Jeff Bryner wrote:
I'm working on a case where I'd like to get time stamp info out of a
windows application event log (AppEvent.evt).
If I copy the file to another windows box and open it via event viewer
I get the dreaded message about the file being corrupted.
Web searches all lead to support articles suggesting deletion of the
file to recover..obvioulsy not my solution.
I can strings -el the file and get the descriptions of the events but I
*really* want the time stamp associated with the entries.
I've tried hex editing the file manually to match the header/footer to
what I'm seeing in other working event log files, but I haven't found
the right combination yet.
Ideally I'd like to be able to open it on another windows box and
capture screen prints of the events.
Any clues from this group?
Taking a guess, the AppEvent.evt is tied to the key on the windows
system. There may be a registry hack to work around this, but the
closest I would be familiar with is to knoppix the box and mount the
NTFS drive and try to string the file from there.
Thanks,
Jeff.
-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
--
Best Regards,
Lance James
Secure Science Corporation
www.securescience.com
-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
