UnicodeDecodeError: 'utf-8' codec can't decode byte 0x80 in position 32: invalid start byte

[hayasec]

env: macos

java: openjdk version "11.0.12" 2021-07-20 OpenJDK Runtime Environment Homebrew (build 11.0.12+0) OpenJDK 64-Bit Server VM Homebrew (build 11.0.12+0, mixed mode)

python: Python 3.9.6

command: windows: wevtutil epl Security test.evtx

macos: python3 logontracer.py -x test.evtx -z 8 -u neo4j -p mupass -s 127.0.0.1

error: [+] Script start. 2021/10/28 17:05:54 [+] Neo4j Kernel version: 4.3.6 [+] Time zone is 8. Traceback (most recent call last): File "/Users/test/LogonTracer/logontracer.py", line 1869, in main() File "/Users/test/LogonTracer/logontracer.py", line 1860, in main parse_evtx(args.xmls) File "/Users/test/LogonTracer/logontracer.py", line 815, in parse_evtx fb_header = fb.read(6) File "/usr/local/Cellar/python@3.9/3.9.6/Frameworks/Python.framework/Versions/3.9/lib/python3.9/codecs.py", line 322, in decode (result, consumed) = self._buffer_decode(data, self.errors, final) UnicodeDecodeError: 'utf-8' codec can't decode byte 0x80 in position 32: invalid start byte

but docker web import works fine.

[shu-tom]

If the file you are parsing is EVTX, use option -e. Option -x parses the XML file.