. @ro-olivier identified the same behavior on its end.To Reproduce The exact command executed is
.\EvtxECmd.exe -d .\C\Windows\System32\winevt\Logs\ --csv .\output\EventLogswith a fresh install of all EZTools.Expected behavior I expect the timestamp to be
20220615100000_EvtxECmd_Output.csvAdditional context My timezone is GMT + 2 / UTC+1
Possible explanation I suspect there are some time conversion between UTC and local timezone that somehow affected also the file name ?