According to #10, we had 5 missing records for 2-vss_7-System.evtx (1160 in evtxcmd, 1155 for us).
It seems like it's OK for chunks to be used non-linearly, so it's not enough to try and read past the last chunk.
I implemented a simple fix which reads all chunks until the end of the file, only parsing non-empty chunks.
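The difference between a header-bounded chunk walk and the scan-to-end-of-file approach described above, as an added example that is not the project's code. It assumes the publicly documented EVTX layout (4096-byte file header with the last-chunk number at offset 16, 64 KiB chunk slots starting with `ElfChnk\0`); the image is constructed, and records are counted from the chunk header's first/last record numbers instead of being parsed.

```python
import struct

FILE_HEADER_SIZE = 0x1000   # header block before the first chunk
CHUNK_SIZE = 0x10000        # every chunk slot is 64 KiB
CHUNK_MAGIC = b"ElfChnk\x00"

def make_chunk(first_rec, last_rec):
    """Constructed chunk: magic plus first/last record numbers, rest zeroed."""
    hdr = CHUNK_MAGIC + struct.pack("<QQ", first_rec, last_rec)
    return hdr.ljust(CHUNK_SIZE, b"\x00")

def make_sample():
    """Constructed image: header claims last chunk = 1, yet slot 3 holds data."""
    header = b"ElfFile\x00" + struct.pack("<QQ", 0, 1)  # first chunk, last chunk
    header = header.ljust(FILE_HEADER_SIZE, b"\x00")
    empty = b"\x00" * CHUNK_SIZE
    return header + make_chunk(1, 10) + make_chunk(11, 20) + empty + make_chunk(21, 25)

def chunk_at(data, index):
    """Return (index, first_rec, last_rec) for a populated slot, else None."""
    off = FILE_HEADER_SIZE + index * CHUNK_SIZE
    slot = data[off:off + CHUNK_SIZE]
    if len(slot) < CHUNK_SIZE or slot[:8] != CHUNK_MAGIC:
        return None  # truncated tail or empty/unused slot: nothing to parse
    first_rec, last_rec = struct.unpack_from("<QQ", slot, 8)
    return index, first_rec, last_rec

def chunks_by_header(data):
    """Header-bounded walk: stops at the file header's last-chunk number."""
    last_chunk = struct.unpack_from("<Q", data, 16)[0]
    found = (chunk_at(data, i) for i in range(last_chunk + 1))
    return [c for c in found if c]

def chunks_to_eof(data):
    """Walk every slot to end of file, keeping only populated ones."""
    slots = (len(data) - FILE_HEADER_SIZE) // CHUNK_SIZE
    found = (chunk_at(data, i) for i in range(slots))
    return [c for c in found if c]

def record_count(chunks):
    return sum(last - first + 1 for _, first, last in chunks)

if __name__ == "__main__":
    img = make_sample()
    print("header-bounded:", record_count(chunks_by_header(img)))
    print("scan to EOF:   ", record_count(chunks_to_eof(img)))
```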