libyal / winevt-kb

Windows Event Log Knowledge Base
Apache License 2.0

extract.py: exception unsupported resource type: 0x00000000 #14

Closed Joe860 closed 2 years ago

Joe860 commented 5 years ago

I'm trying to build a new winevt-kb.db so that I could use the plaso tagging analyser with Sysmon logs. My assumption is that you can't add Sysmon events to tag_windows.txt without rebuilding winevt-kb.db, is that correct? psort.py immediately reports "killed" while using custom Sysmon tags.

I have mounted the filesystem under the win10sysmon/image path. I noticed that I'll have to use dfvfs version 20180831 or extract.py does not run at all, and if I use a newer version of dfvfs, for some reason I get APFS-related errors which are not relevant at all(?)

```
./extract.py --db win10sysmon/ win10sysmon/image/
Windows version: 10.0.17763.737.

[INFO] Current control set
[INFO] Processing: %SystemRoot%\system32\dimsjob.dll
[INFO] Processing: %SystemRoot%\System32\gpprefcl.dll
[INFO] Processing: %SystemRoot%\system32\wbem\WinMgmtR.dll
[INFO] Processing: %SystemRoot%\System32\appmgr.dll
[INFO] Processing: %SystemRoot%\system32\perfctrs.dll
[INFO] Processing: %SystemRoot%\system32\sxproxy.dll
[INFO] Processing: %SystemRoot%\System32\AxInstSv.dll
Traceback (most recent call last):
  File "./extract.py", line 291, in <module>
    if not Main():
  File "./extract.py", line 272, in Main
    extractor_object.ExtractEventLogMessageStrings(output_writer)
  File "/usr/local/lib/python2.7/dist-packages/winevtrc/extractor.py", line 431, in ExtractEventLogMessageStrings
    message_filename, definitions.MESSAGE_FILE_TYPE_EVENT)
  File "/usr/local/lib/python2.7/dist-packages/winevtrc/extractor.py", line 226, in _ExtractMessageFile
    mui_language = message_file.GetMUILanguage()
  File "/usr/local/lib/python2.7/dist-packages/winevtrc/resource_file.py", line 134, in GetMUILanguage
    if language_identifier in mui_resource.language_identifiers:
IOError: pywrc_resource_get_language_identifiers: unable to retrieve number of languages. libwrc_resource_read_value: unsupported resource type: 0x00000000. libwrc_resource_get_number_of_languages: unable to read resource value.
```

Joe860 commented 5 years ago

I guess a workaround would be Mark Hallman's Filters

by using the "message contains" method? which is clever.

joachimmetz commented 5 years ago

> by using the "message contains" method? which is clever.

Actually this is unlikely to work with the latest plaso, since message is a virtual member of event, which we no longer support in the event filter. See the bottom of https://plaso.readthedocs.io/en/latest/sources/user/Event-filters.html#how-do-event-filters-work

The best way to filter on event log messages in event filters is to use:

  • message provider
  • event ID + qualifiers
  • and specific event string/data values

> IOError: pywrc_resource_get_language_identifiers: unable to retrieve number of languages. libwrc_resource_read_value: unsupported resource type: 0x00000000. libwrc_resource_get_number_of_languages: unable to read resource value.

This looks like the wrc library encounters an unsupported format issue. Could you indicate to me which version of libwrc/pywrc you are using? I'll see if I can reproduce this on Win10 when time permits.

Joe860 commented 5 years ago

> by using the "message contains" method? which is clever.
>
> Actually this is unlikely to work with the latest plaso, since message is a virtual member of event, which we no longer support in the event filter. See the bottom of https://plaso.readthedocs.io/en/latest/sources/user/Event-filters.html#how-do-event-filters-work

I can confirm this, it didn't work.

> The best way to filter on event log messages in event filters is to use:
>
>   • message provider
>   • event ID + qualifiers
>   • and specific event string/data values

> IOError: pywrc_resource_get_language_identifiers: unable to retrieve number of languages. libwrc_resource_read_value: unsupported resource type: 0x00000000. libwrc_resource_get_number_of_languages: unable to read resource value.
>
> This looks like the wrc library encounters an unsupported format issue. Could you indicate to me which version of libwrc/pywrc you are using? I'll see if I can reproduce this on Win10 when time permits.

./runtests.py gives me:

```
[OK] pywrc version: 20181203
```
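The filtering approach recommended in the thread (match on message provider, event ID plus qualifiers, and specific event-data values, never on the rendered message text) can be shown independently of plaso's own filter engine. The following Python is an added example written for this page, not code from winevt-kb or plaso: the record fields, rule structure and sample events are constructed here to illustrate the principle, and plaso's actual filter syntax is the one documented at the URL quoted above.

```python
"""Tag Windows event records on structured fields instead of message text.

The rendered message needs the message-string database that extract.py
builds; provider, event ID, qualifiers and event-data strings are present
in the raw EVTX record itself, so rules built on them work without it.
All records and rules below are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class EventRecord:
    """Structured fields of one EVTX record (no rendered message on purpose)."""
    provider: str
    event_id: int
    qualifiers: int = 0
    data: Dict[str, str] = field(default_factory=dict)


@dataclass(frozen=True)
class TagRule:
    """Applies `label` when provider, event ID, optional qualifiers and every
    (field, substring) pair in `data_contains` match the record."""
    label: str
    provider: str
    event_id: int
    qualifiers: Optional[int] = None
    data_contains: Tuple[Tuple[str, str], ...] = ()

    def matches(self, record: EventRecord) -> bool:
        if record.provider.lower() != self.provider.lower():
            return False
        if record.event_id != self.event_id:
            return False
        if self.qualifiers is not None and record.qualifiers != self.qualifiers:
            return False
        # Event-data checks are case-insensitive substring matches, which is
        # enough for paths and fixed enumerations like LogonType.
        for name, needle in self.data_contains:
            if needle.lower() not in record.data.get(name, "").lower():
                return False
        return True


def tag_records(records: List[EventRecord], rules: List[TagRule]) -> Dict[str, List[int]]:
    """Return {rule label: [indices of matching records]} for every rule."""
    hits: Dict[str, List[int]] = {rule.label: [] for rule in rules}
    for index, record in enumerate(records):
        for rule in rules:
            if rule.matches(record):
                hits[rule.label].append(index)
    return hits


# Constructed sample records. Sysmon ID 1 is process creation, ID 3 is a
# network connection, Security 4624 with LogonType 10 is a remote
# interactive logon; the SCM 7036 qualifiers value is a sample.
SAMPLE_RECORDS = [
    EventRecord("Microsoft-Windows-Sysmon", 1,
                data={"Image": r"C:\Windows\System32\cmd.exe",
                      "ParentImage": r"C:\Windows\explorer.exe"}),
    EventRecord("Microsoft-Windows-Sysmon", 1,
                data={"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                      "CommandLine": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"}),
    EventRecord("Microsoft-Windows-Sysmon", 3,
                data={"DestinationPort": "443"}),
    EventRecord("Microsoft-Windows-Security-Auditing", 4624,
                data={"LogonType": "10"}),
    EventRecord("Service Control Manager", 7036, qualifiers=16384,
                data={"param1": "Sysmon64", "param2": "running"}),
]

# Constructed rules mirroring the kind of entries one would keep in a
# tagging file: provider + event ID, optionally narrowed by event data.
RULES = [
    TagRule("sysmon_process_create", "Microsoft-Windows-Sysmon", 1),
    TagRule("sysmon_powershell_launch", "Microsoft-Windows-Sysmon", 1,
            data_contains=(("Image", "powershell.exe"),)),
    TagRule("sysmon_network_connect", "Microsoft-Windows-Sysmon", 3),
    TagRule("remote_interactive_logon", "Microsoft-Windows-Security-Auditing", 4624,
            data_contains=(("LogonType", "10"),)),
    TagRule("service_state_change", "Service Control Manager", 7036,
            qualifiers=16384),
]


if __name__ == "__main__":
    for label, indices in tag_records(SAMPLE_RECORDS, RULES).items():
        print(f"{label}: records {indices}")
```

Because none of the rules touch a rendered message, the same tagging works whether or not winevt-kb.db contains message strings for the provider; the qualifiers check matters for legacy providers such as the Service Control Manager, where the same numeric ID can appear with different qualifier bits.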

joachimmetz commented 2 years ago

pywrc_resource_get_language_identifiers has been deprecated and the scripts have been updated to use the new pywrc API. Give it a try and reopen if the issue persists.