Offline Event Viewer
#1
Posted 22 April 2012 - 09:15 PM
I'm looking for an offline event viewer that I can use in a PE to analyze the host OS logs. From my testing MyEventViewer from Nirsoft won't open the live files, just the backup files. Does anyone have any suggestions?
#2
Posted 23 April 2012 - 01:43 AM
http://reboot.pro/6957/
The script hasn't been updated in a while but should still work.
#3
Posted 23 April 2012 - 03:24 AM
Event log explorer works pretty good.
http://reboot.pro/6957/
The script hasn't been updated in a while but should still work.
Thanks, I was looking for something that a business could use though, their EULA is restrictive to personal use only. I may have a budget for purchasing software in the future but not at the moment.
#4
Posted 23 April 2012 - 09:23 AM
Myeventviewer defaults to "online" event logs (but can be "induced" to read an "offline file"):
http://reboot.pro/16540/
In other words, if you need to read ONLINE event logs, Myeventviewer does it; if you want to read OFFLINE event logs, Myeventviewer can do it as well....
Wonko
#5
Posted 23 April 2012 - 01:39 PM
I am not sure I get it.
Myeventviewer defaults to "online" event logs (but can be "induced" to read an "offline file"):
http://reboot.pro/16540/
In other words, if you need to read ONLINE event logs, Myeventviewer does it; if you want to read OFFLINE event logs, Myeventviewer can do it as well....
Wonko
Thanks Wonko, always helpful! I did try MyEventView but have not yet been able to successfully open an offline event log with it. Not sure what I'm missing but I'm running the command lines per their documentation but it only ever loads a blank page. Have you seen it work offline correctly? Perhaps I'm doing something wrong.
Edit: I was just able to load a file, but I needed to open Event Viewer and save the log for it to be readable. I'm looking for something to load what would be the live files from the disk. Viewing saved events doesn't help much; I need to be able to see current (or rather, more current) events than when I would have last cleared the log files.
#6
Posted 23 April 2012 - 02:43 PM
When you are running an OS, the built-in event viewer (MMC) connects to the ONLINE Event log files.
When you are running the SAME OS, the Nirsoft Event viewer connects to the SAME ONLINE Event log files.
(if you prefer you are accessing EXACTLY the SAME ONLINE files)
When you are running ANOTHER OS, the Nirsoft Event viewer (via Command line) can connect to the OFFLINE Event log files.
Can you try to describe in other words what you are trying to do?
Wonko
#7
Posted 23 April 2012 - 03:17 PM
I guess we are having some form of miscommunication.
When you are running an OS, the built-in event viewer (MMC) connects to the ONLINE Event log files.
When you are running the SAME OS, the Nirsoft Event viewer connects to the SAME ONLINE Event log files.
(if you prefer you are accessing EXACTLY the SAME ONLINE files)
When you are running ANOTHER OS, the Nirsoft Event viewer (via Command line) can connect to the OFFLINE Event log files.
Can you try to describe in other words what you are trying to do?
Wonko
Put simply: boot to a PE and view the events from the host OS, say in the event of a bad driver that caused the computer to restart before I can get to the event viewer on the host OS. I understand how MyEventViewer works in a live environment, and in the PE it will load SAVED log files (which are .evt files), but not the actual Windows .evt files themselves (located at c:\windows\system32\config\AppEvent.evt for example). Feel free to copy that file and attempt to open it with MyEventViewer; it will be blank. But open your local Event Viewer, right click on, say, the "Application" log and save, then it will open that file just fine. Does that explain it more?
#8
Posted 23 April 2012 - 03:45 PM
Put simply: boot to a PE and view the events from the host OS, say in the event of a bad driver that caused the computer to restart before I can get to the event viewer on the host OS. I understand how MyEventViewer works in a live environment, and in the PE it will load SAVED log files (which are .evt files), but not the actual Windows .evt files themselves (located at c:\windows\system32\config\AppEvent.evt for example). Feel free to copy that file and attempt to open it with MyEventViewer; it will be blank. But open your local Event Viewer, right click on, say, the "Application" log and save, then it will open that file just fine. Does that explain it more?
Now I see.
Then you may need this other tool:
http://www.tzworks.n....php?proto_id=4
(less friendly output)
Or Harlan Carvey's PERL thingy:
http://www.cpan.org/...d/H/HC/HCARVEY/
Scratch that.
Post a sample Appevent.evt that you cannot load with MyEventViewer.
(I am presuming that it will have the "dirty" bit set)
Or check directly, open it in a hex editor and check byte at offset 0x24 (36 dec).
If it is 01, change it to 00 and try loading the file again in Myeventviewer.
Wonko
#9
Posted 23 April 2012 - 04:38 PM
Wonko
#10
Posted 23 April 2012 - 06:21 PM
Bump! (to let darkman738 know that I updated my previous post)
Wonko
Thanks, I'll check for the "dirty" bit when I get home. The problem though is that I would need to make this adjustment each time I run the program; I'm not sure that would work. But I am interested to see if that is the cause.
#11
Posted 23 April 2012 - 06:47 PM
Thanks, I'll check for the "dirty" bit when I get home. The problem though is that I would need to make this adjustment each time I run the program; I'm not sure that would work. But I am interested to see if that is the cause.
IF this is the case, we can try notifying the good guy at Nirsoft, so that he updates the app.
Wonko
#12
Posted 23 April 2012 - 09:49 PM
Post a sample Appevent.evt that you cannot load with MyEventViewer.
(I am presuming that it will have the "dirty" bit set)
Or check directly, open it in a hex editor and check byte at offset 0x24 (36 dec).
If it is 01, change it to 00 and try loading the file again in Myeventviewer.
Wonko
So I looked into this per your suggestion and you sir were dead on accurate! That was EXACTLY the problem. I will put together a request now and send over to Nirsoft! Thanks for the help. How did you possibly come up with that?
#13
Posted 24 April 2012 - 07:46 AM
How did you possibly come up with that?
I did the "obvious" things, standard troubleshooting:
- made a few searches on the topic
- made a copy of "online" Appevent.evt
- saved a copy of it through MMC snap-in
- compared the two in a Hex editor (they were VERY similar)
- read the info about the .evt header: http://www.forensicswiki.org/wiki/EVT
- compared with the Appevent.evt's of a few "offline" system images
- found out that in all of them (and in the "online" copy) the "dirty bit" was set
- made an "educated" guess
If you prefer, in three steps:
- find what other people said on the topic
- NOT trust them blindly and make a few experiments
- come to a tentative solution
What is "queer" is that I remember having checked an "offline" .evt with that app (some time ago) successfully, though I cannot say which OS it was (maybe 2K); it is possible that this "dirty" bit behaviour has changed with XP or with a SP.
In the meantime (and should the good Nir Sofer have issues with updating the thingy or not enough time) you could use a batch like:
@Echo off
SETLOCAL ENABLEEXTENSIONS
SETLOCAL ENABLEDELAYEDEXPANSION
::get the source directory (argument 1 is a folder ending in \ or one of the .evt files)
IF %1.==. GOTO :ERROR
SET Sourcedir=
SET Sourcedir=%~dp1
SET Params=
SET /A NotFound=0
::AppEvent.evt, SysEvent.evt, SecEvent.evt: first three letters of the log name
FOR %%A IN (Application System Security) DO (
  SET Full=%%A
  SET Prefix=!Full:~0,3!
  IF EXIST %~dp1!Prefix!Event.evt (CALL :DO_Copy_and_Patch %~dp1!Prefix!Event.evt) ELSE (SET /A NotFound+=1)
)
IF %NotFound% lss 3 (
  ECHO.
  ECHO Press any key to launch Myeventviewer as follows:
  ECHO Myeventviewer.exe /LoadFiles %Params%
  ECHO ...
  PAUSE >NUL
  Myeventviewer.exe /LoadFiles %Params%
) ELSE (GOTO :ERROR2)
GOTO :EOF

:DO_Copy_and_Patch
::work on a copy, clear the byte at offset 0x24 (the "dirty" flag), add it to the /LoadFiles list
COPY %1 %~n1.bak
Hexalter %~n1.bak 0x24=0
SET Params=%Params% "%~n1.bak" "%Full%"
GOTO :EOF

:ERROR
ECHO You must provide a parameter in the form of a full path to the folder
ECHO containing the .evt event files - terminated by backslash - or to any one of them.
PAUSE
GOTO :EOF

:ERROR2
ECHO No .evt file was found
PAUSE
GOTO :EOF

Needs Hexalter:
http://kuwanger.net/.../hexalter.shtml
Use some common sense (NO spaces in paths).
Wonko
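The same check and fix, done in Python instead of a hex editor or Hexalter, as an added example that is not part of the thread and is not Nirsoft's or Wonko's code. It assumes the 48-byte .evt header layout from the forensicswiki page linked in post #13 (the "LfLe" signature at offset 4, a 32-bit flags field at offset 0x24 whose lowest bit is the dirty flag); the function names parse_header, is_dirty, clear_dirty and make_sample_evt are this example's own, and the sample log it builds is constructed, not a real AppEvent.evt.

```python
"""Inspect the header of a Windows NT/2000/XP .evt log and write a clean copy.

Constructed example (not from the thread or from Nirsoft). The 48-byte
ELF_LOGFILE_HEADER layout is the one documented on forensicswiki/MSDN:
all fields are little-endian DWORDs except the 4-byte "LfLe" signature.
"""
import struct
import sys

HEADER_SIZE = 0x30          # the header is always 48 bytes
SIGNATURE = b"LfLe"
FLAGS_OFFSET = 0x24         # the byte post #8 says to check (36 dec)

# Bits of the 32-bit Flags field at 0x24 (ELF_LOGFILE_HEADER_* in MSDN).
FLAG_DIRTY = 0x0001         # log was in use / not cleanly closed
FLAG_WRAP = 0x0002          # records have wrapped around the end of file
FLAG_LOGFULL_WRITE = 0x0004
FLAG_ARCHIVE_SET = 0x0008

FIELDS = ("header_size", "signature", "major_version", "minor_version",
          "start_offset", "end_offset", "current_record_number",
          "oldest_record_number", "max_size", "flags", "retention",
          "end_header_size")
_FMT = "<I4s" + "I" * 10    # 4 + 4 + 10*4 = 48 bytes


def parse_header(data: bytes) -> dict:
    """Parse the fixed header; raise ValueError if this is not an .evt file."""
    if len(data) < HEADER_SIZE:
        raise ValueError("file shorter than an EVT header")
    hdr = dict(zip(FIELDS, struct.unpack(_FMT, data[:HEADER_SIZE])))
    if hdr["signature"] != SIGNATURE or hdr["header_size"] != HEADER_SIZE:
        raise ValueError("missing LfLe signature or bad header size")
    return hdr


def is_dirty(data: bytes) -> bool:
    """True when the dirty flag is set, i.e. the log was copied from a live system."""
    return bool(parse_header(data)["flags"] & FLAG_DIRTY)


def describe_flags(flags: int) -> list:
    """Human-readable names for the flag bits that are set."""
    names = [(FLAG_DIRTY, "DIRTY"), (FLAG_WRAP, "WRAP"),
             (FLAG_LOGFULL_WRITE, "LOGFULL_WRITE"), (FLAG_ARCHIVE_SET, "ARCHIVE_SET")]
    return [name for bit, name in names if flags & bit]


def clear_dirty(data: bytes) -> bytes:
    """Return a copy of the log with only the DIRTY bit cleared; the original is untouched."""
    hdr = parse_header(data)
    new_flags = hdr["flags"] & ~FLAG_DIRTY
    return data[:FLAGS_OFFSET] + struct.pack("<I", new_flags) + data[FLAGS_OFFSET + 4:]


def make_sample_evt(dirty: bool = True) -> bytes:
    """Constructed sample: a header followed by the 40-byte end-of-file record of an empty log."""
    flags = FLAG_DIRTY if dirty else 0
    header = struct.pack(_FMT, HEADER_SIZE, SIGNATURE, 1, 1, 0x30, 0x30,
                         1, 1, 0x80000, flags, 0, HEADER_SIZE)
    # ELF_EOF_RECORD: size, four magic DWORDs, begin/end offsets, record numbers, size again
    eof = struct.pack("<10I", 0x28, 0x11111111, 0x22222222, 0x33333333,
                      0x44444444, 0x30, 0x30, 1, 1, 0x28)
    return header + eof


if __name__ == "__main__":
    # usage: python evt_dirty.py <copied AppEvent.evt> <clean copy to write>
    src, dst = sys.argv[1], sys.argv[2]
    with open(src, "rb") as f:
        raw = f.read()
    hdr = parse_header(raw)
    print("flags at 0x24:", hex(hdr["flags"]), describe_flags(hdr["flags"]))
    print("records %d..%d, max size %d bytes" %
          (hdr["oldest_record_number"], hdr["current_record_number"], hdr["max_size"]))
    with open(dst, "wb") as f:
        f.write(clear_dirty(raw))
    print("wrote", dst, "dirty flag cleared")
```

Only the one flag bit is touched and the work is always done on a copy, so a file pulled from an offline system image stays as it was for later examination; the script also reports the WRAP bit, since a wrapped log means the oldest record does not sit at the lowest offset, which matters when reading the records with other tools.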