wagga40
commented
2 years ago Thanks ! I will check ASAP, but it is generally linked to evtx_dump (https://github.com/omerbenamram/evtx ) that get stuck by himself.
Closed scudette closed 2 years ago
wagga40
commented
2 years ago Thanks ! I will check ASAP, but it is generally linked to evtx_dump (https://github.com/omerbenamram/evtx ) that get stuck by himself.
scudette
commented
2 years ago Running the evtx command independently works and it does not get stuck so maybe this has to do with the way pipes are created?
wagga40
commented
2 years ago If you pass --noexternal as an argument it will use the bindings instead of dropping the binary (but it is slower). Can you try please ?
scudette
commented
2 years ago Yes that works well. Thank you :-). Perhaps it should be the default setting. Compared to the time taken by the rest of the code the few seconds that can be saved in this step are probably insignificant overall.
wagga40
commented
2 years ago You’re right, I think it will be the default behavior in next commit (and release…). The fact that Zircolite was dropping the evtx_dump binary always seemed « messy » to me.
wagga40
commented
2 years ago Done.
I am trying Zircolite which uses the evtx parser to extract the events and it seems to get stuck while shelling out to the parser.
If I copy paste the commandline into a new terminal and run the subprocess command it returns really quickly .
Everything is running as admin. BTW this particular event file is confirmed to be actually empty.