
Scripts

Joachim Metz edited this page Mar 15, 2015 · 39 revisions

extract.py

The script extract.py extracts the Windows Event Log message resources from the various resource files. It will:

  • determine the Windows Event Log providers from the Registry;
  • read the message-table (and string-table) resources from the PE/COFF resource files.

By default extract.py will output the extracted data to stdout. To store the Windows Event Log message resources in SQLite databases run:

python extract.py --db ./winevt-db/ ~/Images/win7.qcow2

The SQLite databases are intended as intermediate storage that can be used to analyze the Windows Event Log message resources of different versions of Windows. To create a portable version of the data, use the export.py script described below.

Intermediate storage

The extract.py script will create multiple types of SQLite database files, namely:

  • winevt-db/winevt-kb.db; the main database that contains information about the Event Log providers and message (resource) files;
  • winevt-db/*.db; the message resource databases that contain the Windows Event Log message resources extracted from the resource files.

The main database: winevt-kb.db

The main database winevt-kb.db contains the following tables:

  • event_log_providers; the table that contains information about the Event Log providers;
  • message_files; the table that contains information about the message (resource) files;
  • message_file_per_event_log_provider; the table that links message (resource) files to Event Log providers.

For example, to list every Event Log provider together with the message files it uses:

SELECT event_log_providers.log_source, event_log_providers.log_type, message_files.message_filename
FROM event_log_providers
JOIN message_file_per_event_log_provider
  ON event_log_providers.event_log_provider_key = message_file_per_event_log_provider.event_log_provider_key
JOIN message_files
  ON message_file_per_event_log_provider.message_file_key = message_files.message_file_key;

The message resource databases

Each message resource database (winevt-db/*.db, one per message file) contains the following tables:

  • message_files; the table that contains information about the message (resource) files;
  • message_table_$LCID_$VERSION; the table that contains a language and message file specific message-table resource;
  • message_table_languages; the table that contains the languages of the message-tables available in a message file;
  • string_table_$LCID_$VERSION; the table that contains a language and message file specific string-table resource;
  • string_table_languages; the table that contains the languages of the string-tables available in a message file.

Where $LCID is the language code identifier and $VERSION is the file version of the message file.

export.py

The script export.py exports the Windows Event Log message resources from the intermediate storage to different output formats. It currently supports the following output formats:

  • text dump to stdout (default);
  • asciidoc reference documentation;
  • portable message resource database.

By default export.py will output the extracted data to stdout. To create a portable message resource database run:

python export.py --db winevt-rc.db ./winevt-db/

Portable message resource database

The export.py script will create a single SQLite database file: winevt-rc.db. This message resource database contains the following tables:

  • metadata; the table that contains information about the Portable message resource database;
  • event_log_providers; the table that contains information about the Event Log providers;
  • message_files; the table that contains information about the message (resource) files;
  • message_table_$ID_$LCID; the table that contains a language and message file specific message-table resource;
  • message_table_languages; the table that contains the languages of the message-tables available in a message file;
  • string_table_$ID_$LCID; the table that contains a language and message file specific string-table resource;
  • string_table_languages; the table that contains the languages of the string-tables available in a message file.

Where $ID is the message_file_key in the message_files table and $LCID is the language code identifier.

Metadata

The metadata table stores attribute name and value pairs:

  • string_format; indicates the format in which the message strings are stored;
  • version; indicates the version of the database.

String format

Supported values of the string_format attribute:

  • pep3101; the message strings are stored in Python format() style (PEP 3101), i.e. with {0}, {1}, ... placeholders;
  • wrc; the message strings are stored in the "native" Windows Resource (message-table) format, i.e. with %1, %2, ... insert placeholders.

Earlier versions did not include a string format indicator; their message strings are stored in the wrc format.

Versions

Known values of the version attribute:

  • 20150215; the first version of the Portable message resource database with a metadata table.

Earlier versions did not include a version indicator.
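The following Python script is an added example, not part of the winevt-kb project, showing how a consumer of the portable message resource database would use the tables described above: it reads the metadata table (falling back to the wrc format and no version when the table is absent, as in pre-20150215 databases), builds the message_table_$ID_$LCID table name from integer inputs only so that an attacker-controlled event record cannot smuggle SQL into the table name, and renders the message string in either the wrc or the pep3101 format. The column names name/value in metadata and message_identifier/message_string in the message tables, the 0x%08x spelling of $LCID in the table name, and the sample message file and message strings are assumptions constructed for this example; check them against the database you actually have.

```python
import re
import sqlite3

# Windows message-table insert placeholders are %1..%99; %% is a literal percent sign.
_WRC_INSERT = re.compile(r'%(%|\d{1,2})')


def build_sample_database(string_format='wrc'):
    """Builds a constructed in-memory stand-in for winevt-rc.db.

    string_format=None mimics a pre-20150215 database without a metadata table.
    Column names are assumptions, not taken from the winevt-kb documentation.
    """
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE message_files ('
                 'message_file_key INTEGER PRIMARY KEY, message_filename TEXT)')
    conn.execute("INSERT INTO message_files VALUES (1, 'C:\\Windows\\System32\\example.dll')")
    # message_table_$ID_$LCID with $ID = 1 and $LCID = 0x0409 (en-US), assumed spelling.
    conn.execute('CREATE TABLE message_table_1_0x00000409 ('
                 'message_identifier INTEGER, message_string TEXT)')
    if string_format == 'pep3101':
        template = 'Service {0:s} stopped with exit code {1:s}.'
    else:
        template = 'Service %1 stopped with exit code %2.'
    conn.execute('INSERT INTO message_table_1_0x00000409 VALUES (?, ?)', (7036, template))
    if string_format is not None:
        conn.execute('CREATE TABLE metadata (name TEXT, value TEXT)')
        conn.executemany('INSERT INTO metadata VALUES (?, ?)',
                         [('string_format', string_format), ('version', '20150215')])
    conn.commit()
    return conn


def read_metadata(conn):
    """Returns the metadata attributes, defaulting to wrc/no version if the table is missing."""
    metadata = {'string_format': 'wrc', 'version': None}
    cursor = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = 'metadata'")
    if cursor.fetchone() is None:
        return metadata
    for name, value in conn.execute('SELECT name, value FROM metadata'):
        metadata[name] = value
    return metadata


def lookup_message(conn, message_file_key, lcid, message_identifier):
    """Returns the raw message string for an identifier, or None if absent."""
    # Only integers end up in the table name, so no SQL can be injected through it;
    # the identifier itself is passed as a bound parameter.
    table_name = 'message_table_{0:d}_0x{1:08x}'.format(int(message_file_key), int(lcid))
    query = 'SELECT message_string FROM "{0:s}" WHERE message_identifier = ?'.format(table_name)
    try:
        row = conn.execute(query, (int(message_identifier),)).fetchone()
    except sqlite3.OperationalError:
        # No message table for this message file / language combination.
        return None
    return row[0] if row else None


def render_message(template, inserts, string_format):
    """Substitutes event record insert strings into a message-table template."""
    if string_format == 'pep3101':
        try:
            return template.format(*inserts)
        except IndexError:
            raise ValueError('event record supplies fewer inserts than the message needs')
    if string_format != 'wrc':
        raise ValueError('unknown string_format: {0!s}'.format(string_format))

    def replace(match):
        token = match.group(1)
        if token == '%':
            return '%'
        index = int(token) - 1
        # A missing insert keeps its placeholder rather than raising, since
        # real event records do not always supply every insert.
        return inserts[index] if 0 <= index < len(inserts) else match.group(0)

    return _WRC_INSERT.sub(replace, template)


def resolve_message(conn, message_file_key, lcid, message_identifier, inserts):
    """Looks up and renders a message, honouring the database's string format."""
    metadata = read_metadata(conn)
    template = lookup_message(conn, message_file_key, lcid, message_identifier)
    if template is None:
        return None
    return render_message(template, inserts, metadata['string_format'])


if __name__ == '__main__':
    for fmt in ('wrc', 'pep3101', None):
        conn = build_sample_database(fmt)
        print(read_metadata(conn), resolve_message(conn, 1, 0x0409, 7036, ['Spooler', '3']))
```

With a real winevt-rc.db, replace build_sample_database() with sqlite3.connect('winevt-rc.db'); the message_file_key and LCID come from the message_files and message_table_languages tables, and the message identifier and inserts from the event record being parsed.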
