EricZimmerman/evtx

Error

Banaanhangwagen opened this issue · 12 comments

When parsing a Security.evtx, I get the following error:

Error processing '.\Security.evtx'! 
Message: Offset and length were out of bounds for the array or count is greater than the number of elements from index to the end of the source collection.

The size of Security.evtx is 128 MB and counts 216.000 events.

Send me the log or run with debug and/or trace. Does it give you the stats at the end? How did you get the log? Is it in use? Etc.

Show the output from the console here too

Does it give you the stats at the end?

No, it exits before.

Is it in use?

No, Security.evtx is extracted from another system.

This is the command that I typed
.\EvtxECmd.exe -f .\Security.evtx --csv .\ --debug

EvtxECmd version 0.4.1.0

Author: Eric Zimmerman (saericzimmerman@gmail.com)
https://github.com/EricZimmerman/evtx

Command line: -f .\Security.evtx --csv .\ --debug

Warning: Administrator privileges not found!

CSV output will be saved to '.\20190426201354_EvtxECmd_Output.csv'

Loading maps from 'C:\Users\X\TOOLS\EvtxExplorer\Maps'
'Security_4624.map' is valid. Adding to maps...
'Security_4625.map' is valid. Adding to maps...
'Security_4672.map' is valid. Adding to maps...
'Security_4688.map' is valid. Adding to maps...
'Security_4720.map' is valid. Adding to maps...
'Security_5140.map' is valid. Adding to maps...
Maps loaded: 6

Processing '.\Security.evtx'...
Event Log data before processing chunks:
Version: 3.1
Flags: IsDirty
Chunk count: 2048
First/last Chunk #: 1742/1741
Stored CRC: 2E777185
Calculated CRC: 2E777185
Total event log records found: 0

Chunk data before processing records: Chunk absolute offset 0x00001000 Chunk #: 0     FirstEventRecordNumber: 128507193 LastEventRecordNumber: 128507304 FirstEventRecordIdentifier: 128514271 LastEventRecordIdentifier: 128514382
Record position: 0x0200 Record #: 128514271 Timestamp: 2019-03-21 00:45:49.6303134 Event Id: 4625
Record position: 0x0DB8 Record #: 128514272 Timestamp: 2019-03-21 00:45:49.6533306 Event Id: 4625
Record position: 0x0FC8 Record #: 128514273 Timestamp: 2019-03-21 00:45:50.9316773 Event Id: 4625

[...]

Record position: 0xF758 Record #: 128589406 Timestamp: 2019-03-22 02:14:50.0309891 Event Id: 4672
Record position: 0xFA90 Record #: 128589407 Timestamp: 2019-03-22 02:14:50.0309891 Event Id: 4624
Record position: 0xFCE0 Record #: 128589408 Timestamp: 2019-03-22 02:14:50.0379953 Event Id: 4634
Error processing '.\Security.evtx'! 
Message: Offset and length were out of bounds for the array or count is greater than the number of elements from index to the end of the source collection.

Processed 0 files in 69,2629 seconds

Send me the log and I can take a look. I at least can make it continue on that kind of error. Can you zip it and send it?

That file must be huge

I mean send me the event log not the console. Heh

First/last Chunk #: 1742/1741

That's strange. Very strange. Last is before first!
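To make the header values in the debug output above concrete (version 3.1, 2048 chunks, first/last chunk 1742/1741, IsDirty, stored vs. calculated CRC), here is an added example that is not EvtxECmd's code: it builds a constructed EVTX file header, parses it back, and orders the chunks, treating a last chunk number below the first one as a wrapped circular log. It assumes the 128-byte header layout from the public EVTX format documentation (CRC32 over the first 120 bytes) and that chunk 0 starts at file offset 0x1000, as the output shows.

```python
import struct
import zlib

# EVTX file header layout (128 bytes), per the public format documentation:
# signature, first/last chunk number, next record id, header size, minor/major
# version, header block size, chunk count, 76 unused bytes, flags, CRC32.
HEADER_FMT = "<8sQQQIHHHH76sII"
FLAG_DIRTY = 0x1          # "IsDirty" in the output above
CHUNK_SIZE = 0x10000      # chunks follow the 4 KiB header block

def build_header(first_chunk, last_chunk, chunk_count, flags, next_record=1):
    """Constructed sample header; the CRC covers the first 120 bytes (assumption)."""
    body = struct.pack("<8sQQQIHHHH76sI", b"ElfFile\x00", first_chunk, last_chunk,
                       next_record, 128, 1, 3, 4096, chunk_count, b"\x00" * 76, flags)
    return body + struct.pack("<I", zlib.crc32(body[:120]) & 0xFFFFFFFF)

def parse_header(buf):
    """Parse the header and verify the CRC, as the tool prints stored vs. calculated."""
    fields = struct.unpack_from(HEADER_FMT, buf, 0)
    sig, first, last, _next, _hsize, minor, major, _bsize, count, _, flags, stored = fields
    if sig != b"ElfFile\x00":
        raise ValueError("not an EVTX file header")
    calculated = zlib.crc32(buf[:120]) & 0xFFFFFFFF
    return {"version": f"{major}.{minor}", "first_chunk": first, "last_chunk": last,
            "chunk_count": count, "dirty": bool(flags & FLAG_DIRTY),
            "stored_crc": stored, "calculated_crc": calculated,
            "crc_ok": stored == calculated}

def chunk_order(first, last, chunk_count):
    """Chunk indices oldest-to-newest. Both numbers must lie inside the file;
    last < first (1742/1741 in the report) is read here as a wrapped circular log."""
    if not (0 <= first < chunk_count and 0 <= last < chunk_count):
        raise ValueError(f"chunk number outside the file: {first}/{last} of {chunk_count}")
    if last >= first:
        return list(range(first, last + 1))
    return list(range(first, chunk_count)) + list(range(0, last + 1))

def chunk_offset(index):
    """Absolute file offset of a chunk (chunk 0 sits at 0x1000, as in the output)."""
    return 0x1000 + index * CHUNK_SIZE

if __name__ == "__main__":
    hdr = parse_header(build_header(1742, 1741, 2048, FLAG_DIRTY))
    order = chunk_order(hdr["first_chunk"], hdr["last_chunk"], hdr["chunk_count"])
    print(hdr, len(order), hex(chunk_offset(order[0])))
```

With the reported values every one of the 2048 chunks falls inside the wrapped range, so a reader that rejects chunks "outside" first..last before accounting for the wrap would discard the whole tail of the file.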

Send me the log and I can take a look. I at least can make it continue on that kind of error.
Can you zip it and send it?

Security.evtx

Sweet. Will look here in a bit.

Working this now. Shouldn't be long.

Fixed! Please redownload or use the Get-Zimmerman script to update. I had my logic out of order for looking for records outside the valid range.


It works!
You fixed it faster than the speed of light! Thanks and big up for yourself!

excellent!