// Check whether the evt file is a valid one.
// The decision rests only on the fixed header fields: a 0x30-byte header,
// the "LfLe" magic (0x654C664C read as little-endian bytes) and the two
// constant words that are 1 in every file this parser accepts.
// Returns false on the first mismatch; the caller then refuses the file.
private bool Validate(EventLogHeader header)
{
    if (header.HeaderLength != 0x00000030)
    {
        return false;   // header is always 0x30 (48) bytes long
    }
    if (header.Signature != 0x654C664c)
    {
        return false;   // "LfLe" magic missing
    }
    // NOTE(review): the two "Unknown" words are simply observed to be 1 in
    // valid files; their meaning is not documented in this file.
    return header.Unknown1 == 0x00000001 && header.Unknown2 == 0x00000001;
}
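// Parse the file and raise OnFoundRecord once per record, walking the
// record chain from the header's FooterOffset until the record that sits
// immediately after the 0x30-byte header is reached.
//
// The file is untrusted input: the header fields and every record offset
// come straight from disk, so each value is range-checked before use and
// the walk is bounded so a crafted file cannot spin the parser forever.
// Failures are reported through OnAction rather than thrown, matching the
// rest of this class.
public unsafe void Parse(string filename)
{
    try
    {
        // Read-only, shared access: the parser never writes the log, and a
        // bare FileMode.Open would request read/write access as well.
        using (FileStream fs = new FileStream(filename, FileMode.Open, FileAccess.Read, FileShare.Read))
        using (BinaryReader br = new BinaryReader(fs))
        {
            // A short read (truncated file) leaves the tail of the buffer
            // zeroed; reject it instead of feeding a half-filled header on.
            byte[] header = new byte[sizeof(EventLogHeader)];
            int headerBytes = br.Read(header, 0, header.Length);
            if (headerBytes != header.Length)
            {
                this.OnAction("Invalid file format.");
                return;
            }

            EventLogHeader _h = new EventLogHeader(header);
            if (!Validate(_h))
            {
                this.OnAction("Invalid file format.");
                return;
            }

            // NextIndex is file-supplied; clamp so a bogus value cannot turn
            // into a negative or overflowed total.
            long declared = (long)_h.NextIndex - 1;
            int totalEvents = declared < 0 ? 0 : (declared > int.MaxValue ? int.MaxValue : (int)declared);
            this.OnAction(String.Format("Found {0} events", totalEvents));

            const uint HeaderSize = 0x00000030;   // Validate() guarantees HeaderLength == this
            long fileLength = fs.Length;
            // No well-formed log holds more records than it has bytes, so this
            // cap stops an offset cycle without rejecting any real file.
            long maxRecords = fileLength;

            EventLogEntry e;
            int cnt = 0;
            uint offset = _h.FooterOffset;
            while (true)
            {
                // Refuse to follow an offset that points into the header or
                // beyond the end of the file; ReadEntry would otherwise seek on
                // an attacker-controlled position.
                if (offset < HeaderSize || offset > fileLength)
                {
                    this.OnAction(String.Format("Invalid record offset {0}; stopping.", offset));
                    break;
                }
                if (cnt >= maxRecords)
                {
                    this.OnAction("Record chain does not terminate; stopping.");
                    break;
                }

                // ReadEntry(br, ref offset) is expected to read the record at
                // offset and advance offset to the next one; see its definition.
                byte[] buff = ReadEntry(br, ref offset);
                e = ReadEntry(buff);
                cnt++;

                DateTime dt = GetTime(e.rec.TimeGenerated);
                this.OnFoundRecord(new object[] {
                    // Enum.GetName yields null for an EventType value outside
                    // the enum; consumers of the record must cope with that.
                    Enum.GetName(typeof(EventLogEntryType), e.rec.EventType),
                    dt.ToShortDateString(),
                    dt.ToShortTimeString(),
                    e.SourceName,
                    e.Strings,
                    e.rec.EventCategory,
                    e.rec.EventID,
                    e.UserSid,
                    e.Computername });

                if (cnt % 200 == 0)
                {
                    this.OnProgress(cnt, totalEvents);
                }

                // The chain ends at the record immediately following the header.
                if (offset == HeaderSize)
                {
                    break;
                }
            }
        }
    }
    catch (Exception ex)
    {
        // Best-effort tool: surface the failure to the caller instead of
        // crashing the host application.
        this.OnAction(String.Format("Error Occured! {0}", ex.Message));
    }
    return;
}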
// Check whether the evt file is a valid one.
// Accepts a header only when all four fixed fields match what this parser
// expects: 0x30 bytes of header, the "LfLe" magic (0x654C664C, little-endian
// bytes) and both constant words equal to 1. Any mismatch rejects the file.
private bool Validate(EventLogHeader header)
{
    bool lengthOk = header.HeaderLength == 0x00000030;      // header is always 0x30 (48) bytes
    bool signatureOk = header.Signature == 0x654C664c;      // "LfLe" magic
    // NOTE(review): Unknown1/Unknown2 are observed to be 1 in valid files;
    // their meaning is not documented in this file.
    bool constantsOk = header.Unknown1 == 0x00000001 && header.Unknown2 == 0x00000001;
    return lengthOk && signatureOk && constantsOk;
}
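// Parse the file and raise OnFoundRecord once per record, walking the
// record chain from the header's FooterOffset until the record that sits
// immediately after the 0x30-byte header is reached.
//
// The file is untrusted input: the header fields and every record offset
// come straight from disk, so each value is range-checked before use and
// the walk is bounded so a crafted file cannot spin the parser forever.
// Failures are reported through OnAction rather than thrown, matching the
// rest of this class.
public unsafe void Parse(string filename)
{
    try
    {
        // Read-only, shared access: the parser never writes the log, and a
        // bare FileMode.Open would request read/write access as well.
        using (FileStream fs = new FileStream(filename, FileMode.Open, FileAccess.Read, FileShare.Read))
        using (BinaryReader br = new BinaryReader(fs))
        {
            // A short read (truncated file) leaves the tail of the buffer
            // zeroed; reject it instead of feeding a half-filled header on.
            byte[] header = new byte[sizeof(EventLogHeader)];
            int headerBytes = br.Read(header, 0, header.Length);
            if (headerBytes != header.Length)
            {
                this.OnAction("Invalid file format.");
                return;
            }

            EventLogHeader _h = new EventLogHeader(header);
            if (!Validate(_h))
            {
                this.OnAction("Invalid file format.");
                return;
            }

            // NextIndex is file-supplied; clamp so a bogus value cannot turn
            // into a negative or overflowed total.
            long declared = (long)_h.NextIndex - 1;
            int totalEvents = declared < 0 ? 0 : (declared > int.MaxValue ? int.MaxValue : (int)declared);
            this.OnAction(String.Format("Found {0} events", totalEvents));

            const uint HeaderSize = 0x00000030;   // Validate() guarantees HeaderLength == this
            long fileLength = fs.Length;
            // No well-formed log holds more records than it has bytes, so this
            // cap stops an offset cycle without rejecting any real file.
            long maxRecords = fileLength;

            EventLogEntry e;
            int cnt = 0;
            uint offset = _h.FooterOffset;
            while (true)
            {
                // Refuse to follow an offset that points into the header or
                // beyond the end of the file; ReadEntry would otherwise seek on
                // an attacker-controlled position.
                if (offset < HeaderSize || offset > fileLength)
                {
                    this.OnAction(String.Format("Invalid record offset {0}; stopping.", offset));
                    break;
                }
                if (cnt >= maxRecords)
                {
                    this.OnAction("Record chain does not terminate; stopping.");
                    break;
                }

                // ReadEntry(br, ref offset) is expected to read the record at
                // offset and advance offset to the next one; see its definition.
                byte[] buff = ReadEntry(br, ref offset);
                e = ReadEntry(buff);
                cnt++;

                DateTime dt = GetTime(e.rec.TimeGenerated);
                this.OnFoundRecord(new object[] {
                    // Enum.GetName yields null for an EventType value outside
                    // the enum; consumers of the record must cope with that.
                    Enum.GetName(typeof(EventLogEntryType), e.rec.EventType),
                    dt.ToShortDateString(),
                    dt.ToShortTimeString(),
                    e.SourceName,
                    e.Strings,
                    e.rec.EventCategory,
                    e.rec.EventID,
                    e.UserSid,
                    e.Computername });

                if (cnt % 200 == 0)
                {
                    this.OnProgress(cnt, totalEvents);
                }

                // The chain ends at the record immediately following the header.
                if (offset == HeaderSize)
                {
                    break;
                }
            }
        }
    }
    catch (Exception ex)
    {
        // Best-effort tool: surface the failure to the caller instead of
        // crashing the host application.
        this.OnAction(String.Format("Error Occured! {0}", ex.Message));
    }
    return;
}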