event log: format of date and time

[tripleclick]

Hello, I'm new here. Just starting with a question re the event log of Windows 7:

In what format are date and time of logged events in .evtx files? How can I find and translate them when I look at the file content with a hex viewer? (File seems to be corrupt. Can't open it with the Windows event viewer.)

Thanks in advance!

 

[karlsnooks]

Hello, I'm new here. Just starting with a question re the event log of Windows 7:

In what format are date and time of logged events in .evtx files? How can I find and translate them when I look at the file content with a hex viewer? (File seems to be corrupt. Can't open it with the Windows event viewer.)

Thanks in advance!

Welcome to SevenForums.

Let Win 7 open your .evtx files. The default is Event Viewer.

The average user will be using Event Viewer to view the event logs.

True, with a healthy work in time, you can learn to use PowerShell to extract and parse event logs.

I use a powershell script to clear all of my event logs - not for the space savings but to make the job of separating the wheat from the chaff easier.

 

[tripleclick]

Thanks karlsnooks, PowerShell might be just a bit of an overkill for now. I just need to be able to find and read the dates and times at the moment. I can't open the corrupt file with Windows event viewer. (Will look into PowerShell when I have more time on my hands.)

 

[karlsnooks]

The easiest way is to simply with wndows exploer to open the file. The default is the event viwer snap in. The event viewer will show you data nd time.

 

[tripleclick]

Umm... thanks, but as I have written twice: the file is corrupt, thus I cannot open/view it with the event viewer. But I can look at the content with a hex viewer.

 

[karlsnooks]

I'm trying to understand.

You have an event viewer with which you can view events. Events are stored in Event Logs. If the Event Log is on a remote machine, then just export the log , bring the log to your machine and import the log.

Of course iindividual events can be exported, the details can be copied to a text file.

 

[tripleclick]

Thanks for your efforts. I only have a ***corrupt*** .evtx file with already exported events in it. I want to read those events. Because the file is corrupt I cannot view it with the Windows event viewer. When I look into the file with a usual txt editor I can see the ASCII part. But date and time does not seem to be in ASCII format. I therefore look into the file with a hex viewer but still I can't find and decipher dates and times of the events.

I hope you or somebody else understand(s) now. I am sorry if I am not able to describe the situation clear enough.

 

[tripleclick]

I would still appreciate any help from anybody. (I am sorry, if my question was not clear enough. I did my best. But I am open to counter questions.) Thanks in advance!

 

[Heretic]

Hey Tripple,

Having the same issue. Did you ever get a solution?

 

[tripleclick]

No, unfortunately not.