libyal / winevt-kb

Windows Event Log Knowledge Base
Apache License 2.0

Add support for WEVT_TEMPLATE mapped event identifiers #18

Open J-A-Sec opened 1 week ago

J-A-Sec commented 1 week ago

Describe the problem:

When running psort against a log2timeline-generated plaso file, message strings from a custom winevt-rc.db database are applied only to a minority of Event Log records, despite multiple messages and logs in the database which should apply. The custom database was generated from the same language and OS version as the host where the Event Logs were captured from.

Upon further inspection, I noticed that the custom winevt-rc.db I generated from a fresh Windows 11 install (using instructions from here: http://blog.kiddaland.net/2015/04/windows-event-log-message-strings.html) had prefixed 0xb instead of 0x0 to the majority of message_identifier fields.

A good example is the source "Microsoft-Windows-TerminalServices-LocalSessionManager". The entries in winevt-rc.db look like this: [screenshot not included in the text]

If I manually change line 22 to 0x0 from 0xb, the Message String is correctly displayed in the psort output for that event: [screenshot not included in the text]

Have I done something wrong in generating winevt-rc.db or is this a bug?

To Reproduce:

The versions used:

- winevt-kb latest, from https://github.com/libyal/winevt-kb
- dfvfs latest, from https://github.com/log2timeline/dfvfs

The operating system you are running Plaso on (Not the operating system of the image/files you're trying to analyze): Ubuntu 24.04

Steps to reproduce the behavior including command line and arguments and output: Follow the instructions to build your own winevt-rc.db here, running against a fresh Windows 11 installation disk image: http://blog.kiddaland.net/2015/04/windows-event-log-message-strings.html#:~:text=How%20to%20build%20your%20own%20winevt%2Drc.db

Please provide the source data you used when you experienced the problem. For publicly available data please provide a URL or path of the source data: Fresh Windows 11 ISO from Microsoft > create Hyper-V VM > Run winevt-kb/extract.py against the image

The method you used to install Plaso: Installed from [l2tbinaries](https://github.com/log2timeline/l2tbinaries) main branch

Expected behavior:

Message Strings are generated for Event Logs, based on message_identifier mappings
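The observation above (an identifier stored as 0xb0000015 not matching, while 0x00000015 does) comes down to the layout of a 32-bit Windows message identifier. The following is an added example, not code from winevt-kb or plaso: it decodes an identifier into the fields defined by the Windows message compiler (severity, customer bit, reserved bit, facility, 16-bit code) and looks up a constructed winevt-rc.db-style table by event ID, first by exact match and then by the low 16-bit code, which is what the reporter's manual edit from 0xb to 0x0 achieves by hand. The table rows and message text are constructed placeholders, and the code-only fallback is only an illustration of why the two forms refer to the same event; it is not the WEVT_TEMPLATE-based mapping the maintainer describes, and on its own it cannot tell apart identifiers that differ only in severity or facility.

```python
"""Decode Windows message identifiers and look them up by event ID.

Added example, not code from winevt-kb or plaso. The 32-bit layout is the
one used by the Windows message compiler (mc.exe):

    bits 31-30  severity (0 success, 1 informational, 2 warning, 3 error)
    bit  29     customer bit
    bit  28     reserved
    bits 27-16  facility
    bits 15-0   code (for Event Log messages, the event ID)
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class MessageIdentifier:
    severity: int
    customer: int
    reserved: int
    facility: int
    code: int

    @classmethod
    def from_int(cls, value: int) -> "MessageIdentifier":
        """Split a 32-bit message identifier into its bit fields."""
        if not 0 <= value <= 0xFFFFFFFF:
            raise ValueError(f"message identifier out of 32-bit range: {value:#x}")
        return cls(
            severity=(value >> 30) & 0x3,
            customer=(value >> 29) & 0x1,
            reserved=(value >> 28) & 0x1,
            facility=(value >> 16) & 0xFFF,
            code=value & 0xFFFF,
        )


# Constructed sample rows in the shape of a winevt-rc.db message table
# (message_identifier -> message_string). The 0xb-prefixed identifier is the
# form the issue reports as unmatched; the 0x0-prefixed row is the form that
# matched after the manual edit. The strings are placeholders, not the real
# LocalSessionManager message text.
SAMPLE_MESSAGE_TABLE: Dict[int, str] = {
    0xB0000015: "Placeholder message for event 21 (constructed sample)",
    0x00000016: "Placeholder message for event 22 (constructed sample)",
}


def lookup_message(table: Dict[int, str], event_identifier: int) -> Optional[str]:
    """Return the message string for an event ID, or None if no row matches.

    Exact match on the stored identifier first; then fall back to any row
    whose 16-bit code equals the event ID. Callers that pass a full 32-bit
    identifier get its code bits compared, so both 21 and 0xB0000015 resolve
    to the same row.
    """
    message = table.get(event_identifier)
    if message is not None:
        return message
    wanted_code = event_identifier & 0xFFFF
    for message_identifier, text in table.items():
        if MessageIdentifier.from_int(message_identifier).code == wanted_code:
            return text
    return None


if __name__ == "__main__":
    for value in (0xB0000015, 0x00000015):
        print(f"{value:#010x} -> {MessageIdentifier.from_int(value)}")
    print("event 21 ->", lookup_message(SAMPLE_MESSAGE_TABLE, 21))
```

Running the block shows that 0xb0000015 decodes to severity 2, customer bit 1, reserved bit 1, facility 0 and code 0x15 (decimal 21), while 0x00000015 has the same code with every other field zero; a lookup keyed on the full identifier therefore misses the first form for event 21 unless the code bits are compared separately.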

joachimmetz commented 11 hours ago

Have a look at https://osdfir.blogspot.com/2021/10/common-misconceptions-about-windows.html. winevtrc.db needs to be extended to support the identifier mappings in the WEVT_TEMPLATE resources.