libyal / winevt-kb

Windows Event Log Knowledge Base
Apache License 2.0

winevtec.db support message strings for different versions #4

Open joachimmetz opened 9 years ago

joachimmetz commented 9 years ago

Update the portable (exported) message string database to support message strings for different versions

[WARNING] Found duplicate alternating message string: 0xc00007d1 in LCID: 0x00000409 and version: 5.1.2600.5512.
Previous: Unable to collect process virtual memory information. The first four bytes (DWORD) of the Data section contains the status code.

New:Unable to collect process virtual memory information. Status code
returned is data DWORD 0.

joachimmetz commented 9 years ago

Also, different variants of Windows have different message strings.

E.g. in %SystemRoot%\System32\win32k.sys

[WARNING] Message string mismatch for LCID: 0x00000409, file version: 5.2.3790.4571, message identifier: 0x000000e3.
- Server 2003 Small Business Server x64 Edition
?                                  ------------
+ Server 2003 for Small Business Server
?            ++++

Maybe use pdb/debug GUID?

joachimmetz commented 4 months ago