Windows 7 - event log: format of date and time

tripleclick · 07-24-2011

Hello, I'm new here. Just starting with a question re the event log of Windows 7:

In what format are date and time of logged events in .evtx files? How can I find and translate them when I look at the file content with a hex viewer? (File seems to be corrupt. Can't open it with the Windows event viewer.)

Thanks in advance!

karlsnooks · 07-24-2011

Quote: Originally Posted by tripleclick

Hello, I'm new here. Just starting with a question re the event log of Windows 7:

In what format are date and time of logged events in .evtx files? How can I find and translate them when I look at the file content with a hex viewer? (File seems to be corrupt. Can't open it with the Windows event viewer.)

Thanks in advance!

Welcome to SevenForums.

Let Win 7 open your .evtx files. The default is Event Viewer.

The average user will be using Event Viewer to view the event logs.

True, with a healthy work in time, you can learn to use PowerShell to extract and parse event logs.

I use a powershell script to clear all of my event logs - not for the space savings but to make the job of separating the wheat from the chaff easier.

tripleclick · 07-24-2011

Thanks karlsnooks, PowerShell might be just a bit of an overkill for now. I just need to be able to find and read the dates and times at the moment. I can't open the corrupt file with Windows event viewer. (Will look into PowerShell when I have more time on my hands.)

karlsnooks · 07-24-2011

The easiest way is to simply with wndows exploer to open the file. The default is the event viwer snap in. The event viewer will show you data nd time.

tripleclick · 07-24-2011

Umm... thanks, but as I have written twice: the file is corrupt, thus I cannot open/view it with the event viewer. But I can look at the content with a hex viewer.

karlsnooks · 07-24-2011

I'm trying to understand.

You have an event viewer with which you can view events. Events are stored in Event Logs. If the Event Log is on a remote machine, then just export the log , bring the log to your machine and import the log.

Of course iindividual events can be exported, the details can be copied to a text file.

tripleclick · 07-24-2011

Thanks for your efforts. I only have a ***corrupt*** .evtx file with already exported events in it. I want to read those events. Because the file is corrupt I cannot view it with the Windows event viewer. When I look into the file with a usual txt editor I can see the ASCII part. But date and time does not seem to be in ASCII format. I therefore look into the file with a hex viewer but still I can't find and decipher dates and times of the events.

I hope you or somebody else understand(s) now. I am sorry if I am not able to describe the situation clear enough.

tripleclick · 07-27-2011

I would still appreciate any help from anybody. (I am sorry, if my question was not clear enough. I did my best. But I am open to counter questions.) Thanks in advance!

Heretic · 10-02-2011

Hey Tripple,

Having the same issue. Did you ever get a solution?

tripleclick · 10-03-2011

No, unfortunately not.

Windows 7 - event log: format of date and time

event log: format of date and time problems?