WithSecureLabs / chainsaw

Rapidly Search and Hunt through Windows Forensic Artefacts
GNU General Public License v3.0
2.7k stars 242 forks

Tau EventID Filter error #128

Closed Richard1611 closed 1 year ago

Richard1611 commented 1 year ago

Hi!

I've been trying to filter a specific eventid (system eventid 41) this way: chainsaw.exe search c:\Windows\System32\winevt\Logs -t 'Event.System.EventID=4104'

I'm getting this error:

[+] Loading forensic artefacts from: c:\Windows\System32\winevt\Logs
[+] Loaded 376 forensic files (1.3 GB)
[x] Invalid tau key value pair ''Event.System.EventID=4104''

What should I do?

alexkornitzer commented 1 year ago

Hey @Richard1611,

The Key/Value pair is delimited with : (https://github.com/WithSecureLabs/chainsaw/issues/114). So it would be Event.System.EventID: 4104

Richard1611 commented 1 year ago

Hi Alex, thanks for your reply.

Now, when I am doing chainsaw.exe search c:\Windows\System32\winevt\Logs -t Event.System.EventID: 4104 I'm getting this error:

[x] Specified event log path is invalid - 4104

I've tried to change the parameter order as the help says, but it is still not working.

Example: chainsaw.exe search [OPTIONS] [PATTERN] [PATH] = chainsaw.exe search -t Event.System.EventID: 4624 c:\Windows\System32\winevt\Logs

alexkornitzer commented 1 year ago

Because there is a space there you will need to wrap it in quotes, something like this: chainsaw.exe search c:\Windows\System32\winevt\Logs -t 'Event.System.EventID: 4104'

Also as EventID can sometimes be a string, IIRC, the safest way to do it is: chainsaw.exe search c:\Windows\System32\winevt\Logs -t 'int(Event.System.EventID): 4104'

Richard1611 commented 1 year ago

It's still giving me the same error: [x] Specified event log path is invalid - 4104'

PS: Chainsaw version 2.6.0

alexkornitzer commented 1 year ago

Oh, is this in Command Prompt or PowerShell? You probably need to use " instead of '. I don't use Windows all that much.

Richard1611 commented 1 year ago

Yep, I'm using PowerShell. After following your last recommendation of changing ' for ", it works!

Thanks a lot!