Closed williballenthin closed 7 years ago
@williballenthin thx, yes I was aware of this since I ran into "[MS-EVEN6]: EventLog Remoting Protocol Version 6.0"
per http://msdn.microsoft.com/en-us/library/cc231282(v=prot.10).aspx
Specifies the EventLog Remoting Protocol Version 6.0 protocol, which exposes RPC methods for reading events in both live and backup event logs on remote computers.
Most of the binary xml functionality has therefore been moved to https://github.com/libyal/libfwevt
@williballenthin the binary XML format is even stored in PE/COFF files: https://github.com/libyal/libexe/blob/master/documentation/Executable%20(EXE)%20file%20format.asciidoc#68-windows-event-template-resource-data
Over at https://github.com/williballenthin/python-evtx/issues/42 there's an interesting request for a parser for the EVTX log entries queried via RPC. Notably, this API returns a binary blob per event record. While the blob header is different from the EVTX record header, it's obvious most of the binary XML format is shared. Perhaps at your convenience, you might also be interested in reviewing this data.
For example, since records are transmitted independently, strings and templates seem to be placed in-line, rather than defined in a shared location. I think there are a few flags in the node headers which dictate this; however, I'm still exploring.
I'm not expecting anything from you here --- just passing along the pointer.