 // Check whether the evt file is a valid one.
 /// <summary>
 /// Checks the fixed-size header for the values a genuine .evt file carries:
 /// a 0x30 (48-byte) header length, the "LfLe" signature (0x654C664C read
 /// little-endian), and the two reserved dwords set to 1.
 /// </summary>
 /// <param name="header">Header decoded from the first bytes of the file.</param>
 /// <returns><c>true</c> when every field matches; <c>false</c> otherwise.</returns>
 private bool Validate(EventLogHeader header)
 {
     // Same four checks as before, short-circuiting in the same order.
     return header.HeaderLength == 0x00000030
         && header.Signature == 0x654C664c
         && header.Unknown1 == 0x00000001
         && header.Unknown2 == 0x00000001;
 }
 // Parse the file
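 /// <summary>
 /// Parses the .evt file at <paramref name="filename"/>: reads the fixed-size
 /// header, validates it, then walks the records starting at the header's
 /// FooterOffset, raising OnFoundRecord for every record and OnProgress every
 /// 200 records. Problems are reported through OnAction; nothing is thrown.
 /// </summary>
 /// <param name="filename">Path of the event log file to parse.</param>
 public unsafe void Parse(string filename)
 {
     try
     {
         // Open read-only: the log is input we only inspect, and FileMode.Open on
         // its own requests read/write access, which fails on read-only media.
         using (FileStream fs = new FileStream(filename, FileMode.Open, FileAccess.Read))
         {
             using (BinaryReader br = new BinaryReader(fs))
             {
                 // Read the fixed-size header. Read() may return fewer bytes than
                 // asked for on a truncated file; the old code ignored that and
                 // validated a partially zero-filled buffer.
                 byte[] header = new byte[sizeof(EventLogHeader)];
                 int got = br.Read(header, 0, header.Length);
                 if (got != header.Length)
                 {
                     this.OnAction("File is too short to contain a valid header.");
                     return;
                 }
                 EventLogHeader _h = new EventLogHeader(header);
                 if (!Validate(_h))
                 {
                     this.OnAction("Invalid file format.");
                     return;
                 }
                 // The header's NextIndex - 1 is what we report as the event count;
                 // it only feeds progress reporting, the loop is not bounded by it.
                 int totalEvents = (int)(_h.NextIndex - 1);
                 this.OnAction(String.Format("Found {0} events", totalEvents));

                 int cnt = 0;
                 uint offset = _h.FooterOffset;
                 do
                 {
                     // ReadEntry updates offset by reference (presumably to the
                     // following record) and returns the raw bytes of this one.
                     byte[] buff = ReadEntry(br, ref offset);
                     EventLogEntry e = ReadEntry(buff);
                     cnt++;
                     DateTime dt = GetTime(e.rec.TimeGenerated);
                     this.OnFoundRecord(
                         new object[] {
                             Enum.GetName(typeof(EventLogEntryType), e.rec.EventType),
                             dt.ToShortDateString(),
                             dt.ToShortTimeString(),
                             e.SourceName,
                             e.Strings,
                             e.rec.EventCategory,
                             e.rec.EventID,
                             e.UserSid,
                             e.Computername });
                     if (cnt % 200 == 0)
                     {
                         this.OnProgress(cnt, totalEvents);
                     }
                 }
                 // 48 (0x30) is the header length: reaching it means the walk has
                 // wrapped back to the start of the file.
                 while (offset != 48);
             }
         }
     }
     catch (Exception ex)
     {
         // Deliberately best-effort: the caller gets the failure via OnAction.
         this.OnAction(String.Format("Error Occured! {0}", ex.Message));
     }
 }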
 // Check whether the evt file is a valid one.
 /// <summary>
 /// Decides whether the decoded header belongs to a real .evt file. Each
 /// field is tested in turn and the first mismatch rejects the file: the
 /// header length must be 0x30 (48 bytes), the signature must be 0x654C664C
 /// ("LfLe" when the bytes are read little-endian), and both reserved dwords
 /// must be 1.
 /// </summary>
 /// <param name="header">Header decoded from the first bytes of the file.</param>
 /// <returns><c>true</c> only when all four fields carry the expected values.</returns>
 private bool Validate(EventLogHeader header)
 {
     if (header.HeaderLength != 0x00000030)
     {
         return false;
     }
     if (header.Signature != 0x654C664c)
     {
         return false;
     }
     if (header.Unknown1 != 0x00000001)
     {
         return false;
     }
     return header.Unknown2 == 0x00000001;
 }
 // Parse the file
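 /// <summary>
 /// Parses the .evt file at <paramref name="filename"/>. The fixed-size header is
 /// read and validated, the reported event count is announced through OnAction,
 /// and the records are then walked from the header's FooterOffset, with
 /// OnFoundRecord raised per record and OnProgress every 200 records.
 /// Any failure is reported through OnAction rather than propagated.
 /// </summary>
 /// <param name="filename">Path of the event log file to parse.</param>
 public unsafe void Parse(string filename)
 {
     try
     {
         // Read-only access: we never write the log, and FileMode.Open alone
         // asks for read/write, which fails on read-only media.
         using (FileStream fs = new FileStream(filename, FileMode.Open, FileAccess.Read))
         {
             using (BinaryReader br = new BinaryReader(fs))
             {
                 byte[] header = new byte[sizeof(EventLogHeader)];
                 // Read() returns the byte count actually obtained; a truncated
                 // file yields fewer than requested, and validating the
                 // zero-padded remainder would be meaningless.
                 if (br.Read(header, 0, header.Length) != header.Length)
                 {
                     this.OnAction("File is too short to contain a valid header.");
                     return;
                 }
                 EventLogHeader _h = new EventLogHeader(header);
                 if (!Validate(_h))
                 {
                     this.OnAction("Invalid file format.");
                     return;
                 }
                 // Count announced to the caller; used for progress only, never
                 // as a loop bound.
                 int totalEvents = (int)(_h.NextIndex - 1);
                 this.OnAction(String.Format("Found {0} events", totalEvents));

                 int  cnt    = 0;
                 uint offset = _h.FooterOffset;
                 while (true)
                 {
                     // ReadEntry moves offset (by ref) past the record it returns.
                     byte[] buff = ReadEntry(br, ref offset);
                     EventLogEntry e = ReadEntry(buff);
                     cnt++;
                     this.OnFoundRecord(BuildRow(e, GetTime(e.rec.TimeGenerated)));
                     if (cnt % 200 == 0)
                     {
                         this.OnProgress(cnt, totalEvents);
                     }
                     // 48 (0x30) is the header length, so the walk has wrapped
                     // around to the start of the file.
                     if (offset == 48)
                     {
                         break;
                     }
                 }
             }
         }
     }
     catch (Exception ex)
     {
         // Best-effort by design: the failure is surfaced through OnAction.
         this.OnAction(String.Format("Error Occured! {0}", ex.Message));
     }
 }

 /// <summary>
 /// Builds the object row handed to OnFoundRecord for one entry, in the column
 /// order the listeners expect: type, date, time, source, strings, category,
 /// event id, user SID, computer name.
 /// </summary>
 /// <param name="e">Decoded entry.</param>
 /// <param name="dt">Entry time already converted by GetTime.</param>
 /// <returns>The nine-element row.</returns>
 private static object[] BuildRow(EventLogEntry e, DateTime dt)
 {
     return new object[] {
         Enum.GetName(typeof(EventLogEntryType), e.rec.EventType),
         dt.ToShortDateString(),
         dt.ToShortTimeString(),
         e.SourceName,
         e.Strings,
         e.rec.EventCategory,
         e.rec.EventID,
         e.UserSid,
         e.Computername
     };
 }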