keydet89 / Events-Ripper

Project based on RegRipper, to extract add'l value/pivot points from TLN events file
GNU General Public License v3.0

Error opening Event Log #2

Closed: bmmojo closed this issue 2 weeks ago

bmmojo commented 2 weeks ago

Whenever I run the batch file, I will get an error:

PS C:\Users\testlab\Downloads\Events-Ripper-main> .\wevtx.bat C:\Users\testlab\Desktop\ripper\Microsoft-Windows-Bits-Client%4Operational.evtx C:\Users\testlab\Desktop\ripper\test1.txt
Cannot open <from-entity>: Error opening event log "\\?\C:\Users\testlab\Desktop\ripper\Microsoft-Windows-Bits-Client%4Operational.evtx": The parameter is incorrect.

I have tried this on command prompt and "as administrator". I have tried running the batch file to the specific evtx in the Windows\System32\winevt\logs.

Am I doing something wrong?

keydet89 commented 2 weeks ago

Honestly, I don't know. I've never run the tool via PowerShell, and I don't have a copy of the .evtx file to verify...

bmmojo commented 2 weeks ago

Hey @keydet89, I figured out the issue.

The .evtx had an attribute of RA. I had to turn off the "Read-Only" attribute in the file. Now it works on both cmd.exe and powershell.exe.
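
Following the resolution reported in the last comment, one way to check for and clear the Read-Only attribute on working copies of .evtx files before passing them to the batch file. This is an added example, not part of the original thread or of the Events-Ripper project; the function name `Clear-EvtxReadOnly` and the demo folder and file are hypothetical and constructed for illustration.

```powershell
# Added example: report and clear the Read-Only attribute on .evtx working copies.
# Run it against copies of the logs, not against original evidence files.
function Clear-EvtxReadOnly {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [string]$Path    # folder holding the .evtx working copies
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "Folder not found: $Path"
    }

    foreach ($file in Get-ChildItem -LiteralPath $Path -Filter '*.evtx' -File) {
        $wasReadOnly = $file.IsReadOnly
        # -WhatIf makes ShouldProcess return $false, so nothing is modified
        if ($wasReadOnly -and $PSCmdlet.ShouldProcess($file.FullName, 'Clear Read-Only attribute')) {
            $file.IsReadOnly = $false
            $file.Refresh()   # re-read attributes after the change
        }
        # One record per file, so the change is documented in case notes
        [pscustomobject]@{
            File        = $file.Name
            WasReadOnly = $wasReadOnly
            Attributes  = $file.Attributes
        }
    }
}

# Constructed demo: a temp folder with an empty placeholder file marked Read-Only.
$demo = Join-Path ([System.IO.Path]::GetTempPath()) 'evtx-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$sample = Join-Path $demo 'sample.evtx'
Set-Content -LiteralPath $sample -Value ''
Set-ItemProperty -LiteralPath $sample -Name IsReadOnly -Value $true

Clear-EvtxReadOnly -Path $demo -WhatIf   # report only
Clear-EvtxReadOnly -Path $demo           # clear the attribute
```

The first call lists which files carry the attribute without changing them; the second clears it and shows the resulting attributes.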