parse_filetime error
jsaspo opened this issue · 6 comments
jsaspo commented
Using evtx_dump.py to dump several .evtx logs successfully. However, I have one System.evtx that produces the following error mid-dump (the XML at the top is the last successful record "1190" before the dump errors out:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-WLAN-AutoConfig" Guid="{9580d7dd-0379-4658-9870-d5be7d52d6de}"></Provider>
<EventID Qualifiers="">10002</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x4000000000000000</Keywords>
<TimeCreated SystemTime="2019-07-23 16:07:17.966570"></TimeCreated>
<EventRecordID>1190</EventRecordID>
<Correlation ActivityID="" RelatedActivityID=""></Correlation>
<Execution ProcessID="2012" ThreadID="10056"></Execution>
<Channel>System</Channel>
<Computer>DESKTOP-LOJVG3N</Computer>
<Security UserID="S-1-5-18"></Security>
</System>
<EventData><Data Name="ExtensibleModulePath">C:\WINDOWS\System32\bcmihvsrv64.dll</Data>
</EventData>
</Event>
Traceback (most recent call last):
File "evtx_dump.py", line 42, in <module>
main()
File "evtx_dump.py", line 37, in main
print(record.xml())
File "C:\Users\Jay Sasportas\AppData\Roaming\Python\Python38\site-packages\Evtx\Evtx.py", line 481, in xml
return e_views.evtx_record_xml_view(self)
File "C:\Users\Jay Sasportas\AppData\Roaming\Python\Python38\site-packages\Evtx\Views.py", line 204, in evtx_record_xml_view
return render_root_node(record.root())
File "C:\Users\Jay Sasportas\AppData\Roaming\Python\Python38\site-packages\Evtx\Views.py", line 191, in render_root_node
return render_root_node_with_subs(root_node, subs)
File "C:\Users\Jay Sasportas\AppData\Roaming\Python\Python38\site-packages\Evtx\Views.py", line 176, in render_root_node_with_subs
rec(c, acc)
File "C:\Users\Jay Sasportas\AppData\Roaming\Python\Python38\site-packages\Evtx\Views.py", line 126, in rec
rec(child, acc)
File "C:\Users\Jay Sasportas\AppData\Roaming\Python\Python38\site-packages\Evtx\Views.py", line 166, in rec
sub = render_root_node(sub.root())
File "C:\Users\Jay Sasportas\AppData\Roaming\Python\Python38\site-packages\Evtx\Views.py", line 191, in render_root_node
return render_root_node_with_subs(root_node, subs)
File "C:\Users\Jay Sasportas\AppData\Roaming\Python\Python38\site-packages\Evtx\Views.py", line 176, in render_root_node_with_subs
rec(c, acc)
File "C:\Users\Jay Sasportas\AppData\Roaming\Python\Python38\site-packages\Evtx\Views.py", line 126, in rec
rec(child, acc)
File "C:\Users\Jay Sasportas\AppData\Roaming\Python\Python38\site-packages\Evtx\Views.py", line 126, in rec
rec(child, acc)
File "C:\Users\Jay Sasportas\AppData\Roaming\Python\Python38\site-packages\Evtx\Views.py", line 159, in rec
sub = escape_value(sub.string())
File "C:\Users\Jay Sasportas\AppData\Roaming\Python\Python38\site-packages\Evtx\Nodes.py", line 1401, in string
return self.filetime().isoformat(' ')
File "C:\Users\Jay Sasportas\AppData\Roaming\Python\Python38\site-packages\Evtx\BinaryParser.py", line 205, in no_length_handler
return f(offset)
File "C:\Users\Jay Sasportas\AppData\Roaming\Python\Python38\site-packages\Evtx\BinaryParser.py", line 518, in unpack_filetime
return parse_filetime(self.unpack_qword(offset))
File "C:\Users\Jay Sasportas\AppData\Roaming\Python\Python38\site-packages\Evtx\BinaryParser.py", line 109, in parse_filetime
return datetime.utcfromtimestamp(float(qword) * 1e-7 - 11644473600)
OSError: [Errno 22] Invalid argument
I'm assuming this is an issue with the following record "1191". Here is the Event Viewer display for that record:
Here is the evtx_record_strcture.py dump of that record:
00000000: 2A 2A 00 00 40 03 00 00 A7 04 00 00 00 00 00 00 **..@...........
00000010: 8A B6 09 B4 70 41 D5 01 0F 01 01 00 0C 01 FE 13 ....pA..........
00000020: 19 70 C6 08 00 00 12 00 00 00 01 00 04 00 01 00 .p..............
00000030: 04 00 02 00 06 00 02 00 06 00 02 00 00 00 08 00 ................
00000040: 15 00 08 00 11 00 10 00 00 00 04 00 08 00 04 00 ................
00000050: 08 00 08 00 0A 00 01 00 04 00 00 00 00 00 00 00 ................
00000060: 00 00 3C 00 01 00 10 00 0F 00 0C 00 01 00 33 02 ..<...........3.
00000070: 21 00 04 00 66 00 6B 00 01 00 44 04 00 00 00 00 !...f.k...D.....
00000080: 00 80 8A B6 09 B4 70 41 D5 01 C0 6B FE 0D 7B 02 ......pA...k..{.
00000090: 00 00 00 A7 57 0F 7B 02 00 00 04 00 00 00 B0 1F ....W.{.........
000000A0: 00 00 A7 04 00 00 00 00 00 00 01 4D 00 69 00 63 ...........M.i.c
000000B0: 00 72 00 6F 00 73 00 6F 00 66 00 74 00 2D 00 57 .r.o.s.o.f.t.-.W
000000C0: 00 69 00 6E 00 64 00 6F 00 77 00 73 00 2D 00 4B .i.n.d.o.w.s.-.K
000000D0: 00 65 00 72 00 6E 00 65 00 6C 00 2D 00 50 00 6F .e.r.n.e.l.-.P.o
000000E0: 00 77 00 65 00 72 00 3A 3B 1C 33 05 20 C2 44 AC .w.e.r.:;.3. .D.
000000F0: 5E 77 22 0C 37 D6 B4 53 00 79 00 73 00 74 00 65 ^w".7..S.y.s.t.e
00000100: 00 6D 00 0C 01 35 30 B6 4B 95 32 00 00 00 00 00 .m...50.K.2.....
00000110: 00 35 30 B6 4B E7 43 00 5C 0B 65 E7 CA 15 48 68 .50.K.C.\.e...Hh
00000120: 71 CC 01 00 00 0F 01 01 00 01 FF FF C0 01 00 00 q...............
00000130: 35 06 00 00 02 41 FF FF 2D 00 00 00 5D 06 00 00 5....A..-...]...
00000140: 1F 00 00 00 06 3D 03 00 00 05 01 0B 00 54 00 61 .....=.......T.a
00000150: 00 72 00 67 00 65 00 74 00 53 00 74 00 61 00 74 .r.g.e.t.S.t.a.t
00000160: 00 65 00 02 0D 00 00 08 04 41 FF FF 33 00 00 00 .e.......A..3...
00000170: 5D 06 00 00 25 00 00 00 06 3D 03 00 00 05 01 0E ]...%....=......
00000180: 00 45 00 66 00 66 00 65 00 63 00 74 00 69 00 76 .E.f.f.e.c.t.i.v
00000190: 00 65 00 53 00 74 00 61 00 74 00 65 00 02 0D 01 .e.S.t.a.t.e....
000001A0: 00 08 04 41 FF FF 31 00 00 00 5D 06 00 00 23 00 ...A..1...]...#.
000001B0: 00 00 06 3D 03 00 00 05 01 0D 00 57 00 61 00 6B ...=.......W.a.k
000001C0: 00 65 00 46 00 72 00 6F 00 6D 00 53 00 74 00 61 .e.F.r.o.m.S.t.a
000001D0: 00 74 00 65 00 02 0D 02 00 08 04 41 FF FF 3F 00 .t.e.......A..?.
000001E0: 00 00 5D 06 00 00 31 00 00 00 06 3D 03 00 00 05 ..]...1....=....
000001F0: 01 14 00 50 00 72 00 6F 00 67 00 72 00 61 00 6D ...P.r.o.g.r.a.m
00000200: 00 6D 00 65 00 64 00 57 00 61 00 6B 00 65 00 54 .m.e.d.W.a.k.e.T
00000210: 00 69 00 6D 00 65 00 41 00 63 00 02 0D 03 00 11 .i.m.e.A.c......
00000220: 04 41 FF FF 3F 00 00 00 5D 06 00 00 31 00 00 00 .A..?...]...1...
00000230: 06 3D 03 00 00 05 01 14 00 50 00 72 00 6F 00 67 .=.......P.r.o.g
00000240: 00 72 00 61 00 6D 00 6D 00 65 00 64 00 57 00 61 .r.a.m.m.e.d.W.a
00000250: 00 6B 00 65 00 54 00 69 00 6D 00 65 00 44 00 63 .k.e.T.i.m.e.D.c
00000260: 00 02 0D 04 00 11 04 41 FF FF 3D 00 00 00 5D 06 .......A..=...].
00000270: 00 00 2F 00 00 00 06 3D 03 00 00 05 01 13 00 57 ../....=.......W
00000280: 00 61 00 6B 00 65 00 52 00 65 00 71 00 75 00 65 .a.k.e.R.e.q.u.e
00000290: 00 73 00 74 00 65 00 72 00 54 00 79 00 70 00 65 .s.t.e.r.T.y.p.e
000002A0: 00 41 00 63 00 02 0D 05 00 08 04 41 FF FF 3D 00 .A.c.......A..=.
000002B0: 00 00 5D 06 00 00 2F 00 00 00 06 3D 03 00 00 05 ..].../....=....
000002C0: 01 13 00 57 00 61 00 6B 00 65 00 52 00 65 00 71 ...W.a.k.e.R.e.q
000002D0: 00 75 00 65 00 73 00 74 00 65 00 72 00 54 00 79 .u.e.s.t.e.r.T.y
000002E0: 00 70 00 65 00 44 00 63 00 02 0D 06 00 08 04 04 .p.e.D.c........
000002F0: 00 07 00 00 00 04 00 08 00 04 00 08 00 04 00 08 ................
00000300: 00 08 00 11 00 08 00 11 00 04 00 08 00 04 00 08 ................
00000310: 00 04 00 00 00 04 00 00 00 04 00 00 00 00 61 C0 ..............a.
00000320: 35 BD 4B D5 01 00 00 00 00 00 00 00 00 02 00 00 5.K.............
00000330: 00 00 00 00 00 00 00 00 2A 2A 00 00 40 03 00 00 ........**..@...
record(absolute_offset=672136)
Traceback (most recent call last):
File "evtx_record_structure.py", line 106, in <module>
main()
File "evtx_record_structure.py", line 101, in main
print(describe_root(record, record.root(), suppress_values=args.suppress_values))
File "evtx_record_structure.py", line 79, in describe_root
ret += rec(root, indent=indent)
File "evtx_record_structure.py", line 74, in rec
ret += "%s\n" % (format_node(sub, indent=indent + 2))
File "evtx_record_structure.py", line 41, in format_node
ret += describe_root(record, n._root, indent=indent + 1)
File "evtx_record_structure.py", line 79, in describe_root
ret += rec(root, indent=indent)
File "evtx_record_structure.py", line 74, in rec
ret += "%s\n" % (format_node(sub, indent=indent + 2))
File "evtx_record_structure.py", line 38, in format_node
ret += " --> %s" % (n.string())
File "C:\Users\Jay Sasportas\AppData\Roaming\Python\Python38\site-packages\Evtx\Nodes.py", line 1401, in string
return self.filetime().isoformat(' ')
File "C:\Users\Jay Sasportas\AppData\Roaming\Python\Python38\site-packages\Evtx\BinaryParser.py", line 205, in no_length_handler
return f(offset)
File "C:\Users\Jay Sasportas\AppData\Roaming\Python\Python38\site-packages\Evtx\BinaryParser.py", line 518, in unpack_filetime
return parse_filetime(self.unpack_qword(offset))
File "C:\Users\Jay Sasportas\AppData\Roaming\Python\Python38\site-packages\Evtx\BinaryParser.py", line 109, in parse_filetime
return datetime.utcfromtimestamp(float(qword) * 1e-7 - 11644473600)
OSError: [Errno 22] Invalid argument
jsaspo commented
I now see that Issue #69 was recently closed with this same log, event ID, and error. Was there a fix?
williballenthin commented
the reporter closed the issue without any further information. im not aware of any fix.
interesting that its the same log/id/error. i'm not able to provide too much support for this parser these days, but perhaps i can take a peek and attempt a fix if its obvious.
williballenthin commented
taking a hint from this post, i've found that Python on Windows handles dates differently than on Linux (i guess thats probably not a surprise to anyone). specifically, a "zero date" (like the 1601-01... one you show above) cannot be represented correctly:
I'll update the date parsing code to better handle this case on Windows
williballenthin commented
jsaspo commented
Thank you for the quick response. The code in master worked great! No issue, buzzed through the entire System.evtx.
I should have looked into this further. I used pip install initially and didn't realize the versions are different. I'm a little green on Git/PyPi.
Awesome, thanks again.
jsaspo commented
Closing as it appears this is resolved in master.