Closed benstobbs closed 3 years ago
I don't quite follow - are you talking about the extract_windows program dumping out event messages?
I found that many message files contain duplicate messages all the time - this is just the way the message tables are built. It is so that the message id can be mapped back to the same string.
Does it still render the correct message when parsing the evtx file?
This was a misunderstanding, sorry!
When multiple event providers use the same EventMessageFile (e.g. Microsoft-Windows-AppModel-Runtime and Microsoft-Windows-AppModel-State), only part of the EventMessageFile pertains to each event provider. However, every message is processed for each provider. This results in message duplications:
Apologies if I'm missing anything!