1. The event log file is binary and is made up of several record units. The first unit is the file header, the last is the end-of-file (EOF) record; the event records sit between them.

2. Every unit (the file header and the EOF record included) begins with its length in bytes and ends with the same length DWORD. A 48-byte (0x30) file header therefore looks like

   30 00 00 00 4C 66 4C 65 ... 30 00 00 00

   Note the byte order: every field is a little-endian DWORD or WORD, so the value 0x30 is stored as 30 00 00 00 (low byte first, then the high bytes).

3. The second DWORD of the file header and of every event record is the signature 4C 66 4C 65, the ASCII string "LfLe".

4. The per-record layout is the Windows API structure EVENTLOGRECORD (winnt.h):

   typedef struct _EVENTLOGRECORD {
       DWORD Length;               // size of the whole record in bytes; repeated as its last DWORD
       DWORD Reserved;             // always the signature "LfLe"
       DWORD RecordNumber;
       DWORD TimeGenerated;        // seconds since 1970-01-01 00:00 UTC
       DWORD TimeWritten;          // seconds since 1970-01-01 00:00 UTC
       DWORD EventID;
       WORD  EventType;
       WORD  NumStrings;           // number of insertion strings
       WORD  EventCategory;
       WORD  ReservedFlags;
       DWORD ClosingRecordNumber;
       DWORD StringOffset;         // all offsets are relative to the start of this record
       DWORD UserSidLength;
       DWORD UserSidOffset;
       DWORD DataLength;
       DWORD DataOffset;
   } EVENTLOGRECORD, *PEVENTLOGRECORD;

   The fixed part is 0x38 (56) bytes. It is followed by the source name and the computer name (both NUL-terminated UTF-16LE strings), the user SID if one was logged, the insertion strings, the binary data, zero padding, and finally the Length DWORD again.

5. File analysis. An empty APPEVENT.EVT consists of the 48-byte header followed directly by the 40-byte EOF record:

   00000000h: 30 00 00 00 4C 66 4C 65 01 00 00 00 01 00 00 00 ; 0...LfLe........
   00000010h: 30 00 00 00 30 00 00 00 01 00 00 00 00 00 00 00 ; 0...0...........
   00000020h: 00 00 01 00 00 00 00 00 80 3A 09 00 30 00 00 00 ; .........:..0...
   00000030h: 28 00 00 00 11 11 11 11 22 22 22 22 33 33 33 33 ; (.......""""3333
   00000040h: 44 44 44 44 30 00 00 00 30 00 00 00 01 00 00 00 ; DDDD0...0.......
   00000050h: 00 00 00 00 28 00 00 00                         ; ....(...
When one record is written to APPEVENT.EVT (Source: CI, Event ID: 1001, Type: 4, insertion strings: Hello; Hello), the file becomes:

   00000000h: 30 00 00 00 4C 66 4C 65 01 00 00 00 01 00 00 00 ; 0...LfLe........
   00000010h: 30 00 00 00 30 00 00 00 01 00 00 00 00 00 00 00 ; 0...0...........
   00000020h: 00 00 01 00 01 00 00 00 80 3A 09 00 30 00 00 00 ; .........:..0...
   00000030h: 78 00 00 00 4C 66 4C 65 01 00 00 00 1F 8B 8A 3E ; x...LfLe.......>
   00000040h: 1F 8B 8A 3E E9 03 00 00 04 00 02 00 01 00 00 00 ; ...>............
   00000050h: 00 00 00 00 58 00 00 00 00 00 00 00 58 00 00 00 ; ....X.......X...
   00000060h: 00 00 00 00 70 00 00 00 43 00 49 00 00 00 43 00 ; ....p...C.I...C.
   00000070h: 48 00 45 00 4E 00 47 00 4C 00 49 00 41 00 4E 00 ; H.E.N.G.L.I.A.N.
   00000080h: 4D 00 41 00 4F 00 00 00 48 00 65 00 6C 00 6C 00 ; M.A.O...H.e.l.l.
   00000090h: 6F 00 00 00 48 00 65 00 6C 00 6C 00 6F 00 00 00 ; o...H.e.l.l.o...
   000000a0h: 00 00 00 00 78 00 00 00 28 00 00 00 11 11 11 11 ; ....x...(.......
   000000b0h: 22 22 22 22 33 33 33 33 44 44 44 44 30 00 00 00 ; """"3333DDDD0...
   000000c0h: A8 00 00 00 02 00 00 00 01 00 00 00 28 00 00 00 ; ............(...

The record occupies 0030h..00A7h (0x78 = 120 bytes) and the EOF record has moved to 00A8h. The header at 0010h..001Ch still carries the empty-file values; only the flag DWORD at 0024h changed from 0 to 1.
When instead one record with Source: Application Management, Event ID: 1002, Type: 1, insertion strings: What; What is written to an empty APPEVENT.EVT:

   00000000h: 30 00 00 00 4C 66 4C 65 01 00 00 00 01 00 00 00 ; 0...LfLe........
   00000010h: 30 00 00 00 30 00 00 00 01 00 00 00 00 00 00 00 ; 0...0...........
   00000020h: 00 00 01 00 01 00 00 00 80 3A 09 00 30 00 00 00 ; .........:..0...
   00000030h: 9C 00 00 00 4C 66 4C 65 01 00 00 00 80 8C 8A 3E ; ....LfLe.......>
   00000040h: 80 8C 8A 3E EA 03 00 00 01 00 02 00 01 00 00 00 ; ...>............
   00000050h: 00 00 00 00 80 00 00 00 00 00 00 00 80 00 00 00 ; ................
   00000060h: 00 00 00 00 94 00 00 00 41 00 70 00 70 00 6C 00 ; ........A.p.p.l.
   00000070h: 69 00 63 00 61 00 74 00 69 00 6F 00 6E 00 20 00 ; i.c.a.t.i.o.n. .
   00000080h: 4D 00 61 00 6E 00 61 00 67 00 65 00 6D 00 65 00 ; M.a.n.a.g.e.m.e.
   00000090h: 6E 00 74 00 00 00 43 00 48 00 45 00 4E 00 47 00 ; n.t...C.H.E.N.G.
   000000a0h: 4C 00 49 00 41 00 4E 00 4D 00 41 00 4F 00 00 00 ; L.I.A.N.M.A.O...
   000000b0h: 57 00 68 00 61 00 74 00 00 00 57 00 68 00 61 00 ; W.h.a.t...W.h.a.
   000000c0h: 74 00 00 00 00 00 00 00 9C 00 00 00 28 00 00 00 ; t...........(...
   000000d0h: 11 11 11 11 22 22 22 22 33 33 33 33 44 44 44 44 ; ....""""3333DDDD
   000000e0h: 30 00 00 00 CC 00 00 00 02 00 00 00 01 00 00 00 ; 0...............
   000000f0h: 28 00 00 00                                     ; (...

The record is longer (0x9C = 156 bytes) because the source name "Application Management" is longer than "CI"; the EOF record now starts at 00CCh.
When two records are written to APPEVENT.EVT:

   Record 1: Source: Application Management, Event ID: 1002, Type: 1, insertion strings: What; What
   Record 2: Source: CI, Event ID: 1001, Type: 4, insertion strings: Hello; Hello

   00000000h: 30 00 00 00 4C 66 4C 65 01 00 00 00 01 00 00 00 ; 0...LfLe........
   00000010h: 30 00 00 00 30 00 00 00 01 00 00 00 00 00 00 00 ; 0...0...........
   00000020h: 00 00 01 00 01 00 00 00 80 3A 09 00 30 00 00 00 ; .........:..0...
   00000030h: 9C 00 00 00 4C 66 4C 65 01 00 00 00 80 8C 8A 3E ; ....LfLe.......>
   00000040h: 80 8C 8A 3E EA 03 00 00 01 00 02 00 01 00 00 00 ; ...>............
   00000050h: 00 00 00 00 80 00 00 00 00 00 00 00 80 00 00 00 ; ................
   00000060h: 00 00 00 00 94 00 00 00 41 00 70 00 70 00 6C 00 ; ........A.p.p.l.
   00000070h: 69 00 63 00 61 00 74 00 69 00 6F 00 6E 00 20 00 ; i.c.a.t.i.o.n. .
   00000080h: 4D 00 61 00 6E 00 61 00 67 00 65 00 6D 00 65 00 ; M.a.n.a.g.e.m.e.
   00000090h: 6E 00 74 00 00 00 43 00 48 00 45 00 4E 00 47 00 ; n.t...C.H.E.N.G.
   000000a0h: 4C 00 49 00 41 00 4E 00 4D 00 41 00 4F 00 00 00 ; L.I.A.N.M.A.O...
   000000b0h: 57 00 68 00 61 00 74 00 00 00 57 00 68 00 61 00 ; W.h.a.t...W.h.a.
   000000c0h: 74 00 00 00 00 00 00 00 9C 00 00 00 78 00 00 00 ; t...........x...
   000000d0h: 4C 66 4C 65 02 00 00 00 90 8D 8A 3E 90 8D 8A 3E ; LfLe.......>...>
   000000e0h: E9 03 00 00 04 00 02 00 01 00 00 00 00 00 00 00 ; ................
   000000f0h: 58 00 00 00 00 00 00 00 58 00 00 00 00 00 00 00 ; X.......X.......
   00000100h: 70 00 00 00 43 00 49 00 00 00 43 00 48 00 45 00 ; p...C.I...C.H.E.
   00000110h: 4E 00 47 00 4C 00 49 00 41 00 4E 00 4D 00 41 00 ; N.G.L.I.A.N.M.A.
   00000120h: 4F 00 00 00 48 00 65 00 6C 00 6C 00 6F 00 00 00 ; O...H.e.l.l.o...
   00000130h: 48 00 65 00 6C 00 6C 00 6F 00 00 00 00 00 00 00 ; H.e.l.l.o.......
   00000140h: 78 00 00 00 28 00 00 00 11 11 11 11 22 22 22 22 ; x...(.......""""
   00000150h: 33 33 33 33 44 44 44 44 30 00 00 00 44 01 00 00 ; 3333DDDD0...D...
   00000160h: 03 00 00 00 01 00 00 00 28 00 00 00             ; ........(...

6. Analysis of the results, using the two-record file above (Record 1: Application Management, 1002, type 1, What; What. Record 2: CI, 1001, type 4, Hello; Hello).

• File header (offset 0000h, 48 bytes)

   0000h 30 00 00 00  header length 0x30 = 48
   0004h 4C 66 4C 65  signature "LfLe" (start mark)
   0008h 01 00 00 00  major version 1
   000Ch 01 00 00 00  minor version 1
   0010h 30 00 00 00  offset of the oldest record (0x30, directly after the header)
   0014h 30 00 00 00  offset of the EOF record, i.e. where the next record will be written
   0018h 01 00 00 00  number that the next record will receive
   001Ch 00 00 00 00  number of the oldest record (0 while the log is empty, 1 once the first record exists)
   0020h 00 00 01 00  maximum file size 0x10000 = 65536 bytes
   0024h 01 00 00 00  flags; bit 0 is the "dirty" flag (00 00 00 00 in the empty file, 01 00 00 00 once a record has been written)
   0028h 80 3A 09 00  retention 0x93A80 = 604800 seconds = 7 days
   002Ch 30 00 00 00  header length 0x30 = 48, repeated

   In the files with one and two records the header still holds the empty-file values at 0010h..001Ch (0x30, 0x30, 1, 0): the header is not rewritten on every event, and the dirty flag marks it as stale. While the flag is set, the EOF record at the end of the file, not the header, holds the current offsets and record numbers, so a reader must walk the records from 0010h (StartOffset) until it reaches the EOF record rather than trust 0014h.

• Record (offset 0030h, the first record)

   0030h 9C 00 00 00  record length 0x9C = 156 bytes                                    DWORD Length
   0034h 4C 66 4C 65  signature "LfLe" (start mark)                                      DWORD Reserved
   0038h 01 00 00 00  record number; this is the first record                             DWORD RecordNumber
   003Ch 80 8C 8A 3E  time the event was generated, seconds since 1970 (0x3E8A8C80)       DWORD TimeGenerated
   0040h 80 8C 8A 3E  time the event was written, same unit                               DWORD TimeWritten
   0044h EA 03 00 00  event ID, here 0x3EA = 1002                                         DWORD EventID
   0048h 01 00        event type                                                          WORD EventType
                      // 1    error (red icon)
                      // 2    warning (exclamation icon)
                      // 4    information (i icon)
                      // 8    success audit (lock icon)
                      // 10h  failure audit
                      // here 01 = error
   004Ah 02 00        number of insertion strings carried by the record, here 2          WORD NumStrings
   004Ch 01 00        event category, here 1                                              WORD EventCategory
   004Eh 00 00        reserved flags                                                      WORD ReservedFlags
   0050h 00 00 00 00  closing record number (not used)                                    DWORD ClosingRecordNumber
   0054h 80 00 00 00  offset of the insertion strings, relative to the record start       DWORD StringOffset
                      The record starts at 0030h, so the strings begin at 0030h + 80h = 00B0h.
   0058h 00 00 00 00  length of the user SID, 0 because no SID was logged                 DWORD UserSidLength
   005Ch 80 00 00 00  offset of the user SID; with no SID it equals StringOffset          DWORD UserSidOffset
   0060h 00 00 00 00  length of the binary data, 0 here                                   DWORD DataLength
   0064h 94 00 00 00  offset of the binary data: 0030h + 94h = 00C4h                      DWORD DataOffset
   0068h 41 00 70 00 ...  source name "Application Management", NUL-terminated, one WORD per character
   0096h 43 00 48 00 ...  computer name "CHENGLIANMAO", NUL-terminated, one WORD per character
   00B0h 57 00 68 00 ...  the insertion strings "What" and "What", each NUL-terminated, one WORD per character
   00C4h 00 00 00 00  padding (the data area is empty)
   00C8h 9C 00 00 00  record length 0x9C repeated; the next record begins at 00CCh

• EOF record (offset 0144h, 40 bytes)

   0144h 28 00 00 00  EOF record length 0x28 = 40
   0148h 11 11 11 11
   014Ch 22 22 22 22
   0150h 33 33 33 33
   0154h 44 44 44 44  four marker DWORDs that identify the EOF record
   0158h 30 00 00 00  offset of the oldest record
   015Ch 44 01 00 00  offset of this EOF record (0x144), i.e. where the next record will be appended
   0160h 03 00 00 00  number that the next record will receive
   0164h 01 00 00 00  number of the oldest record
   0168h 28 00 00 00  EOF record length 0x28 = 40, repeated; the file ends at 016Ch