Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

winevtx parser failing to extract creation time in not well-formed XML string #3595

Closed
joachimmetz opened this issue May 15, 2021 · 2 comments
Closed

winevtx parser failing to extract creation time in not well-formed XML string #3595

joachimmetz opened this issue May 15, 2021 · 2 comments
Assignees
@joachimmetz
Labels
enhancement New or improved functionality parsers Issues related to parsers and parser plug-ins
Milestone
2021 June release

Comments

@joachimmetz
Copy link
Member

As flagged in #442 Windows Event Log XML is not necessary proper (well-formed) XML. This is causing the winevtx to error on certain evtx files. Change the parser to use an alternative approach to extract the TimeCreated value.

******************************** Warning: 12627 ********************************
           Message : unable to parse XML string of event record: 26301 with
                     error: not well-formed (invalid token): line 20, column 55
      Parser chain : winevtx
Path specification : type: OS, location: image.E01
                   : type: EWF
                   : type: NTFS, location:
                     \Windows\System32\winevt\Logs\Microsoft-Windows-Store%4Operational.evtx,
                     MFT attribute: 2, MFT entry: 32230
--------------------------------------------------------------------------------
@joachimmetz joachimmetz self-assigned this May 15, 2021
@joachimmetz joachimmetz added enhancement New or improved functionality parsers Issues related to parsers and parser plug-ins labels May 15, 2021
@joachimmetz
Copy link
Member Author

Related issue #442

joachimmetz added a commit to joachimmetz/plaso that referenced this issue May 15, 2021
@joachimmetz
Changed winevtx parser to not parse XML string log2timeline#3595
df0def7
@joachimmetz
Copy link
Member Author

joachimmetz commented May 15, 2021
edited
Loading 

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Store" Guid="{9C2A37F3-E5FD-5CAE-BCD1-43DAFEEE1FF0}"/>
    <EventID>8001</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>8001</Task>
    <Opcode>14</Opcode>
    <Keywords>0x8000100000000000</Keywords>
    <TimeCreated SystemTime="2018-09-03T01:54:01.996300600Z"/>
    <EventRecordID>218351</EventRecordID>
    <Correlation/>
    <Execution ProcessID="784" ThreadID="4980"/>
    <Channel>Microsoft-Windows-Store/Operational</Channel>
    <Computer>base-wkstn-01.shieldbase.lan</Computer>
    <Security UserID="S-1-5-19"/>
  </System>
  <EventData>
    <Data Name="Message">[1374] [000001B9730DC1F0:558F5D32-0827-EB7B-6AD6-D5DB4138B3AA] StopProcessing : Key:NegotiatingUnleased</Data>
    <Data Name="Function">StateMachine<class KeyMachine,class KeyState>::PumpEvents</Data>
    <Data Name="Source">onecoreuap\enduser\winstore\licensemanager\lib\statemachine.h</Data>
    <Data Name="Line Number">173</Data>
  </EventData>
</Event>

The culprit <Data Name="Function">StateMachine<class KeyMachine,class KeyState>::PumpEvents</Data>. AFAIK well-formed XML should not contain < in the XML element data. Confirmed this with Windows EventViewer.

@joachimmetz joachimmetz added the close after review Issue as outstanding pull request(s) and can be closed once these have been reviewed and merged label May 15, 2021
@joachimmetz joachimmetz added this to the 2021 June release milestone May 15, 2021
@joachimmetz joachimmetz mentioned this issue May 15, 2021
Merged
joachimmetz added a commit to joachimmetz/plaso that referenced this issue May 15, 2021
@joachimmetz
Changed winevtx parser to not parse XML string log2timeline#3595
68f87e8
@joachimmetz joachimmetz mentioned this issue May 15, 2021
Open
4 tasks
@joachimmetz joachimmetz changed the title Change winevtx parser to handle not well-formed XML string winevtx parser failing to extract creation time in not well-formed XML string May 15, 2021
joachimmetz added a commit that referenced this issue May 15, 2021
@joachimmetz
Changed winevtx parser to not parse XML string #3595 (#3596)
9d947c8
@joachimmetz joachimmetz removed the close after review Issue as outstanding pull request(s) and can be closed once these have been reviewed and merged label May 15, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@joachimmetz joachimmetz

Labels
enhancement New or improved functionality parsers Issues related to parsers and parser plug-ins
Projects
None yet
Milestone
2021 June release
Development

No branches or pull requests
1 participant
@joachimmetz