
Windows Event Log message strings support enhancements

Open joachimmetz opened this issue 3 years ago • 3 comments

Continuation of https://github.com/log2timeline/plaso/issues/4169

  • [x] Add support for resource files stored as:
    • relative path "system32..."
    • as "$(runtime.system32)" or "$(runtime.windows)"
    • https://github.com/log2timeline/plaso/pull/4773
  • [x] Add support for WEVT_TEMPLATE .mun files (PE/COFF) under C:\Windows\SystemResources\
    • https://github.com/log2timeline/plaso/pull/4774
  • [x] Look into missing message strings (see https://github.com/log2timeline/plaso/issues/163#issuecomment-1191273147)
    • ~~improve WEVT_TEMPLATE support and MUI file lookup - https://github.com/log2timeline/plaso/pull/4194~~
    • ~~normalize path when looking up message file paths in winevt_rc, use environment variables - https://github.com/log2timeline/plaso/pull/4198~~
    • Replacement index # out of range for positional args tuple - https://github.com/log2timeline/plaso/issues/4259#issuecomment-1872978723
    • No message string for message: 0xffffffff - https://github.com/log2timeline/plaso/issues/4259#issuecomment-1872974919
  • [x] Add parameter expansion support
    • observed fallback to event message file - https://github.com/log2timeline/plaso/pull/4776
    • observed fallback to MsObjs.dll and kernel32.dll (Windows 10) - https://github.com/log2timeline/plaso/pull/4777
  • [ ] Allow a more specific language in a PE/COFF message table resource to fall back on a less specific language, e.g. "en-US" to fall back to "en"
    • is this something more common on older versions of Windows (XP and earlier)?
  • [ ] clean up: winevt_rc: raise if open fails instead of return false

joachimmetz, Sep 23 '22 03:09

2023-12-31 15:07:02,439 [WARNING] (MainProcess) PID:109203 <winevt_rc> No message string for message: 0xffffffff (0x00000069) of provider: {315a8872-923e-4ea2-9889-33cd4754bf64}
evtxexport 20231121

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Immersive-Shell" Guid="{315A8872-923E-4EA2-9889-33CD4754BF64}"/>
    <EventID>105</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>104</Task>
    <Opcode>0</Opcode>
    <Keywords>0x4000000000000000</Keywords>
    <TimeCreated SystemTime="2020-12-11T19:11:58.243969300Z"/>
    <EventRecordID>1</EventRecordID>
    <Correlation/>
    <Execution ProcessID="2132" ThreadID="5152"/>
    <Channel>Microsoft-Windows-TWinUI/Operational</Channel>
    <Computer>DESKTOP-SSPQK1B</Computer>
    <Security UserID="S-1-5-21-539969222-1187471189-2727535519-1000"/>
  </System>
  <EventData/>
</Event>
            <provider
                guid="{315A8872-923E-4EA2-9889-33CD4754BF64}">
                <events>
                    ...
                    <event
                        value="105"
                        version="0"
                        message="$(string.MessageTable.0xffffffff)">
                    </event>

Spot check with EventViewer indicates that this is an unresolvable message string.

joachimmetz, Dec 31 '23 15:12

2023-12-31 15:07:05,933 [ERROR] (MainProcess) PID:109203 <winevt>
Unable to format message: 0x0000f2c0
of provider: {30336ed4-e327-447c-9de0-51b652c86108}
template: "Updating install state of package {0:s} to '{1:s}' with HRESULT {2:s}."
and strings: "MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy, Completed"
with error: Replacement index 2 out of range for positional args tuple
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Shell-Core" Guid="{30336ED4-E327-447C-9DE0-51B652C86108}"/>
    <EventID>62144</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>62132</Task>
    <Opcode>0</Opcode>
    <Keywords>0x2000000000010000</Keywords>
    <TimeCreated SystemTime="2020-12-11T19:09:14.808226700Z"/>
    <EventRecordID>19</EventRecordID>
    <Correlation/>
    <Execution ProcessID="3620" ThreadID="4576"/>
    <Channel>Microsoft-Windows-Shell-Core/Operational</Channel>
    <Computer>DESKTOP-SSPQK1B</Computer>
    <Security UserID="S-1-5-21-539969222-1187471189-2727535519-1000"/>
  </System>
  <EventData>
    <Data Name="PackageFamilyName">MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy</Data>
    <Data Name="InstallState">Completed</Data>
    <Data Name="ErrorCode">0</Data>
  </EventData>
</Event>
                    <event
                        value="62144"
                        version="0"
                        template="{00203874-A3F5-556D-4C97-825EF9FA2AA5}"
                        message="$(string.MessageTable.0xb000f2c0)">
                    </event>
                    ...
                    <template tid="{00203874-A3F5-556D-4C97-825EF9FA2AA5}">
                        <data
                            name="PackageFamilyName"
                            inType="win:UnicodeString"
                            outType="xs:string">
                        </data>
                        <data
                            name="InstallState"
                            inType="win:UnicodeString"
                            outType="xs:string">
                        </data>
                        <data
                            name="ErrorCode"
                            inType="win:UInt32"
                            outType="xs:unsignedInt">
                        </data>
                    </template>

Spot check with EventViewer indicates that this should be format-able:

Updating install state of package MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy to 'Completed' with HRESULT 0.

These appear to be recovered records where the 3rd string is not included:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Shell-Core" Guid="{30336ED4-E327-447C-9DE0-51B652C86108}"/>
    <EventID>62144</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>62132</Task>
    <Opcode>0</Opcode>
    <Keywords>0x2000000000010000</Keywords>
    <TimeCreated SystemTime="2020-12-11T19:12:04.250958100Z"/>
    <EventRecordID>476</EventRecordID>
    <Correlation/>
    <Execution ProcessID="3620" ThreadID="5100"/>
    <Channel>Microsoft-Windows-Shell-Core/Operational</Channel>
    <Computer>DESKTOP-SSPQK1B</Computer>
    <Security UserID="S-1-5-21-539969222-1187471189-2727535519-1001"/>
  </System>
  <EventData>
    <Data Name="LogonType">MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy</Data>
    <Data Name="TaskName">Completed</Data>
  </EventData>
</Event>

joachimmetz, Dec 31 '23 15:12

Interesting edge case

5.1.11548.0

0x4008003d | %2: Ecn RP attributes (2) for port %3:%n\r\nEcnRpgMinRate = %4%n\r\nEcnMaxTimeRise = %5%n\r\nEcnMaxByteRise = %6%n\r\nEcnAlphaToRateCoeff = %7%n\r\nEcnMarkedRatioMultiplier = %8%n\r\nEcnMarkedRatioShift = %9%n\r\nEcnRateToSetOnFirstCnp = %10%n\r\nEcnDceTcpG = %11%n\r\nEcnDceTcpRtt = %12%n\r\nEcnDceTcpRttDelay = %13%n\r\nEcnInitialAlphaValue = %14%n\r\nEcnSupportIBStandardCnp = %15%n\r\nEcnCoalesceCnpInRp = %16%n\r\n

EcnRpgMinRate = %4

5.50.14643.0

0x4008003d | %2: Ecn RP attributes (2) for port %3 (%4):%n\r\nEcnRpgMinRate = %5%n\r\nEcnMaxTimeRise = %6%n\r\nEcnMaxByteRise = %7%n\r\nEcnAlphaToRateCoeff = %8%n\r\nEcnMarkedRatioMultiplier = %9%n\r\nEcnMarkedRatioShift = %10%n\r\nEcnRateToSetOnFirstCnp = %11%n\r\nEcnDceTcpG = %12%n\r\nEcnDceTcpRtt = %13%n\r\nEcnDceTcpRttDelay = %14%n\r\nEcnInitialAlphaValue = %15%n\r\nEcnSupportIBStandardCnp = %16%n\r\nEcnCoalesceCnpInRp = %17%n\r\nEcnBurstSize = %18%n\r\nEcnPriorityEnable = %19%n\r\n

EcnRpgMinRate = %5

joachimmetz, Jan 07 '24 08:01
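One way to handle both the short recovered record from the second comment (template needs 3 strings, record carries 2) and the version-specific insert numbering from the third comment, as an added example that is not plaso's own code: it rewrites Windows `%N` inserts as Python format fields and pads absent strings with a marker instead of raising "Replacement index out of range". The function names and the `<missing>` marker are my own assumptions.

```python
import re

# Added example, not plaso's winevt_rc code: convert a Windows message table
# string with %1..%N inserts into a Python format template and fill it,
# tolerating records that carry fewer strings than the template references.

_INSERT_RE = re.compile(r'%(\d{1,2})')


def message_to_template(message_string):
    """Convert 1-based %N inserts to 0-based {i:s} fields.

    Returns (template, highest_insert) so a caller knows how many strings the
    template needs. Handles "%%" (literal percent), "%n" (line break), "%0"
    (suppress trailing newline, dropped here), the CR/LF pairs message
    compilers append after "%n", and literal braces in the message text.
    """
    text = message_string.replace('%%', '\x00')  # protect escaped percent
    text = text.replace('{', '{{').replace('}', '}}')
    text = text.replace('%n\r\n', '\n').replace('%n', '\n').replace('\r\n', '\n')

    highest = 0

    def _to_field(match):
        nonlocal highest
        index = int(match.group(1))
        if index == 0:
            return ''
        highest = max(highest, index)
        return '{%d:s}' % (index - 1)

    template = _INSERT_RE.sub(_to_field, text)
    return template.replace('\x00', '%'), highest


def format_message(message_string, strings, missing='<missing>'):
    """Format the message; pad absent inserts instead of raising IndexError."""
    template, needed = message_to_template(message_string)
    values = [str(value) for value in strings]
    values.extend([missing] * (needed - len(values)))
    return template.format(*values)
```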