Mark Woan

7 comments by Mark Woan

The fix by pakoArtal works for me when using the format of "d/m/Y h:i".

Well, the "normal" way of including the flags is when the ExecQuery method is called, e.g. Set colNTLogEvents = objSWbemSvc.ExecQuery ("SELECT * FROM Win32_NTLogEvent", , wbemFlagReturnImmediately + wbemFlagForwardOnly) Here are...

Try the "--debug" parameter, see if that provides any extra detail? Are you using a pre-compiled version or the Python code directly?

Are you running this against live registry files? Rather than ones copied out/extracted from a forensic image?

OK. Can you just copy out the actual hives e.g. SYSTEM, SOFTWARE, NTUSER etc into another directory, then re-run against that directory, using the debug parameter? If it still comes...

@EugeneSam You are redirecting the output to a file? You need to run the script against some registry hives?

@pcstopper18 Did you ever get it to work? It might be best to run the script rather than the compiled exe?