
evtx's Introduction

EvtxECmd

This repo contains all the Maps used by Eric Zimmerman's EvtxECmd.

Ongoing Projects

  • EvtxECmd Maps Ideas - Development roadmap for EvtxECmd Maps. Please feel free to contribute by adding ideas or by finishing tasks in the To Do column. Any help is appreciated!

Command Line Interface

EvtxECmd version 0.6.5.0

Author: Eric Zimmerman ([email protected])
https://github.com/EricZimmerman/evtx

        d               Directory to process that contains evtx files. This or -f is required
        f               File to process. This or -d is required

        csv             Directory to save CSV formatted results to.
        csvf            File name to save CSV formatted results to. When present, overrides default name
        json            Directory to save JSON formatted results to.
        jsonf           File name to save JSON formatted results to. When present, overrides default name
        xml             Directory to save XML formatted results to.
        xmlf            File name to save XML formatted results to. When present, overrides default name

        dt              The custom date/time format to use when displaying time stamps. Default is: yyyy-MM-dd HH:mm:ss.fffffff
        inc             List of Event IDs to process. All others are ignored. Overrides --exc. Format is 4624,4625,5410
        exc             List of Event IDs to IGNORE. All others are included. Format is 4624,4625,5410
        sd              Start date for including events (UTC). Anything OLDER than this is dropped. Format should match --dt
        ed              End date for including events (UTC). Anything NEWER than this is dropped. Format should match --dt
        fj              When true, export all available data when using --json. Default is FALSE.
        tdt             The number of seconds to use for time discrepancy detection. Default is 1 second
        met             When true, show metrics about processed event log. Default is TRUE.

        maps            The path where event maps are located. Defaults to 'Maps' folder where program was executed

        vss             Process all Volume Shadow Copies that exist on drive specified by -f or -d. Default is FALSE
        dedupe          Deduplicate -f or -d & VSCs based on SHA-1. First file found wins. Default is TRUE

        sync            If true, the latest maps from https://github.com/EricZimmerman/evtx/tree/master/evtx/Maps are downloaded and local maps updated. Default is FALSE

        debug           Show debug information during processing
        trace           Show trace information during processing


Examples: EvtxECmd.exe -f "C:\Temp\Application.evtx" --csv "c:\temp\out" --csvf MyOutputFile.csv
          EvtxECmd.exe -f "C:\Temp\Application.evtx" --csv "c:\temp\out"
          EvtxECmd.exe -f "C:\Temp\Application.evtx" --json "c:\temp\jsonout"

          Short options (single letter) are prefixed with a single dash. Long options are prefixed with two dashes.

Documentation

This project contains both the core parsing engine as well as a command line front end that uses it.

For documentation on creating maps, check out the README in the Maps directory.

Use the Guide to learn how to make maps from the Template provided.

  • Introducing EvtxECmd!!

  • Introduction to EvtxECmd

  • Enhancing Event Log Analysis with EvtxEcmd using KAPE

Download Eric Zimmerman's Tools

All of Eric Zimmerman's tools can be downloaded here. Use the Get-ZimmermanTools PowerShell script to automate the download and updating of the EZ Tools suite. Additionally, you can automate each of these tools using KAPE!

Special Thanks

Open Source Development funding and support provided by the following contributors:

evtx's People

Contributors

andrewrathbun, anelshaer, austinlg96, barrie0482, bmackalicious, chadtilbury, cluelessatcoding, dependabot[bot], dfirdetective, eran-yt, ericzimmerman, esecrpm, forensenellanebbia, fwacrtnty, hsicfa, hyuunnn, karneades, lennaert89, mark-hallman, michealb401, mpilking, pjsnyder, qlemaire, randomaccess3, randyrandleman


evtx's Issues

Maps: same Channel + Event ID, but different Providers

Is there any way to accommodate separate maps where Channel and EventID are the same across both, but Provider is different? I have a very rough workaround using separate \maps directories or renaming System_1.map in between runs, but would love to map both instances in one shot if possible.

Example:

EventId: 1
Channel: "System"
Provider: "Microsoft-Windows-Power-Troubleshooter"

EventId: 1
Channel: "System"
Provider: "Microsoft-Windows-Kernel-General"

Thanks!

Parsing issue with WMI 5860

I encountered this error while parsing evtx files:


Syntax error in 'C:\ZimmermanTools\EvtxExplorer\Maps\Microsoft-Windows-WMI-Activity-Operational_Microsoft-Windows-WMI-Activity_5860.map':
Message: (Line: 2, Col: 37, Idx: 85) - (Line: 2, Col: 37, Idx: 85): While scanning a plain scalar value, found invalid mapping.

Author: Eric Zimmerman [email protected]
Description: Remote Desktop Services: Session logoff succeeded
EventId: 5860
Channel: WMI Registration of Temporary Event Consumer
Provider: Microsoft-Windows-WMI-Activity
Maps:
  -
    Property: PayloadData1
    PropertyValue: "Query: %Query%"
    Values:
      -
        Name: Query
        Value: "/Event/UserData/Operation_TemporaryEssStarted/Query"
  -
    Property: PayloadData2
    PropertyValue: "PID: %Processid%"
    Values:
      -
        Name: Processid
        Value: "/Event/UserData/Operation_TemporaryEssStarted/Processid"
  -
    Property: PayloadData3
    PropertyValue: "Client machine: %ClientMachine%"
    Values:
      -
        Name: ClientMachine
        Value: "/Event/UserData/Operation_TemporaryEssStarted/ClientMachine"
  -
    Property: PayloadData4
    PropertyValue: "User: %User%"
    Values:
      -
        Name: User
        Value: "/Event/UserData/Operation_TemporaryEssStarted/User"

# Documentation:
# https://www.darkoperator.com/blog/2017/10/14/basics-of-tracking-wmi-activity
# WMI Registration of Temporary Event Consumer
#
# Example Event Data:
#<Event>
#  <System>
#    <Provider Name="Microsoft-Windows-WMI-Activity" Guid="1418ef04-b0b4-4623-bf7e-d74ab47bbdaa" />
#    <EventID>5860</EventID>
#    <Version>0</Version>
#    <Level>0</Level>
#    <Task>0</Task>
#    <Opcode>0</Opcode>
#    <Keywords>0x4000000000000000</Keywords>
#    <TimeCreated SystemTime="2018-08-06 19:22:10.9433075" />
#    <EventRecordID>5156</EventRecordID>
#    <Correlation ActivityID="7e5ddd23-2dba-0000-96ec-5d7eba2dd401" />
#    <Execution ProcessID="1484" ThreadID="5592" />
#    <Channel>Microsoft-Windows-WMI-Activity/Operational</Channel>
#    <Computer>base-rd-01.shieldbase.lan</Computer>
#    <Security UserID="S-1-5-18" />
#  </System>
#  <UserData>
#    <Operation_TemporaryEssStarted>
#      <NamespaceName>ROOT\CIMV2</NamespaceName>
#      <Query>SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName = 'wsmprovhost.exe'</Query>
#      <User></User>
#      <Processid>1484</Processid>
#      <ClientMachine>BASE-RD-01</ClientMachine>
#      <PossibleCause>Temporary</PossibleCause>
#    </Operation_TemporaryEssStarted>
#  </UserData>
#</Event>


Verify all properties against example files or manual and try again.

The following maps had errors. Scroll up to review errors, correct them, and try again.
Microsoft-Windows-WMI-Activity-Operational_Microsoft-Windows-WMI-Activity_5860.map

xpath parsing error

Author: Hyun Yi @hyuunnn
Description: A program was installed.
EventId: 1033
Channel: "Application"
Provider: "MsiInstaller"
Maps:
  -
    Property: PayloadData1
    PropertyValue: "Name: %Name%"
    Values:
      -
        Name: Name
        Value: "/Event/EventData/Data[1]"
  -
    Property: PayloadData2
    PropertyValue: "Version: %Version%"
    Values:
      -
        Name: Version
        Value: "/Event/EventData/Data[2]"
  -
    Property: PayloadData3
    PropertyValue: "Lang: %Lang%"
    Values:
      -
        Name: Lang
        Value: "/Event/EventData/Data[3]"
  -
    Property: PayloadData4
    PropertyValue: "Status: %Status%"
    Values:
      -
        Name: Status
        Value: "/Event/EventData/Data[4]"
  -
    Property: PayloadData5
    PropertyValue: "Manufacturer: %Manufacturer%"
    Values:
      -
        Name: Manufacturer
        Value: "/Event/EventData/Data[5]"

# Valid properties include:

# <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
#   <System>
#     <Provider Name="MsiInstaller" /> 
#     <EventID Qualifiers="0">1033</EventID> 
#     <Version>0</Version> 
#     <Level>4</Level> 
#     <Task>0</Task> 
#     <Opcode>0</Opcode> 
#     <Keywords>0x80000000000000</Keywords> 
#     <TimeCreated SystemTime="2020-11-29T19:30:51.7375522Z" /> 
#     <EventRecordID>18388</EventRecordID> 
#     <Correlation /> 
#     <Execution ProcessID="0" ThreadID="0" /> 
#     <Channel>Application</Channel> 
#     <Computer>ComputerName</Computer> 
#     <Security UserID="{UserID}" /> 
#   </System>
#   <EventData>
#     <Data>Python 3.9.0 Utility Scripts (64-bit)</Data> 
#     <Data>3.9.150.0</Data> 
#     <Data>1033</Data> 
#     <Data>0</Data> 
#     <Data>Python Software Foundation</Data> 
#     <Data>(NULL)</Data> 
#     <Data /> 
#     <Binary>{Binary}</Binary> 
#   </EventData>
# </Event>

This is my map file, but all data were saved in PayloadData1.
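The following is an added example, not EvtxECmd's own code, of what a map does to a record. It covers the map documentation the README points to and the two map posts above: each Maps entry fills one output Property from a PropertyValue template whose %Name% placeholders are resolved by the XPath under Values; Lookups translate a raw value through a table with a Default; a map applies only when Channel, Provider and EventId all agree, with EventId read from the element text so an EventID element that carries a Qualifiers attribute still matches on its number. A missing XPath target becomes an empty string, which is the "not found! Replacing with empty string" warning the tool prints, and validate_map() reproduces the "'Provider' must not be empty." check quoted in several issues further down. The two sample events are constructed from the MsiInstaller 1033 and Power-Troubleshooter 1 records quoted on this page (the xmlns attribute real exported events carry is dropped), the maps are dict versions of the corresponding .map files with simplified PropertyValue strings, and the function names, the REQUIRED key set and the exact warning wording are this example's own assumptions.

```python
"""Apply an EvtxECmd-style map to one event record with only the stdlib.
Added example, not EvtxECmd's code; the events below are constructed from the
MsiInstaller 1033 and Power-Troubleshooter 1 records quoted on this page, with
the xmlns attribute real exports carry dropped."""
import re
import xml.etree.ElementTree as ET

REQUIRED = ("Author", "Description", "EventId", "Channel", "Provider", "Maps")
PLACEHOLDER = re.compile(r"%(\w+)%")

# Unnamed Data elements addressed by position; the EventID element carries a
# Qualifiers attribute that must not affect matching.
MSI_1033_XML = """<Event><System><Provider Name="MsiInstaller" />
<EventID Qualifiers="0">1033</EventID><Channel>Application</Channel></System>
<EventData><Data>Python 3.9.0 Utility Scripts (64-bit)</Data><Data>3.9.150.0</Data>
<Data>1033</Data></EventData></Event>"""

# Named Data elements; WakeSourceText is deliberately absent so the
# missing-property path is exercised.
POWER_1_XML = """<Event><System><Provider Name="Microsoft-Windows-Power-Troubleshooter" />
<EventID>1</EventID><Channel>System</Channel></System>
<EventData><Data Name="SleepDuration">1029</Data><Data Name="WakeSourceType">6</Data>
</EventData></Event>"""

# Maps as dicts with the keys a .map file uses, simplified from the two maps on
# this page. Lookup keys are strings because they are compared to element text.
MSI_1033_MAP = {
    "Author": "example", "Description": "A program was installed.",
    "EventId": 1033, "Channel": "Application", "Provider": "MsiInstaller",
    "Maps": [
        {"Property": "PayloadData1", "PropertyValue": "Name: %Name%",
         "Values": [{"Name": "Name", "Value": "/Event/EventData/Data[1]"}]},
        {"Property": "PayloadData2", "PropertyValue": "Version: %Version%",
         "Values": [{"Name": "Version", "Value": "/Event/EventData/Data[2]"}]}]}
POWER_1_MAP = {
    "Author": "example", "Description": "Sleep/wake events", "EventId": 1,
    "Channel": "System", "Provider": "Microsoft-Windows-Power-Troubleshooter",
    "Maps": [
        {"Property": "PayloadData1", "PropertyValue": "Sleep duration: %SleepDuration%",
         "Values": [{"Name": "SleepDuration",
                     "Value": '/Event/EventData/Data[@Name="SleepDuration"]'}]},
        {"Property": "PayloadData2", "PropertyValue": "Wake source: %WakeSourceType%",
         "Values": [{"Name": "WakeSourceType",
                     "Value": '/Event/EventData/Data[@Name="WakeSourceType"]'}]},
        {"Property": "PayloadData3", "PropertyValue": "Wake source text: %WakeSourceText%",
         "Values": [{"Name": "WakeSourceText",
                     "Value": '/Event/EventData/Data[@Name="WakeSourceText"]'}]}],
    "Lookups": [{"Name": "WakeSourceType", "Default": "Unknown code", "Values": {
        "0": "Unknown", "1": "Power button", "6": "Timer (See WakeSourceText for details)"}}]}


def validate_map(event_map):
    """Errors in the wording EvtxECmd's validator prints."""
    return [f"'{k}' must not be empty." for k in REQUIRED if not event_map.get(k)]


def map_matches(event_map, event):
    """Channel, Provider and EventId must all agree. EventId is the element
    text, so <EventID Qualifiers="0">1033</EventID> is still 1033, and keying
    on Provider keeps two maps that share Channel+EventId apart."""
    key = (event.findtext("./System/Channel"),
           event.find("./System/Provider").get("Name"),
           int(event.findtext("./System/EventID")))
    return key == (event_map["Channel"], event_map["Provider"], event_map["EventId"])


def extract(event, xpath):
    """Map XPaths start at the document root (/Event/...); ElementTree wants a
    path relative to the Event element. [1] and [@Name="x"] work unchanged."""
    node = event.find(re.sub(r"^/Event/", "./", xpath))
    return None if node is None else (node.text or "")


def apply_map(event_map, event_xml):
    """Return (properties, warnings); properties is None if the map does not apply."""
    event = ET.fromstring(event_xml)
    if not map_matches(event_map, event):
        return None, []
    lookups = {lk["Name"]: lk for lk in event_map.get("Lookups", [])}
    props, warnings = {}, []
    for entry in event_map["Maps"]:
        resolved = {}
        for val in entry["Values"]:
            raw = extract(event, val["Value"])
            if raw is None:  # same outcome as the tool's warning: empty string
                warnings.append(f"In map for event {event_map['EventId']}, Property "
                                f"{val['Value']} not found! Replacing with empty string")
                raw = ""
            if val["Name"] in lookups:
                raw = lookups[val["Name"]]["Values"].get(raw, lookups[val["Name"]]["Default"])
            resolved[val["Name"]] = raw
        props[entry["Property"]] = PLACEHOLDER.sub(
            lambda m: resolved.get(m.group(1), ""), entry["PropertyValue"])
    return props, warnings


if __name__ == "__main__":
    for event_map, xml in ((MSI_1033_MAP, MSI_1033_XML), (POWER_1_MAP, POWER_1_XML)):
        print(validate_map(event_map), *apply_map(event_map, xml), sep="\n")
```

Positional predicates such as Data[1] are 1-based and select the first Data child of EventData; when every PayloadData column ends up holding the same text, run extract() on a sample record for each Values entry to confirm that each XPath resolves to a distinct node before blaming the tool.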

JSON: remove nulls and empty strings

Suggest removing any field that has a null or empty string for a value from the JSON output.

Current:

{
  "PayloadData1": null,
  "PayloadData2": null,
  "PayloadData3": null,
  "PayloadData4": null,
  "PayloadData5": null,
  "PayloadData6": null,
  "UserName": null,
  "RemoteHost": null,
  "ExecutableInfo": null,
  "MapDescription": null,
  "Computer": "Phil-Win10-VM",
  "Payload": "{\"EventData\":{\"Data\":\"‎Tuesday, ‎April ‎16, ‎2019 6:23:36 PM\",\"Binary\":\"\"}}",
  "UserId": "",
  "Channel": "Application",
  "Provider": "Microsoft-Windows-CAPI2",
  "EventId": 4111,
  "EventRecordId": "41651",
  "ProcessId": 1384,
  "ThreadId": 1888,
  "Level": 4,
  "SourceFile": "C:\\Windows\\System32\\winevt\\Logs\\Application.evtx",
  "TimeCreated": "2019-05-04T05:53:31.0651977+00:00",
  "RecordNumber": 41651
}

Suggested:

{
  "Computer": "Phil-Win10-VM",
  "Payload": "{\"EventData\":{\"Data\":\"‎Tuesday, ‎April ‎16, ‎2019 6:23:36 PM\",\"Binary\":\"\"}}",
  "Channel": "Application",
  "Provider": "Microsoft-Windows-CAPI2",
  "EventId": 4111,
  "EventRecordId": "41651",
  "ProcessId": 1384,
  "ThreadId": 1888,
  "Level": 4,
  "SourceFile": "C:\\Windows\\System32\\winevt\\Logs\\Application.evtx",
  "TimeCreated": "2019-05-04T05:53:31.0651977+00:00",
  "RecordNumber": 41651
}

Cannot search a directory EVTX files stored on deduplicated volume

I have a bunch of event logs (a couple of terabytes uncompressed) to search through for a specific event. Event logs deduplicate pretty well, so I've stored them on a Server 2019 machine with Windows deduplication turned on for one drive. (Deduplication reduces 1 TB logs down to ~150 GB, which is nice.)

When I run evtxecmd -d D:\path it exits with no results. If I run evtxecmd -f d:\path\file.evtx, it successfully parses the file, so it's something with giving it a directory rather than a file.

In Program.cs, if I remove DirectoryEnumerationOptions.SkipReparsePoints from dirEnumOptions (line 606) it succeeds. IIRC deduplication uses reparse points, so this makes sense. Is there a specific reason to exclude reparse points?

Unrelated, but you may want to output an error/warning if any unexpected options are provided on the command line. Otherwise, typos can drive you nuts.

Thanks!

error parse evtx as the map is empty

I'm getting the following error when parsing Windows event logs, as some logs are empty:

Correct the errors and try again. Exiting

C:\Forensic Program Files\Zimmerman\EvtxExplorer\Maps\WindowsDefender_5007.map had validation errors:
'Provider' must not be empty.

Correct the errors and try again. Exiting

The following maps had errors. Scroll up to review errors, correct them, and try again.

C:\Forensic Program Files\Zimmerman\EvtxExplorer\Maps\System-Audit-CVE_2.map had validation errors:
'Provider' must not be empty.

syntax errors with System1 and System42 maps

Hi, I'm running into problems with syntax errors for the System_1 and System_42 maps, with a similar error message shown below.
`Syntax error in 'C:\Zimmerman\EvtxExplorer\Maps\System_1.map':
Author: Eric Zimmerman
Description: Sleep/wake events
EventId: 1
Channel: "System"
Provider: "Microsoft-Windows-Power-Troubleshooter"
Maps:
  -
    Property: PayloadData1
    PropertyValue: Sleep duration "%SleepDuration%"
    Values:
      -
        Name: SleepDuration
        Value: "/Event/EventData/Data[@Name=\"SleepDuration\"]"
  -
    Property: PayloadData2
    PropertyValue: Wake source "%WakeSourceType%"
    Values:
      -
        Name: WakeSourceType
        Value: "/Event/EventData/Data[@Name=\"WakeSourceType\"]"
  -
    Property: PayloadData3
    PropertyValue: Wake source text "%WakeSourceText%"
    Values:
      -
        Name: WakeSourceText
        Value: "/Event/EventData/Data[@Name=\"WakeSourceText\"]"

Lookups:
  -
    Name: WakeSourceType
    Default: Unknown code
    Values:
      0: Unknown
      1: Power button
      3: Waking from sleep to hibernate
      5: Device (See WakeSourceText for details)
      6: Timer (See WakeSourceText for details)

Valid properties include:

UserName

RemoteHost

ExecutableInfo --> used for things like process command line, scheduled task, info from service install, etc.

PayloadData1 through PayloadData6

#Sample Event - derived from the event template.
#
#
#
#1
#3
#4
#0
#0
#0x8000000000000000
#
#2671
#
#
#System
#win-gist
#
#
#
#2020-09-18 03:18:35.0664609
#2020-09-18 03:28:35.8899669
#1029
#6389
#5716
#1042
#0
#0
#0
#1912628224
#4
#4
#6
#128
#Windows will execute 'NT TASK\Microsoft\Windows\UpdateOrchestrator\Reboot_AC' scheduled task that requested waking the computer.
#52
#18
#0
#\Device\HarddiskVolume3\Windows\System32\svchost.exe
#SystemEventsBroker
#98
#
#
Property 'Provider' not found on type 'evtx.EventLogMap'.

Verify all properties against example files or manual and try again.`

TODO: Create Sysmon 28/29 Maps

Events 1-27 already exist

<Event>
<Id>28</Id>
<Version>5</Version>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Level>Information</Level>
<Task>File Block Shredding (rule: FileBlockShredding)</Task>
<Message>
<![CDATA[ File Block Shredding: RuleName: %1 UtcTime: %2 ProcessGuid: %3 ProcessId: %4 User: %5 Image: %6 TargetFilename: %7 Hashes: %8 IsExecutable: %9 ]]>
</Message>
<Template>
<![CDATA[ <template xmlns="http://schemas.microsoft.com/win/2004/08/events"> <data name="RuleName" inType="win:UnicodeString" outType="xs:string"/> <data name="UtcTime" inType="win:UnicodeString" outType="xs:string"/> <data name="ProcessGuid" inType="win:GUID" outType="xs:GUID"/> <data name="ProcessId" inType="win:UInt32" outType="win:PID"/> <data name="User" inType="win:UnicodeString" outType="xs:string"/> <data name="Image" inType="win:UnicodeString" outType="xs:string"/> <data name="TargetFilename" inType="win:UnicodeString" outType="xs:string"/> <data name="Hashes" inType="win:UnicodeString" outType="xs:string"/> <data name="IsExecutable" inType="win:Boolean" outType="xs:boolean"/> </template> ]]>
</Template>
</Event>
<Event>
<Id>29</Id>
<Version>5</Version>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Level>Information</Level>
<Task>File Executable Detected (rule: FileExecutableDetected)</Task>
<Message>
<![CDATA[ File Executable Detected: RuleName: %1 UtcTime: %2 ProcessGuid: %3 ProcessId: %4 User: %5 Image: %6 TargetFilename: %7 Hashes: %8 ]]>
</Message>
<Template>
<![CDATA[ <template xmlns="http://schemas.microsoft.com/win/2004/08/events"> <data name="RuleName" inType="win:UnicodeString" outType="xs:string"/> <data name="UtcTime" inType="win:UnicodeString" outType="xs:string"/> <data name="ProcessGuid" inType="win:GUID" outType="xs:GUID"/> <data name="ProcessId" inType="win:UInt32" outType="win:PID"/> <data name="User" inType="win:UnicodeString" outType="xs:string"/> <data name="Image" inType="win:UnicodeString" outType="xs:string"/> <data name="TargetFilename" inType="win:UnicodeString" outType="xs:string"/> <data name="Hashes" inType="win:UnicodeString" outType="xs:string"/> </template> ]]>
</Template>
</Event>

Integer as string

Is there a way to consider a value as integer instead of string? My goal is to write a map that shows the remaining battery percentage (RemainingCapacity/FullChargeCapacity)*100 based on the following event:

<Event>
  <System>
    <Provider Name="Microsoft-Windows-Kernel-Power" Guid="331c3b3a-2005-44c2-ac5e-77220c37d6b4" />
    <EventID>105</EventID>
    <Version>1</Version>
    <Level>4</Level>
    <Task>100</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000404</Keywords>
    <TimeCreated SystemTime="2020-09-22 16:23:18.0478843" />
    <EventRecordID>5495</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="17436" />
    <Channel>System</Channel>
    <Computer>MYPC</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="AcOnline">False</Data>
    <Data Name="RemainingCapacity">56293</Data>
    <Data Name="FullChargeCapacity">62654</Data>
  </EventData>
</Event>

ForwardedEvents.evtx - Evtxecmd.exe processing errors

You have done the community a huge service... This is a great utility.

I have, however, found what may be an interesting edge case. In rolling out a Windows Event Collection/Forwarding (WEC/WEF) infrastructure, I attempted to use your utility to dump the contents of an exemplar forwarded events log. Logging was set to archive and roll the ForwardedEvents log. The file size was manipulated so that I could produce a reasonably sized archive file and eliminate the possibility of me corrupting the event log file. The attached file was created and rolled by the system as part of normal log processing.
I run the following:
PS C:\bin\EvtxExplorer> ./evtxecmd.exe -f e:\workspace\Archive-ForwardedEvents-test.evtx --csv e:\workspace --debug
Version is: EvtxECmd version 0.5.2.0
I am getting the following error:
Record error at offset 0x1200, record #: 127638931 error: Specified argument was out of the range of valid values.
Parameter name: Value Type NullType is not handled! Handle it!
Record error at offset 0x2CE0, record #: 127638932 error: Index was out of range. Must be non-negative and less than the size of the collection.

I have attached the file in question.
Archive-ForwardedEvents-test.zip

Thanks!

Dave Crawford
D.S. Crawford
Information Security Office
California State University, Sacramento
6000 J Street, Sacramento CA 95819
Phone: (916) 278-1998
[email protected]

.NET 5 support

EvtxECmd version
Latest

Is your feature request related to a problem? Please describe.
I wanted to use the library in .NET 5, but it only supports .NET Framework 4

Describe the solution you'd like
.NET 5 support & nuget package for it

Group similar event in the same second

Hello everybody, I am trying to extract the 4626 events from a really big EVTX database.
The tool is working really great, but for each logon I have 3 events. Is it possible to collect the 3 events in 1?

The events are like:

User1 - Logon - 15:01:02
User1 - Logon - 15:01:05
User1 - Logon - 15:01:08

I tried to use the option tdt to collapse them, but I think I didn't really understand the meaning of this option. If it is the right way to group the events in one, can I have an example of how to use it?

Thank you to everybody.

New map ideas

@hyuunnn @forensenellanebbia and anyone else looking for something to contribute: I want to make sure all the events covered in the link below have maps. These are very common attacker TTPs, so the goal is to have the Map Description and as much relevant information mapped out so these events are not overlooked.

https://jpcertcc.github.io/ToolAnalysisResultSheet/

It's simple enough to find an event the site lists for a specific tool and cross reference to see if a map already exists. We also need to make sure this site is listed in Documentation for any event maps that it covers, which is probably a lot of them, but that can happen over time.

I'm always looking for new maps to create but this project should at least give some direction until they are all covered. Not that the maps that've been added lately don't add value, but I figure it might be smart to make sure the ones this project identified as having recorded information relating to common attacker TTPs are covered.

Error

When parsing a Security.evtx, I get the following error:

Error processing '.\Security.evtx'! 
Message: Offset and length were out of bounds for the array or count is greater than the number of elements from index to the end of the source collection.

The size of Security.evtx is 128 MB and counts 216.000 events.

Error unknown tag to build for OpCode: TokenCharRef2 (0x00000048)

EvtxECmd version #
EvtxECmd version 1.0.0.0

Describe the bug
Running EvtxECmd.exe -f .\audit_ncstcifs_D2022-08-17-T15-19-18_0000000000.evtx --inc 4663
Produces an Error and 0 records are processed:
Error processing C:\PATH\audit_ncstcifs_D2022-08-17-T15-19-18_0000000000.evtx! Message: unknown tag to build for opCode: TokenCharRef2 (0x00000048) at position 0xCC

To Reproduce
Steps to reproduce the behavior:

  1. Run the command, regardless of arguments, against a NetApp evtx file

Expected behavior
Either to work as expected or Continue converting with warning about missing parts

Screenshots
Error processing C:\PATH\audit_ncstcifs_D2022-08-17-T15-19-18_0000000000.evtx! Message: unknown tag to build for opCode: TokenCharRef2 (0x00000048) at position 0xCC

Additional context
Those Logs are generated on NetApp

'Provider' must not be empty

Hi,

When running: EvtxCmd.exe -d c:\Temp\tester --csv c:\temp\evt via the cmd prompt I get the following errors:

EvtxECmd version 0.6.5.0

Author: Eric Zimmerman ([email protected])
https://github.com/EricZimmerman/evtx

Command line: -d c:\Temp\tester --csv c:\temp\evt

Warning: Administrator privileges not found!

CSV output will be saved to 'c:\temp\evt\20210310212646_EvtxECmd_Output.csv'

C:\Temp\KAPE\Modules\bin\EvtxECmd\Maps\Application-Audit-CVE_1.map had validation errors:
'Provider' must not be empty.

Correct the errors and try again. Exiting

C:\Temp\KAPE\Modules\bin\EvtxECmd\Maps\Application-HitmanPro-Alert_911.map had validation errors:
'Provider' must not be empty.

Correct the errors and try again. Exiting

C:\Temp\KAPE\Modules\bin\EvtxECmd\Maps\Application-Sophos-Alert_32.map had validation errors:
'Provider' must not be empty.

Correct the errors and try again. Exiting

C:\Temp\KAPE\Modules\bin\EvtxECmd\Maps\Application-Sophos-Alert_42.map had validation errors:
'Provider' must not be empty.

Correct the errors and try again. Exiting

C:\Temp\KAPE\Modules\bin\EvtxECmd\Maps\Cisco-AnyConnect-Secure-Mobility-Client-2048.map had validation errors:
'Provider' must not be empty.

Correct the errors and try again. Exiting

C:\Temp\KAPE\Modules\bin\EvtxECmd\Maps\Cisco-AnyConnect-Secure-Mobility-Client-2086.map had validation errors:
'Provider' must not be empty.

Correct the errors and try again. Exiting

C:\Temp\KAPE\Modules\bin\EvtxECmd\Maps\Cisco-AnyConnect-Secure-Mobility-Client-2127.map had validation errors:
'Provider' must not be empty.

Correct the errors and try again. Exiting

C:\Temp\KAPE\Modules\bin\EvtxECmd\Maps\Cisco-AnyConnect-Secure-Mobility-Client-5005.map had validation errors:
'Provider' must not be empty.

Pass event ID ranges

EvtxECmd version
1.5.0.0

Is your feature request related to a problem? Please describe.
Sometimes I want to look at 100 or so event IDs. I don't want to take the time to make a list. It would be much faster to say 700-800 instead of 700,701,702,...,800

Describe the solution you'd like
Allow event ID ranges to be added inline with the normal event IDs

1,2,3,70-90,105,106,200-210

Describe alternatives you've considered
A PowerShell script, or creating my list in Excel and copying it in.

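As an added example (not part of EvtxECmd, and the --inc/--exc options themselves accept only the comma-separated form shown in the help text above), the following expands the mixed single-ID and lo-hi range grammar proposed in this request into the argument string the tool already takes, and applies the same selection to already-parsed records. The item grammar, the max_span guard and the function names are this example's own; the sample records are constructed in the shape of the tool's JSON output, where EventId is an integer.

```python
"""Expand an Event ID selection that mixes single IDs and lo-hi ranges into the
comma-separated form --inc and --exc already accept. Added example, not part
of EvtxECmd; the grammar is the one proposed in the post above."""
import re

ITEM = re.compile(r"^\s*(\d+)\s*(?:-\s*(\d+)\s*)?$")


def expand_id_spec(spec, max_span=10_000):
    """Sorted distinct IDs for a spec such as '1,2,3,70-90,105,106,200-210'.
    Malformed items, reversed ranges and ranges wider than max_span (a typo
    such as 4-46240 would otherwise yield a huge argument) raise ValueError."""
    ids = set()
    for item in spec.split(","):
        if not item.strip():
            continue
        m = ITEM.match(item)
        if m is None:
            raise ValueError(f"malformed Event ID item: {item.strip()!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) is not None else lo
        if hi < lo:
            raise ValueError(f"reversed range: {item.strip()!r}")
        if hi - lo + 1 > max_span:
            raise ValueError(f"range {item.strip()!r} is wider than {max_span} IDs")
        ids.update(range(lo, hi + 1))
    return sorted(ids)


def inc_argument(spec):
    """The value to hand to --inc (or --exc)."""
    return ",".join(str(i) for i in expand_id_spec(spec))


# Constructed records in the shape of EvtxECmd's JSON output (EventId is an int).
SAMPLE_RECORDS = [
    {"EventRecordId": 1, "EventId": 4624},
    {"EventRecordId": 2, "EventId": 4105},
    {"EventRecordId": 3, "EventId": 75},
    {"EventRecordId": 4, "EventId": 91},
]


def select_records(records, spec):
    """The same selection applied after the fact to parsed records."""
    wanted = set(expand_id_spec(spec))
    return [r for r in records if r["EventId"] in wanted]


if __name__ == "__main__":
    print(inc_argument("1,2,3,70-90,105,106,200-210"))
```

Run the script and paste its one line of output after --inc; the ValueError on a reversed or oversized range is deliberate, since a silent typo in a range would otherwise pull in thousands of unrelated event IDs.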

UTC vs local timestamp variances in tools

EvtxECmd version #
I am running EvtxCmd version 1.0.0.0

Describe the bug
If I run EvtxECmd at 12:00 without specifying an output file name, the generated file has a name such as 20220615100000_EvtxECmd_Output.csv. If I run it with the other EZ Tools in a PowerShell loop, all the others' default output file names are like 20220615120101_LECmd_Output.csv. @ro-olivier identified the same behavior on their end.

To Reproduce
The exact command executed is .\EvtxECmd.exe -d .\C\Windows\System32\winevt\Logs\ --csv .\output\EventLogs with a fresh install of all EZTools.

Expected behavior
I expect the timestamp to be 20220615100000_EvtxECmd_Output.csv

Additional context
My timezone is GMT + 2 / UTC+1

Possible explanation
I suspect there are some time conversion between UTC and local timezone that somehow affected also the file name ?

License

Hi, whats the license for this code?

Nuget package

EvtxECmd version
Latest

Is your feature request related to a problem? Please describe.
I wanted to use the evtx library via Nuget, but it is not published there

Describe the solution you'd like
A nuget package for the evtx library

EventID qualifiers are throwing off ID inclusion/exclusion

In the process of creating evtxcmd maps I found this
<EventID Qualifiers="32768">4105</EventID>
when I searched for 4105. I normally search for <EventID>4105</EventID>. evtxecmd does not see this string as event id 4105. I used --inc 4105 in the CLI.

Is this expected behavior?

Logging this without the example files just so it does not slip through the cracks. I will get you a sample file(s).

-Mark

Evtxecmd

When processing Windows event logs with evtxecmd I frequently see a notice that time just went backwards, but when reviewing the event logs there is not a gap in logs observed. An example provided below. Can you help to explain what this is indicating?

Chunk count: 15,625, Iterating records...
Record #: 172349710 (timestamp: 2024-01-16 13:13:01.3026785): Warning! Time just went backwards! Last seen time before change: 2024-02-16 21:22:16.6101064

Also frequently observe a message stating that a value is not found and is replaced with an empty string. An example provided below. Can you help to explain what this is indicating?

Record # 75146 (Event Record Id: 75146): In map for event 1150, Property /Event/EventData/Data[@Name="Signature version"] not found! Replacing with empty string

Linux support

EvtxECmd version
Latest

Is your feature request related to a problem? Please describe.
Following the .NET 5 support, I wanted to use this library in linux, but it seems that some of the dependencies do not support it.

Describe the solution you'd like
The library working in linux.

'Process Id' property not properly populated or configurable

EvtxECmd version #
0.6.5.0

Describe the bug
'Process Id' pulls the incorrect process id from the 'System/Execution ProcessID="4"' values, instead of from EventData. I believe this field cannot be edited manually.

To Reproduce
Steps to reproduce the behavior:

  1. Enable 5152 events: Object Access > Filtering Platform Packet Drop > Set to "failure"
  2. Enable FW rule to drop packets, i.e. Port 80,443 > navigate to any site. Should generate several 5152 events.
  3. Export 5152 events to 5152.evtx
  4. .\EvtxECmd.exe -f "C:\Path\EVTX Examples\5152.evtx" --csv "C:\Path\EVTX Examples" --csvf 5152-withMap.csv
  5. Load in TLE

Expected behavior
Allow maps to properly parse process id and populate 'Process Id' field in csv output. This would remove the need to use an additional 'Payload Data' field, which has a limit.

Screenshots
image

Additional context
I am working on the map for 5152 events, but this is similar to 5156, which exists and has similar behavior.

Add Regex support for Provider/Channel fields

EvtxECmd version
Current

Is your feature request related to a problem? Please describe.
Regex support for the Provider field

Describe the solution you'd like
Regex support for the Provider field

Describe alternatives you've considered
For Providers like ScreenConnect, there is no alternative. It's ScreenConnect Client (random values here)

Additional context
It would be great to add regex support so we could make Maps for very popular remote access tools commonly used by threat actors.

event parser

Hi, trying to run it on security.evtx and I get an error:
unhandled exception: system.missingmethodexception: method not found system.array.empty
at evtx.eventlogmapvalidator..ctor
at evtx.eventlog.loadmaps(string mappath) in d:\code\evtx\evtx\eventlog.cs:line 133

Feature: Run under linux (wine)

Under wine it partially works. It can read the evtx file and parse it.
Loading the map files fails.

# wine /tmp/ericzimmerman/EvtxExplorer/EvtxECmd.exe -f Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx -csvf test.csv
EvtxECmd version 0.5.2.0

Author: Eric Zimmerman ([email protected])
https://github.com/EricZimmerman/evtx

Command line: -f Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx -debug -csvf a.csv

Error loading map file 'Z:\tmp\ericzimmerman\EvtxExplorer\Maps\Microsoft-Windows-Application-Experience_Program-Telemetry_500.map': Type Microsoft.Win32.SafeHandles.SafeHandleZeroOrMinusOneIsInvalid which is passed to unmanaged code must have a StructLayout attribute.
Error loading map file 'Z:\tmp\ericzimmerman\EvtxExplorer\Maps\Microsoft-Windows-Application-Experience_Program-Telemetry_505.map': Type Microsoft.Win32.SafeHandles.SafeHandleZeroOrMinusOneIsInvalid which is passed to unmanaged code must have a StructLayout attribute.
Error loading map file 'Z:\tmp\ericzimmerman\EvtxExplorer\Maps\Microsoft-Windows-Bits-Client_Operational_59.map': Type Microsoft.Win32.SafeHandles.SafeHandleZeroOrMinusOneIsInvalid which is passed to unmanaged code must have a StructLayout attribute.
...
Maps loaded: 0

Processing 'Z:\tmp\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx'...
Chunk count: 1, Iterating records...

Event log details
Flags: None
Chunk count: 1
Stored/Calculated CRC: EE8D56C7/EE8D56C7
Earliest timestamp: 2015-09-09 19:25:14.6092179
Latest timestamp:   2015-09-10 05:30:53.8815253
Total event log records found: 34

Records included: 34 Errors: 0 Events dropped: 0

Metrics (including dropped events)
Event Id        Count
21              1
22              1
23              1
32              2
34              25
41              1
42              1
54              2

Processed 1 file in 0.4607 seconds
