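def main():
    """Print a readable view of one EVTX record's template.

    Command-line entry point. Takes the path to a Windows EVTX event log and
    a record number, opens the log with ``evtx.Evtx`` and prints the result
    of ``e_views.evtx_template_readable_view`` for the record's root node.

    Returns:
        -1 when the requested record is not present in the log (the record
        lookup returned ``None``); ``None`` otherwise.
    """
    import argparse

    parser = argparse.ArgumentParser(
        description="Print the structure of an EVTX record's template.")
    parser.add_argument("evtx", type=str, help="Path to the Windows EVTX file")
    parser.add_argument("record", type=int, help="Record number")
    args = parser.parse_args()

    with evtx.Evtx(args.evtx) as log:
        r = log.get_record(args.record)
        # A missing record comes back as None (the other examples in this file
        # treat it that way); without this guard r.root() would raise
        # AttributeError instead of giving the user a clear message.
        if r is None:
            print("error: record not found")
            return -1
        print(e_views.evtx_template_readable_view(r.root()))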
def main():
    """Dump every template found in a binary EVTX file, chunk by chunk.

    Command-line entry point. Opens the log given on the command line with
    ``evtx.Evtx`` and, for each chunk, prints a header line with the
    template GUID, the chunk index and the template's absolute offset,
    followed by ``e_views.evtx_template_readable_view`` of that template.
    """
    import argparse

    arg_parser = argparse.ArgumentParser(
        description="Dump templates from a binary EVTX file.")
    arg_parser.add_argument("evtx",
                            type=str,
                            help="Path to the Windows EVTX event log file")
    options = arg_parser.parse_args()

    header = "Template {%s} at chunk %d, offset %s"
    with evtx.Evtx(options.evtx) as log:
        chunk_index = 0
        for chunk in log.chunks():
            # Snapshot the values so iteration is independent of the
            # underlying mapping while the templates are being rendered.
            templates = list(chunk.templates().values())
            for tmpl in templates:
                guid = tmpl.guid()
                offset_text = hex(tmpl.absolute_offset(0x0))
                print(header % (guid, chunk_index, offset_text))
                print(e_views.evtx_template_readable_view(tmpl))
            chunk_index += 1
def main():
    """Print a readable view of one EVTX record's template.

    Command-line entry point. Takes the path to a Windows EVTX event log and
    a record number, opens the log with ``evtx.Evtx`` and prints
    ``e_views.evtx_template_readable_view`` of the record's root node.

    Returns:
        -1 when the record lookup returns ``None`` (record not found);
        ``None`` otherwise.
    """
    import argparse

    arg_parser = argparse.ArgumentParser(
        description="Print the structure of an EVTX record's template.")
    arg_parser.add_argument("evtx", type=str,
                            help="Path to the Windows EVTX file")
    arg_parser.add_argument("record", type=int,
                            help="Record number")
    options = arg_parser.parse_args()

    with evtx.Evtx(options.evtx) as log:
        record = log.get_record(options.record)
        # Guard clause: a None lookup result means the record is absent.
        if record is None:
            print("error: record not found")
            return -1
        rendered = e_views.evtx_template_readable_view(record.root())
        print(rendered)