FixEvt repairs corrupted Windows event logs.

FixEvt is a tool for automating the recovery and analysis of Windows NT5 (XP and 2003) event logs, primarily for computer forensics. It is described in the Journal of Digital Investigation article "Automated Windows event log forensics", presented at the Digital Forensics Research Workshop in August 2007. It is based in part on a manual method described by Stephen Bunting. The article discusses forensic procedures and log analysis methods in the context of a case study that illustrates the motivation for the tool.

This tool was initially developed to meet the immediate needs of computer forensic engagements. It was developed to fill a gap between the capabilities of other freely available tools that can be used to recover and correlate large volumes of log events, and thus to enhance the search for correlations with various other kinds of Windows artifacts.

Automating recovery, repair, and correlation of multiple logs is intended to make these methods more feasible to consider in a wider range of cases and in earlier phases of cases and, hopefully, in turn, in standard procedures.

The paper examines issues that may be relevant to determinations regarding admissibility of the methods, including accuracy, error rates and scientific basis. In addition, the author is available for consultation and testimony regarding such issues.

Download FixEvt Version 1.12

Fixevt.exe is a native Windows console (command line) application for Windows 98, NT, 2K, XP, 2003, Vista and 7 that repairs a common form of corruption of Windows event logs that occurs when the event logging service stops without properly closing the log file.

Fixevt.exe requires no other files, and no installation. Simply download the executable and run it from the command line as shown below. To see this documentation, invoke it with no command line arguments.

How FixEvt Works

Note that this utility directly modifies the log file. It does so for performance. If a corrupt log file must also be preserved unmodified, one may make a copy of the log and repair the copy.

FixEvt does not modify the log file except when the log's flag indicates that the log is 'dirty', in which case it searches for duplicate information, and if found, repairs the header.

This utility will repair multiple log files. The event log filenames are the only arguments.

FixEvt returns a numerical status code to the shell that indicates whether the resulting log is 'clean'.

  • zero (0) indicates either that the log file was already 'clean' and did not need repair, or that FixEvt successfully repaired the log file.
  • non-zero indicates FixEvt failed. FixEvt can fail when the specified log file does not exist, or when the file needs repair but the up-to-date copy of the offsets cannot be found.
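
A read-only check for the two conditions described above (is the header flagged 'dirty', and does a trailer holding the up-to-date offsets exist), as an added example that is not FixEvt's own code. The field layout comes from Microsoft's documented ELF_LOGFILE_HEADER and ELF_EOF_RECORD structures rather than from this page; `triage`, `sample_log`, the status strings and the sample bytes are constructed for illustration.

```python
import struct

HEADER = struct.Struct("<12I")    # ELF_LOGFILE_HEADER: 48 bytes, little-endian
TRAILER = struct.Struct("<10I")   # ELF_EOF_RECORD: 40 bytes
SIGNATURE = 0x654C664C            # "LfLe"
DIRTY = 0x0001                    # ELF_LOGFILE_HEADER_DIRTY
MARKERS = (0x28, 0x11111111, 0x22222222, 0x33333333, 0x44444444)
MAGIC = struct.pack("<5I", *MARKERS)   # fixed first 20 bytes of a trailer
FIELDS = ("start", "end", "current", "oldest")

def triage(data):
    """Classify an .evt image read-only; never writes to the log."""
    if len(data) < HEADER.size:
        return {"status": "not-evt"}
    h = HEADER.unpack_from(data, 0)
    if h[0] != 0x30 or h[1] != SIGNATURE or h[11] != 0x30:
        return {"status": "not-evt"}
    result = {"header": dict(zip(FIELDS, h[4:8]))}
    if not h[9] & DIRTY:
        return dict(result, status="clean")            # nothing to repair
    # Assumption: take the complete trailer nearest the end of the file.
    pos = data.rfind(MAGIC)
    while pos != -1:
        if pos + TRAILER.size <= len(data):
            t = TRAILER.unpack_from(data, pos)
            if t[9] == 0x28:                           # closing size field matches
                return dict(result, status="dirty-trailer-found",
                            trailer=dict(zip(FIELDS, t[5:9])), trailer_offset=pos)
        pos = data.rfind(MAGIC, 0, pos)                # truncated hit: look earlier
    return dict(result, status="dirty-no-trailer")     # header cannot be rebuilt

def sample_log(flags, with_trailer):
    """Constructed test image: stale header, 8 filler bytes, optional trailer."""
    header = HEADER.pack(0x30, SIGNATURE, 1, 1, 0x30, 0x30, 1, 0, 0x10000, flags, 0, 0x30)
    trailer = TRAILER.pack(*MARKERS, 0x30, 0x38, 5, 1, 0x28)
    return header + b"\x00" * 8 + (trailer if with_trailer else b"")

if __name__ == "__main__":
    for name, img in [("dirty", sample_log(DIRTY, True)),
                      ("clean", sample_log(0, True)),
                      ("truncated", sample_log(DIRTY, False))]:
        print(name, triage(img))
```

The "header" and "trailer" values in the result show how far the stale header offsets have drifted from the trailer's copy.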

Using FixEvt

To repair all of the log files in a given directory, they may be specified by a wild-card argument on the command line:

% fixevt *.evt

To see a copy of this documentation, run FixEvt with no arguments:

% fixevt

Error Messages

FixEvt writes error and status messages to standard output as follows.

usage: fixevt SysEvent.evt
...all of this documentation....
The message above means that there was more or less than one argument on the command line.

Repair not needed: SysEvent.evt
The message above means that the flag in the header showed that the log was already 'clean' and did not need repair.

No trailer found in: SysEvent.evt
The message above means that the search for the up-to-date copy of the offsets failed, so the header could not be repaired.

Repaired: SysEvent.evt
The message above means that the header was successfully repaired.

Copyright © 2007 Carey Richard Murphey. All Rights Reserved.