FixEvt repairs corrupted Windows event logs.
FixEvt is a tool for automating the recovery and analysis of Windows NT5 (XP and 2003) event logs, primarily for computer forensics. It is described in the Journal of Digital Investigation article "Automated Windows event log forensics", presented at the Digital Forensics Research Workshop in August 2007, and is based in part on a manual method described by Stephen Bunting. The article covers forensic procedures and log analysis methods in the context of a case study that illustrates the motivation for the tool.
This tool was initially developed to meet the immediate needs of computer forensic engagements. It was developed to fill a gap in the capabilities of other freely available tools, so that large volumes of log events can be recovered and correlated, and thus used to enhance the search for correlations with various other kinds of Windows artifacts.
Automating recovery, repair, and correlation of multiple logs is intended to make these methods more feasible for consideration in both a wider range of cases and earlier phases of cases, and hopefully, in turn, standard procedures.
The paper examines issues that may be relevant to determinations regarding admissibility of the methods, including accuracy, error rates and scientific basis. In addition, the author is available for consultation and testimony regarding such issues.
Download FixEvt Version 1.12
Fixevt.exe is a native Windows console (command line) application for Windows 98, NT, 2K, XP, 2003, Vista and 7 that repairs a common form of corruption of Windows event logs that occurs when the event logging service stops without properly closing the log file.
Fixevt.exe requires no other files, and no installation. Simply download the executable and run it from the
command line as shown below. To see this documentation, invoke it with no command line arguments.
How FixEvt Works
Note that this utility directly modifies the log file. It does so for performance. If a corrupt log file must also be preserved unmodified, one may make a copy of the log and repair the copy.
FixEvt does not modify the log file except when the log's flag indicates that the log is 'dirty', in which case it searches for duplicate information, and if found, repairs the header.
This utility will repair multiple log files. The event log filenames are the only arguments.
FixEvt returns a numerical status code to the shell that indicates whether the resulting log is 'clean'.
- zero (0) indicates either that the log file was already 'clean' and did not need repair, or that FixEvt successfully repaired the log file.
- non-zero indicates FixEvt failed. FixEvt can fail when the specified log file does not exist, or the file needs repair but the up-to-date copy of the offsets cannot be found.
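The repair described above (check the header's 'dirty' flag, locate the duplicate copy of the offsets, and write it back into the header) can be illustrated with a small script. The following is an added example written for this page, not FixEvt's own code. It assumes the Microsoft-documented NT5 event log layout: a 48-byte header whose 'dirty' flag is bit 0x1, and a 40-byte "floating footer" (EOF record) marked by the constants 0x11111111, 0x22222222, 0x33333333, 0x44444444 that carries the current StartOffset, EndOffset, CurrentRecordNumber and OldestRecordNumber. The sample log bytes are constructed inline; the status messages and exit codes mirror the ones documented on this page.

```python
import struct
import sys

# NT5 .evt header (ELF_LOGFILE_HEADER), 48 bytes, little-endian
HEADER_FMT = "<I4s" + "I" * 10
HEADER_FIELDS = [
    "HeaderSize", "Signature", "MajorVersion", "MinorVersion",
    "StartOffset", "EndOffset", "CurrentRecordNumber", "OldestRecordNumber",
    "MaxSize", "Flags", "Retention", "EndHeaderSize",
]
HEADER_SIZE = 0x30
ELF_LOGFILE_HEADER_DIRTY = 0x0001
# Floating footer (ELF_EOF_RECORD): size, four marker DWORDs, four offsets, size
TRAILER_SIZE = 0x28
TRAILER_MAGIC = struct.pack("<5I", TRAILER_SIZE, 0x11111111, 0x22222222,
                            0x33333333, 0x44444444)


def parse_header(data: bytes) -> dict:
    """Unpack the fixed-size header into a field-name -> value dict."""
    return dict(zip(HEADER_FIELDS, struct.unpack_from(HEADER_FMT, data, 0)))


def find_trailer(data: bytes):
    """Return (StartOffset, EndOffset, CurrentRecordNumber, OldestRecordNumber)
    from the floating footer, or None if no well-formed footer exists."""
    pos = data.find(TRAILER_MAGIC, HEADER_SIZE)
    while pos != -1:
        if pos + TRAILER_SIZE <= len(data):
            rec = struct.unpack_from("<10I", data, pos)
            if rec[9] == TRAILER_SIZE:          # trailing size field must match
                return rec[5:9]
        pos = data.find(TRAILER_MAGIC, pos + 1)
    return None


def repair(data: bytes):
    """Repair a log image in memory. Returns (bytes, status_code, message);
    status 0 means the log is clean (already, or after repair)."""
    if len(data) < HEADER_SIZE or data[4:8] != b"LfLe":
        return data, 1, "Not an NT5 event log"
    hdr = parse_header(data)
    if not hdr["Flags"] & ELF_LOGFILE_HEADER_DIRTY:
        return data, 0, "Repair not needed"
    trailer = find_trailer(data)
    if trailer is None:
        return data, 1, "No trailer found in"
    buf = bytearray(data)
    # StartOffset..OldestRecordNumber occupy header bytes 16..31; Flags is at 36
    struct.pack_into("<4I", buf, 16, *trailer)
    struct.pack_into("<I", buf, 36,
                     (hdr["Flags"] & ~ELF_LOGFILE_HEADER_DIRTY) & 0xFFFFFFFF)
    return bytes(buf), 0, "Repaired"


def build_sample_dirty_log() -> bytes:
    """Constructed sample: a dirty header with stale offsets (still pointing at
    the start of the data area), one placeholder record, and a current footer."""
    record = b"\x00" * 64                       # stand-in for one event record
    end = HEADER_SIZE + len(record)
    trailer = struct.pack("<10I", TRAILER_SIZE, 0x11111111, 0x22222222,
                          0x33333333, 0x44444444, HEADER_SIZE, end, 2, 1,
                          TRAILER_SIZE)
    header = struct.pack(HEADER_FMT, HEADER_SIZE, b"LfLe", 1, 1,
                         HEADER_SIZE, HEADER_SIZE, 1, 1, 0x80000,
                         ELF_LOGFILE_HEADER_DIRTY, 0, HEADER_SIZE)
    return header + record + trailer


def repair_file(path: str) -> int:
    """Repair one log file in place (copy it first if the original must be
    preserved) and return a shell-style status code."""
    try:
        with open(path, "rb") as f:
            data = f.read()
    except OSError:
        print(f"Cannot open: {path}")
        return 1
    fixed, status, msg = repair(data)
    print(f"{msg}: {path}")
    if status == 0 and fixed != data:
        with open(path, "wb") as f:
            f.write(fixed)
    return status


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("usage: fixevt SysEvent.evt")
        sys.exit(1)
    sys.exit(max(repair_file(p) for p in sys.argv[1:]))
```

Running `repair` on the constructed sample returns status 0 and a header whose EndOffset and CurrentRecordNumber now match the footer, with the dirty flag cleared; running it again returns "Repair not needed". Truncating the sample so the footer is gone reproduces the "No trailer found" failure, which is why a non-zero status is reported rather than guessing at offsets: an intact footer is the only copy of the up-to-date values.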
To repair all of the log files in a given directory, they may be specified by a wild-card argument on the command line:
% fixevt *.evt
To see a copy of this documentation, run FixEvt with no arguments:
% fixevt
FixEvt writes error and status messages to standard output as follows.
usage: fixevt SysEvent.evt
The message above means that there was more or less than one argument on the command line.
...all of this documentation....
Repair not needed: SysEvent.evt
The message above means that the flag in the header showed that the log was already 'clean' and did not need repair.
No trailer found in: SysEvent.evt
The message above means that the search for the up-to-date copy of the offsets failed, so the header could not be repaired.
The message above means that the header was successfully repaired.