williballenthin / EVTXtract

EVTXtract recovers and reconstructs fragments of EVTX log files from raw binary data, including unallocated space and memory images.
Apache License 2.0

EVTXtract install on Windows 10 #16

Closed knightkk closed 6 years ago

knightkk commented 6 years ago

Good afternoon,

Here is a list of what I did and the results of the install.

1. Installed Python 3.7
2. Downloaded EVTXtract-master.zip
3. Extracted all into the EVTXtract-master folder
4. Opened a CMD window as administrator
5. Navigated to C:\user\lab\downloads\EVTXtract-master
6. Ran the command: setup.py install

The results are below. I'm not sure where to begin. There are two items that appear to be Python related: the zip_safe flag and the ValueError for marshal.load.

Regards, Ken (ken@ellington.net)

C:\WINDOWS\system32>cd c:\users\lab\downloads\evtxtract-master

c:\Users\lab\Downloads\EVTXtract-master>setup.py install
running install
running bdist_egg
running egg_info
creating evtxtract.egg-info
writing evtxtract.egg-info\PKG-INFO
writing dependency_links to evtxtract.egg-info\dependency_links.txt
writing entry points to evtxtract.egg-info\entry_points.txt
writing requirements to evtxtract.egg-info\requires.txt
writing top-level names to evtxtract.egg-info\top_level.txt
writing manifest file 'evtxtract.egg-info\SOURCES.txt'
reading manifest file 'evtxtract.egg-info\SOURCES.txt'
writing manifest file 'evtxtract.egg-info\SOURCES.txt'
installing library code to build\bdist.win-amd64\egg
running install_lib
running build_py
creating build
creating build\lib
creating build\lib\evtxtract
copying evtxtract\carvers.py -> build\lib\evtxtract
copying evtxtract\main.py -> build\lib\evtxtract
copying evtxtract\templates.py -> build\lib\evtxtract
copying evtxtract\utils.py -> build\lib\evtxtract
copying evtxtract\version.py -> build\lib\evtxtract
copying evtxtract\__init__.py -> build\lib\evtxtract
creating build\bdist.win-amd64
creating build\bdist.win-amd64\egg
creating build\bdist.win-amd64\egg\evtxtract
copying build\lib\evtxtract\carvers.py -> build\bdist.win-amd64\egg\evtxtract
copying build\lib\evtxtract\main.py -> build\bdist.win-amd64\egg\evtxtract
copying build\lib\evtxtract\templates.py -> build\bdist.win-amd64\egg\evtxtract
copying build\lib\evtxtract\utils.py -> build\bdist.win-amd64\egg\evtxtract
copying build\lib\evtxtract\version.py -> build\bdist.win-amd64\egg\evtxtract
copying build\lib\evtxtract\__init__.py -> build\bdist.win-amd64\egg\evtxtract
byte-compiling build\bdist.win-amd64\egg\evtxtract\carvers.py to carvers.cpython-37.pyc
byte-compiling build\bdist.win-amd64\egg\evtxtract\main.py to main.cpython-37.pyc
byte-compiling build\bdist.win-amd64\egg\evtxtract\templates.py to templates.cpython-37.pyc
byte-compiling build\bdist.win-amd64\egg\evtxtract\utils.py to utils.cpython-37.pyc
byte-compiling build\bdist.win-amd64\egg\evtxtract\version.py to version.cpython-37.pyc
byte-compiling build\bdist.win-amd64\egg\evtxtract\__init__.py to __init__.cpython-37.pyc
creating build\bdist.win-amd64\egg\EGG-INFO
copying evtxtract.egg-info\PKG-INFO -> build\bdist.win-amd64\egg\EGG-INFO
copying evtxtract.egg-info\SOURCES.txt -> build\bdist.win-amd64\egg\EGG-INFO
copying evtxtract.egg-info\dependency_links.txt -> build\bdist.win-amd64\egg\EGG-INFO
copying evtxtract.egg-info\entry_points.txt -> build\bdist.win-amd64\egg\EGG-INFO
copying evtxtract.egg-info\requires.txt -> build\bdist.win-amd64\egg\EGG-INFO
copying evtxtract.egg-info\top_level.txt -> build\bdist.win-amd64\egg\EGG-INFO
zip_safe flag not set; analyzing archive contents...
Traceback (most recent call last):
  File "C:\Users\lab\Downloads\EVTXtract-master\setup.py", line 30, in <module>
    'python-evtx>=0.5.2',
  File "C:\Users\lab\AppData\Local\Programs\Python\Python37\lib\distutils\core.py", line 148, in setup
    dist.run_commands()
  File "C:\Users\lab\AppData\Local\Programs\Python\Python37\lib\distutils\dist.py", line 966, in run_commands
    self.run_command(cmd)
  File "C:\Users\lab\AppData\Local\Programs\Python\Python37\lib\distutils\dist.py", line 985, in run_command
    cmd_obj.run()
  File "C:\Users\lab\AppData\Local\Programs\Python\Python37\lib\site-packages\setuptools\command\install.py", line 67, in run
    self.do_egg_install()
  File "C:\Users\lab\AppData\Local\Programs\Python\Python37\lib\site-packages\setuptools\command\install.py", line 109, in do_egg_install
    self.run_command('bdist_egg')
  File "C:\Users\lab\AppData\Local\Programs\Python\Python37\lib\distutils\cmd.py", line 313, in run_command
    self.distribution.run_command(command)
  File "C:\Users\lab\AppData\Local\Programs\Python\Python37\lib\distutils\dist.py", line 985, in run_command
    cmd_obj.run()
  File "C:\Users\lab\AppData\Local\Programs\Python\Python37\lib\site-packages\setuptools\command\bdist_egg.py", line 209, in run
    os.path.join(archive_root, 'EGG-INFO'), self.zip_safe()
  File "C:\Users\lab\AppData\Local\Programs\Python\Python37\lib\site-packages\setuptools\command\bdist_egg.py", line 245, in zip_safe
    return analyze_egg(self.bdist_dir, self.stubs)
  File "C:\Users\lab\AppData\Local\Programs\Python\Python37\lib\site-packages\setuptools\command\bdist_egg.py", line 355, in analyze_egg
    safe = scan_module(egg_dir, base, name, stubs) and safe
  File "C:\Users\lab\AppData\Local\Programs\Python\Python37\lib\site-packages\setuptools\command\bdist_egg.py", line 392, in scan_module
    code = marshal.load(f)
ValueError: bad marshal data (unknown type code)

c:\Users\lab\Downloads\EVTXtract-master>
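The traceback above ends in marshal.load() inside setuptools' zip_safe scan of the freshly byte-compiled .pyc files. One cause consistent with that traceback, assumed here rather than established by the thread, is a reader that skips the 12-byte .pyc header of Python 3.6 and earlier on a file whose header is 16 bytes (the PEP 552 layout introduced in Python 3.7). The script below is an added diagnostic example, not code from EVTXtract or from anyone in this thread: it builds a .pyc image the way the running interpreter lays it out, parses the header, and shows what marshal returns when the reader skips the wrong number of bytes.

```python
"""Parse a .pyc header and show what marshal does when a reader skips the
wrong number of header bytes. Added example, not EVTXtract's code.
Assumption: PEP 552 layout (Python 3.7+): magic(4) + flags(4) + mtime(4) +
source_size(4) = 16 bytes; before 3.7 the header was 12 bytes (no flags)."""
import importlib.util
import marshal
import struct
import types

PEP552_HEADER = 16  # Python >= 3.7
LEGACY_HEADER = 12  # Python <= 3.6 (what a pre-PEP 552 reader skips)


def build_pyc(source: str, mtime: int = 0, source_size: int = 1000) -> bytes:
    """Build a timestamp-based .pyc image for the running interpreter.

    source_size is exposed on purpose: it is the last header field, so it is
    the first thing a 12-byte reader hands to marshal on a 16-byte .pyc.
    1000 encodes as e8 03 00 00, and 0xe8 is not a marshal type code."""
    code = compile(source, "<constructed>", "exec")
    header = importlib.util.MAGIC_NUMBER + struct.pack("<III", 0, mtime, source_size)
    return header + marshal.dumps(code)


def inspect_pyc(data: bytes) -> dict:
    """Report the header fields and whether this interpreter can load the body."""
    flags, mtime, size = struct.unpack("<III", data[4:PEP552_HEADER])
    info = {
        "magic_matches": data[:4] == importlib.util.MAGIC_NUMBER,
        "flags": flags,
        "mtime": mtime,
        "source_size": size,
    }
    try:
        info["body_is_code"] = isinstance(
            marshal.loads(data[PEP552_HEADER:]), types.CodeType)
    except ValueError as exc:
        info["body_is_code"] = False
        info["error"] = str(exc)
    return info


def load_with_header_size(data: bytes, header_size: int):
    """Mimic a reader that skips header_size bytes before calling marshal.
    Returns the unmarshalled object, or the ValueError text on failure."""
    try:
        return marshal.loads(data[header_size:])
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    pyc = build_pyc("answer = 42\n")  # constructed sample module
    print(inspect_pyc(pyc))
    print(load_with_header_size(pyc, PEP552_HEADER))  # a code object
    print(load_with_header_size(pyc, LEGACY_HEADER))  # "bad marshal data ..."
```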

williballenthin commented 6 years ago

That's strange. I just successfully installed the tool on Win10 with Python 3.6. Let me download 3.7 and see if I can reproduce.

williballenthin commented 6 years ago

I'm not seeing the same issue with python3.7b1:

C:\Users\user\Downloads\EVTXtract-master
λ virtualenv.exe -p C:\Users\user\AppData\Local\Programs\Python\Python37\python.exe  env2\
Running virtualenv with interpreter C:\Users\user\AppData\Local\Programs\Python\Python37\python.exe
Using base prefix 'C:\\Users\\user\\AppData\\Local\\Programs\\Python\\Python37'
c:\users\user\appdata\local\programs\python\python36\lib\site-packages\virtualenv.py:1039: DeprecationWarning: the imp module is deprecated in favour of importlib; see the module's documentation for alternative uses
  import imp
New python executable in C:\Users\user\Downloads\EVTXtract-master\env2\Scripts\python.exe
Installing setuptools, pip, wheel...done.

C:\Users\user\Downloads\EVTXtract-master
λ env2\Scripts\python setup.py install
running install
running bdist_egg
running egg_info
writing evtxtract.egg-info\PKG-INFO
writing dependency_links to evtxtract.egg-info\dependency_links.txt
writing entry points to evtxtract.egg-info\entry_points.txt
writing requirements to evtxtract.egg-info\requires.txt
writing top-level names to evtxtract.egg-info\top_level.txt
reading manifest file 'evtxtract.egg-info\SOURCES.txt'
writing manifest file 'evtxtract.egg-info\SOURCES.txt'
installing library code to build\bdist.win-amd64\egg
running install_lib
running build_py
creating build\bdist.win-amd64\egg
creating build\bdist.win-amd64\egg\evtxtract
copying build\lib\evtxtract\carvers.py -> build\bdist.win-amd64\egg\evtxtract
copying build\lib\evtxtract\main.py -> build\bdist.win-amd64\egg\evtxtract
copying build\lib\evtxtract\templates.py -> build\bdist.win-amd64\egg\evtxtract
copying build\lib\evtxtract\utils.py -> build\bdist.win-amd64\egg\evtxtract
copying build\lib\evtxtract\version.py -> build\bdist.win-amd64\egg\evtxtract
copying build\lib\evtxtract\__init__.py -> build\bdist.win-amd64\egg\evtxtract
byte-compiling build\bdist.win-amd64\egg\evtxtract\carvers.py to carvers.cpython-37.pyc
byte-compiling build\bdist.win-amd64\egg\evtxtract\main.py to main.cpython-37.pyc
byte-compiling build\bdist.win-amd64\egg\evtxtract\templates.py to templates.cpython-37.pyc
byte-compiling build\bdist.win-amd64\egg\evtxtract\utils.py to utils.cpython-37.pyc
byte-compiling build\bdist.win-amd64\egg\evtxtract\version.py to version.cpython-37.pyc
byte-compiling build\bdist.win-amd64\egg\evtxtract\__init__.py to __init__.cpython-37.pyc
creating build\bdist.win-amd64\egg\EGG-INFO
copying evtxtract.egg-info\PKG-INFO -> build\bdist.win-amd64\egg\EGG-INFO
copying evtxtract.egg-info\SOURCES.txt -> build\bdist.win-amd64\egg\EGG-INFO
copying evtxtract.egg-info\dependency_links.txt -> build\bdist.win-amd64\egg\EGG-INFO
copying evtxtract.egg-info\entry_points.txt -> build\bdist.win-amd64\egg\EGG-INFO
copying evtxtract.egg-info\requires.txt -> build\bdist.win-amd64\egg\EGG-INFO
copying evtxtract.egg-info\top_level.txt -> build\bdist.win-amd64\egg\EGG-INFO
zip_safe flag not set; analyzing archive contents...
creating 'dist\evtxtract-0.2.3-py3.7.egg' and adding 'build\bdist.win-amd64\egg' to it
removing 'build\bdist.win-amd64\egg' (and everything under it)
Processing evtxtract-0.2.3-py3.7.egg
Copying evtxtract-0.2.3-py3.7.egg to c:\users\user\downloads\evtxtract-master\env2\lib\site-packages
[...]
williballenthin commented 6 years ago

if your workstation has internet connectivity, I recommend installing via pip:

pip install evtxtract

otherwise, you can download the whl from the attached file and rename from .png to .whl (github filename limitation, sorry!).

Attachment: evtxtract-0.2.3-py3-none-any.whl

then you should be able to point pip to the .whl file and have it install locally.

knightkk commented 6 years ago

Good Morning,

Thank you for answering so quickly.

Tried the "pip install evtxtract" and it worked to a point. It is looking for Visual C++ 14 which I have on my machine.


So I'm looking into that now. I think there is something on my desktop that is getting in the way.

Ken

c:\Users\lab\Downloads\EVTXtract-master\EVTXtract-master>pip install evtxtract
Collecting evtxtract
Downloading evtxtract-0.2.3.tar.gz
Requirement already satisfied: six in c:\users\lab\appdata\local\programs\python\python37\lib\site-packages (from evtxtract)
Collecting lxml (from evtxtract)
Using cached lxml-4.1.1.tar.gz
Collecting pytest (from evtxtract)
Using cached pytest-3.4.0-py2.py3-none-any.whl
Collecting python-evtx>=0.5.2 (from evtxtract)
Using cached python_evtx-0.6.1-py3-none-any.whl
Collecting py>=1.5.0 (from pytest->evtxtract)
Using cached py-1.5.2-py2.py3-none-any.whl
Requirement already satisfied: setuptools in c:\users\lab\appdata\local\programs\python\python37\lib\site-packages (from pytest->evtxtract)
Collecting pluggy<0.7,>=0.5 (from pytest->evtxtract)
Using cached pluggy-0.6.0.tar.gz
Collecting attrs>=17.2.0 (from pytest->evtxtract)
Using cached attrs-17.4.0-py2.py3-none-any.whl
Collecting colorama; sys_platform == "win32" (from pytest->evtxtract)
Using cached colorama-0.3.9-py2.py3-none-any.whl
Collecting pytest-cov (from python-evtx>=0.5.2->evtxtract)
Using cached pytest_cov-2.5.1-py2.py3-none-any.whl
Collecting hexdump (from python-evtx>=0.5.2->evtxtract)
Using cached hexdump-3.3.zip
Collecting coverage>=3.7.1 (from pytest-cov->python-evtx>=0.5.2->evtxtract)
Using cached coverage-4.5.tar.gz
Installing collected packages: lxml, py, pluggy, attrs, colorama, pytest, coverage, pytest-cov, hexdump, python-evtx, evtxtract
Running setup.py install for lxml ... error
Complete output from command c:\users\lab\appdata\local\programs\python\python37\python.exe -u -c "import setuptools, tokenize;__file__='C:\Users\lab\AppData\Local\Temp\pip-build-c10f_8a6\lxml\setup.py';f=getattr(tokenize, 'open', open)(__file__);code=f.read().replace('\r\n', '\n');f.close();exec(compile(code, __file__, 'exec'))" install --record C:\Users\lab\AppData\Local\Temp\pip-eo_uii_y-record\install-record.txt --single-version-externally-managed --compile:
Building lxml version 4.1.1.
Building without Cython.
ERROR: b"'xslt-config' is not recognized as an internal or external command,\r\noperable program or batch file.\r\n"
make sure the development packages of libxml2 and libxslt are installed

Using build configuration of libxslt
running install
running build
running build_py
creating build
creating build\lib.win-amd64-3.7
creating build\lib.win-amd64-3.7\lxml
copying src\lxml\builder.py -> build\lib.win-amd64-3.7\lxml
copying src\lxml\cssselect.py -> build\lib.win-amd64-3.7\lxml
copying src\lxml\doctestcompare.py -> build\lib.win-amd64-3.7\lxml
copying src\lxml\ElementInclude.py -> build\lib.win-amd64-3.7\lxml
copying src\lxml\pyclasslookup.py -> build\lib.win-amd64-3.7\lxml
copying src\lxml\sax.py -> build\lib.win-amd64-3.7\lxml
copying src\lxml\usedoctest.py -> build\lib.win-amd64-3.7\lxml
copying src\lxml\_elementpath.py -> build\lib.win-amd64-3.7\lxml
copying src\lxml\__init__.py -> build\lib.win-amd64-3.7\lxml
creating build\lib.win-amd64-3.7\lxml\includes
copying src\lxml\includes\__init__.py -> build\lib.win-amd64-3.7\lxml\includes
creating build\lib.win-amd64-3.7\lxml\html
copying src\lxml\html\builder.py -> build\lib.win-amd64-3.7\lxml\html
copying src\lxml\html\clean.py -> build\lib.win-amd64-3.7\lxml\html
copying src\lxml\html\defs.py -> build\lib.win-amd64-3.7\lxml\html
copying src\lxml\html\diff.py -> build\lib.win-amd64-3.7\lxml\html
copying src\lxml\html\ElementSoup.py -> build\lib.win-amd64-3.7\lxml\html
copying src\lxml\html\formfill.py -> build\lib.win-amd64-3.7\lxml\html
copying src\lxml\html\html5parser.py -> build\lib.win-amd64-3.7\lxml\html
copying src\lxml\html\soupparser.py -> build\lib.win-amd64-3.7\lxml\html
copying src\lxml\html\usedoctest.py -> build\lib.win-amd64-3.7\lxml\html
copying src\lxml\html\_diffcommand.py -> build\lib.win-amd64-3.7\lxml\html
copying src\lxml\html\_html5builder.py -> build\lib.win-amd64-3.7\lxml\html
copying src\lxml\html\_setmixin.py -> build\lib.win-amd64-3.7\lxml\html
copying src\lxml\html\__init__.py -> build\lib.win-amd64-3.7\lxml\html
creating build\lib.win-amd64-3.7\lxml\isoschematron
copying src\lxml\isoschematron\__init__.py -> build\lib.win-amd64-3.7\lxml\isoschematron
copying src\lxml\etree.h -> build\lib.win-amd64-3.7\lxml
copying src\lxml\etree_api.h -> build\lib.win-amd64-3.7\lxml
copying src\lxml\lxml.etree.h -> build\lib.win-amd64-3.7\lxml
copying src\lxml\lxml.etree_api.h -> build\lib.win-amd64-3.7\lxml
copying src\lxml\includes\c14n.pxd -> build\lib.win-amd64-3.7\lxml\includes
copying src\lxml\includes\config.pxd -> build\lib.win-amd64-3.7\lxml\includes
copying src\lxml\includes\dtdvalid.pxd -> build\lib.win-amd64-3.7\lxml\includes
copying src\lxml\includes\etreepublic.pxd -> build\lib.win-amd64-3.7\lxml\includes
copying src\lxml\includes\htmlparser.pxd -> build\lib.win-amd64-3.7\lxml\includes
copying src\lxml\includes\relaxng.pxd -> build\lib.win-amd64-3.7\lxml\includes
copying src\lxml\includes\schematron.pxd -> build\lib.win-amd64-3.7\lxml\includes
copying src\lxml\includes\tree.pxd -> build\lib.win-amd64-3.7\lxml\includes
copying src\lxml\includes\uri.pxd -> build\lib.win-amd64-3.7\lxml\includes
copying src\lxml\includes\xinclude.pxd -> build\lib.win-amd64-3.7\lxml\includes
copying src\lxml\includes\xmlerror.pxd -> build\lib.win-amd64-3.7\lxml\includes
copying src\lxml\includes\xmlparser.pxd -> build\lib.win-amd64-3.7\lxml\includes
copying src\lxml\includes\xmlschema.pxd -> build\lib.win-amd64-3.7\lxml\includes
copying src\lxml\includes\xpath.pxd -> build\lib.win-amd64-3.7\lxml\includes
copying src\lxml\includes\xslt.pxd -> build\lib.win-amd64-3.7\lxml\includes
copying src\lxml\includes\__init__.pxd -> build\lib.win-amd64-3.7\lxml\includes
copying src\lxml\includes\etree_defs.h -> build\lib.win-amd64-3.7\lxml\includes
copying src\lxml\includes\lxml-version.h -> build\lib.win-amd64-3.7\lxml\includes
creating build\lib.win-amd64-3.7\lxml\isoschematron\resources
creating build\lib.win-amd64-3.7\lxml\isoschematron\resources\rng
copying src\lxml\isoschematron\resources\rng\iso-schematron.rng -> build\lib.win-amd64-3.7\lxml\isoschematron\resources\rng
creating build\lib.win-amd64-3.7\lxml\isoschematron\resources\xsl
copying src\lxml\isoschematron\resources\xsl\RNG2Schtrn.xsl -> build\lib.win-amd64-3.7\lxml\isoschematron\resources\xsl
copying src\lxml\isoschematron\resources\xsl\XSD2Schtrn.xsl -> build\lib.win-amd64-3.7\lxml\isoschematron\resources\xsl
creating build\lib.win-amd64-3.7\lxml\isoschematron\resources\xsl\iso-schematron-xslt1
copying src\lxml\isoschematron\resources\xsl\iso-schematron-xslt1\iso_abstract_expand.xsl -> build\lib.win-amd64-3.7\lxml\isoschematron\resources\xsl\iso-schematron-xslt1
copying src\lxml\isoschematron\resources\xsl\iso-schematron-xslt1\iso_dsdl_include.xsl -> build\lib.win-amd64-3.7\lxml\isoschematron\resources\xsl\iso-schematron-xslt1
copying src\lxml\isoschematron\resources\xsl\iso-schematron-xslt1\iso_schematron_message.xsl -> build\lib.win-amd64-3.7\lxml\isoschematron\resources\xsl\iso-schematron-xslt1
copying src\lxml\isoschematron\resources\xsl\iso-schematron-xslt1\iso_schematron_skeleton_for_xslt1.xsl -> build\lib.win-amd64-3.7\lxml\isoschematron\resources\xsl\iso-schematron-xslt1
copying src\lxml\isoschematron\resources\xsl\iso-schematron-xslt1\iso_svrl_for_xslt1.xsl -> build\lib.win-amd64-3.7\lxml\isoschematron\resources\xsl\iso-schematron-xslt1
copying src\lxml\isoschematron\resources\xsl\iso-schematron-xslt1\readme.txt -> build\lib.win-amd64-3.7\lxml\isoschematron\resources\xsl\iso-schematron-xslt1
running build_ext
building 'lxml.etree' extension
error: Microsoft Visual C++ 14.0 is required. Get it with "Microsoft Visual C++ Build Tools": http://landinghub.visualstudio.com/visual-cpp-build-tools

----------------------------------------

Command "c:\users\lab\appdata\local\programs\python\python37\python.exe -u -c "import setuptools, tokenize;__file__='C:\Users\lab\AppData\Local\Temp\pip-build-c10f_8a6\lxml\setup.py';f=getattr(tokenize, 'open', open)(__file__);code=f.read().replace('\r\n', '\n');f.close();exec(compile(code, __file__, 'exec'))" install --record C:\Users\lab\AppData\Local\Temp\pip-eo_uii_y-record\install-record.txt --single-version-externally-managed --compile" failed with error code 1 in C:\Users\lab\AppData\Local\Temp\pip-build-c10f_8a6\lxml\

c:\Users\lab\Downloads\EVTXtract-master\EVTXtract-master>

williballenthin commented 6 years ago

i think this happens because lxml has a native component that needs to be compiled for your system. looks like the build environment is not configured. unfortunately, i don't have enough experience setting it up to be more useful than google. still, please let me know if i can assist.

for supported versions of python (2.7-3.6, not including 3.7, since it's still in beta), i believe there are .whl packages on pypi. these will contain the pre-compiled components you need for lxml. so, you may have better luck downgrading python to 3.6 until 3.7 stable is released.

knightkk commented 6 years ago

Good Afternoon,

Moving to 3.6 worked. Thank you for pointing me in the right direction.

Ken

williballenthin commented 6 years ago

great!

feel free to reopen this issue if you have any further questions.