Those (or similar) messages are created when `evtx` reads a boolean value (type code `0x0d`) with a length of `4` which has a value different from `0x00` or `0x01`. According to Microsoft's definition, a `BoolType` is "An 8-bit integer that MUST be 0x00 or 0x01 (mapping to true or false, respectively)." (https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-even6/8aa98312-f199-4e37-a51f-d3a2ccb50d60) There seems to be a bug somewhere, either in the creator of evtx files or in the parser.

Microsoft defines the following (https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-even6/c73573ae-1c90-43a2-a65f-ad7501155956):

So, a boolean should look like the following:

But obviously, there are (sometimes) `BoolType`s with a `ValueByteLength` of `4`, which violate the specification. You've added a special handling for boolean values which do not match `0x00` or `0x01`. Do you know why there are such values?

I'm not sure if this is really a bug of your code, but reading 4 bytes for a boolean value also violates the specification and I was interested in what the reason for this is.