williballenthin / python-evtx

Pure Python parser for Windows Event Log files (.evtx)
Apache License 2.0
732 stars 166 forks

OSError: [Errno 22] Invalid argument #69

Closed dotaky99 closed 4 years ago

dotaky99 commented 4 years ago

Win10 / Python 3.8.5. I got this error too. This is my test WIN System event log. System.evtx XML

```
  <Provider Name="Microsoft-Windows-Kernel-Power" Guid="{331c3b3a-2005-44c2-ac5e-77220c37d6b4}" />
  <EventID>107</EventID>
  <Version>1</Version>
  <Level>4</Level>
  <Task>102</Task>
  <Opcode>0</Opcode>
  <Keywords>0x8000000000000444</Keywords>
  <TimeCreated SystemTime="2020-09-02T14:55:20.8001239Z" />
  <EventRecordID>833</EventRecordID>
  <Correlation />
  <Execution ProcessID="4" ThreadID="11608" />
  <Channel>System</Channel>
  <Security />
  </System>
<EventData>
  <Data Name="TargetState">6</Data>
  <Data Name="EffectiveState">5</Data>
  <Data Name="WakeFromState">5</Data>
  <Data Name="ProgrammedWakeTimeAc">1601-01-01T00:00:00.0000000Z</Data>
  <Data Name="ProgrammedWakeTimeDc">1601-01-01T00:00:00.0000000Z</Data>
  <Data Name="WakeRequesterTypeAc">0</Data>
  <Data Name="WakeRequesterTypeDc">0</Data>
  </EventData>
 </Event>
```

```
Traceback (most recent call last):
  File "D:/Pycharm/Project/evtx/test.py", line 15, in <module>
    soup = BeautifulSoup(record.xml(), "lxml")
  File "D:\Project\lib\site-packages\Evtx\Evtx.py", line 481, in xml
    return e_views.evtx_record_xml_view(self)
  File "D:\Project\lib\site-packages\Evtx\Views.py", line 204, in evtx_record_xml_view
    return render_root_node(record.root())
  File "D:\Project\lib\site-packages\Evtx\Views.py", line 191, in render_root_node
    return render_root_node_with_subs(root_node, subs)
  File "D:\Project\lib\site-packages\Evtx\Views.py", line 176, in render_root_node_with_subs
    rec(c, acc)
  File "D:\Project\lib\site-packages\Evtx\Views.py", line 126, in rec
    rec(child, acc)
  File "D:\Project\lib\site-packages\Evtx\Views.py", line 166, in rec
    sub = render_root_node(sub.root())
  File "D:\Project\lib\site-packages\Evtx\Views.py", line 191, in render_root_node
    return render_root_node_with_subs(root_node, subs)
  File "D:\Project\lib\site-packages\Evtx\Views.py", line 176, in render_root_node_with_subs
    rec(c, acc)
  File "D:\Project\lib\site-packages\Evtx\Views.py", line 126, in rec
    rec(child, acc)
  File "D:\Project\lib\site-packages\Evtx\Views.py", line 126, in rec
    rec(child, acc)
  File "D:\Project\lib\site-packages\Evtx\Views.py", line 159, in rec
    sub = escape_value(sub.string())
  File "D:\Project\lib\site-packages\Evtx\Nodes.py", line 1401, in string
    return self.filetime().isoformat(' ')
  File "D:\Project\lib\site-packages\Evtx\BinaryParser.py", line 205, in no_length_handler
    return f(offset)
  File "D:\Project\lib\site-packages\Evtx\BinaryParser.py", line 518, in unpack_filetime
    return parse_filetime(self.unpack_qword(offset))
  File "D:\Project\lib\site-packages\Evtx\BinaryParser.py", line 109, in parse_filetime
    return datetime.utcfromtimestamp(float(qword) * 1e-7 - 11644473600)
OSError: [Errno 22] Invalid argument

Process finished with exit code 1
```

I think the problem is ProgrammedWakeTimeAc.
How can I solve it ...?

jsaspo commented 4 years ago

I see this is closed. Was there a fix? I have the exact same error on an Event 107 in System log and am running Python 3.8.5.

dotaky99 commented 4 years ago

Yes, I fixed that problem. There is a problem in BinaryParser.py :)

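The traceback in this issue ends in `parse_filetime`, where a FILETIME of 0 (the `1601-01-01T00:00:00.0000000Z` shown for `ProgrammedWakeTimeAc`) becomes a negative Unix timestamp, which `datetime.utcfromtimestamp` rejects on Windows. The following is an added example, not the fix applied in python-evtx and not code from any commenter: it converts with plain `datetime` arithmetic and tolerates out-of-range values; `render_filetime` and the sample buffers are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta

FILETIME_EPOCH = datetime(1601, 1, 1)  # FILETIME counts 100 ns ticks from here (UTC)


def parse_filetime(qword):
    """Convert a 64-bit FILETIME to a naive UTC datetime, or None if unrepresentable.

    Pure datetime arithmetic: no call into the platform's time functions, so
    pre-1970 values (negative Unix timestamps) behave the same on every OS.
    """
    try:
        # datetime resolves microseconds, so the last 100 ns digit is dropped.
        return FILETIME_EPOCH + timedelta(microseconds=qword // 10)
    except OverflowError:
        # Past year 9999: corrupt or hostile input should not abort the whole parse.
        return None


def unpack_filetime(buf, offset=0):
    """Read a little-endian FILETIME from buf at offset."""
    (qword,) = struct.unpack_from("<Q", buf, offset)
    return parse_filetime(qword)


def render_filetime(buf, offset=0):
    """Render like the traceback's isoformat(' ') call, with a fallback for bad values."""
    ts = unpack_filetime(buf, offset)
    if ts is None:
        (qword,) = struct.unpack_from("<Q", buf, offset)
        return "invalid FILETIME 0x%016x" % qword
    return ts.isoformat(" ")


if __name__ == "__main__":
    # Constructed sample values, not bytes taken from the reporter's System.evtx.
    samples = {
        "zero (unset wake time)": struct.pack("<Q", 0),
        "Unix epoch": struct.pack("<Q", 116444736000000000),
        "all bits set": b"\xff" * 8,
    }
    for label, raw in samples.items():
        print("%-24s %s" % (label, render_filetime(raw)))
```

Returning a marker for an unrepresentable timestamp keeps one malformed record from stopping triage of the rest of the log, while still showing the raw value for review.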