fireeye / pywintrace

ETW Python Library
Apache License 2.0

bad format UserData #11

Closed ling7334 closed 6 years ago

ling7334 commented 6 years ago

I've tried to capture provider Active Directory Domain Service: Core's events. The UserData is badly formatted, like below: "Description": "닼ᲃ쁏ᇑﲊ쀀쉏ᐙ瀪맔檘ᇒႷ쀀륏ꊘ"

I've also used the tracerpt tool to process the events and save them into a CSV file, and it converts properly.

Event Name,       Type,     Event ID,    Version,    Channel,      Level,     Opcode,       Task,            Keyword,        PID,        TID,     Processor Number,  Instance ID,   Parent Instance ID,                              Activity ID,                      Related Activity ID,           Clock-Time, Kernel(ms),   User(ms), User Data
DsDirSearch,      Start,            0,          4,          0,          0,          1,          0, 0x0000000000000000, 0x000001D8, 0x000004EC,                    0,             ,                     ,   {00000000-0000-0000-0000-000000000000},                                         ,   131644278080567528,          0,          0, "DS", 4, 6, 1141178432, 27086592, "127.0.0.1:54449", "base", "CN=***CommonName***,CN=***CommonName*** ,CN=***CommonName*** ,CN=***CommonName*** ,CN=***CommonName*** ,CN=***CommonName*** ,DC=***CommonName*** ,DC=***CommonName*** ", " (objectClass=*) ", "options", "", "", "",  0x0000160000000000

The System is Windows 2008 R2 Server, Active Directory Domain Server is enabled.

The issue also occurs on Windows 10 with provider Active Directory Domain Service: SAM

abergl commented 6 years ago

Did the rest of the message parse correctly?

ling7334 commented 6 years ago

Yes, other providers' messages are OK.

ling7334 commented 6 years ago

I wondered if it is because such providers use a manifest to define events.

abergl commented 6 years ago

I just pushed a change to the general_updates branch that addresses the mangled description you described. If there is no message string, the string will be an empty string.

abergl commented 6 years ago

Fix is in current release. Closing issue.
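As an added illustration (not pywintrace code, and not something the thread confirms as the root cause), the constructed Python model below shows one way a missing message string can surface as CJK-looking text: a reader that trusts a zero offset decodes the binary header in front of the strings as UTF-16LE, while the guarded reader returns an empty string the way the fix describes. The block layout (a 16-byte GUID followed by NUL-terminated UTF-16LE strings, offset 0 meaning "no message") is an assumption made for the demonstration.

```python
# Added example (not pywintrace code): why an ETW message string can come
# back as CJK-looking garbage, and the guard that returns "" instead.
# Assumption (constructed for this demo): the event-info block is a 16-byte
# GUID header followed by NUL-terminated UTF-16LE strings, and the message is
# addressed by a byte offset from the block start, where 0 means "no message".
import uuid

# Constructed sample GUID; chosen so its bytes decode to plain BMP characters.
SAMPLE_GUID = uuid.UUID("12345678-9abc-1234-1234-56789abc1234")

def build_event_info(message=None):
    """Build a constructed block: GUID header, then an optional message.
    Returns (buffer, message_offset); the offset is 0 when no message exists."""
    header = SAMPLE_GUID.bytes_le
    if message is None:
        return header, 0
    body = message.encode("utf-16-le") + b"\x00\x00"
    return header + body, len(header)

def read_wstring(buf, offset):
    """Mimic wstring_at(base + offset): decode UTF-16LE up to a NUL (or end)."""
    end = offset
    while end + 1 < len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[offset:end].decode("utf-16-le", errors="replace")

def naive_message(buf, offset):
    # Trusts the offset blindly: offset 0 decodes the GUID header as text.
    return read_wstring(buf, offset)

def safe_message(buf, offset):
    # Guard: no message string (offset 0) or out-of-range offset -> "".
    if offset == 0 or offset >= len(buf):
        return ""
    return read_wstring(buf, offset)

if __name__ == "__main__":
    buf, off = build_event_info(None)
    print(repr(naive_message(buf, off)))   # header bytes shown as "text"
    print(repr(safe_message(buf, off)))    # ''
    buf, off = build_event_info("DsDirSearch")
    print(repr(safe_message(buf, off)))    # 'DsDirSearch'
```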