
Leverage EventMessageFile/CategoryMessageFile to parse EVTX message fields

Open · OlafHaalstra opened this issue 9 months ago · 1 comment

For some exotic EVTX records it would be very nice to have the "human readable" EVTX message available. The DLLs for translating event codes, fields and other properties to an understandable message are linked under: HKLM\SYSTEM\CurrentControlSet\Services\EventLog\<channel>\<provider>

Some examples:

[Image: screenshot of an EVTX record without a rendered message]

[Image: screenshot of an EVTX record without a rendered message]

Did you ever think about adding support for this?

I think there would be some hints available for this approach looking at resources like:

  • https://docs.velociraptor.app/docs/forensic/event_logs/#deriving-event-messages
  • https://github.com/libyal/libfwevt/blob/main/documentation/Windows%20Event%20manifest%20binary%20format.asciidoc
  • https://stackoverflow.com/questions/24122552/listing-message-ids-and-symbolic-names-stored-in-a-resource-only-library-dll-u
  • https://github.com/nsacyber/Windows-Event-Log-Messages/blob/master/welm/WelmLibrary/EventMessageFile.cs

OlafHaalstra, Mar 19 '25 09:03
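To make the mechanism in the request concrete, here is an added example (not code from the issue, from dissect.target or from dissect.eventlog) of the three steps a message renderer has to do: resolve the `EventMessageFile`/`ParameterMessageFile` values under `HKLM\SYSTEM\CurrentControlSet\Services\EventLog\<channel>\<provider>`, look the record's message id up in the DLL's `RT_MESSAGETABLE` resource, and expand the `%1`, `%n`, `%%NNNN` tokens of the template with the record's insertion strings. The registry contents, the DLL paths, the message texts and the message-table bytes are all constructed in-process (a real implementation would read the resource out of the PE file); the only Windows facts relied on are the `MESSAGE_RESOURCE_DATA` layout and that the table id is `Qualifiers << 16 | EventID`, both described in the Velociraptor and libfwevt links above.

```python
import re
import struct

# Constructed stand-in for the registry keys the issue refers to.
# Several DLLs may be listed, separated by ';', and paths use %SystemRoot%.
REGISTRY = {
    r"SYSTEM\CurrentControlSet\Services\EventLog\System\Service Control Manager": {
        "EventMessageFile": r"%SystemRoot%\System32\services.exe;%SystemRoot%\System32\netmsg.dll",
        "ParameterMessageFile": r"%SystemRoot%\System32\kernel32.dll",
    },
}


def message_files(channel, provider, value="EventMessageFile", system_root=r"C:\Windows"):
    """Return the expanded DLL paths listed for a channel/provider, in lookup order."""
    key = rf"SYSTEM\CurrentControlSet\Services\EventLog\{channel}\{provider}"
    raw = REGISTRY.get(key, {}).get(value)
    if raw is None:
        return []
    return [p.replace("%SystemRoot%", system_root) for p in raw.split(";") if p]


def message_id(event_id, qualifiers=0):
    """Message table id for an EVTX record: high word = Qualifiers, low word = EventID."""
    return ((qualifiers & 0xFFFF) << 16) | (event_id & 0xFFFF)


def build_message_table(messages):
    """Serialize {id: text} as MESSAGE_RESOURCE_DATA (constructed stand-in for RT_MESSAGETABLE)."""
    blocks = []  # runs of contiguous ids, each becomes one MESSAGE_RESOURCE_BLOCK
    for mid in sorted(messages):
        if blocks and blocks[-1][-1] == mid - 1:
            blocks[-1].append(mid)
        else:
            blocks.append([mid])
    header_len = 4 + 12 * len(blocks)  # NumberOfBlocks + (LowId, HighId, OffsetToEntries) per block
    block_hdrs, entries = b"", b""
    for block in blocks:
        block_hdrs += struct.pack("<III", block[0], block[-1], header_len + len(entries))
        for mid in block:
            text = messages[mid].encode("utf-16-le") + b"\x00\x00"
            length = 4 + len(text)            # MESSAGE_RESOURCE_ENTRY.Length covers its 4-byte header
            pad = (-length) % 4               # entries are 4-byte aligned
            entries += struct.pack("<HH", length + pad, 1) + text + b"\x00" * pad  # Flags=1: UTF-16
    return struct.pack("<I", len(blocks)) + block_hdrs + entries


def parse_message_table(data):
    """Parse MESSAGE_RESOURCE_DATA bytes back into {id: text}."""
    messages = {}
    (nblocks,) = struct.unpack_from("<I", data, 0)
    for i in range(nblocks):
        low, high, off = struct.unpack_from("<III", data, 4 + 12 * i)
        for mid in range(low, high + 1):
            length, flags = struct.unpack_from("<HH", data, off)
            raw = data[off + 4 : off + length]
            text = raw.decode("utf-16-le") if flags & 1 else raw.decode("cp1252")
            messages[mid] = text.rstrip("\x00")
            off += length
    return messages


# %%NNNN = parameter message ref | %N or %N!fmt! = insertion string | %n %t %r %0 %% = specials
_TOKEN = re.compile(r"%%(\d+)|%(\d+)(?:![^!]*!)?|%(n|t|r|0|%)")


def render(template, inserts, parameters=None):
    """Expand a message template with the record's insertion strings."""
    def expand(m):
        if m.group(1):                       # leave %%NNNN for the parameter pass below
            return m.group(0)
        if m.group(2):                       # 1-based insertion string index
            idx = int(m.group(2))
            return inserts[idx - 1] if 0 < idx <= len(inserts) else m.group(0)
        return {"n": "\r\n", "t": "\t", "r": "\r", "%": "%", "0": ""}[m.group(3)]

    text = _TOKEN.sub(expand, template)
    # Second pass: %%NNNN in the template *or inside an insert* is looked up in ParameterMessageFile
    params = parameters or {}
    return re.sub(r"%%(\d+)", lambda m: params.get(int(m.group(1)), m.group(0)), text)


def format_event(channel, provider, event_id, qualifiers, inserts, tables):
    """End-to-end: tables maps DLL path -> message table bytes (constructed instead of PE parsing)."""
    mid = message_id(event_id, qualifiers)
    for path in message_files(channel, provider):
        msgs = parse_message_table(tables.get(path, b"\x00\x00\x00\x00"))
        if mid in msgs:
            params = {}
            for ppath in message_files(channel, provider, "ParameterMessageFile"):
                params.update(parse_message_table(tables.get(ppath, b"\x00\x00\x00\x00")))
            return render(msgs[mid], inserts, params)
    return None  # no listed DLL carries this id: fall back to raw EventData


# Constructed tables: texts modelled loosely on SCM 7036/7035, ids 0x4000<<16 | 7036, 7037.
MESSAGES = {
    0x40001B7C: "The %1 service entered the %2 state.%n",
    0x40001B7D: "The %1 service was successfully sent a %2 control.%n",
}
PARAMETERS = {1: "stopped", 4: "running"}
TABLES = {
    r"C:\Windows\System32\services.exe": build_message_table(MESSAGES),
    r"C:\Windows\System32\kernel32.dll": build_message_table(PARAMETERS),
}

if __name__ == "__main__":
    print(format_event("System", "Service Control Manager", 7036, 0x4000, ["Windows Update", "%%4"], TABLES))
```

The two-pass `render` matters for the "exotic" records in the screenshots: providers frequently put a `%%NNNN` reference inside an insertion string rather than in the template, so parameter substitution has to run after the inserts are in place, and a `%%` that is not followed by digits still has to collapse to a literal percent sign.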

Yes, this has been a desired feature almost since the inception of dissect.target :) I think we've made a little bit of progress on parsing the template format in dissect.eventlog, but never put the two together.

The dissect.eventlog project is in a little bit of a sad state right now though, and will probably require an initial refactor to nicely add support for this.

Schamper, Mar 19 '25 11:03