invalid XML file output

[Brassrat]

Thanks for writing this library, i think it will be very useful to me. A minor nit however regarding evtxexport. When you ask for xml output (-f xml) the output is not valid xml because

1. The first line contains the program name - this line should either be omitted or surrounded with XML comment ()
2. there is no 'root' tag surrounding the individual tags, say <Events>[<Event>]*</Events>
3. Wrt 'recovered' entries - the xml was just not valid e.g., missing end tag ()

changes for 1 requires moving the call to evtxoutput_version_fprint after argument processing so the export_format is known: `if( evtxexport_export_handle->export_format == EXPORT_FORMAT_XML ) { fprintf(stdout, "<!-- \n"); }

evtxoutput_version_fprint(
 stdout,
 program );

if( evtxexport_export_handle->export_format == EXPORT_FORMAT_XML ) { fprintf(stdout, "\n-->\n"); }`

changes for 2: are just a couple of additional fprintf s in export_handle.c

[joachimmetz]

When you ask for xml output (-f xml) the output is not valid xml because

This is not the goal of the program to have a valid full XML document. The goal of the -f xml option is to provide output that is comparable to windows event log viewer xml output. You can easily write a small program around the library or Python binding to accomplish this if you need to.

Wrt 'recovered' entries - the xml was just not valid e.g., missing end tag ()

Not sure what you mean.

[Brassrat]

Another question, in the xml i see the following (in vim):

%%1537^M %%1538^M %%1539^M %%7168^M %%7169^M %%7170^M %%7171^M %%7172^M %%7173^M

Why the extra carriage return? The characters can be removed ­ so they really are there. Or is this what is in the evtx bXML? Some list separator syntax? I don¹t have a good C IDE environment to debug this; obviously i can simply remove all carriage returns ­ but they only show up for the AccessMask data values.

TIA, -jay

[joachimmetz]

As indicated this is to match the Windows event viewer output.

Or is this what is in the evtx bXML?

Yes