Open jtmoon79 opened 1 year ago
Support parsing Windows Event Tracing Logs.
These can be viewed by the PowerShell cmdlet Get-WindowsUpdateLog. The diagnostic information reveals Event Tracing logs reside at path C:\Windows\Logs\WindowsUpdate\*.etl
Also, the program tracerpt.exe will write an .etl file to various formats.
```
PS1> tracerpt.exe -of XML "C:\Windows\Logs\WindowsUpdate\WindowsUpdate.20230329.121657.223.1.etl"
PS1> get-content dumpfile.xml
<Events>
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="WUTraceLogging" Guid="{921353-0000-454e-0000-e868d637e4d8}" />
      <EventID>0</EventID>
      <Version>0</Version>
      <Level>4</Level>
      <Task>0</Task>
      <Opcode>0</Opcode>
      <Keywords>0x800</Keywords>
      <TimeCreated SystemTime="2023-03-29T12:33:05.621016900-07:00" />
      <Correlation ActivityID="{00000000-0000-0000-0000-000000000000}" />
      <Execution ProcessID="21064" ThreadID="11964" ProcessorID="0" KernelTime="0" UserTime="0" />
      <Channel />
      <Computer />
    </System>
    <EventData>
      <Data Name="Info">* END * Service exit Exit code = 0x240001</Data>
    </EventData>
    <RenderingInfo Culture="en-US">
      <Task>Shared</Task>
    </RenderingInfo>
  </Event>
</Events>
```
The projects dissect.etl and etl-parser are Python implementations of an ETL parser, derived from work by Geoff Chappell, Software Analyst.
Relates to #105
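An added example, not code from the issue author or the project, showing one way to consume the tracerpt XML dump shown above: each <Event> is flattened into a record, and the SystemTime value is parsed while keeping the 100 ns ticks that exceed datetime's microsecond resolution, so near-simultaneous events still sort correctly. The sample XML is constructed from the single event in the issue; the record field names are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Default namespace tracerpt.exe places on each <Event> (seen in the dump above).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: the single event from the issue, compacted onto fewer lines.
SAMPLE_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<Provider Name="WUTraceLogging" Guid="{921353-0000-454e-0000-e868d637e4d8}" />
<EventID>0</EventID><Version>0</Version><Level>4</Level><Task>0</Task>
<Opcode>0</Opcode><Keywords>0x800</Keywords>
<TimeCreated SystemTime="2023-03-29T12:33:05.621016900-07:00" />
<Execution ProcessID="21064" ThreadID="11964" ProcessorID="0" KernelTime="0" UserTime="0" />
<Channel /><Computer /></System><EventData>
<Data Name="Info">* END * Service exit Exit code = 0x240001</Data></EventData>
<RenderingInfo Culture="en-US"><Task>Shared</Task></RenderingInfo></Event>
</Events>"""

_TS = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?(Z|[+-]\d{2}:\d{2})?$")

def parse_system_time(text):
    """SystemTime carries 7 fractional digits (100 ns ticks), finer than datetime's
    microseconds; return (aware datetime, leftover nanoseconds) so nothing is lost."""
    m = _TS.match(text)
    if not m:
        raise ValueError(f"unrecognised SystemTime: {text!r}")
    base, frac, tz = m.groups()
    nanos = int((frac or "").ljust(9, "0")[:9])      # normalise fraction to 9 digits
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    if tz in (None, "Z"):
        tzinfo = timezone.utc
    else:
        sign = 1 if tz[0] == "+" else -1
        tzinfo = timezone(sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[4:6])))
    return dt.replace(tzinfo=tzinfo, microsecond=nanos // 1000), nanos % 1000

def parse_events(xml_text):
    # Flatten each namespaced <Event> of a tracerpt XML dump into a plain dict.
    events = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        sys_el = ev.find("e:System", NS)
        ts, rem = parse_system_time(sys_el.find("e:TimeCreated", NS).get("SystemTime"))
        events.append({
            "provider": sys_el.find("e:Provider", NS).get("Name"),
            "event_id": int(sys_el.findtext("e:EventID", namespaces=NS)),
            "level": int(sys_el.findtext("e:Level", namespaces=NS)),
            "pid": int(sys_el.find("e:Execution", NS).get("ProcessID")),
            "timestamp": ts, "ns_remainder": rem,
            "data": {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)},
        })
    return events
```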