Scripts
The script extract.py extracts the Windows Event Log message resources from the various message (resource) files. It will:
- determine the Windows Event Log providers from the Registry
- read the message tables from the PE/COFF resource files
By default extract.py will output the extracted data to stdout. To store the Windows Event Log message resources in SQLite databases run:
```
./extract.py --db ./winevt-kb/ ~/Images/win7.qcow2
```
The SQLite databases are intended as intermediate storage that can be used to analyze Windows Event Log message resources across different versions of Windows; use the export.py script to create a portable version of the data.
The extract.py script will create multiple types of SQLite database files, namely:
- winevt-kb/winevt-kb.db; the main database that contains information about the Event Log providers and message (resource) files;
- winevt-kb/*.db; the message resource databases that contain the Windows Event Log message resources extracted from the resource files.
The main database, winevt-kb.db, contains the following tables:
| Table name | Description |
|---|---|
| metadata | table that contains the attribute container storage metadata. |
| winevtrc_eventlog_provider | table that contains information about the Event Log providers. |
| winevtrc_message_file_database | table that contains information about the message (resource) file databases. |
Each message resource database (winevt-kb/*.db) contains the following tables:
| Table name | Description |
|---|---|
| metadata | table that contains the attribute container storage metadata. |
| winevtrc_message_file | table that contains information about the message (resource) file. |
| winevtrc_message_string | table that contains the message strings. |
| winevtrc_message_string_mapping | optional table that contains the message string mappings if used. |
| winevtrc_message_table | table that contains information about the message-table resources. |
The script export.py exports the Windows Event Log message resources from the intermediate storage to different output formats. It currently supports the following output formats:
- text dump to stdout (default);
- asciidoc reference documentation;
- portable message resource database;
By default export.py will output the extracted data to stdout. To create a portable message resource database run:
```
./export.py --db winevt-rc.db ./winevt-kb/
```
The export.py script will create a single SQLite database file: winevt-rc.db. The tables this message resource database contains depend on the database version. A version 20150315 portable message resource database contains the following tables:
| Table name | Description |
|---|---|
| metadata | table that contains information about the Portable message resource database. |
| event_log_providers | table that contains information about the Event Log providers. |
| message_files | table that contains information about the message (resource) files. |
| message_table_$ID_$LCID | table that contains a language and message file specific message-table resource. |
| message_table_languages | table that contains the languages of the message-tables available in a message file. |
| message_file_per_event_log_provider | table that contains information about relationships between message (resource) files and Event Log providers. |
Where $ID is the message_file_key in the message_files table and $LCID is the language code identifier.
The metadata table of a version 20150315 database contains the following attributes:
| Attribute name | Description |
|---|---|
| string_format | the format in which the message strings are stored |
| version | the database version |
A version 20240929 portable message resource database, which uses attribute container storage, contains the following tables:
| Table name | Description |
|---|---|
| metadata | table that contains the attribute container storage metadata. |
| winevtrc_eventlog_provider | table that contains information about the Event Log providers. |
| winevtrc_message_file | table that contains information about the message (resource) file. |
| winevtrc_message_string | table that contains the message strings. |
| winevtrc_message_string_mapping | optional table that contains the message string mappings if used. |
| winevtrc_message_table | table that contains information about the message-table resources. |
The metadata table of a version 20240929 database contains the following attributes:
| Attribute name | Description |
|---|---|
| format_version | attribute container storage format version |
| string_format | the format in which the message strings are stored |
The string_format attribute can have the following values:
| Attribute value | Description |
|---|---|
| pep3101 | the message strings are stored in Python format() style (PEP 3101) |
| wrc | the message strings are stored in Windows Resource format |
Earlier versions did not include a string format indicator; a database without one uses the wrc format.
The database version can have the following values:
| Attribute value | Description |
| 20150315 | The first version of Portable message resource database with a metadata table. Note that this version does not support message string mappings. |
| 20240929 | The second version of Portable message resource database, using attribute container storage, with support for Windows Vista and later Event Log provider identifiers and WEVT_TEMPLATE mapped event identifiers. |
Earlier versions did not include a version indicator; using such databases is not recommended.
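As an added example (not winevt-kb's own code) of consuming the version 20150315 portable database layout and the string formats described above: it builds a constructed in-memory database with the documented table and attribute names, refuses a database that has no version indicator, derives the message_table_$ID_$LCID table name only from validated integers so that untrusted input cannot alter the SQL (table names cannot be bound as parameters), and converts a wrc template to pep3101 before formatting it with insertion strings. The column names, the 0x%08x spelling of $LCID, the sample message and the handling of the Windows resource escape sequences (%n, %r, %t, %%, %!, %., %0 and %N!fmt!) are assumptions of this example.

```python
"""Resolve a message string from a portable message resource database.

Added example for this page, not winevt-kb code.  Table and metadata
attribute names follow the page; column names, the $LCID spelling and the
sample data are assumptions.
"""
import re
import sqlite3


def build_sample_database():
    """Create a constructed in-memory database using the documented tables."""
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE metadata (name TEXT, value TEXT)")
    cur.executemany("INSERT INTO metadata VALUES (?, ?)",
                    [("version", "20150315"), ("string_format", "wrc")])
    # Column names are assumed for this example.
    cur.execute("CREATE TABLE message_files "
                "(message_file_key INTEGER PRIMARY KEY, path TEXT)")
    cur.execute("INSERT INTO message_files VALUES (?, ?)",
                (1, "C:\\Windows\\System32\\example.dll"))
    cur.execute("CREATE TABLE message_table_languages "
                "(message_file_key INTEGER, lcid INTEGER)")
    cur.execute("INSERT INTO message_table_languages VALUES (?, ?)", (1, 0x409))
    # $ID is the message_file_key, $LCID the language code identifier
    # (spelled 0x%08x here, an assumption of this example).
    cur.execute("CREATE TABLE message_table_1_0x00000409 "
                "(message_identifier INTEGER, message_string TEXT)")
    cur.execute("INSERT INTO message_table_1_0x00000409 VALUES (?, ?)",
                (1001, "User %1 logged on from {host} %2.%n"))  # constructed
    conn.commit()
    return conn


def lookup_message(conn, message_file_key, lcid, message_identifier):
    """Return (message_string or None, string_format) for one message."""
    metadata = dict(conn.execute("SELECT name, value FROM metadata").fetchall())
    if "version" not in metadata:
        raise ValueError("database has no version indicator; refusing to use it")
    if metadata["version"] != "20150315":
        raise ValueError("unsupported database version: " + metadata["version"])
    # Databases without a string format indicator use the wrc format.
    string_format = metadata.get("string_format", "wrc")

    # The table name cannot be a bound parameter, so accept only integers and
    # build the name from their numeric value; the identifier is still bound.
    if not all(isinstance(v, int) for v in (message_file_key, lcid, message_identifier)):
        raise TypeError("message_file_key, lcid and message_identifier must be int")
    table_name = "message_table_{0:d}_0x{1:08x}".format(message_file_key, lcid)
    exists = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?",
        (table_name,)).fetchone()
    if exists is None:
        return None, string_format
    row = conn.execute(
        "SELECT message_string FROM {0:s} WHERE message_identifier = ?".format(table_name),
        (message_identifier,)).fetchone()
    return (row[0] if row else None), string_format


# %1..%99 (optionally with a printf-style !fmt!), single-character escapes,
# and the %0 terminator; any other % sequence is left untouched.
_WRC_TOKEN = re.compile(r"%(?:([1-9]\d?)(?:!([^!]*)!)?|([nrt%!.])|(0))")
_WRC_ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "%": "%", "!": "!", ".": "."}


def _escape_braces(text):
    """Make literal braces safe for str.format()."""
    return text.replace("{", "{{").replace("}", "}}")


def wrc_to_pep3101(template):
    """Convert a Windows Resource template to a Python format() template.

    %1..%99 become {0:s}..{98:s}, %n/%r/%t become newline/CR/tab, %% becomes
    a literal %, and %0 ends the message (remaining text is dropped).
    """
    parts = []
    pos = 0
    for match in _WRC_TOKEN.finditer(template):
        parts.append(_escape_braces(template[pos:match.start()]))
        pos = match.end()
        index, _printf_spec, escape, terminator = match.groups()
        if index is not None:
            parts.append("{{{0:d}:s}}".format(int(index) - 1))
        elif escape is not None:
            parts.append(_WRC_ESCAPES[escape])
        elif terminator is not None:
            return "".join(parts)
    parts.append(_escape_braces(template[pos:]))
    return "".join(parts)


def format_message(template, string_format, insertion_strings):
    """Fill a stored template with insertion strings, honouring string_format."""
    if string_format == "wrc":
        template = wrc_to_pep3101(template)
    elif string_format != "pep3101":
        raise ValueError("unknown string_format: " + string_format)
    return template.format(*[str(value) for value in insertion_strings])


if __name__ == "__main__":
    db = build_sample_database()
    text, fmt = lookup_message(db, 1, 0x409, 1001)
    print(format_message(text, fmt, ["alice", "10.0.0.5"]), end="")
```

The pep3101 branch formats the stored string directly, so any braces in a wrc template must be escaped during conversion; otherwise a message containing `{` would break or, worse, read attributes of the insertion values through format() field syntax.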