Windows 10 (1803) issue

[limonidisicilia]

Hi Willi, I'm getting the following OSerror when running a script on any Windows 10 PC. The script runs without any issues on MacOS and Windows 8.1. The script occurs when trying to convert a System.evtx. I can provide the event log if needed. Thank you, Raf.

converting problem\Win10_System.evtx please wait...
Traceback (most recent call last):
  File "C:\Python\USB\Win10usb47.py", line 4347, in <module>
    main()
  File "C:\Python\USB\Win10usb47.py", line 398, in main
    evtx_counter, eventlogs_xml, pnp_eventlogs_xml, WinPart_eventlogs_xml = evtx2xml(eventlogs)
  File "C:\Python\USB\Win10usb47.py", line 3281, in evtx2xml
    print(record.xml(), file=dest_xml)
  File "C:\Users\UserXY\AppData\Local\Programs\Python\Python36\lib\site-packages\Evtx\Evtx.py", line 481, in xml
    return e_views.evtx_record_xml_view(self)
  File "C:\Users\UserXY\AppData\Local\Programs\Python\Python36\lib\site-packages\Evtx\Views.py", line 204, in evtx_record_xml_view
    return render_root_node(record.root())
  File "C:\Users\UserXY\AppData\Local\Programs\Python\Python36\lib\site-packages\Evtx\Views.py", line 191, in render_root_node
    return render_root_node_with_subs(root_node, subs)
  File "C:\Users\UserXY\AppData\Local\Programs\Python\Python36\lib\site-packages\Evtx\Views.py", line 176, in render_root_node_with_subs
    rec(c, acc)
  File "C:\Users\UserXY\AppData\Local\Programs\Python\Python36\lib\site-packages\Evtx\Views.py", line 126, in rec
    rec(child, acc)
  File "C:\Users\UserXY\AppData\Local\Programs\Python\Python36\lib\site-packages\Evtx\Views.py", line 166, in rec
    sub = render_root_node(sub.root())
  File "C:\Users\UserXY\AppData\Local\Programs\Python\Python36\lib\site-packages\Evtx\Views.py", line 191, in render_root_node
    return render_root_node_with_subs(root_node, subs)
  File "C:\Users\UserXY\AppData\Local\Programs\Python\Python36\lib\site-packages\Evtx\Views.py", line 176, in render_root_node_with_subs
    rec(c, acc)
  File "C:\Users\UserXY\AppData\Local\Programs\Python\Python36\lib\site-packages\Evtx\Views.py", line 126, in rec
    rec(child, acc)
  File "C:\Users\UserXY\AppData\Local\Programs\Python\Python36\lib\site-packages\Evtx\Views.py", line 126, in rec
    rec(child, acc)
  File "C:\Users\UserXY\AppData\Local\Programs\Python\Python36\lib\site-packages\Evtx\Views.py", line 159, in rec
    sub = escape_value(sub.string())
  File "C:\Users\UserXY\AppData\Local\Programs\Python\Python36\lib\site-packages\Evtx\Nodes.py", line 1401, in string
    return self.filetime().isoformat(' ')
  File "C:\Users\UserXY\AppData\Local\Programs\Python\Python36\lib\site-packages\Evtx\BinaryParser.py", line 205, in no_length_handler
    return f(offset)
  File "C:\Users\UserXY\AppData\Local\Programs\Python\Python36\lib\site-packages\Evtx\BinaryParser.py", line 518, in unpack_filetime
    return parse_filetime(self.unpack_qword(offset))
  File "C:\Users\UserXY\AppData\Local\Programs\Python\Python36\lib\site-packages\Evtx\BinaryParser.py", line 109, in parse_filetime
    return datetime.utcfromtimestamp(float(qword) * 1e-7 - 11644473600)
OSError: [Errno 22] Invalid argument

[williballenthin]

oddly enough, i'm not able to reproduce this issue using the latest version of python-evtx. are you using the source downloaded from this repository, or the library installed via pypi?

user@hostname ~/Documents/code/python-evtx (master)
λ ~/env2/Scripts/python scripts/evtx_dump.py ~/Downloads/win_10System.evtx > ~/Downloads/win_10System.evtx.xml2
user@hostname ~/Documents/code/python-evtx (master)
λ ~/env/Scripts/python scripts/evtx_dump.py ~/Downloads/win_10System.evtx > ~/Downloads/win_10System.evtx.xml
user@hostname ~/Documents/code/python-evtx (master)

[limonidisicilia]

Just wanted to thank Willi for providing a solution: https://github.com/williballenthin/python-evtx/commit/28095cc24fdd972531b67edc8aa80bdf83c403ef

This was the issue: https://bugs.python.org/issue29097

[williballenthin]

great!