
Offline Event Viewer


12 replies to this topic

#1 darkman738

darkman738

    Frequent Member

  • Advanced user
  • 134 posts
  • Location:MA, US
  •  
    United States

Posted 22 April 2012 - 09:15 PM

Hi all,
I'm looking for an offline event viewer that I can use in a PE to analyze the host OS logs. From my testing MyEventViewer from Nirsoft won't open the live files, just the backup files. Does anyone have any suggestions?

#2 homes32

homes32

    Silver Member

  • .script developer
  • 987 posts
  • Location:Minnesota
  •  
    United States

Posted 23 April 2012 - 01:43 AM

Event log explorer works pretty good.

http://reboot.pro/6957/

the script hasn't been updated in a while but should still work.

#3 darkman738


Posted 23 April 2012 - 03:24 AM

Event log explorer works pretty good.

http://reboot.pro/6957/

the script hasn't been updated in a while but should still work.


Thanks, I was looking for something that a business could use though, their EULA is restrictive to personal use only. I may have a budget for purchasing software in the future but not at the moment.

#4 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 10,814 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 23 April 2012 - 09:23 AM

I am not sure to get it. :dubbio:

Myeventviewer defaults to "online" event logs (but can be "induced" to read an "offline file"):
http://reboot.pro/16540/

In other words, if you need to read ONLINE event logs, Myeventviewer does it, if you want to read OFFLINE event logs, Myeventviewer can do it as well....

:cheers:
Wonko

#5 darkman738


Posted 23 April 2012 - 01:39 PM

I am not sure to get it. :dubbio:

Myeventviewer defaults to "online" event logs (but can be "induced" to read an "offline file"):
http://reboot.pro/16540/

In other words, if you need to read ONLINE event logs, Myeventviewer does it, if you want to read OFFLINE event logs, Myeventviewer can do it as well....

:cheers:
Wonko


Thanks Wonko, always helpful! I did try MyEventView but have not yet been able to successfully open an offline event log with it. Not sure what I'm missing but I'm running the command lines per their documentation but it only ever loads a blank page. Have you seen it work offline correctly? Perhaps I'm doing something wrong.

Edit: I was just able to load a file but I needed to open event viewer and save the log for it to be readable, I'm looking for something to load what would be the live files from the disk. Viewing saved events doesn't help much, I need to be able to see current (rather more current) than when I would have last cleared the log files.

#6 Wonko the Sane


Posted 23 April 2012 - 02:43 PM

I guess we are having some form of miscommunication. :dubbio:

When you are running an OS, the built-in event viewer (MMC) connects to the ONLINE Event log files.
When you are running the SAME OS, the Nirsoft Event viewer connects to the SAME ONLINE Event log files.
(if you prefer you are accessing EXACTLY the SAME ONLINE files)

When you are running ANOTHER OS, the Nirsoft Event viewer (via Command line) can connect to the OFFLINE Event log files.

Can you try to describe in other words what you are trying to do?

:cheers:
Wonko

#7 darkman738


Posted 23 April 2012 - 03:17 PM

I guess we are having some form of miscommunication. :dubbio:

When you are running an OS, the built-in event viewer (MMC) connects to the ONLINE Event log files.
When you are running the SAME OS, the Nirsoft Event viewer connects to the SAME ONLINE Event log files.
(if you prefer you are accessing EXACTLY the SAME ONLINE files)

When you are running ANOTHER OS, the Nirsoft Event viewer (via Command line) can connect to the OFFLINE Event log files.

Can you try to describe in other words what you are trying to do?

:cheers:
Wonko


Put simply, boot to a PE and view the events from the host OS, say in the event of a bad driver that caused the computer to restart before I can get to the event viewer on the host OS. I understand how MyEventViewer works in a live environment and in the PE it will load SAVED log files (which are .evt files), but not the actual Windows .evt files themselves (located at c:\windows\system32\config\AppEvent.evt for example) Feel free to copy that file and attempt to open it with MyEventViewer it will be blank, but open your local event viewer right click on say "Applications" log and save, then it will open that file just fine. Does that explain it more?

#8 Wonko the Sane


Posted 23 April 2012 - 03:45 PM

Put simply, boot to a PE and view the events from the host OS, say in the event of a bad driver that caused the computer to restart before I can get to the event viewer on the host OS. I understand how MyEventViewer works in a live environment and in the PE it will load SAVED log files (which are .evt files), but not the actual Windows .evt files themselves (located at c:\windows\system32\config\AppEvent.evt for example) Feel free to copy that file and attempt to open it with MyEventViewer it will be blank, but open your local event viewer right click on say "Applications" log and save, then it will open that file just fine. Does that explain it more?

Now I see. :)

Then you may need this other tool:
http://www.tzworks.n....php?proto_id=4
(less friendly output)
Or Harlan Carvey's PERL thingy:
http://www.cpan.org/...d/H/HC/HCARVEY/

The misunderstanding derives from the fact that "ONLINE" .evt files are actually a sort of database which connects to other resources (whilst ONLINE) whilst saved (OFFLINE) event logs are a "plain" sort of "dump".
Scratch that :blush:.

Post a sample Appevent.evt that you cannot load with MyEventViewer.
(I am presuming that it will have the "dirty" bit set)
Or check directly, open it in a hex editor and check byte at offset 0x24 (36 dec).
If it is 01, change it to 00 and try loading again the file in Myeventviewer.


:cheers:
Wonko

#9 Wonko the Sane


Posted 23 April 2012 - 04:38 PM

Bump! (to let darkman738 know that I updated my previous post)

:cheers:
Wonko

#10 darkman738


Posted 23 April 2012 - 06:21 PM

Bump! (to let darkman738 know that I updated my previous post)

:cheers:
Wonko


Thanks, I'll check for the "dirty" bit when I get home. The problem though is that I would need to make this adjustment each time I run the program, I'm not sure that would work. But I am interested to see if that is the cause.

#11 Wonko the Sane


Posted 23 April 2012 - 06:47 PM

Thanks, I'll check for the "dirty" bit when I get home. The problem though is that I would need to make this adjustment each time I run the program, I'm not sure that would work. But I am interested to see if that is the cause.

IF this is the case, we can try notifying the good guy at Nirsoft, so that he updates the app. ;)

:cheers:
Wonko

#12 darkman738


Posted 23 April 2012 - 09:49 PM

Post a sample Appevent.evt that you cannot load with MyEventViewer.
(I am presuming that it will have the "dirty" bit set)
Or check directly, open it in a hex editor and check byte at offset 0x24 (36 dec).
If it is 01, change it to 00 and try loading again the file in Myeventviewer.


:cheers:
Wonko


So I looked into this per your suggestion and you sir were dead on accurate! That was EXACTLY the problem. I will put together a request now and send over to Nirsoft! Thanks for the help. How did you possibly come up with that?

#13 Wonko the Sane


Posted 24 April 2012 - 07:46 AM

How did you possibly come up with that?

I did the "obvious" things, standard troubleshooting:
  • made a few searches on the topic
  • made a copy of "online" Appevent.evt
  • saved a copy of it through MMC snap-in
  • compared the two in a Hex editor (they were VERY similar)
  • read the info about the .evt header: http://www.forensicswiki.org/wiki/EVT
  • compared with the Appevent.evt's of a few "offline" system images
  • found out that in all of them (and in the "online" copy) the "dirty bit" was set
  • made an "educated" guess ;)

If you prefer in three steps:
  • find what other people said on the topic
  • NOT trust them blindly and make a few experiments
  • come to a tentative solution




What is "queer" is that I remember having checked an "offline" .evt viewer with that app (some time ago) successfully, though cannot say which OS it was (maybe 2K :dubbio:), it is possible that this "dirty" bit behaviour has changed with XP or with a SP :unsure:.

In the meantime (and should the good Nir Sofer :worship: have issues with updating the thingy or not enough time) you could use a batch like:

@Echo off
SETLOCAL ENABLEEXTENSIONS
SETLOCAL ENABLEDELAYEDEXPANSION

::get the source directory (a folder path ending in a backslash, or any one of the .evt files in it)
IF %1.==. GOTO :ERROR
SET Sourcedir=
SET Sourcedir=%~dp1

SET Params=
SET /A NotFound=0
REM The first three letters of each log name give the file prefix:
REM AppEvent.evt, SysEvent.evt, SecEvent.evt
FOR %%A IN (
Application
System
Security
) DO (
  SET Full=%%A
  SET Prefix=!Full:~0,3!
  IF EXIST %~dp1!Prefix!Event.evt (CALL :DO_Copy_and_Patch %~dp1!Prefix!Event.evt) ELSE (SET /A NotFound+=1)
)
IF %NotFound% lss 3 (
  ECHO.
  ECHO Press any key to launch Myeventviewer as follows:
  ECHO Myeventviewer.exe /LoadFiles %Params%
  ECHO ...
  PAUSE >NUL
  Myeventviewer.exe /LoadFiles %Params%
) ELSE (GOTO :ERROR2)
GOTO :EOF

:DO_Copy_and_Patch
REM Work on a copy, never on the original log, and clear the "dirty" byte at offset 0x24
COPY %1 %~n1.bak
Hexalter %~n1.bak 0x24=0
SET Params=%Params% "%~n1.bak" "%Full%"
GOTO :EOF

:ERROR
ECHO You must provide a parameter in the form of a full path to the folder
ECHO containing the .evt event files - terminated by backslash - or to any one of them.
PAUSE
GOTO :EOF

:ERROR2
ECHO No .evt file was found
PAUSE
GOTO :EOF
Needs Hexalter:
http://kuwanger.net/.../hexalter.shtml
Use some common sense (NO spaces in paths).

:cheers:
Wonko
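The dirty-bit check described in #8 (byte at offset 0x24) and the copy-and-patch step of the batch in #13, as an added Python example; it is not code from the thread, from Nirsoft, or from Hexalter. It assumes the classic ELF_LOGFILE_HEADER layout of NT4/2000/XP/2003 .evt files (48 bytes made of twelve little-endian uint32 fields, "LfLe" signature at offset 4, flags at offset 0x24), and all sample bytes and file names in it are constructed. It goes a little beyond the thread in one way: it clears only the DIRTY bit (0x01) instead of zeroing the whole byte, so the WRAP bit (0x02) survives when a log has wrapped around, and it validates the signature first so a non-EVT file is refused rather than silently patched. The original file is never written to, and both hashes are returned so the change to the working copy is documented.

```python
"""Check and clear the "dirty" flag in a classic Windows .evt event log header.

Added example for this thread; not code from the thread, from Nirsoft or from
Hexalter. Assumes the ELF_LOGFILE_HEADER layout of NT4/2000/XP/2003 logs:
48 bytes of twelve little-endian uint32 fields, "LfLe" signature at offset 4,
flags at offset 0x24. Sample bytes and file names below are constructed.
"""
import hashlib
import os
import struct
import tempfile

HEADER_SIZE = 48
HEADER_FMT = "<12I"               # twelve little-endian uint32 fields
HEADER_FIELDS = (
    "header_size", "signature", "major_version", "minor_version",
    "start_offset", "end_offset", "current_record_number",
    "oldest_record_number", "max_size", "flags", "retention", "end_header_size",
)
SIGNATURE = 0x654C664C            # the bytes "LfLe" read as a little-endian uint32
FLAGS_OFFSET = 0x24               # 36 decimal, the byte the thread says to inspect

# Bits of the header "flags" field
FLAG_DIRTY = 0x0001               # log was open/in use when the file was last flushed
FLAG_WRAP = 0x0002                # records have wrapped around the end of the file
FLAG_LOGFULL_WRITTEN = 0x0004
FLAG_ARCHIVE_SET = 0x0008
FLAG_NAMES = {FLAG_DIRTY: "DIRTY", FLAG_WRAP: "WRAP",
              FLAG_LOGFULL_WRITTEN: "LOGFULL_WRITTEN", FLAG_ARCHIVE_SET: "ARCHIVE_SET"}


def parse_header(data: bytes) -> dict:
    """Decode the header and refuse anything that does not look like an EVT file."""
    if len(data) < HEADER_SIZE:
        raise ValueError("shorter than an EVT header")
    hdr = dict(zip(HEADER_FIELDS, struct.unpack_from(HEADER_FMT, data, 0)))
    if hdr["signature"] != SIGNATURE:
        raise ValueError("no LfLe signature: not a classic .evt file")
    if hdr["header_size"] != HEADER_SIZE or hdr["end_header_size"] != HEADER_SIZE:
        raise ValueError("unexpected header size fields")
    return hdr


def flag_names(flags: int) -> list:
    """Human-readable names of the set flag bits, lowest bit first."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if flags & bit]


def is_dirty(data: bytes) -> bool:
    return bool(parse_header(data)["flags"] & FLAG_DIRTY)


def clear_dirty(data: bytes) -> bytes:
    """Return a copy with only the DIRTY bit cleared.

    Clearing one bit instead of zeroing the byte keeps WRAP and the other
    flags, which a viewer needs if the log has wrapped around.
    """
    flags = parse_header(data)["flags"]
    patched = bytearray(data)
    struct.pack_into("<I", patched, FLAGS_OFFSET, flags & ~FLAG_DIRTY)
    return bytes(patched)


def patch_copy(src_path: str, dst_path: str) -> dict:
    """Write a patched copy of src_path to dst_path; the original is never modified.

    Both hashes are returned so the change to the working copy is documented.
    """
    with open(src_path, "rb") as fh:
        original = fh.read()
    patched = clear_dirty(original)
    with open(dst_path, "wb") as fh:
        fh.write(patched)
    return {
        "was_dirty": is_dirty(original),
        "flags_before": flag_names(parse_header(original)["flags"]),
        "flags_after": flag_names(parse_header(patched)["flags"]),
        "sha256_original": hashlib.sha256(original).hexdigest(),
        "sha256_patched": hashlib.sha256(patched).hexdigest(),
    }


def make_sample_evt(flags: int) -> bytes:
    """Constructed sample: a valid header followed by the 40-byte EOF record, no event records."""
    header = struct.pack(HEADER_FMT, HEADER_SIZE, SIGNATURE, 1, 1,
                         HEADER_SIZE, HEADER_SIZE, 1, 1, 0x80000, flags, 0, HEADER_SIZE)
    eof_record = struct.pack("<10I", 0x28, 0x11111111, 0x22222222, 0x33333333, 0x44444444,
                             HEADER_SIZE, HEADER_SIZE, 1, 1, 0x28)
    return header + eof_record


if __name__ == "__main__":
    # Simulate a log copied out of %SystemRoot%\system32\config while it was in use
    workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "AppEvent.evt")   # constructed file name
    dst = os.path.join(workdir, "AppEvent.bak")
    with open(src, "wb") as fh:
        fh.write(make_sample_evt(FLAG_DIRTY | FLAG_WRAP))
    for key, value in patch_copy(src, dst).items():
        print(f"{key}: {value}")
```

Run it against a copy of AppEvent.evt taken from the PE (`patch_copy(r"X:\copies\AppEvent.evt", r"X:\copies\AppEvent.bak")`, paths being your own) and hand the .bak to the viewer; keep the returned hashes with your notes so the patched copy can be told apart from the untouched one.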



