Windows 10 (1803) issue
limonidisicilia opened this issue · 3 comments
limonidisicilia commented
Hi Willi,
I'm getting the following OSError when running a script on any Windows 10 PC. The script runs without any issues on MacOS and Windows 8.1. The script occurs when trying to convert a System.evtx. I can provide the event log if needed. Thank you, Raf.
converting problem\Win10_System.evtx please wait...
Traceback (most recent call last):
  File "C:\Python\USB\Win10usb47.py", line 4347, in <module>
    main()
  File "C:\Python\USB\Win10usb47.py", line 398, in main
    evtx_counter, eventlogs_xml, pnp_eventlogs_xml, WinPart_eventlogs_xml = evtx2xml(eventlogs)
  File "C:\Python\USB\Win10usb47.py", line 3281, in evtx2xml
    print(record.xml(), file=dest_xml)
  File "C:\Users\UserXY\AppData\Local\Programs\Python\Python36\lib\site-packages\Evtx\Evtx.py", line 481, in xml
    return e_views.evtx_record_xml_view(self)
  File "C:\Users\UserXY\AppData\Local\Programs\Python\Python36\lib\site-packages\Evtx\Views.py", line 204, in evtx_record_xml_view
    return render_root_node(record.root())
  File "C:\Users\UserXY\AppData\Local\Programs\Python\Python36\lib\site-packages\Evtx\Views.py", line 191, in render_root_node
    return render_root_node_with_subs(root_node, subs)
  File "C:\Users\UserXY\AppData\Local\Programs\Python\Python36\lib\site-packages\Evtx\Views.py", line 176, in render_root_node_with_subs
    rec(c, acc)
  File "C:\Users\UserXY\AppData\Local\Programs\Python\Python36\lib\site-packages\Evtx\Views.py", line 126, in rec
    rec(child, acc)
  File "C:\Users\UserXY\AppData\Local\Programs\Python\Python36\lib\site-packages\Evtx\Views.py", line 166, in rec
    sub = render_root_node(sub.root())
  File "C:\Users\UserXY\AppData\Local\Programs\Python\Python36\lib\site-packages\Evtx\Views.py", line 191, in render_root_node
    return render_root_node_with_subs(root_node, subs)
  File "C:\Users\UserXY\AppData\Local\Programs\Python\Python36\lib\site-packages\Evtx\Views.py", line 176, in render_root_node_with_subs
    rec(c, acc)
  File "C:\Users\UserXY\AppData\Local\Programs\Python\Python36\lib\site-packages\Evtx\Views.py", line 126, in rec
    rec(child, acc)
  File "C:\Users\UserXY\AppData\Local\Programs\Python\Python36\lib\site-packages\Evtx\Views.py", line 126, in rec
    rec(child, acc)
  File "C:\Users\UserXY\AppData\Local\Programs\Python\Python36\lib\site-packages\Evtx\Views.py", line 159, in rec
    sub = escape_value(sub.string())
  File "C:\Users\UserXY\AppData\Local\Programs\Python\Python36\lib\site-packages\Evtx\Nodes.py", line 1401, in string
    return self.filetime().isoformat(' ')
  File "C:\Users\UserXY\AppData\Local\Programs\Python\Python36\lib\site-packages\Evtx\BinaryParser.py", line 205, in no_length_handler
    return f(offset)
  File "C:\Users\UserXY\AppData\Local\Programs\Python\Python36\lib\site-packages\Evtx\BinaryParser.py", line 518, in unpack_filetime
    return parse_filetime(self.unpack_qword(offset))
  File "C:\Users\UserXY\AppData\Local\Programs\Python\Python36\lib\site-packages\Evtx\BinaryParser.py", line 109, in parse_filetime
    return datetime.utcfromtimestamp(float(qword) * 1e-7 - 11644473600)
OSError: [Errno 22] Invalid argument
williballenthin commented
oddly enough, i'm not able to reproduce this issue using the latest version of python-evtx. are you using the source downloaded from this repository, or the library installed via pypi?
user@hostname ~/Documents/code/python-evtx (master)
λ ~/env2/Scripts/python scripts/evtx_dump.py ~/Downloads/win_10System.evtx > ~/Downloads/win_10System.evtx.xml2
user@hostname ~/Documents/code/python-evtx (master)
λ ~/env/Scripts/python scripts/evtx_dump.py ~/Downloads/win_10System.evtx > ~/Downloads/win_10System.evtx.xml
user@hostname ~/Documents/code/python-evtx (master)
limonidisicilia commented
Just wanted to thank Willi for providing a solution:
28095cc
This was the issue:
https://bugs.python.org/issue29097
williballenthin commented
great!
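An added example, not part of the thread and not the change made in the referenced commit: the traceback above ends in `datetime.utcfromtimestamp(float(qword) * 1e-7 - 11644473600)`, which hands the value to the platform's time conversion. The version below converts a FILETIME with pure `datetime` arithmetic instead, so the result does not depend on the operating system; the function names and sample values are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta

# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1)
# Largest microsecond offset from that epoch that datetime can still represent.
MAX_MICROS = (datetime.max - FILETIME_EPOCH) // timedelta(microseconds=1)


def filetime_to_datetime(qword):
    """Convert a 64-bit FILETIME to a naive UTC datetime.

    Returns None when the value lies beyond year 9999, which in an event
    log usually means a corrupt or uninitialised field rather than a time.
    """
    if not 0 <= qword <= 0xFFFFFFFFFFFFFFFF:
        raise ValueError("FILETIME must be an unsigned 64-bit integer")
    micros = qword // 10  # integer division: no float rounding, ticks -> microseconds
    if micros > MAX_MICROS:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=micros)


def filetime_from_bytes(buf, offset=0):
    """Read a little-endian FILETIME qword from a buffer and convert it."""
    (qword,) = struct.unpack_from("<Q", buf, offset)
    return filetime_to_datetime(qword)


def render(qword):
    """Format like the traceback's isoformat(' ') call, with a marker for bad values."""
    ts = filetime_to_datetime(qword)
    return ts.isoformat(" ") if ts is not None else "<invalid FILETIME 0x%016x>" % qword


if __name__ == "__main__":
    # Constructed sample values: zero, the Unix epoch, and an all-ones field.
    for sample in (0, 116444736000000000, 0xFFFFFFFFFFFFFFFF):
        print(sample, "->", render(sample))
```

A zero FILETIME comes back as 1601-01-01 rather than raising, so a caller can decide whether to treat it as "not set".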