A tool for reading the new event log format (*.evtx) on Windows XP (it worked)
4. Install the dependent libraries (continued)
After rebooting Windows:
cpan> force clean DateTime::TimeZone
cpan> install DateTime::TimeZone
---->8 snip 8<----
Installing C:\usr\opt\perl\site\lib\DateTime\TimeZone\Pacific\Wallis.pm
Appending installation info to C:\usr\opt\perl\lib/perllocal.pod
  DROLSKY/DateTime-TimeZone-1.22.tar.gz
  C:\PROGRA~1\MICROS~1.0\VC\BIN\nmake.exe install -- OK
This time it installed cleanly.
5. Running the tools
evtxdump
[D:\MyDoc\work\eventlog]evtxdump.pl apps.evtx >apps.xml
Excerpt from apps.xml:
<?xml version="1.0" encoding="utf-8" standalone="yes" ?>
<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-SPP" Guid="{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}" EventSourceName="Software Protection Platform Service" />
    <EventID Qualifiers="16384">900</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x0080000000000000</Keywords>
    <TimeCreated SystemTime="2010-01-27T00:45:51.0Z" />
    <EventRecordID>539</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>WIN-MN3PD6748UB</Computer>
    <Security />
  </System>
  <EventData>
    <Data></Data>
    <Binary></Binary>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="ESENT" />
    <EventID Qualifiers="0">103</EventID>
    <Level>4</Level>
    <Task>1</Task>
    <Keywords>0x0080000000000000</Keywords>
    <TimeCreated SystemTime="2010-01-27T00:45:54.0Z" />
    <EventRecordID>540</EventRecordID>
    <Channel>Application</Channel>
    <Computer>WIN-MN3PD6748UB</Computer>
    <Security />
  </System>
  <EventData>
    <Data>[0] Windows [1] 3512 [2] Windows: [3] 0</Data>
    <Binary></Binary>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Search" Guid="{CA4E628D-8567-4896-AB6B-835B221F373F}" EventSourceName="Windows Search Service" />
    <EventID Qualifiers="16384">1013</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>1</Task>
    <Opcode>0</Opcode>
    <Keywords>0x0080000000000000</Keywords>
    <TimeCreated SystemTime="2010-01-27T00:45:54.0Z" />
    <EventRecordID>541</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>WIN-MN3PD6748UB</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="ExtraInfo"> </Data>
  </EventData>
</Event>
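Once the dump is in XML, the next thing a reviewer usually wants is a flat list of events and a quick integrity check. The script below is an added example, not code from the original post or from the evtx*.pl scripts: it parses the XML that evtxdump.pl writes (note the default namespace declared on every Event element, which ElementTree needs spelled out), extracts the System fields, and reports gaps in EventRecordID, since a non-contiguous record sequence is an early hint that an export is incomplete or that records were removed. The embedded sample is constructed from the apps.xml excerpt above, trimmed to the fields used and closed with an Events end tag so it parses on its own.

```python
# Added example (not part of the original post or of the evtx*.pl scripts):
# parse evtxdump.pl XML output, flatten the <System> fields of each event,
# and flag gaps in EventRecordID.
import xml.etree.ElementTree as ET

# Every <Event> in the dump declares this default namespace.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample modelled on the apps.xml excerpt (records 539-541),
# reduced to the elements this script reads.
SAMPLE = """<?xml version="1.0" encoding="utf-8" standalone="yes" ?>
<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-SPP" Guid="{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}" EventSourceName="Software Protection Platform Service" />
    <EventID Qualifiers="16384">900</EventID>
    <Level>4</Level>
    <TimeCreated SystemTime="2010-01-27T00:45:51.0Z" />
    <EventRecordID>539</EventRecordID>
    <Channel>Application</Channel>
    <Computer>WIN-MN3PD6748UB</Computer>
  </System>
  <EventData><Data></Data><Binary></Binary></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="ESENT" />
    <EventID Qualifiers="0">103</EventID>
    <Level>4</Level>
    <TimeCreated SystemTime="2010-01-27T00:45:54.0Z" />
    <EventRecordID>540</EventRecordID>
    <Channel>Application</Channel>
    <Computer>WIN-MN3PD6748UB</Computer>
  </System>
  <EventData><Data>[0] Windows [1] 3512 [2] Windows: [3] 0</Data><Binary></Binary></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Search" Guid="{CA4E628D-8567-4896-AB6B-835B221F373F}" EventSourceName="Windows Search Service" />
    <EventID Qualifiers="16384">1013</EventID>
    <Level>4</Level>
    <TimeCreated SystemTime="2010-01-27T00:45:54.0Z" />
    <EventRecordID>541</EventRecordID>
    <Channel>Application</Channel>
    <Computer>WIN-MN3PD6748UB</Computer>
  </System>
  <EventData><Data Name="ExtraInfo"> </Data></EventData>
</Event>
</Events>
"""


def parse_events(xml_text):
    """Return one dict per <Event> with the fields a triage usually needs."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    records = []
    for ev in root.findall("e:Event", NS):
        system = ev.find("e:System", NS)
        provider = system.find("e:Provider", NS)
        event_id = system.find("e:EventID", NS)
        records.append({
            "record_id": int(system.findtext("e:EventRecordID", namespaces=NS)),
            "provider": provider.get("Name"),
            "event_id": int(event_id.text),
            # Qualifiers is the legacy 16-bit field; older providers set it, newer ones may omit it.
            "qualifiers": int(event_id.get("Qualifiers", "0")),
            "level": int(system.findtext("e:Level", namespaces=NS)),
            "time": system.find("e:TimeCreated", NS).get("SystemTime"),
            "channel": system.findtext("e:Channel", namespaces=NS),
            "computer": system.findtext("e:Computer", namespaces=NS),
            # <Data> may be empty, whitespace-only or repeated; join them for display.
            "data": " ".join((d.text or "").strip()
                             for d in ev.findall("e:EventData/e:Data", NS)).strip(),
        })
    return records


def find_record_gaps(record_ids):
    """Return (previous, next) pairs where EventRecordID does not advance by one."""
    ids = sorted(record_ids)
    return [(a, b) for a, b in zip(ids, ids[1:]) if b != a + 1]


if __name__ == "__main__":
    evs = parse_events(SAMPLE)
    for r in evs:
        print(f"{r['record_id']:>5} {r['time']} {r['provider']:<32} {r['event_id']:>5} {r['data']}")
    print("gaps:", find_record_gaps([r["record_id"] for r in evs]))
```

For a real dump, read apps.xml from disk and pass its contents to parse_events; the gap list is empty for a contiguous export and otherwise names the record numbers on either side of each hole.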
evtxinfo
[D:\MyDoc\work\eventlog]evtxinfo.pl apps.evtx
Information from file header:
Format version : 3.1
Flags          : 0x00000000
File is: clean
Log is full: no
Current chunk  : 22 of 22
Next Record#   : 2041
Check sum      : pass
Information from chunks:
Chunk file (first/last)       log (first/last)      Header Data
----- --------------------- --------------------- ------ ------
    1          1        100          1        100   pass   pass
    2        101        192        101        192   pass   pass
    3        193        281        193        281   pass   pass
    4        282        367        282        367   pass   pass
    5        368        455        368        455   pass   pass
    6        456        558        456        558   pass   pass
    7        559        648        559        648   pass   pass
    8        649        749        649        749   pass   pass
    9        750        855        750        855   pass   pass
   10        856        971        856        971   pass   pass
   11        972       1066        972       1066   pass   pass
   12       1067       1160       1067       1160   pass   pass
   13       1161       1245       1161       1245   pass   pass
   14       1246       1342       1246       1342   pass   pass
   15       1343       1443       1343       1443   pass   pass
   16       1444       1543       1444       1543   pass   pass
   17       1544       1637       1544       1637   pass   pass
   18       1638       1719       1638       1719   pass   pass
   19       1720       1816       1720       1816   pass   pass
   20       1817       1914       1817       1914   pass   pass
   21       1915       2007       1915       2007   pass   pass
   22       2008       2040       2008       2040   pass   pass
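The evtxinfo output above is what you would hand to a checker in an incident rather than read by eye for all 22 chunks. The following script is an added example, not code from the original post or from the evtx*.pl scripts: it parses the file-header checksum line and the chunk table, and reports any chunk whose Header or Data checksum is not "pass" and any place where the log record numbers of consecutive chunks do not join up (chunk N+1 should start at chunk N's last record plus one). The embedded sample is constructed from the header block and the first four chunk rows shown above.

```python
# Added example (not part of the original post or of the evtx*.pl scripts):
# sanity-check the chunk table printed by evtxinfo.pl.

# Constructed sample: header block plus the first four rows of the apps.evtx output.
SAMPLE = """\
Information from file header:
Format version : 3.1
Flags : 0x00000000
File is: clean
Log is full: no
Current chunk : 22 of 22
Next Record# : 2041
Check sum : pass
Information from chunks:
Chunk file (first/last) log (first/last) Header Data
----- --------------------- --------------------- ------ ------
1 1 100 1 100 pass pass
2 101 192 101 192 pass pass
3 193 281 193 281 pass pass
4 282 367 282 367 pass pass
"""


def parse_chunk_table(text):
    """Return the chunk rows as dicts; rows follow the dashed separator line."""
    rows, in_table = [], False
    for line in text.splitlines():
        if line.startswith("-----"):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        f = line.split()
        if len(f) != 7:
            raise ValueError("unexpected chunk row: %r" % line)
        rows.append({
            "chunk": int(f[0]),
            "file_first": int(f[1]), "file_last": int(f[2]),
            "log_first": int(f[3]), "log_last": int(f[4]),
            "header": f[5], "data": f[6],
        })
    return rows


def header_checksum_passed(text):
    """True when the file-header block reports 'Check sum : pass'."""
    for line in text.splitlines():
        if line.startswith("Check sum"):
            return line.split(":", 1)[1].strip() == "pass"
    return False


def check_chunks(text):
    """Return human-readable findings; an empty list means nothing looked odd."""
    findings = []
    if not header_checksum_passed(text):
        findings.append("file header checksum did not pass")
    prev = None
    for r in parse_chunk_table(text):
        if r["header"] != "pass" or r["data"] != "pass":
            findings.append("chunk %d: header=%s data=%s"
                            % (r["chunk"], r["header"], r["data"]))
        if r["log_last"] < r["log_first"]:
            findings.append("chunk %d: last record precedes first" % r["chunk"])
        # Log record numbers should continue without a hole from one chunk to the next.
        if prev is not None and r["log_first"] != prev["log_last"] + 1:
            findings.append("records %d..%d missing between chunk %d and %d"
                            % (prev["log_last"] + 1, r["log_first"] - 1,
                               prev["chunk"], r["chunk"]))
        prev = r
    return findings


if __name__ == "__main__":
    for finding in check_chunks(SAMPLE) or ["no findings"]:
        print(finding)
```

To use it on a real file, capture `evtxinfo.pl apps.evtx` to a text file and pass its contents to check_chunks. A chunk that fails its data checksum, or a hole in the record sequence, is a reason to go back to the original .evtx (or to a second copy) before relying on the dump.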
evtxtemplates
[D:\MyDoc\work\eventlog]evtxtemplates.pl apps.evtx >apps_templates.xml
Excerpt from apps_templates.xml:
Template {DE23100B-D102-8051-E784-08BD5CD08463} at chunk 0, offset 0x0226:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-SPP" Guid="{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}" EventSourceName="Software Protection Platform Service" />
    <EventID Qualifiers="#4 (type 0x06, optional)#">#3 (type 0x06, optional)#</EventID>
    <Version>#11 (type 0x04, optional)#</Version>
    <Level>#0 (type 0x04, optional)#</Level>
    <Task>#2 (type 0x06, optional)#</Task>
    <Opcode>#1 (type 0x04, optional)#</Opcode>
    <Keywords>#5 (type 0x15, optional)#</Keywords>
    <TimeCreated SystemTime="#6 (type 0x11, optional)#" />
    <EventRecordID>#10 (type 0x0a, optional)#</EventRecordID>
    <Correlation ActivityID="#7 (type 0x0f, optional)#" RelatedActivityID="#18 (type 0x0f, optional)#" />
    <Execution ProcessID="#8 (type 0x08, optional)#" ThreadID="#9 (type 0x08, optional)#" />
    <Channel>Application</Channel>
    <Computer>WIN-MN3PD6748UB</Computer>
    <Security UserID="#12 (type 0x13, optional)#" />
  </System>
  #19 (type 0x21, optional)#
</Event>

Template {ECD34601-0225-3E67-B639-D77B70281CE9} at chunk 0, offset 0x0876:
<EventData>
  <Data>#0 (type 0x81, optional)#</Data>
  <Binary>#2 (type 0x0e, optional)#</Binary>
</EventData>

Template {7C8967DB-08FD-9590-9C00-6F575DDC8CD9} at chunk 0, offset 0x0946:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="ESENT" />
    <EventID Qualifiers="#4 (type 0x06, optional)#">#3 (type 0x06, optional)#</EventID>
    <Level>#0 (type 0x04, optional)#</Level>
    <Task>#2 (type 0x06, optional)#</Task>
    <Keywords>#5 (type 0x15, optional)#</Keywords>
    <TimeCreated SystemTime="#6 (type 0x11, optional)#" />
    <EventRecordID>#10 (type 0x0a, optional)#</EventRecordID>
    <Channel>Application</Channel>
    <Computer>WIN-MN3PD6748UB</Computer>
    <Security UserID="#12 (type 0x13, optional)#" />
  </System>
  #19 (type 0x21, optional)#
</Event>

Template {9CA3DC99-BBC3-925C-8830-D921090EB391} at chunk 0, offset 0x0c06:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Search" Guid="{CA4E628D-8567-4896-AB6B-835B221F373F}" EventSourceName="Windows Search Service" />
    <EventID Qualifiers="#4 (type 0x06, optional)#">#3 (type 0x06, optional)#</EventID>
    <Version>#11 (type 0x04, optional)#</Version>
    <Level>#0 (type 0x04, optional)#</Level>
    <Task>#2 (type 0x06, optional)#</Task>
    <Opcode>#1 (type 0x04, optional)#</Opcode>
    <Keywords>#5 (type 0x15, optional)#</Keywords>
    <TimeCreated SystemTime="#6 (type 0x11, optional)#" />
    <EventRecordID>#10 (type 0x0a, optional)#</EventRecordID>
    <Correlation ActivityID="#7 (type 0x0f, optional)#" RelatedActivityID="#18 (type 0x0f, optional)#" />
    <Execution ProcessID="#8 (type 0x08, optional)#" ThreadID="#9 (type 0x08, optional)#" />
    <Channel>Application</Channel>
    <Computer>WIN-MN3PD6748UB</Computer>
    <Security UserID="#12 (type 0x13, optional)#" />
  </System>
  #19 (type 0x21, optional)#
</Event>
Hmm... ( ̄  ̄;)