keydet89 / Events-Ripper

Project based on RegRipper, to extract add'l value/pivot points from TLN events file
GNU General Public License v3.0

The current "apptelem.pl", "failedlogins.pl", and "restarts.pl" plugins all appear to be busted. #1

Closed CmdrBurrito closed 7 months ago

CmdrBurrito commented 7 months ago

Something appears to be wrong with the "apptelem.pl", "failedlogins.pl", and "restarts.pl" plugins that have been uploaded into your "Events-Ripper" repository on GitHub.

After running a "git clone" against the current "Events-Ripper" repository, those three (3) specific plugin files appear to be filled with blank lines (or some other non-printable special character). When run on Windows, the command "erip.exe -l -c" returns errors when it hits those plugins as well. Lastly, attempting to view the source code for any of those plugins via the GitHub website appears to just return a bunch of the same repeating special characters (i.e., no source code is displayed).

Below is an example of "erip.exe -l -c" output on my machine:

PS C:\keydet89\Events-Ripper> .\erip.exe -l -c
Plugin,Version,Description
appissue,20230605,Parse Application Hang/Error events
Error: C:\keydet89\Events-Ripper\plugins\apptelem.pl did not return a true value at C:\keydet89\Events-Ripper\erip.exe line 65.
bitsclient,20230523,Gets info from BITS-Client/3 and /59 events
cleared,20230302,Check for EventLog cleared events
dcom10028,20220930,Parse DCOM/10028 events
defender,20230802,Parse multiple WinDefend events
Error: C:\keydet89\Events-Ripper\plugins\failedlogins.pl did not return a true value at C:\keydet89\Events-Ripper\erip.exe line 65.
filter,20230802,Parse Windows Filtering Platform events from Security.evtx
filtering,20230302,Parse filtering platform events
hitman,20220930,Parse HitmanPro.Alert/911 events
localsessionips,20230209,Parse LocalSessionManager events for IP addrs
logins,20230714,Parse Security-Auditing/4624 login events
mount,20221010,Get VHD[X]/ISO files mounted
msi,20230504,Parse MsiInstaller events
mssql,20230411,Parse MSSQL/18456 and ../15457 events
nssm,20230525,Parse nssm events
ntfs,20221010,Get NTFS volumes
osversion,20220930,Determine Windows version from EventLog/6009 events
pca,20220930,Gets info from Program Compat Asst Event Log
posh600,20230526,Parse Powershell/600 events for scripts
rdpcore140,20230203,Parse RdpCoreTS/140 events
Error: C:\keydet89\Events-Ripper\plugins\restarts.pl did not return a true value at C:\keydet89\Events-Ripper\erip.exe line 65.
s1,20220930,Parse SentinelOne/31 and /32 events
scm,20230802,Parse Service Control Manager events
sec4648,20220930,Parse Security-Auditing/4648 events
sec4688,20220930,Parse Security-Auditing/4688 events
sec4697,20220930,Parse Security-Auditing/4697 (service install) events
sec4797,20230504,Parse Security-Auditing/4797 (user account checked for blank passwd) events
sec4948,20220928,Parse Security-Auditing/4948 (firewall rule deletion) events
sec5381,20230605,Parse Security-Auditing/5381 (user enum. vault creds) events
sessions,20230307,Parse login/logoff events
shellcore,20220930,Get apps run via Run/RunOnce keys
timechange,20230601,Parse Security-Auditing/616 (system clock changed) events
tsgateway,20230209,Parse TSGateway events
usrmgr,20220930,Parse user mgmt events

Please advise if you have any questions. Regards!
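A pre-flight check for the symptom described in this report, added here as an illustration (not part of Events-Ripper): it scans a plugins directory and flags files that are mostly non-printable bytes, and, as a heuristic, text files whose last statement is not the conventional `1;` that a Perl `do`/`require` needs in order to "return a true value". The `plugins` default path, the 0.95 threshold and the `1;` convention are assumptions.

```python
import string
from pathlib import Path

# Bytes we accept as "text" in a Perl source file: printable ASCII plus whitespace.
# NUL padding, stray control bytes or UTF-8 replacement glyphs all fall outside this set.
PRINTABLE = set(bytes(string.printable, "ascii"))


def classify_plugin(data: bytes, min_printable_ratio: float = 0.95) -> str:
    """Return a verdict for the raw contents of one plugin file.

    "empty"         - zero-length file
    "non-printable" - mostly non-text bytes (the corrupted-upload symptom in this issue)
    "no-true-value" - readable text, but the final code line is not `1;` (assumed
                      convention), so loading it would fail the way erip reports
    "ok"            - looks like a normal plugin
    """
    if not data:
        return "empty"
    printable = sum(1 for b in data if b in PRINTABLE)
    if printable / len(data) < min_printable_ratio:
        return "non-printable"
    lines = [ln.strip() for ln in data.decode("ascii", errors="replace").splitlines()]
    code_lines = [ln for ln in lines if ln and not ln.startswith("#")]
    if not code_lines or code_lines[-1] != "1;":
        return "no-true-value"
    return "ok"


def scan_plugins(plugin_dir: str = "plugins") -> dict:
    """Map each *.pl file name under plugin_dir to its verdict."""
    return {p.name: classify_plugin(p.read_bytes())
            for p in sorted(Path(plugin_dir).glob("*.pl"))}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "plugins"
    for name, verdict in scan_plugins(target).items():
        if verdict != "ok":
            print(f"{name}: {verdict}")
```

Run it against the cloned repository's plugins directory before invoking erip; in the situation reported above it would have listed the three affected files as non-printable.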

keydet89 commented 7 months ago

That's weird.

I'll see what I can about replacing those three from my local repo.

keydet89 commented 7 months ago

Okay, try it now

CmdrBurrito commented 7 months ago

Yep, the problem appears to have been resolved. Many thanks!