syntax errors with System1 and System42 maps

Question

syntax errors with System1 and System42 maps

lawrenpoh opened this issue 4 years ago · 5 comments

Hi, running into problems with syntax errors for System1 and System42 maps with similar error message shown below.
`Syntax error in 'C:\Zimmerman\EvtxExplorer\Maps\System_1.map':
Author: Eric Zimmerman
Description: Sleep/wake events
EventId: 1
Channel: "System"
Provider: "Microsoft-Windows-Power-Troubleshooter"
Maps:

Property: PayloadData1
PropertyValue: Sleep duration "%SleepDuration%"
Values:
  -
    Name: SleepDuration
    Value: "/Event/EventData/Data[@Name=\"SleepDuration\"]"

Property: PayloadData2
PropertyValue: Wake source "%WakeSourceType%"
Values:

Name: WakeSourceType
Value: "/Event/EventData/Data[@Name=\"WakeSourceType\"]"

Property: PayloadData3
PropertyValue: Wake source text "%WakeSourceText%"
Values:

Name: WakeSourceText
Value: "/Event/EventData/Data[@Name=\"WakeSourceText\"]"

Lookups:

Name: WakeSourceType
Default: Unknown code
Values:
    0: Unknown
    1: Power button
    3: Waking from sleep to hibernate
    5: Device (See WakeSourceText for details)
    6: Timer (See WakeSourceText for details)

Valid properties include:

UserName

RemoteHost

ExecutableInfo --> used for things like process command line, scheduled task, info from service install, etc.

PayloadData1 through PayloadData6

#Sample Event - derived from the event template.
#
#
#
#1
#3
#4
#0
#0
#0x8000000000000000
#
#2671
#
#
#System
#win-gist
#
#
#
#2020-09-18 03:18:35.0664609
#2020-09-18 03:28:35.8899669
#1029
#6389
#5716
#1042
#0
#0
#0
#1912628224
#4
#4
#6
#128
#Windows will execute 'NT TASK\Microsoft\Windows\UpdateOrchestrator\Reboot_AC' scheduled task that requested waking the computer.
#52
#18
#0
#\Device\HarddiskVolume3\Windows\System32\svchost.exe
#SystemEventsBroker
#98
#
#
Property 'Provider' not found on type 'evtx.EventLogMap'.

Verify all properties against example files or manual and try again.`

Answer 1 · 2020-10-19T11:54:23.000Z

Sounds like you need to update to the latest binary version of the executable.

Redownload it and then try again. That property was added when I did my last update but I can't remember if I bumped the version number or not

Answer 2 · 2020-10-19T11:56:40.000Z

I just updated the other day when I had this issue and I believe it went from 0.6.0.1 to 0.6.0.2, with .2 being the one that can properly handle the new added property.

Answer 3 · 2020-10-19T12:16:45.000Z

0602 with SHA1: E8897D8A806F3C1DB477B9A104924F7029AD81F8 syncs fine

i also just processed a system hive without issue. do the ps1 update script again and see what it does

Answer 4 · 2020-10-20T13:20:02.000Z

@lawrenpoh did updating work for you? It worked for me and I had no issues when I had this problem. It seems like updating EVTXECmd is the way to go for this.

Answer 5 · 2020-10-20T13:56:54.000Z

Yes it did. Thanks for the prompt response Eric! Appreciate it.

On Tue, 20 Oct 2020 at 21:20, Andrew Rathbun ***@***.***> wrote: @lawrenpoh <https://github.com/lawrenpoh> did updating work for you? It worked for me and I had no issues when I had this problem. It seems like updating EVTXECmd is the way to go for this. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#28 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABNFZZC2LRH4OO4COBZ5Z73SLWFBHANCNFSM4SV473PA> .

-- Regards, Lawren

Property: PayloadData2 PropertyValue: Wake source "%WakeSourceType%" Values:

Property: PayloadData3 PropertyValue: Wake source text "%WakeSourceText%" Values: