
resource_file_get_provider: invalid resource file (running on linux) #3

Open
thinrope opened this issue Mar 8, 2016 · 5 comments

Comments


thinrope commented Mar 8, 2016

I have been poking at the code, trying to parse various EVTX logs, using the latest GitHub releases.
Works very well for the 4 standard logs, compiles as static, GREAT!

The one thing that stumped me is using resource providers. I couldn't figure out a way to point evtxexport to the right path of the (DLL in this case) provider.

I am trying to parse "Microsoft-Windows-Application-Experience/Program-Telemetry.evtx" from a mounted image of a Win2008 (ja) server, mounted under mnt/host/C:

/tmp/evtxexport -c windows-932 -r "mnt/host/C/Windows/System32/config" -p "mnt/host/C/Windows/System32" mnt/host/C/Windows/System32/winevt/Logs/Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx

The (head) of the result being:

evtxexport 20160107

Event number                    : 1
Written time                    : Aug 11, 2013 13:12:06.2323313900 UTC
Event level                     : Information (4)
User security identifier        : S-1-5-18
Computer name                   : MASKED
Provider identifier             : {EEF54E71-0661-422D-9A98-82FD4940B820}
Source name                     : Microsoft-Windows-Application-Experience
Event identifier                : 0x000002bd (701)
Resource filename               : %SystemRoot%\system32\aeevts.dll
Unable to export record: 0.

What would be a proper way to handle the %SystemRoot% and/or the whole path to the resource, in this case mnt/host/C/Windows/System32/aeevts.dll? Is this supposed to be working in Windows (sorry, no Windows test environment)?

I guess one way is to add an option to replace envvars like %SystemRoot%, or just take the filename and append it to the path provided with -p resource_files_path.

@joachimmetz
Member

Is this supposed to be working in Windows (sorry, no testing win environment)?

Should work in both Windows and Linux

I guess one way is to add option to replace envvars like %SystemRoot%

Not sure why you guess that, but %SystemRoot% should be expanded by evtxexport:

/* Get the value of %SystemRoot% from:

Also see: https://github.com/libyal/libevtx/wiki/Tools

joachimmetz self-assigned this Mar 8, 2016
@joachimmetz
Member

Any indication as to why "Unable to export record: 0." is reported?


thinrope commented Mar 9, 2016

OK, I did some more testing, and managed to make it work better. I recompiled libevtx with verbose/debug messages and here is (the non-verbose) STDERR for the above command:

resource_file_get_provider: invalid resource file.
message_handle_get_resource_file_by_provider_identifier: unable to retrieve provider.
export_handle_export_record_event_message: unable to retrieve resource file.
export_handle_export_record_text: unable to export event message.
export_handle_export_record: unable to export record in text.
export_handle_export_records: unable to export record: 0.

I later fixed the value for the search PATH to point to the C root, -p "mnt/host/C", and I got a better result:

Event number            : 1
Written time            : MASKED
Event level         : Information (4)
User security identifier    : S-1-5-18
Computer name           : MASKED
Provider identifier     : {EEF54E71-0661-422D-9A98-82FD4940B820}
Source name         : Microsoft-Windows-Application-Experience
Event identifier        : 0x000002bd (701)
Resource filename       : %SystemRoot%\system32\aeevts.dll
Message filename        : %SystemRoot%\system32\aeevts.dll
Message identifier      : 0xb00002bd
Number of strings       : 0

Event number            : 2
....

That "Number of strings: 0" bothers me... looking at the -f xml output it is just <EventData/>. Looking back, I might have selected a bad (edge case) candidate evtx file for testing...

Or maybe I still don't understand the usage, sorry. Is there a way to include the parsed/substituted message string, e.g. https://github.com/libyal/libevtx/blame/master/documentation/Windows%20XML%20Event%20Log%20%28EVTX%29.asciidoc#L1414 in the fml output?
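As an added example (not libevtx's own code), the path resolution that the change of -p from System32 to the C root fixed can be reproduced on Linux: expand %SystemRoot% to the image-relative Windows directory (an assumed layout, as on a stock install) and match each path component case-insensitively, since the record says "system32" while the mounted directory is "System32". The mounted image is replaced by a constructed temporary directory holding one placeholder DLL.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Assumed layout: %SystemRoot% is <image C: root>/Windows, as on a stock install.
WINDOWS_ENV: Dict[str, str] = {"systemroot": "Windows", "windir": "Windows"}

def expand_windows_env(path: str, env: Dict[str, str] = WINDOWS_ENV) -> str:
    """Replace %VAR% tokens (case-insensitively) with image-relative directories."""
    out, i = [], 0
    while i < len(path):
        j = path.find("%", i + 1) if path[i] == "%" else -1
        name = path[i + 1:j].lower() if j > i else None
        if name in env:
            out.append(env[name])
            i = j + 1
        else:
            out.append(path[i])
            i += 1
    return "".join(out)

def resolve_in_image(resource_filename: str, search_root: str) -> Optional[Path]:
    """Walk the expanded path below search_root, matching each component
    case-insensitively: the record says 'system32', the mount has 'System32'."""
    rel = expand_windows_env(resource_filename).replace("\\", "/")
    current = Path(search_root)
    for part in (p for p in rel.split("/") if p):
        if not current.is_dir():
            return None
        names = {e.name.lower(): e.name for e in os.scandir(current)}
        if part.lower() not in names:
            return None
        current = current / names[part.lower()]
    return current if current.is_file() else None

def demo() -> Dict[str, Optional[str]]:
    """Try the record's resource filename against both -p values from the issue,
    using a constructed stand-in for the mounted image (one placeholder DLL)."""
    record = r"%SystemRoot%\system32\aeevts.dll"
    with tempfile.TemporaryDirectory() as tmp:
        c_root = Path(tmp) / "mnt" / "host" / "C"
        dll = c_root / "Windows" / "System32" / "aeevts.dll"
        dll.parent.mkdir(parents=True)
        dll.write_bytes(b"MZ")  # placeholder bytes, not a real PE file
        results = {}
        for label, root in (("p_System32", dll.parent), ("p_C_root", c_root)):
            hit = resolve_in_image(record, str(root))
            results[label] = None if hit is None else str(hit.relative_to(c_root))
        return results
```

With -p pointing at System32 the expanded path "Windows/system32/aeevts.dll" has nowhere to go, which matches the "invalid resource file" failure; with -p at the C root it resolves.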

@joachimmetz
Member

in the fml output?

If by fml you mean XML, no.

Number of strings

I need to double check but the message string should be still printed if there are no strings.


thinrope commented Mar 9, 2016

Yes, sorry for the typo :-|
I was hoping for something along the lines of <message_string>bla bla</message_string> in the XML, but I should be able to parse the -f text output and add it to -f xml when that is needed.

I confirmed that -f text correctly prints the expanded Message string when parsing Security.evtx, even when "Number of strings: 0" (e.g. for eventID: 408).

Same command, same server does not print any Message string for the Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx when there are strings (eventID: 500) or when there are zero strings (eventID: 701), for example:

....

Event number                    : 9
Written time                    : MASKED
Event level                     : Information (4)
User security identifier        : S-1-5-18
Computer name                   : MASKED
Provider identifier             : {EEF54E71-0661-422D-9A98-82FD4940B820}
Source name                     : Microsoft-Windows-Application-Experience
Event identifier                : 0x000002bd (701)
Resource filename               : %SystemRoot%\system32\aeevts.dll
Message filename                : %SystemRoot%\system32\aeevts.dll
Message identifier              : 0xb00002bd
Number of strings               : 0

Event number                    : 10
Written time                    : MASKED
Event level                     : Information (4)
User security identifier        : MASKED
Computer name                   : MASKED
Provider identifier             : {EEF54E71-0661-422D-9A98-82FD4940B820}
Source name                     : Microsoft-Windows-Application-Experience
Event identifier                : 0x000001f4 (500)
Resource filename               : %SystemRoot%\system32\aeevts.dll
Message filename                : %SystemRoot%\system32\aeevts.dll
Message identifier              : 0xb00001f4
Number of strings               : 6
String: 1                       : 60
String: 2                       : MASKED
String: 3                       : MASKED
String: 4                       : 0x00010101
String: 5                       : MASKED-fullfile-ja-jp.exe
String: 6                       : Service Pack

Event number                    : 11
....
