libyal / libevtx

Library and tools to access the Windows XML Event Log (EVTX) format
GNU Lesser General Public License v3.0
190 stars, 49 forks

Invalid XML character #20

Closed Brassrat closed 4 years ago

Brassrat commented 6 years ago

I haven't traced down the root cause of this, but I am getting a number of Events with ^C characters for the LockoutObservationWindow and/or the MinPasswordLength. These are not valid XML characters and cause XML parsers to fail; even with an XML 1.1 parser these would have to at least be character entity references, not simple bytes. Not sure if this is some issue with the virtual machine setup. It is a Windows 7 VMware-based VM.

Could someone give me a pointer in the code where such characters would be generated so I can prevent them from getting into the XML stream. Thanks.

an example:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}"/>
    <EventID>4739</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13569</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2016-10-25T16:36:27.531877000Z"/>
    <EventRecordID>5040</EventRecordID>
    <Correlation/>
    <Execution ProcessID="656" ThreadID="716"/>
    <Channel>Security</Channel>
    <Computer>WIN7VM.local</Computer>
    <Security/>
  </System>
  <EventData>
    <Data Name="DomainPolicyChanged">Lockout Policy</Data>
    <Data Name="DomainName">WIN7VM</Data>
    <Data Name="DomainSid">S-1-5-21-1424057123-4072980456-840877789</Data>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">WIN7VM$</Data>
    <Data Name="SubjectDomainName">DOMAIN</Data>
    <Data Name="SubjectLogonId">0x00000000000003e7</Data>
    <Data Name="PrivilegeList">-</Data>
    <Data Name="MinPasswordAge">-</Data>
    <Data Name="MaxPasswordAge">-</Data>
    <Data Name="ForceLogoff">-</Data>
    <Data Name="LockoutThreshold">5</Data>
    <Data Name="LockoutObservationWindow"></Data>
    <Data Name="LockoutDuration"/>
    <Data Name="PasswordProperties"/>
    <Data Name="MinPasswordLength"></Data>
    <Data Name="PasswordHistoryLength"/>
    <Data Name="MachineAccountQuota"/>
    <Data Name="MixedDomainMode">-</Data>
    <Data Name="DomainBehaviorVersion">-</Data>
    <Data Name="OemInformation">-</Data>
  </EventData>
</Event>
joachimmetz commented 6 years ago

If you have an example evtx file that you can share that would be useful.

Brassrat commented 6 years ago

Thanks for your reply.

Not sure if I can share the whole file.

There are only a few such events, mostly from a long time ago.

However, I have since determined that it is the event file itself.

i.e., the Windows Event Viewer refuses to create XML for these events – so not sure what libevtx could do.

Here is the ‘raw text’ for one of them: (from windows event viewer)

4739001356900x80200000000000008530Security666666-WIN7VMLockout Policy666666-WIN7VMS-1-5-21-1424057555-4072980066-844447911S-1-5-18666666-WIN7VM$W0x3e7----0---

(I replaced some characters in the above text.)

I am currently piping the output of evtxexport into a sax parser. I plan on wrapping the stream with my own class and just throwing away characters between 0 and 7.

This gets me going.

BTW – we tried using the native windows 64 build vs a Cygwin-based build. The native windows exe ran orders of magnitude slower (>5 minutes vs 30 seconds.)

Any ideas? We figure it’s a buffering issue but don’t know where to begin to debug it.

joachimmetz commented 6 years ago

Not sure if I can share the whole file. (I replaced some characters in the above text )

Alas, I would need the original data to see what the culprit is.

Another option is to provide me with the debug output for the offending event log entries. Also see: https://github.com/libyal/libevtx/wiki/Troubleshooting#verbose-and-debug-output

joachimmetz commented 6 years ago

BTW – we tried using the native windows 64 build vs a Cygwin-based build. The native windows exe ran orders of magnitude slower (>5 minutes vs 30 seconds.)

Please run with code profiling to determine what is slower on WINAPI + VS C runtime.

joachimmetz commented 4 years ago

Closing issue; unable to solve without reproducing the issue.