
A tool for reading the new event log format (*.evtx) on Windows XP (it worked)

Windows Perl

4. Installing the dependency libraries (continued)

After rebooting Windows:

cpan>force clean DateTime::TimeZone
cpan>install DateTime::TimeZone
---->8 snip 8<----
Installing C:\usr\opt\perl\site\lib\DateTime\TimeZone\Pacific\Wallis.pm
Appending installation info to C:\usr\opt\perl\lib/perllocal.pod
  DROLSKY/DateTime-TimeZone-1.22.tar.gz
  C:\PROGRA~1\MICROS~1.0\VC\BIN\nmake.exe install  -- OK

It installed successfully.

5. Running it

evtxdump
[D:\MyDoc\work\eventlog]evtxdump.pl apps.evtx >apps.xml
Excerpt from apps.xml:
<?xml version="1.0" encoding="utf-8" standalone="yes" ?>
<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-SPP" Guid="{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}" EventSourceName="Software Protection Platform Service" />
<EventID Qualifiers="16384">900</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x0080000000000000</Keywords>
<TimeCreated SystemTime="2010-01-27T00:45:51.0Z" />
<EventRecordID>539</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>WIN-MN3PD6748UB</Computer>
<Security /></System>
<EventData>
<Data></Data>
<Binary></Binary></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="ESENT" />
<EventID Qualifiers="0">103</EventID>
<Level>4</Level>
<Task>1</Task>
<Keywords>0x0080000000000000</Keywords>
<TimeCreated SystemTime="2010-01-27T00:45:54.0Z" />
<EventRecordID>540</EventRecordID>
<Channel>Application</Channel>
<Computer>WIN-MN3PD6748UB</Computer>
<Security /></System>
<EventData>
<Data>[0] Windows
[1] 3512
[2] Windows: 
[3] 0</Data>
<Binary></Binary></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Search" Guid="{CA4E628D-8567-4896-AB6B-835B221F373F}" EventSourceName="Windows Search Service" />
<EventID Qualifiers="16384">1013</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x0080000000000000</Keywords>
<TimeCreated SystemTime="2010-01-27T00:45:54.0Z" />
<EventRecordID>541</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>WIN-MN3PD6748UB</Computer>
<Security /></System>
<EventData>
<Data Name="ExtraInfo">
</Data></EventData></Event>
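The apps.xml that evtxdump.pl writes is plain XML in the Windows event schema namespace, so it can be post-processed with any XML library once it is off the XP box. The block below is an added example, not part of the original post and not the evtxdump.pl author's code: it embeds the three records quoted above as a constructed sample and parses them with Python's xml.etree, handling both the positional "[n] value" lines that evtxdump writes into an unnamed <Data> element (record 540) and the named <Data Name="..."> form (record 541). The function names parse_events, parse_event_data, count_by_provider and records_between are the example's own.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter
from datetime import datetime, timezone

# evtxdump.pl emits each <Event> in the Windows event schema namespace.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Unnamed <Data> elements carry positional substitutions as "[n] value" lines.
POS_RE = re.compile(r"^\[(\d+)\]\s?(.*)$")

# Constructed sample: the three records quoted from apps.xml above.
SAMPLE_XML = """<?xml version="1.0" encoding="utf-8" standalone="yes" ?>
<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-SPP" Guid="{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}" EventSourceName="Software Protection Platform Service" />
<EventID Qualifiers="16384">900</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x0080000000000000</Keywords>
<TimeCreated SystemTime="2010-01-27T00:45:51.0Z" />
<EventRecordID>539</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>WIN-MN3PD6748UB</Computer>
<Security /></System>
<EventData>
<Data></Data>
<Binary></Binary></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="ESENT" />
<EventID Qualifiers="0">103</EventID>
<Level>4</Level>
<Task>1</Task>
<Keywords>0x0080000000000000</Keywords>
<TimeCreated SystemTime="2010-01-27T00:45:54.0Z" />
<EventRecordID>540</EventRecordID>
<Channel>Application</Channel>
<Computer>WIN-MN3PD6748UB</Computer>
<Security /></System>
<EventData>
<Data>[0] Windows
[1] 3512
[2] Windows:
[3] 0</Data>
<Binary></Binary></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Search" Guid="{CA4E628D-8567-4896-AB6B-835B221F373F}" EventSourceName="Windows Search Service" />
<EventID Qualifiers="16384">1013</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x0080000000000000</Keywords>
<TimeCreated SystemTime="2010-01-27T00:45:54.0Z" />
<EventRecordID>541</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>WIN-MN3PD6748UB</Computer>
<Security /></System>
<EventData>
<Data Name="ExtraInfo">
</Data></EventData></Event>
</Events>
"""


def _text(event, path):
    return (event.findtext(path, default="", namespaces=NS) or "").strip()


def parse_event_data(event):
    """Flatten <EventData> into a dict keyed by Name or by substitution index."""
    fields = {}
    event_data = event.find("e:EventData", NS)
    if event_data is None:
        return fields
    for data in event_data.findall("e:Data", NS):
        text = (data.text or "").strip()
        name = data.get("Name")
        if name is not None:          # named form: <Data Name="ExtraInfo">...</Data>
            fields[name] = text
            continue
        for line in text.splitlines():  # positional form: "[n] value" per line
            m = POS_RE.match(line)
            if m:
                fields[m.group(1)] = m.group(2).rstrip()
            elif line.strip():
                fields[str(len(fields))] = line.strip()
    return fields


def parse_events(xml_text):
    """Return one dict per <Event> with the System fields a triage usually needs."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    records = []
    for ev in root.findall("e:Event", NS):
        provider = ev.find("e:System/e:Provider", NS)
        event_id = ev.find("e:System/e:EventID", NS)
        created = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        records.append({
            "record_id": int(_text(ev, "e:System/e:EventRecordID")),
            "provider": provider.get("Name"),
            "event_id": int(event_id.text),
            "qualifiers": int(event_id.get("Qualifiers", "0")),
            "level": int(_text(ev, "e:System/e:Level")),
            "channel": _text(ev, "e:System/e:Channel"),
            "computer": _text(ev, "e:System/e:Computer"),
            # SystemTime is UTC ("Z"); keep it timezone-aware for later correlation
            "time": datetime.strptime(created, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc),
            "data": parse_event_data(ev),
        })
    return records


def count_by_provider(records):
    return Counter(r["provider"] for r in records)


def records_between(records, start, end):
    """Records whose creation time falls inside [start, end] (inclusive)."""
    return [r for r in records if start <= r["time"] <= end]


if __name__ == "__main__":
    for r in parse_events(SAMPLE_XML):
        print(r["record_id"], r["time"].isoformat(), r["provider"], r["event_id"], r["data"])
```

Because evtxdump emits the whole log as one <Events> document, the same parser works unchanged on a full dump; for very large logs, ET.iterparse over the file instead of fromstring keeps memory flat.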
evtxinfo
[D:\MyDoc\work\eventlog]evtxinfo.pl apps.evtx

Information from file header:
Format version  : 3.1
Flags           : 0x00000000
         File is: clean
     Log is full: no
Current chunk   : 22 of 22
Next Record#    : 2041
Check sum       : pass

Information from chunks:
Chunk file (first/last)     log (first/last)      Header Data
----- --------------------- --------------------- ------ ------
    1          1        100          1        100   pass   pass
    2        101        192        101        192   pass   pass
    3        193        281        193        281   pass   pass
    4        282        367        282        367   pass   pass
    5        368        455        368        455   pass   pass
    6        456        558        456        558   pass   pass
    7        559        648        559        648   pass   pass
    8        649        749        649        749   pass   pass
    9        750        855        750        855   pass   pass
   10        856        971        856        971   pass   pass
   11        972       1066        972       1066   pass   pass
   12       1067       1160       1067       1160   pass   pass
   13       1161       1245       1161       1245   pass   pass
   14       1246       1342       1246       1342   pass   pass
   15       1343       1443       1343       1443   pass   pass
   16       1444       1543       1444       1543   pass   pass
   17       1544       1637       1544       1637   pass   pass
   18       1638       1719       1638       1719   pass   pass
   19       1720       1816       1720       1816   pass   pass
   20       1817       1914       1817       1914   pass   pass
   21       1915       2007       1915       2007   pass   pass
   22       2008       2040       2008       2040   pass   pass
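The evtxinfo output above is what a forensic check of the file's integrity rests on: the header checksum, the per-chunk header and data checksums, and whether the record numbers of consecutive chunks join up without gaps. The following is an added example, not part of the original post and not the evtxinfo.pl author's code: it embeds the evtxinfo output quoted above as a constructed sample, parses it, and audits it; a second, constructed variant in which chunk 4 has lost its first records and fails its data checksum shows what the audit reports. The function names parse_evtxinfo and audit and the finding strings are the example's own.

```python
import re
from collections import namedtuple

# Constructed sample: the evtxinfo.pl output for apps.evtx quoted above.
CLEAN_INFO = """Information from file header:
Format version  : 3.1
Flags           : 0x00000000
         File is: clean
     Log is full: no
Current chunk   : 22 of 22
Next Record#    : 2041
Check sum       : pass

Information from chunks:
Chunk file (first/last)     log (first/last)      Header Data
----- --------------------- --------------------- ------ ------
    1          1        100          1        100   pass   pass
    2        101        192        101        192   pass   pass
    3        193        281        193        281   pass   pass
    4        282        367        282        367   pass   pass
    5        368        455        368        455   pass   pass
    6        456        558        456        558   pass   pass
    7        559        648        559        648   pass   pass
    8        649        749        649        749   pass   pass
    9        750        855        750        855   pass   pass
   10        856        971        856        971   pass   pass
   11        972       1066        972       1066   pass   pass
   12       1067       1160       1067       1160   pass   pass
   13       1161       1245       1161       1245   pass   pass
   14       1246       1342       1246       1342   pass   pass
   15       1343       1443       1343       1443   pass   pass
   16       1444       1543       1444       1543   pass   pass
   17       1544       1637       1544       1637   pass   pass
   18       1638       1719       1638       1719   pass   pass
   19       1720       1816       1720       1816   pass   pass
   20       1817       1914       1817       1914   pass   pass
   21       1915       2007       1915       2007   pass   pass
   22       2008       2040       2008       2040   pass   pass
"""

# One row of the chunk table: chunk, file first/last, log first/last, header, data.
CHUNK_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\w+)\s+(\w+)$")
Chunk = namedtuple("Chunk", "number file_first file_last log_first log_last header_ok data_ok")


def parse_evtxinfo(text):
    """Split evtxinfo output into header key/value pairs and the chunk rows."""
    header, chunks, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Information from file header"):
            section = "header"
        elif line.startswith("Information from chunks"):
            section = "chunks"
        elif section == "header" and ":" in line:
            key, _, value = line.partition(":")
            header[key.strip()] = value.strip()
        elif section == "chunks" and (m := CHUNK_RE.match(line)):
            nums = [int(x) for x in m.group(1, 2, 3, 4, 5)]
            chunks.append(Chunk(*nums, m[6] == "pass", m[7] == "pass"))
    return header, chunks


def audit(header, chunks):
    """Return a list of integrity findings; an intact, cleanly closed log yields []."""
    findings = []
    if header.get("Check sum") != "pass":
        findings.append("file header checksum failed")
    if header.get("File is") != "clean":
        # "dirty" only means the log was not flushed (e.g. copied while the service ran)
        findings.append(f"file header flags: {header.get('File is')}")
    for i, c in enumerate(chunks):
        if not c.header_ok:
            findings.append(f"chunk {c.number}: header checksum failed")
        if not c.data_ok:
            findings.append(f"chunk {c.number}: data checksum failed")
        if (c.file_first, c.file_last) != (c.log_first, c.log_last):
            findings.append(f"chunk {c.number}: file and log record numbers differ")
        if i and c.file_first > chunks[i - 1].file_last + 1:
            findings.append(f"chunk {c.number}: records {chunks[i - 1].file_last + 1}..{c.file_first - 1} missing")
        elif i and c.file_first <= chunks[i - 1].file_last:
            findings.append(f"chunk {c.number}: record numbers overlap previous chunk")
    m = re.match(r"(\d+)", header.get("Next Record#", ""))
    if chunks and m and int(m[1]) != chunks[-1].file_last + 1:
        findings.append("header Next Record# does not follow the last chunk")
    return findings


# Constructed tampered variant: chunk 4 now starts at record 290 and fails its data checksum.
TAMPERED_INFO = CLEAN_INFO.replace(
    "    4        282        367        282        367   pass   pass",
    "    4        290        367        290        367   pass   fail")

if __name__ == "__main__":
    for label, text in (("clean", CLEAN_INFO), ("tampered", TAMPERED_INFO)):
        print(label, audit(*parse_evtxinfo(text)) or ["no findings"])
```

A chunk whose data checksum fails after a record-number gap is the pattern one would expect from records removed in place, whereas a "dirty" header flag on its own usually just means the file was copied from a running system.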
evtxtemplates
[D:\MyDoc\work\eventlog]evtxtemplates.pl apps.evtx >apps_templates.xml
Excerpt from apps_templates.xml:
Template {DE23100B-D102-8051-E784-08BD5CD08463} at chunk 0, offset 0x0226:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-SPP" Guid="{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}" EventSourceName="Software Protection Platform Service" />
<EventID Qualifiers="#4 (type 0x06, optional)#">#3 (type 0x06, optional)#</EventID>
<Version>#11 (type 0x04, optional)#</Version>
<Level>#0 (type 0x04, optional)#</Level>
<Task>#2 (type 0x06, optional)#</Task>
<Opcode>#1 (type 0x04, optional)#</Opcode>
<Keywords>#5 (type 0x15, optional)#</Keywords>
<TimeCreated SystemTime="#6 (type 0x11, optional)#" />
<EventRecordID>#10 (type 0x0a, optional)#</EventRecordID>
<Correlation ActivityID="#7 (type 0x0f, optional)#" RelatedActivityID="#18 (type 0x0f, optional)#" />
<Execution ProcessID="#8 (type 0x08, optional)#" ThreadID="#9 (type 0x08, optional)#" />
<Channel>Application</Channel>
<Computer>WIN-MN3PD6748UB</Computer>
<Security UserID="#12 (type 0x13, optional)#" /></System>#19 (type 0x21, optional)#</Event>

Template {ECD34601-0225-3E67-B639-D77B70281CE9} at chunk 0, offset 0x0876:
<EventData>
<Data>#0 (type 0x81, optional)#</Data>
<Binary>#2 (type 0x0e, optional)#</Binary></EventData>

Template {7C8967DB-08FD-9590-9C00-6F575DDC8CD9} at chunk 0, offset 0x0946:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="ESENT" />
<EventID Qualifiers="#4 (type 0x06, optional)#">#3 (type 0x06, optional)#</EventID>
<Level>#0 (type 0x04, optional)#</Level>
<Task>#2 (type 0x06, optional)#</Task>
<Keywords>#5 (type 0x15, optional)#</Keywords>
<TimeCreated SystemTime="#6 (type 0x11, optional)#" />
<EventRecordID>#10 (type 0x0a, optional)#</EventRecordID>
<Channel>Application</Channel>
<Computer>WIN-MN3PD6748UB</Computer>
<Security UserID="#12 (type 0x13, optional)#" /></System>#19 (type 0x21, optional)#</Event>

Template {9CA3DC99-BBC3-925C-8830-D921090EB391} at chunk 0, offset 0x0c06:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Search" Guid="{CA4E628D-8567-4896-AB6B-835B221F373F}" EventSourceName="Windows Search Service" />
<EventID Qualifiers="#4 (type 0x06, optional)#">#3 (type 0x06, optional)#</EventID>
<Version>#11 (type 0x04, optional)#</Version>
<Level>#0 (type 0x04, optional)#</Level>
<Task>#2 (type 0x06, optional)#</Task>
<Opcode>#1 (type 0x04, optional)#</Opcode>
<Keywords>#5 (type 0x15, optional)#</Keywords>
<TimeCreated SystemTime="#6 (type 0x11, optional)#" />
<EventRecordID>#10 (type 0x0a, optional)#</EventRecordID>
<Correlation ActivityID="#7 (type 0x0f, optional)#" RelatedActivityID="#18 (type 0x0f, optional)#" />
<Execution ProcessID="#8 (type 0x08, optional)#" ThreadID="#9 (type 0x08, optional)#" />
<Channel>Application</Channel>
<Computer>WIN-MN3PD6748UB</Computer>
<Security UserID="#12 (type 0x13, optional)#" /></System>#19 (type 0x21, optional)#</Event>
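What evtxtemplates.pl shows is how an .evtx record is stored: a chunk holds templates, and each record references one by GUID plus an array of substitution values that fill the "#N (type 0xTT, optional)#" slots. Comparing the first template with record 539 in the apps.xml excerpt makes the mapping visible: slot 3 becomes the EventID, slot 6 the SystemTime, slot 10 the EventRecordID, optional slots with a null value (7, 18, 12) drop their attribute entirely, which is why the record reads <Correlation /> and <Security />, and slot 19 (type 0x21, BinXml) receives the EventData fragment, itself rendered from the second template. The block below is an added example, not part of the original post and not the evtxtemplates.pl author's code: it parses the first two templates quoted above (embedded as a constructed sample), lists each slot with its value type, and renders the template with a constructed substitution array chosen to reproduce record 539. The type-code table holds the documented EVT_VARIANT_TYPE codes with 0x80 as the array flag; the function names parse_templates, render and rebuild_record_539 are the example's own.

```python
import re

# Constructed sample: the first two templates from apps_templates.xml above.
TEMPLATES_TEXT = """Template {DE23100B-D102-8051-E784-08BD5CD08463} at chunk 0, offset 0x0226:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-SPP" Guid="{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}" EventSourceName="Software Protection Platform Service" />
<EventID Qualifiers="#4 (type 0x06, optional)#">#3 (type 0x06, optional)#</EventID>
<Version>#11 (type 0x04, optional)#</Version>
<Level>#0 (type 0x04, optional)#</Level>
<Task>#2 (type 0x06, optional)#</Task>
<Opcode>#1 (type 0x04, optional)#</Opcode>
<Keywords>#5 (type 0x15, optional)#</Keywords>
<TimeCreated SystemTime="#6 (type 0x11, optional)#" />
<EventRecordID>#10 (type 0x0a, optional)#</EventRecordID>
<Correlation ActivityID="#7 (type 0x0f, optional)#" RelatedActivityID="#18 (type 0x0f, optional)#" />
<Execution ProcessID="#8 (type 0x08, optional)#" ThreadID="#9 (type 0x08, optional)#" />
<Channel>Application</Channel>
<Computer>WIN-MN3PD6748UB</Computer>
<Security UserID="#12 (type 0x13, optional)#" /></System>#19 (type 0x21, optional)#</Event>

Template {ECD34601-0225-3E67-B639-D77B70281CE9} at chunk 0, offset 0x0876:
<EventData>
<Data>#0 (type 0x81, optional)#</Data>
<Binary>#2 (type 0x0e, optional)#</Binary></EventData>
"""

HEADER_RE = re.compile(r"^Template (\{[0-9A-F-]+\}) at chunk (\d+), offset 0x([0-9a-f]+):$")
PLACEHOLDER = re.compile(r"#(\d+) \(type 0x([0-9a-f]{2})(, optional)?\)#")
ATTR_PLACEHOLDER = re.compile(r'\s(\w+)="#(\d+) \(type 0x[0-9a-f]{2}(?:, optional)?\)#"')

# BinXml substitution value types (EVT_VARIANT_TYPE codes; 0x80 flags an array).
TYPE_NAMES = {0x01: "String", 0x04: "UInt8", 0x06: "UInt16", 0x08: "UInt32",
              0x0A: "UInt64", 0x0E: "Binary", 0x0F: "Guid", 0x11: "FileTime",
              0x13: "Sid", 0x15: "HexInt64", 0x21: "BinXml"}


def type_name(code):
    base = TYPE_NAMES.get(code & 0x7F, f"unknown(0x{code & 0x7F:02x})")
    return base + "[]" if code & 0x80 else base


def parse_templates(text):
    """Return one dict per template: guid, chunk, offset, body and slot -> (type, optional)."""
    templates, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"guid": m[1], "chunk": int(m[2]), "offset": int(m[3], 16), "body": []}
            templates.append(current)
        elif current is not None and line.strip():
            current["body"].append(line)
    for t in templates:
        t["body"] = "\n".join(t["body"])
        t["slots"] = {int(i): (type_name(int(ty, 16)), bool(opt))
                      for i, ty, opt in PLACEHOLDER.findall(t["body"])}
    return templates


def render(template_body, values):
    """Fill the substitution slots of a template body.

    values maps slot index -> string; None stands for a NullType substitution,
    which removes the whole attribute (or contributes nothing) as in the dump."""
    def attr(m):
        v = values.get(int(m[2]))
        return "" if v is None else f' {m[1]}="{v}"'

    def elem(m):
        v = values.get(int(m[1]))
        return "" if v is None else v
    # Attribute-valued slots first, so the element pass never sees a quoted placeholder.
    return PLACEHOLDER.sub(elem, ATTR_PLACEHOLDER.sub(attr, template_body))


# Constructed substitution arrays that reproduce record 539 from the dump above.
EVENTDATA_539 = {0: "", 2: ""}
SYSTEM_539 = {0: "4", 1: "0", 2: "0", 3: "900", 4: "16384", 5: "0x0080000000000000",
              6: "2010-01-27T00:45:51.0Z", 7: None, 8: "0", 9: "0", 10: "539",
              11: "0", 12: None, 18: None}


def rebuild_record_539():
    """Render the nested EventData template first, then plug it into slot 19."""
    event_template, data_template = parse_templates(TEMPLATES_TEXT)[:2]
    values = dict(SYSTEM_539)
    values[19] = "\n" + render(data_template["body"], EVENTDATA_539)
    return render(event_template["body"], values)


if __name__ == "__main__":
    for t in parse_templates(TEMPLATES_TEXT):
        print(t["guid"], f"chunk {t['chunk']} offset 0x{t['offset']:04x}", t["slots"])
    print(rebuild_record_539())
```

Because the System block is fixed in the template, fields such as Provider, Channel and Computer are not per-record data at all; only the slot values vary from record to record, which is also why the same template is reused for every event of a given provider in the chunk.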


Hmm... ( ̄  ̄;)