Showing preview only (2,366K chars total). Download the full file or copy to clipboard to get everything.
Repository: libyal/libevtx
Branch: main
Commit: e70e035a00a5
Files: 333
Total size: 2.2 MB
Directory structure:
gitextract_30yz1f74/
├── .codecov.yml
├── .github/
│ └── workflows/
│ ├── build.yml
│ ├── build_freebsd.yml
│ ├── build_macos.yml
│ ├── build_ossfuzz.yml
│ ├── build_shared.yml
│ └── build_wheel.yml
├── .gitignore
├── AUTHORS
├── COPYING
├── COPYING.LESSER
├── ChangeLog
├── Makefile.am
├── NEWS
├── README
├── acinclude.m4
├── appveyor.yml
├── autogen.ps1
├── autogen.sh
├── build.ps1
├── common/
│ ├── Makefile.am
│ ├── byte_stream.h
│ ├── common.h
│ ├── config_borlandc.h
│ ├── config_msc.h
│ ├── config_winapi.h
│ ├── file_stream.h
│ ├── memory.h
│ ├── narrow_string.h
│ ├── system_string.h
│ ├── types.h.in
│ └── wide_string.h
├── configure.ac
├── documentation/
│ └── Windows XML Event Log (EVTX).asciidoc
├── dpkg/
│ ├── changelog.in
│ ├── compat
│ ├── control
│ ├── copyright
│ ├── libevtx-dev.install
│ ├── libevtx-python3.install
│ ├── libevtx-tools.install
│ ├── libevtx.install
│ ├── rules
│ └── source/
│ └── format
├── dtfabric.yaml
├── evtxtools/
│ ├── Makefile.am
│ ├── evtxexport.c
│ ├── evtxinfo.c
│ ├── evtxinput.c
│ ├── evtxinput.h
│ ├── evtxtools_getopt.c
│ ├── evtxtools_getopt.h
│ ├── evtxtools_i18n.h
│ ├── evtxtools_libbfio.h
│ ├── evtxtools_libcdirectory.h
│ ├── evtxtools_libcerror.h
│ ├── evtxtools_libclocale.h
│ ├── evtxtools_libcnotify.h
│ ├── evtxtools_libcpath.h
│ ├── evtxtools_libcsplit.h
│ ├── evtxtools_libevtx.h
│ ├── evtxtools_libexe.h
│ ├── evtxtools_libfcache.h
│ ├── evtxtools_libfdatetime.h
│ ├── evtxtools_libfguid.h
│ ├── evtxtools_libfvalue.h
│ ├── evtxtools_libfwevt.h
│ ├── evtxtools_libfwnt.h
│ ├── evtxtools_libregf.h
│ ├── evtxtools_libuna.h
│ ├── evtxtools_libwrc.h
│ ├── evtxtools_output.c
│ ├── evtxtools_output.h
│ ├── evtxtools_signal.c
│ ├── evtxtools_signal.h
│ ├── evtxtools_system_split_string.h
│ ├── evtxtools_unused.h
│ ├── evtxtools_wide_string.c
│ ├── evtxtools_wide_string.h
│ ├── export_handle.c
│ ├── export_handle.h
│ ├── info_handle.c
│ ├── info_handle.h
│ ├── log_handle.c
│ ├── log_handle.h
│ ├── message_handle.c
│ ├── message_handle.h
│ ├── message_string.c
│ ├── message_string.h
│ ├── path_handle.c
│ ├── path_handle.h
│ ├── registry_file.c
│ ├── registry_file.h
│ ├── resource_file.c
│ └── resource_file.h
├── include/
│ ├── Makefile.am
│ ├── libevtx/
│ │ ├── codepage.h
│ │ ├── definitions.h.in
│ │ ├── error.h
│ │ ├── extern.h
│ │ ├── features.h.in
│ │ └── types.h.in
│ └── libevtx.h.in
├── libevtx/
│ ├── Makefile.am
│ ├── evtx_chunk.h
│ ├── evtx_event_record.h
│ ├── evtx_file_header.h
│ ├── libevtx.c
│ ├── libevtx.rc.in
│ ├── libevtx_byte_stream.c
│ ├── libevtx_byte_stream.h
│ ├── libevtx_checksum.c
│ ├── libevtx_checksum.h
│ ├── libevtx_chunk.c
│ ├── libevtx_chunk.h
│ ├── libevtx_chunks_table.c
│ ├── libevtx_chunks_table.h
│ ├── libevtx_codepage.c
│ ├── libevtx_codepage.h
│ ├── libevtx_debug.c
│ ├── libevtx_debug.h
│ ├── libevtx_definitions.h.in
│ ├── libevtx_error.c
│ ├── libevtx_error.h
│ ├── libevtx_extern.h
│ ├── libevtx_file.c
│ ├── libevtx_file.h
│ ├── libevtx_i18n.c
│ ├── libevtx_i18n.h
│ ├── libevtx_io_handle.c
│ ├── libevtx_io_handle.h
│ ├── libevtx_libbfio.h
│ ├── libevtx_libcdata.h
│ ├── libevtx_libcerror.h
│ ├── libevtx_libclocale.h
│ ├── libevtx_libcnotify.h
│ ├── libevtx_libfcache.h
│ ├── libevtx_libfdata.h
│ ├── libevtx_libfdatetime.h
│ ├── libevtx_libfguid.h
│ ├── libevtx_libfwevt.h
│ ├── libevtx_libuna.h
│ ├── libevtx_notify.c
│ ├── libevtx_notify.h
│ ├── libevtx_record.c
│ ├── libevtx_record.h
│ ├── libevtx_record_values.c
│ ├── libevtx_record_values.h
│ ├── libevtx_support.c
│ ├── libevtx_support.h
│ ├── libevtx_template_definition.c
│ ├── libevtx_template_definition.h
│ ├── libevtx_types.h
│ └── libevtx_unused.h
├── libevtx.ini
├── libevtx.pc.in
├── libevtx.spec.in
├── m4/
│ ├── common.m4
│ ├── libbfio.m4
│ ├── libcdata.m4
│ ├── libcdirectory.m4
│ ├── libcerror.m4
│ ├── libcfile.m4
│ ├── libclocale.m4
│ ├── libcnotify.m4
│ ├── libcpath.m4
│ ├── libcsplit.m4
│ ├── libcthreads.m4
│ ├── libexe.m4
│ ├── libfcache.m4
│ ├── libfdata.m4
│ ├── libfdatetime.m4
│ ├── libfguid.m4
│ ├── libfvalue.m4
│ ├── libfwevt.m4
│ ├── libfwnt.m4
│ ├── libregf.m4
│ ├── libuna.m4
│ ├── libwrc.m4
│ ├── pthread.m4
│ ├── python.m4
│ ├── tests.m4
│ └── types.m4
├── manuals/
│ ├── Makefile.am
│ ├── evtxexport.1
│ ├── evtxinfo.1
│ └── libevtx.3
├── msvscpp/
│ ├── Makefile.am
│ ├── evtx_test_chunk/
│ │ └── evtx_test_chunk.vcproj
│ ├── evtx_test_chunks_table/
│ │ └── evtx_test_chunks_table.vcproj
│ ├── evtx_test_error/
│ │ └── evtx_test_error.vcproj
│ ├── evtx_test_file/
│ │ └── evtx_test_file.vcproj
│ ├── evtx_test_io_handle/
│ │ └── evtx_test_io_handle.vcproj
│ ├── evtx_test_notify/
│ │ └── evtx_test_notify.vcproj
│ ├── evtx_test_record/
│ │ └── evtx_test_record.vcproj
│ ├── evtx_test_record_values/
│ │ └── evtx_test_record_values.vcproj
│ ├── evtx_test_support/
│ │ └── evtx_test_support.vcproj
│ ├── evtx_test_template_definition/
│ │ └── evtx_test_template_definition.vcproj
│ ├── evtx_test_tools_info_handle/
│ │ └── evtx_test_tools_info_handle.vcproj
│ ├── evtx_test_tools_message_handle/
│ │ └── evtx_test_tools_message_handle.vcproj
│ ├── evtx_test_tools_message_string/
│ │ └── evtx_test_tools_message_string.vcproj
│ ├── evtx_test_tools_output/
│ │ └── evtx_test_tools_output.vcproj
│ ├── evtx_test_tools_path_handle/
│ │ └── evtx_test_tools_path_handle.vcproj
│ ├── evtx_test_tools_registry_file/
│ │ └── evtx_test_tools_registry_file.vcproj
│ ├── evtx_test_tools_resource_file/
│ │ └── evtx_test_tools_resource_file.vcproj
│ ├── evtx_test_tools_signal/
│ │ └── evtx_test_tools_signal.vcproj
│ ├── evtxexport/
│ │ └── evtxexport.vcproj
│ ├── evtxinfo/
│ │ └── evtxinfo.vcproj
│ ├── libbfio/
│ │ └── libbfio.vcproj
│ ├── libcdata/
│ │ └── libcdata.vcproj
│ ├── libcdirectory/
│ │ └── libcdirectory.vcproj
│ ├── libcerror/
│ │ └── libcerror.vcproj
│ ├── libcfile/
│ │ └── libcfile.vcproj
│ ├── libclocale/
│ │ └── libclocale.vcproj
│ ├── libcnotify/
│ │ └── libcnotify.vcproj
│ ├── libcpath/
│ │ └── libcpath.vcproj
│ ├── libcsplit/
│ │ └── libcsplit.vcproj
│ ├── libcthreads/
│ │ └── libcthreads.vcproj
│ ├── libevtx/
│ │ └── libevtx.vcproj
│ ├── libevtx.sln
│ ├── libexe/
│ │ └── libexe.vcproj
│ ├── libfcache/
│ │ └── libfcache.vcproj
│ ├── libfdata/
│ │ └── libfdata.vcproj
│ ├── libfdatetime/
│ │ └── libfdatetime.vcproj
│ ├── libfguid/
│ │ └── libfguid.vcproj
│ ├── libfvalue/
│ │ └── libfvalue.vcproj
│ ├── libfwevt/
│ │ └── libfwevt.vcproj
│ ├── libfwnt/
│ │ └── libfwnt.vcproj
│ ├── libregf/
│ │ └── libregf.vcproj
│ ├── libuna/
│ │ └── libuna.vcproj
│ ├── libwrc/
│ │ └── libwrc.vcproj
│ └── pyevtx/
│ └── pyevtx.vcproj
├── ossfuzz/
│ ├── Makefile.am
│ ├── file_fuzzer.cc
│ ├── ossfuzz_libbfio.h
│ ├── ossfuzz_libevtx.h
│ └── record_fuzzer.cc
├── po/
│ ├── ChangeLog
│ ├── Makevars.in
│ └── POTFILES.in
├── pyevtx/
│ ├── Makefile.am
│ ├── pyevtx.c
│ ├── pyevtx.h
│ ├── pyevtx_codepage.c
│ ├── pyevtx_codepage.h
│ ├── pyevtx_datetime.c
│ ├── pyevtx_datetime.h
│ ├── pyevtx_error.c
│ ├── pyevtx_error.h
│ ├── pyevtx_event_levels.c
│ ├── pyevtx_event_levels.h
│ ├── pyevtx_file.c
│ ├── pyevtx_file.h
│ ├── pyevtx_file_flags.c
│ ├── pyevtx_file_flags.h
│ ├── pyevtx_file_object_io_handle.c
│ ├── pyevtx_file_object_io_handle.h
│ ├── pyevtx_integer.c
│ ├── pyevtx_integer.h
│ ├── pyevtx_libbfio.h
│ ├── pyevtx_libcerror.h
│ ├── pyevtx_libclocale.h
│ ├── pyevtx_libevtx.h
│ ├── pyevtx_libfwnt.h
│ ├── pyevtx_python.h
│ ├── pyevtx_record.c
│ ├── pyevtx_record.h
│ ├── pyevtx_records.c
│ ├── pyevtx_records.h
│ ├── pyevtx_strings.c
│ ├── pyevtx_strings.h
│ └── pyevtx_unused.h
├── pyproject.toml
├── runtests.ps1
├── runtests.sh
├── setup.cfg.in
├── setup.py
├── synclibs.ps1
├── synclibs.sh
├── synctestdata.ps1
├── synctestdata.sh
├── tests/
│ ├── Makefile.am
│ ├── build.sh
│ ├── evtx_test_chunk.c
│ ├── evtx_test_chunks_table.c
│ ├── evtx_test_error.c
│ ├── evtx_test_file.c
│ ├── evtx_test_functions.c
│ ├── evtx_test_functions.h
│ ├── evtx_test_getopt.c
│ ├── evtx_test_getopt.h
│ ├── evtx_test_io_handle.c
│ ├── evtx_test_libbfio.h
│ ├── evtx_test_libcerror.h
│ ├── evtx_test_libclocale.h
│ ├── evtx_test_libcnotify.h
│ ├── evtx_test_libevtx.h
│ ├── evtx_test_libuna.h
│ ├── evtx_test_macros.h
│ ├── evtx_test_memory.c
│ ├── evtx_test_memory.h
│ ├── evtx_test_notify.c
│ ├── evtx_test_record.c
│ ├── evtx_test_record_values.c
│ ├── evtx_test_support.c
│ ├── evtx_test_template_definition.c
│ ├── evtx_test_tools_info_handle.c
│ ├── evtx_test_tools_message_handle.c
│ ├── evtx_test_tools_message_string.c
│ ├── evtx_test_tools_output.c
│ ├── evtx_test_tools_path_handle.c
│ ├── evtx_test_tools_registry_file.c
│ ├── evtx_test_tools_resource_file.c
│ ├── evtx_test_tools_signal.c
│ ├── evtx_test_unused.h
│ ├── lsan.suppressions
│ ├── pkgbuild.sh
│ ├── pyevtx_test_file.py
│ ├── pyevtx_test_support.py
│ ├── runtests.py
│ ├── runtests.sh
│ ├── syncsharedlibs.sh
│ ├── test_evtxexport.sh
│ ├── test_evtxinfo.ps1
│ ├── test_evtxinfo.sh
│ ├── test_library.ps1
│ ├── test_library.sh
│ ├── test_manpage.sh
│ ├── test_python_module.sh
│ ├── test_runner.sh
│ ├── test_tools.ps1
│ └── test_tools.sh
└── tox.ini
================================================
FILE CONTENTS
================================================
================================================
FILE: .codecov.yml
================================================
coverage:
precision: 2
round: down
range: 70...100
status:
project: true
patch: true
changes: false
ignore:
- "libbfio/*"
- "libcdata/*"
- "libcdirectory/*"
- "libcerror/*"
- "libcfile/*"
- "libclocale/*"
- "libcnotify/*"
- "libcpath/*"
- "libcsplit/*"
- "libcthreads/*"
- "libexe/*"
- "libfcache/*"
- "libfdata/*"
- "libfdatetime/*"
- "libfguid/*"
- "libfvalue/*"
- "libfwevt/*"
- "libfwnt/*"
- "libregf/*"
- "libuna/*"
- "libwrc/*"
- "tests/*"
================================================
FILE: .github/workflows/build.yml
================================================
# Build from source.
name: build
on: [push, pull_request]
permissions: read-all
jobs:
build_ubuntu:
runs-on: ubuntu-latest
strategy:
matrix:
include:
- architecture: 'x86'
compiler: 'clang'
configure_options: ''
- architecture: 'x64'
compiler: 'clang'
configure_options: ''
- architecture: 'x86'
compiler: 'gcc'
configure_options: ''
- architecture: 'x64'
compiler: 'gcc'
configure_options: ''
- architecture: 'x64'
compiler: 'gcc'
configure_options: '--with-pthread=no'
- architecture: 'x64'
compiler: 'gcc'
configure_options: '--enable-wide-character-type'
- architecture: 'x64'
compiler: 'gcc'
configure_options: '--enable-static-executables=yes --enable-multi-threading-support=no'
steps:
- uses: actions/checkout@v5
- name: Install build dependencies
run: |
sudo apt-get -y install autoconf automake autopoint build-essential git libtool pkg-config
- name: Download test data
run: |
if test -x "synctestdata.sh"; then ./synctestdata.sh; fi
- name: Building from source
env:
CC: ${{ matrix.compiler }}
run: |
tests/build.sh ${{ matrix.configure_options }}
- name: Run tests
run: |
tests/runtests.sh
build_dist:
runs-on: ubuntu-latest
strategy:
matrix:
include:
- architecture: 'x64'
compiler: 'gcc'
configure_options: ''
steps:
- uses: actions/checkout@v5
- name: Install build dependencies
run: |
sudo apt-get -y install autoconf automake autopoint build-essential git libtool pkg-config
- name: Download test data
run: |
if test -x "synctestdata.sh"; then ./synctestdata.sh; fi
- name: Building from source
env:
CC: ${{ matrix.compiler }}
run: |
tests/build.sh ${{ matrix.configure_options }}
- name: Run tests
run: |
make distcheck
build_python_ubuntu:
runs-on: ubuntu-latest
strategy:
matrix:
include:
- architecture: 'x64'
compiler: 'gcc'
configure_options: '--enable-python'
python_version: ''
steps:
- uses: actions/checkout@v5
- name: Install build dependencies
run: |
sudo add-apt-repository universe &&
sudo apt-get update &&
sudo apt-get -y install autoconf automake autopoint build-essential git libtool pkg-config python3-dev python-dev-is-python3
- name: Download test data
run: |
if test -x "synctestdata.sh"; then ./synctestdata.sh; fi
- name: Building from source
env:
CC: ${{ matrix.compiler }}
run: |
tests/build.sh ${{ matrix.configure_options }}
- name: Run tests
env:
PYTHON_VERSION: ${{ matrix.python_version }}
run: |
tests/runtests.sh
build_setup_py_ubuntu:
runs-on: ubuntu-latest
strategy:
matrix:
include:
- architecture: 'x64'
compiler: 'gcc'
configure_options: ''
python-version: '3.10'
steps:
- uses: actions/checkout@v5
- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v5
with:
python-version: ${{ matrix.python-version }}
- name: Install build dependencies
run: |
sudo add-apt-repository universe &&
sudo apt-get update &&
sudo apt-get -y install autoconf automake autopoint build-essential git libtool pkg-config python3-dev python-dev-is-python3
- name: Building from source
env:
CC: ${{ matrix.compiler }}
run: |
tests/build.sh ${{ matrix.configure_options }}
- name: Build Python module
run: |
python setup.py build
coverage_ubuntu:
runs-on: ubuntu-latest
strategy:
matrix:
include:
- architecture: 'x86'
compiler: 'gcc'
configure_options: '--enable-wide-character-type'
- architecture: 'x64'
compiler: 'gcc'
configure_options: '--enable-wide-character-type'
steps:
- uses: actions/checkout@v5
- name: Install build dependencies
run: |
sudo apt-get -y install autoconf automake autopoint build-essential git libtool pkg-config
- name: Download test data
run: |
if test -x "synctestdata.sh"; then ./synctestdata.sh; fi
- name: Building from source
env:
CC: ${{ matrix.compiler }}
run: |
tests/build.sh ${{ matrix.configure_options }} --enable-shared=no CFLAGS="--coverage -O0" CPPFLAGS="-DOPTIMIZATION_DISABLED" LDFLAGS="--coverage"
- name: Run tests
run: |
make check CHECK_WITH_STDERR=1 SKIP_TOOLS_END_TO_END_TESTS=1
- name: Generate coverage data
run: |
for DIRECTORY in `find . -maxdepth 1 -type d`; do \
(cd ${DIRECTORY} && find . -maxdepth 1 -name \*.gcno -type f -exec gcov -pb {} \;) \
done
- name: Upload coverage report to Codecov
uses: codecov/codecov-action@v5
with:
name: linux-${{ matrix.architecture }}-gcc-no-optimization
token: ${{ secrets.CODECOV_TOKEN }}
================================================
FILE: .github/workflows/build_freebsd.yml
================================================
# Build from source on FreeBSD.
name: build_freebsd
on: [push]
permissions: read-all
jobs:
build_freebsd:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
- name: Building from source
id: build_freebsd
uses: vmactions/freebsd-vm@v1
with:
usesh: true
mem: 4096
# Note that the test scripts require bash
prepare: |
pkg install -y autoconf automake bash gettext git libtool pkgconf
run: |
tests/build.sh
tests/runtests.sh
================================================
FILE: .github/workflows/build_macos.yml
================================================
# Build from source.
name: build_macos
on: [push, pull_request]
permissions: read-all
jobs:
build_macos:
runs-on: ${{ matrix.os }}
strategy:
matrix:
include:
- os: macos-14
configure_options: ''
- os: macos-15
configure_options: ''
- os: macos-15-intel
configure_options: ''
- os: macos-26
configure_options: ''
steps:
- uses: actions/checkout@v5
- name: Install build dependencies
run: |
brew update -q
brew install -q autoconf automake gettext gnu-sed libtool pkg-config || true
brew link --force gettext
ln -s /usr/local/bin/glibtoolize /usr/local/bin/libtoolize
- name: Download test data
run: |
if test -x "synctestdata.sh"; then ./synctestdata.sh; fi
- name: Building from source
env:
CC: ${{ matrix.compiler }}
run: |
tests/build.sh ${{ matrix.configure_options }}
- name: Run tests
run: |
tests/runtests.sh
================================================
FILE: .github/workflows/build_ossfuzz.yml
================================================
# Build OSSFuzz fuzz targets from source.
name: build_ossfuzz
on:
push:
branches: [main]
permissions: read-all
jobs:
build_ossfuzz:
runs-on: ubuntu-latest
strategy:
matrix:
include:
- architecture: 'x64'
compiler: 'gcc'
configure_options: ''
steps:
- name: Install build dependencies
run: |
sudo apt-get -y install git
- uses: actions/checkout@v5
with:
repository: google/oss-fuzz
path: oss-fuzz
- name: Build OSSFuzz fuzz targets
working-directory: oss-fuzz
run: |
mkdir -p projects/libevtx
cp projects/libyal/build.sh projects/libevtx/
cp projects/libyal/project.yaml projects/libevtx/
head -n 20 projects/libyal/Dockerfile > projects/libevtx/Dockerfile
echo "RUN git clone --depth 1 https://github.com/libyal/libevtx.git libevtx" >> projects/libevtx/Dockerfile
tail -n 3 projects/libyal/Dockerfile >> projects/libevtx/Dockerfile
python3 infra/helper.py build_image --pull libevtx
python3 infra/helper.py build_fuzzers --sanitizer address libevtx
python3 infra/helper.py check_build libevtx
================================================
FILE: .github/workflows/build_shared.yml
================================================
# Build from source with libyal dependencies as shared libraries.
name: build_shared
on:
push:
branches: [main]
permissions: read-all
jobs:
build_shared_ubuntu:
runs-on: ubuntu-latest
strategy:
matrix:
include:
- architecture: 'x64'
compiler: 'gcc'
configure_options: ''
- architecture: 'x64'
compiler: 'gcc'
configure_options: '--enable-wide-character-type'
steps:
- uses: actions/checkout@v5
- name: Install build dependencies
run: |
sudo apt-get -y install autoconf automake autopoint build-essential git libtool pkg-config
- name: Download test data
run: |
if test -x "synctestdata.sh"; then ./synctestdata.sh; fi
- name: Prepare shared libraries
run: |
tests/syncsharedlibs.sh --use-head
- name: Building from source
env:
CC: ${{ matrix.compiler }}
run: |
tests/build.sh ${{ matrix.configure_options }}
- name: Run tests
run: |
tests/runtests.sh
================================================
FILE: .github/workflows/build_wheel.yml
================================================
# Build Python wheels from source using cibuildwheel.
name: build_wheels
on: [push, pull_request]
permissions: read-all
jobs:
build_wheels_linux:
name: Build wheels on ${{ matrix.os }}
runs-on: ${{ matrix.os }}
strategy:
matrix:
include:
- os: ubuntu-24.04-arm
- os: ubuntu-latest
steps:
- uses: actions/checkout@v5
- name: Install build dependencies
run: |
sudo apt-get -y install autoconf automake autopoint build-essential git libtool pkg-config
- name: Prepare build
run: |
./synclibs.sh
./autogen.sh
./configure
make sources >/dev/null
- name: Build Python wheels
uses: pypa/cibuildwheel@v3.3.0
env:
CIBW_TEST_COMMAND: python tests/runtests.py
CIBW_TEST_SOURCES: tests
with:
package-dir: .
output-dir: dist
- uses: actions/upload-artifact@v4
with:
name: cibw-wheels-${{ matrix.os }}-${{ strategy.job-index }}
path: dist/*.whl
build_wheels_macos:
name: Build wheels on ${{ matrix.os }}
runs-on: ${{ matrix.os }}
strategy:
matrix:
include:
- os: macos-14
- os: macos-15-intel
steps:
- uses: actions/checkout@v5
- name: Install build dependencies
run: |
brew update -q
brew install -q autoconf automake gettext gnu-sed libtool pkg-config || true
brew link --force gettext
ln -s /usr/local/bin/glibtoolize /usr/local/bin/libtoolize
- name: Prepare build
run: |
./synclibs.sh
./autogen.sh
./configure
make sources >/dev/null
- name: Build Python wheels
uses: pypa/cibuildwheel@v3.3.0
env:
CIBW_TEST_COMMAND: python tests/runtests.py
CIBW_TEST_SOURCES: tests
with:
package-dir: .
output-dir: dist
- uses: actions/upload-artifact@v4
with:
name: cibw-wheels-${{ matrix.os }}-${{ strategy.job-index }}
path: dist/*.whl
build_wheels_windows:
name: Build wheels on ${{ matrix.os }}
runs-on: ${{ matrix.os }}
strategy:
matrix:
include:
- os: windows-11-arm
- os: windows-latest
steps:
- uses: actions/checkout@v5
- name: Prepare build
run: |
.\synclibs.ps1
.\autogen.ps1
- name: Build Python wheels
uses: pypa/cibuildwheel@v3.3.0
env:
CIBW_TEST_COMMAND: python tests/runtests.py
CIBW_TEST_SOURCES: tests
with:
package-dir: .
output-dir: dist
- uses: actions/upload-artifact@v4
with:
name: cibw-wheels-${{ matrix.os }}-${{ strategy.job-index }}
path: dist/*.whl
================================================
FILE: .gitignore
================================================
# Files to ignore by git
#
# Version: 20231119
# Generic auto-generated build files
*~
*.a
*.gcda
*.gcno
*.gcov
*.la
*.lai
*.lib
*.lineno
*.lo
*.log
*.loT
*.o
*.obj
*.Plo
*.Po
*.so
*.so.[0-9][0-9]*
*.so.[0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*
*.swp
*.Tpo
*.trs
*.whl
/*.egg-info/
__pycache__
.deps
.dirstamp
.libs
.tox
INSTALL
Makefile
Makefile.bcc
Makefile.in
stamp-h[1-9]
# Specific auto-generated build files
/ABOUT-NLS
/aclocal.m4
/autom4te.cache/
/build
/compile
/confdefs.h
/config.cache
/config.guess
/config.log
/config.rpath
/config.status
/config.sub
/configure
/conftest.c
/depcomp
/dist
/install-sh
/libtool
/ltmain.sh
/m4/codeset.m4
/m4/extern-inline.m4
/m4/fcntl-o.m4
/m4/gettext.m4
/m4/glibc21.m4
/m4/glibc2.m4
/m4/host-cpu-c-abi.m4
/m4/iconv.m4
/m4/intdiv0.m4
/m4/intldir.m4
/m4/intl.m4
/m4/intlmacosx.m4
/m4/intmax.m4
/m4/inttypes_h.m4
/m4/inttypes-pri.m4
/m4/lcmessage.m4
/m4/lib-ld.m4
/m4/lib-link.m4
/m4/lib-prefix.m4
/m4/libtool.m4
/m4/lock.m4
/m4/longlong.m4
/m4/lt~obsolete.m4
/m4/ltoptions.m4
/m4/ltsugar.m4
/m4/ltversion.m4
/m4/nls.m4
/m4/pkg.m4
/m4/po.m4
/m4/printf-posix.m4
/m4/progtest.m4
/m4/size_max.m4
/m4/stdint_h.m4
/m4/threadlib.m4
/m4/uintmax_t.m4
/m4/visibility.m4
/m4/wchar_t.m4
/m4/wint_t.m4
/m4/xsize.m4
/MANIFEST
/missing
/po/boldquot.sed
/po/en@boldquot.header
/po/en@quot.header
/po/insert-header.sin
/po/Makefile.in.in
/po/Makevars
/po/Makevars.template
/po/POTFILES
/po/quot.sed
/po/remove-potcdate.sed
/po/remove-potcdate.sin
/po/Rules-quot
/test-driver
/ylwrap
# Project specific files
/common/config.h
/common/config.h.in
/common/types.h
/dpkg/changelog
/include/libevtx.h
/include/libevtx/definitions.h
/include/libevtx/features.h
/include/libevtx/types.h
/libevtx.pc
/libevtx.spec
/libevtx/libevtx.rc
/libevtx/libevtx_definitions.h
/setup.cfg
/evtxtools/*.exe
/evtxtools/evtxexport
/evtxtools/evtxinfo
/tests/*.exe
/tests/evtx_test_chunk
/tests/evtx_test_chunks_table
/tests/evtx_test_error
/tests/evtx_test_file
/tests/evtx_test_io_handle
/tests/evtx_test_notify
/tests/evtx_test_record
/tests/evtx_test_record_values
/tests/evtx_test_support
/tests/evtx_test_template_definition
/tests/evtx_test_tools_info_handle
/tests/evtx_test_tools_message_handle
/tests/evtx_test_tools_message_string
/tests/evtx_test_tools_output
/tests/evtx_test_tools_path_handle
/tests/evtx_test_tools_registry_file
/tests/evtx_test_tools_resource_file
/tests/evtx_test_tools_signal
/tests/input
/tests/notify_stream.log
/tests/tmp*
# Local library dependencies specific files
/libbfio
/libcdata
/libcdirectory
/libcerror
/libcfile
/libclocale
/libcnotify
/libcpath
/libcsplit
/libcthreads
/libexe
/libfcache
/libfdata
/libfdatetime
/libfguid
/libfvalue
/libfwevt
/libfwnt
/libregf
/libuna
/libwrc
================================================
FILE: AUTHORS
================================================
Acknowledgements: libevtx
Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>
================================================
FILE: COPYING
================================================
GNU GENERAL PUBLIC LICENSE
Version 3, 29 June 2007
Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The GNU General Public License is a free, copyleft license for
software and other kinds of works.
The licenses for most software and other practical works are designed
to take away your freedom to share and change the works. By contrast,
the GNU General Public License is intended to guarantee your freedom to
share and change all versions of a program--to make sure it remains free
software for all its users. We, the Free Software Foundation, use the
GNU General Public License for most of our software; it applies also to
any other work released this way by its authors. You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
them if you wish), that you receive source code or can get it if you
want it, that you can change the software or use pieces of it in new
free programs, and that you know you can do these things.
To protect your rights, we need to prevent others from denying you
these rights or asking you to surrender the rights. Therefore, you have
certain responsibilities if you distribute copies of the software, or if
you modify it: responsibilities to respect the freedom of others.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must pass on to the recipients the same
freedoms that you received. You must make sure that they, too, receive
or can get the source code. And you must show them these terms so they
know their rights.
Developers that use the GNU GPL protect your rights with two steps:
(1) assert copyright on the software, and (2) offer you this License
giving you legal permission to copy, distribute and/or modify it.
For the developers' and authors' protection, the GPL clearly explains
that there is no warranty for this free software. For both users' and
authors' sake, the GPL requires that modified versions be marked as
changed, so that their problems will not be attributed erroneously to
authors of previous versions.
Some devices are designed to deny users access to install or run
modified versions of the software inside them, although the manufacturer
can do so. This is fundamentally incompatible with the aim of
protecting users' freedom to change the software. The systematic
pattern of such abuse occurs in the area of products for individuals to
use, which is precisely where it is most unacceptable. Therefore, we
have designed this version of the GPL to prohibit the practice for those
products. If such problems arise substantially in other domains, we
stand ready to extend this provision to those domains in future versions
of the GPL, as needed to protect the freedom of users.
Finally, every program is threatened constantly by software patents.
States should not allow patents to restrict development and use of
software on general-purpose computers, but in those that do, we wish to
avoid the special danger that patents applied to a free program could
make it effectively proprietary. To prevent this, the GPL assures that
patents cannot be used to render the program non-free.
The precise terms and conditions for copying, distribution and
modification follow.
TERMS AND CONDITIONS
0. Definitions.
"This License" refers to version 3 of the GNU General Public License.
"Copyright" also means copyright-like laws that apply to other kinds of
works, such as semiconductor masks.
"The Program" refers to any copyrightable work licensed under this
License. Each licensee is addressed as "you". "Licensees" and
"recipients" may be individuals or organizations.
To "modify" a work means to copy from or adapt all or part of the work
in a fashion requiring copyright permission, other than the making of an
exact copy. The resulting work is called a "modified version" of the
earlier work or a work "based on" the earlier work.
A "covered work" means either the unmodified Program or a work based
on the Program.
To "propagate" a work means to do anything with it that, without
permission, would make you directly or secondarily liable for
infringement under applicable copyright law, except executing it on a
computer or modifying a private copy. Propagation includes copying,
distribution (with or without modification), making available to the
public, and in some countries other activities as well.
To "convey" a work means any kind of propagation that enables other
parties to make or receive copies. Mere interaction with a user through
a computer network, with no transfer of a copy, is not conveying.
An interactive user interface displays "Appropriate Legal Notices"
to the extent that it includes a convenient and prominently visible
feature that (1) displays an appropriate copyright notice, and (2)
tells the user that there is no warranty for the work (except to the
extent that warranties are provided), that licensees may convey the
work under this License, and how to view a copy of this License. If
the interface presents a list of user commands or options, such as a
menu, a prominent item in the list meets this criterion.
1. Source Code.
The "source code" for a work means the preferred form of the work
for making modifications to it. "Object code" means any non-source
form of a work.
A "Standard Interface" means an interface that either is an official
standard defined by a recognized standards body, or, in the case of
interfaces specified for a particular programming language, one that
is widely used among developers working in that language.
The "System Libraries" of an executable work include anything, other
than the work as a whole, that (a) is included in the normal form of
packaging a Major Component, but which is not part of that Major
Component, and (b) serves only to enable use of the work with that
Major Component, or to implement a Standard Interface for which an
implementation is available to the public in source code form. A
"Major Component", in this context, means a major essential component
(kernel, window system, and so on) of the specific operating system
(if any) on which the executable work runs, or a compiler used to
produce the work, or an object code interpreter used to run it.
The "Corresponding Source" for a work in object code form means all
the source code needed to generate, install, and (for an executable
work) run the object code and to modify the work, including scripts to
control those activities. However, it does not include the work's
System Libraries, or general-purpose tools or generally available free
programs which are used unmodified in performing those activities but
which are not part of the work. For example, Corresponding Source
includes interface definition files associated with source files for
the work, and the source code for shared libraries and dynamically
linked subprograms that the work is specifically designed to require,
such as by intimate data communication or control flow between those
subprograms and other parts of the work.
The Corresponding Source need not include anything that users
can regenerate automatically from other parts of the Corresponding
Source.
The Corresponding Source for a work in source code form is that
same work.
2. Basic Permissions.
All rights granted under this License are granted for the term of
copyright on the Program, and are irrevocable provided the stated
conditions are met. This License explicitly affirms your unlimited
permission to run the unmodified Program. The output from running a
covered work is covered by this License only if the output, given its
content, constitutes a covered work. This License acknowledges your
rights of fair use or other equivalent, as provided by copyright law.
You may make, run and propagate covered works that you do not
convey, without conditions so long as your license otherwise remains
in force. You may convey covered works to others for the sole purpose
of having them make modifications exclusively for you, or provide you
with facilities for running those works, provided that you comply with
the terms of this License in conveying all material for which you do
not control copyright. Those thus making or running the covered works
for you must do so exclusively on your behalf, under your direction
and control, on terms that prohibit them from making any copies of
your copyrighted material outside their relationship with you.
Conveying under any other circumstances is permitted solely under
the conditions stated below. Sublicensing is not allowed; section 10
makes it unnecessary.
3. Protecting Users' Legal Rights From Anti-Circumvention Law.
No covered work shall be deemed part of an effective technological
measure under any applicable law fulfilling obligations under article
11 of the WIPO copyright treaty adopted on 20 December 1996, or
similar laws prohibiting or restricting circumvention of such
measures.
When you convey a covered work, you waive any legal power to forbid
circumvention of technological measures to the extent such circumvention
is effected by exercising rights under this License with respect to
the covered work, and you disclaim any intention to limit operation or
modification of the work as a means of enforcing, against the work's
users, your or third parties' legal rights to forbid circumvention of
technological measures.
4. Conveying Verbatim Copies.
You may convey verbatim copies of the Program's source code as you
receive it, in any medium, provided that you conspicuously and
appropriately publish on each copy an appropriate copyright notice;
keep intact all notices stating that this License and any
non-permissive terms added in accord with section 7 apply to the code;
keep intact all notices of the absence of any warranty; and give all
recipients a copy of this License along with the Program.
You may charge any price or no price for each copy that you convey,
and you may offer support or warranty protection for a fee.
5. Conveying Modified Source Versions.
You may convey a work based on the Program, or the modifications to
produce it from the Program, in the form of source code under the
terms of section 4, provided that you also meet all of these conditions:
a) The work must carry prominent notices stating that you modified
it, and giving a relevant date.
b) The work must carry prominent notices stating that it is
released under this License and any conditions added under section
7. This requirement modifies the requirement in section 4 to
"keep intact all notices".
c) You must license the entire work, as a whole, under this
License to anyone who comes into possession of a copy. This
License will therefore apply, along with any applicable section 7
additional terms, to the whole of the work, and all its parts,
regardless of how they are packaged. This License gives no
permission to license the work in any other way, but it does not
invalidate such permission if you have separately received it.
d) If the work has interactive user interfaces, each must display
Appropriate Legal Notices; however, if the Program has interactive
interfaces that do not display Appropriate Legal Notices, your
work need not make them do so.
A compilation of a covered work with other separate and independent
works, which are not by their nature extensions of the covered work,
and which are not combined with it such as to form a larger program,
in or on a volume of a storage or distribution medium, is called an
"aggregate" if the compilation and its resulting copyright are not
used to limit the access or legal rights of the compilation's users
beyond what the individual works permit. Inclusion of a covered work
in an aggregate does not cause this License to apply to the other
parts of the aggregate.
6. Conveying Non-Source Forms.
You may convey a covered work in object code form under the terms
of sections 4 and 5, provided that you also convey the
machine-readable Corresponding Source under the terms of this License,
in one of these ways:
a) Convey the object code in, or embodied in, a physical product
(including a physical distribution medium), accompanied by the
Corresponding Source fixed on a durable physical medium
customarily used for software interchange.
b) Convey the object code in, or embodied in, a physical product
(including a physical distribution medium), accompanied by a
written offer, valid for at least three years and valid for as
long as you offer spare parts or customer support for that product
model, to give anyone who possesses the object code either (1) a
copy of the Corresponding Source for all the software in the
product that is covered by this License, on a durable physical
medium customarily used for software interchange, for a price no
more than your reasonable cost of physically performing this
conveying of source, or (2) access to copy the
Corresponding Source from a network server at no charge.
c) Convey individual copies of the object code with a copy of the
written offer to provide the Corresponding Source. This
alternative is allowed only occasionally and noncommercially, and
only if you received the object code with such an offer, in accord
with subsection 6b.
d) Convey the object code by offering access from a designated
place (gratis or for a charge), and offer equivalent access to the
Corresponding Source in the same way through the same place at no
further charge. You need not require recipients to copy the
Corresponding Source along with the object code. If the place to
copy the object code is a network server, the Corresponding Source
may be on a different server (operated by you or a third party)
that supports equivalent copying facilities, provided you maintain
clear directions next to the object code saying where to find the
Corresponding Source. Regardless of what server hosts the
Corresponding Source, you remain obligated to ensure that it is
available for as long as needed to satisfy these requirements.
e) Convey the object code using peer-to-peer transmission, provided
you inform other peers where the object code and Corresponding
Source of the work are being offered to the general public at no
charge under subsection 6d.
A separable portion of the object code, whose source code is excluded
from the Corresponding Source as a System Library, need not be
included in conveying the object code work.
A "User Product" is either (1) a "consumer product", which means any
tangible personal property which is normally used for personal, family,
or household purposes, or (2) anything designed or sold for incorporation
into a dwelling. In determining whether a product is a consumer product,
doubtful cases shall be resolved in favor of coverage. For a particular
product received by a particular user, "normally used" refers to a
typical or common use of that class of product, regardless of the status
of the particular user or of the way in which the particular user
actually uses, or expects or is expected to use, the product. A product
is a consumer product regardless of whether the product has substantial
commercial, industrial or non-consumer uses, unless such uses represent
the only significant mode of use of the product.
"Installation Information" for a User Product means any methods,
procedures, authorization keys, or other information required to install
and execute modified versions of a covered work in that User Product from
a modified version of its Corresponding Source. The information must
suffice to ensure that the continued functioning of the modified object
code is in no case prevented or interfered with solely because
modification has been made.
If you convey an object code work under this section in, or with, or
specifically for use in, a User Product, and the conveying occurs as
part of a transaction in which the right of possession and use of the
User Product is transferred to the recipient in perpetuity or for a
fixed term (regardless of how the transaction is characterized), the
Corresponding Source conveyed under this section must be accompanied
by the Installation Information. But this requirement does not apply
if neither you nor any third party retains the ability to install
modified object code on the User Product (for example, the work has
been installed in ROM).
The requirement to provide Installation Information does not include a
requirement to continue to provide support service, warranty, or updates
for a work that has been modified or installed by the recipient, or for
the User Product in which it has been modified or installed. Access to a
network may be denied when the modification itself materially and
adversely affects the operation of the network or violates the rules and
protocols for communication across the network.
Corresponding Source conveyed, and Installation Information provided,
in accord with this section must be in a format that is publicly
documented (and with an implementation available to the public in
source code form), and must require no special password or key for
unpacking, reading or copying.
7. Additional Terms.
"Additional permissions" are terms that supplement the terms of this
License by making exceptions from one or more of its conditions.
Additional permissions that are applicable to the entire Program shall
be treated as though they were included in this License, to the extent
that they are valid under applicable law. If additional permissions
apply only to part of the Program, that part may be used separately
under those permissions, but the entire Program remains governed by
this License without regard to the additional permissions.
When you convey a copy of a covered work, you may at your option
remove any additional permissions from that copy, or from any part of
it. (Additional permissions may be written to require their own
removal in certain cases when you modify the work.) You may place
additional permissions on material, added by you to a covered work,
for which you have or can give appropriate copyright permission.
Notwithstanding any other provision of this License, for material you
add to a covered work, you may (if authorized by the copyright holders of
that material) supplement the terms of this License with terms:
a) Disclaiming warranty or limiting liability differently from the
terms of sections 15 and 16 of this License; or
b) Requiring preservation of specified reasonable legal notices or
author attributions in that material or in the Appropriate Legal
Notices displayed by works containing it; or
c) Prohibiting misrepresentation of the origin of that material, or
requiring that modified versions of such material be marked in
reasonable ways as different from the original version; or
d) Limiting the use for publicity purposes of names of licensors or
authors of the material; or
e) Declining to grant rights under trademark law for use of some
trade names, trademarks, or service marks; or
f) Requiring indemnification of licensors and authors of that
material by anyone who conveys the material (or modified versions of
it) with contractual assumptions of liability to the recipient, for
any liability that these contractual assumptions directly impose on
those licensors and authors.
All other non-permissive additional terms are considered "further
restrictions" within the meaning of section 10. If the Program as you
received it, or any part of it, contains a notice stating that it is
governed by this License along with a term that is a further
restriction, you may remove that term. If a license document contains
a further restriction but permits relicensing or conveying under this
License, you may add to a covered work material governed by the terms
of that license document, provided that the further restriction does
not survive such relicensing or conveying.
If you add terms to a covered work in accord with this section, you
must place, in the relevant source files, a statement of the
additional terms that apply to those files, or a notice indicating
where to find the applicable terms.
Additional terms, permissive or non-permissive, may be stated in the
form of a separately written license, or stated as exceptions;
the above requirements apply either way.
8. Termination.
You may not propagate or modify a covered work except as expressly
provided under this License. Any attempt otherwise to propagate or
modify it is void, and will automatically terminate your rights under
this License (including any patent licenses granted under the third
paragraph of section 11).
However, if you cease all violation of this License, then your
license from a particular copyright holder is reinstated (a)
provisionally, unless and until the copyright holder explicitly and
finally terminates your license, and (b) permanently, if the copyright
holder fails to notify you of the violation by some reasonable means
prior to 60 days after the cessation.
Moreover, your license from a particular copyright holder is
reinstated permanently if the copyright holder notifies you of the
violation by some reasonable means, this is the first time you have
received notice of violation of this License (for any work) from that
copyright holder, and you cure the violation prior to 30 days after
your receipt of the notice.
Termination of your rights under this section does not terminate the
licenses of parties who have received copies or rights from you under
this License. If your rights have been terminated and not permanently
reinstated, you do not qualify to receive new licenses for the same
material under section 10.
9. Acceptance Not Required for Having Copies.
You are not required to accept this License in order to receive or
run a copy of the Program. Ancillary propagation of a covered work
occurring solely as a consequence of using peer-to-peer transmission
to receive a copy likewise does not require acceptance. However,
nothing other than this License grants you permission to propagate or
modify any covered work. These actions infringe copyright if you do
not accept this License. Therefore, by modifying or propagating a
covered work, you indicate your acceptance of this License to do so.
10. Automatic Licensing of Downstream Recipients.
Each time you convey a covered work, the recipient automatically
receives a license from the original licensors, to run, modify and
propagate that work, subject to this License. You are not responsible
for enforcing compliance by third parties with this License.
An "entity transaction" is a transaction transferring control of an
organization, or substantially all assets of one, or subdividing an
organization, or merging organizations. If propagation of a covered
work results from an entity transaction, each party to that
transaction who receives a copy of the work also receives whatever
licenses to the work the party's predecessor in interest had or could
give under the previous paragraph, plus a right to possession of the
Corresponding Source of the work from the predecessor in interest, if
the predecessor has it or can get it with reasonable efforts.
You may not impose any further restrictions on the exercise of the
rights granted or affirmed under this License. For example, you may
not impose a license fee, royalty, or other charge for exercise of
rights granted under this License, and you may not initiate litigation
(including a cross-claim or counterclaim in a lawsuit) alleging that
any patent claim is infringed by making, using, selling, offering for
sale, or importing the Program or any portion of it.
11. Patents.
A "contributor" is a copyright holder who authorizes use under this
License of the Program or a work on which the Program is based. The
work thus licensed is called the contributor's "contributor version".
A contributor's "essential patent claims" are all patent claims
owned or controlled by the contributor, whether already acquired or
hereafter acquired, that would be infringed by some manner, permitted
by this License, of making, using, or selling its contributor version,
but do not include claims that would be infringed only as a
consequence of further modification of the contributor version. For
purposes of this definition, "control" includes the right to grant
patent sublicenses in a manner consistent with the requirements of
this License.
Each contributor grants you a non-exclusive, worldwide, royalty-free
patent license under the contributor's essential patent claims, to
make, use, sell, offer for sale, import and otherwise run, modify and
propagate the contents of its contributor version.
In the following three paragraphs, a "patent license" is any express
agreement or commitment, however denominated, not to enforce a patent
(such as an express permission to practice a patent or covenant not to
sue for patent infringement). To "grant" such a patent license to a
party means to make such an agreement or commitment not to enforce a
patent against the party.
If you convey a covered work, knowingly relying on a patent license,
and the Corresponding Source of the work is not available for anyone
to copy, free of charge and under the terms of this License, through a
publicly available network server or other readily accessible means,
then you must either (1) cause the Corresponding Source to be so
available, or (2) arrange to deprive yourself of the benefit of the
patent license for this particular work, or (3) arrange, in a manner
consistent with the requirements of this License, to extend the patent
license to downstream recipients. "Knowingly relying" means you have
actual knowledge that, but for the patent license, your conveying the
covered work in a country, or your recipient's use of the covered work
in a country, would infringe one or more identifiable patents in that
country that you have reason to believe are valid.
If, pursuant to or in connection with a single transaction or
arrangement, you convey, or propagate by procuring conveyance of, a
covered work, and grant a patent license to some of the parties
receiving the covered work authorizing them to use, propagate, modify
or convey a specific copy of the covered work, then the patent license
you grant is automatically extended to all recipients of the covered
work and works based on it.
A patent license is "discriminatory" if it does not include within
the scope of its coverage, prohibits the exercise of, or is
conditioned on the non-exercise of one or more of the rights that are
specifically granted under this License. You may not convey a covered
work if you are a party to an arrangement with a third party that is
in the business of distributing software, under which you make payment
to the third party based on the extent of your activity of conveying
the work, and under which the third party grants, to any of the
parties who would receive the covered work from you, a discriminatory
patent license (a) in connection with copies of the covered work
conveyed by you (or copies made from those copies), or (b) primarily
for and in connection with specific products or compilations that
contain the covered work, unless you entered into that arrangement,
or that patent license was granted, prior to 28 March 2007.
Nothing in this License shall be construed as excluding or limiting
any implied license or other defenses to infringement that may
otherwise be available to you under applicable patent law.
12. No Surrender of Others' Freedom.
If conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot convey a
covered work so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you may
not convey it at all. For example, if you agree to terms that obligate you
to collect a royalty for further conveying from those to whom you convey
the Program, the only way you could satisfy both those terms and this
License would be to refrain entirely from conveying the Program.
13. Use with the GNU Affero General Public License.
Notwithstanding any other provision of this License, you have
permission to link or combine any covered work with a work licensed
under version 3 of the GNU Affero General Public License into a single
combined work, and to convey the resulting work. The terms of this
License will continue to apply to the part which is the covered work,
but the special requirements of the GNU Affero General Public License,
section 13, concerning interaction through a network will apply to the
combination as such.
14. Revised Versions of this License.
The Free Software Foundation may publish revised and/or new versions of
the GNU General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the
Program specifies that a certain numbered version of the GNU General
Public License "or any later version" applies to it, you have the
option of following the terms and conditions either of that numbered
version or of any later version published by the Free Software
Foundation. If the Program does not specify a version number of the
GNU General Public License, you may choose any version ever published
by the Free Software Foundation.
If the Program specifies that a proxy can decide which future
versions of the GNU General Public License can be used, that proxy's
public statement of acceptance of a version permanently authorizes you
to choose that version for the Program.
Later license versions may give you additional or different
permissions. However, no additional obligations are imposed on any
author or copyright holder as a result of your choosing to follow a
later version.
15. Disclaimer of Warranty.
THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
16. Limitation of Liability.
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
SUCH DAMAGES.
17. Interpretation of Sections 15 and 16.
If the disclaimer of warranty and limitation of liability provided
above cannot be given local legal effect according to their terms,
reviewing courts shall apply local law that most closely approximates
an absolute waiver of all civil liability in connection with the
Program, unless a warranty or assumption of liability accompanies a
copy of the Program in return for a fee.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
state the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
<one line to give the program's name and a brief idea of what it does.>
Copyright (C) <year> <name of author>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>.
Also add information on how to contact you by electronic and paper mail.
If the program does terminal interaction, make it output a short
notice like this when it starts in an interactive mode:
<program> Copyright (C) <year> <name of author>
This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, your program's commands
might be different; for a GUI interface, you would use an "about box".
You should also get your employer (if you work as a programmer) or school,
if any, to sign a "copyright disclaimer" for the program, if necessary.
For more information on this, and how to apply and follow the GNU GPL, see
<https://www.gnu.org/licenses/>.
The GNU General Public License does not permit incorporating your program
into proprietary programs. If your program is a subroutine library, you
may consider it more useful to permit linking proprietary applications with
the library. If this is what you want to do, use the GNU Lesser General
Public License instead of this License. But first, please read
<https://www.gnu.org/licenses/why-not-lgpl.html>.
================================================
FILE: COPYING.LESSER
================================================
GNU LESSER GENERAL PUBLIC LICENSE
Version 3, 29 June 2007
Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
This version of the GNU Lesser General Public License incorporates
the terms and conditions of version 3 of the GNU General Public
License, supplemented by the additional permissions listed below.
0. Additional Definitions.
As used herein, "this License" refers to version 3 of the GNU Lesser
General Public License, and the "GNU GPL" refers to version 3 of the GNU
General Public License.
"The Library" refers to a covered work governed by this License,
other than an Application or a Combined Work as defined below.
An "Application" is any work that makes use of an interface provided
by the Library, but which is not otherwise based on the Library.
Defining a subclass of a class defined by the Library is deemed a mode
of using an interface provided by the Library.
A "Combined Work" is a work produced by combining or linking an
Application with the Library. The particular version of the Library
with which the Combined Work was made is also called the "Linked
Version".
The "Minimal Corresponding Source" for a Combined Work means the
Corresponding Source for the Combined Work, excluding any source code
for portions of the Combined Work that, considered in isolation, are
based on the Application, and not on the Linked Version.
The "Corresponding Application Code" for a Combined Work means the
object code and/or source code for the Application, including any data
and utility programs needed for reproducing the Combined Work from the
Application, but excluding the System Libraries of the Combined Work.
1. Exception to Section 3 of the GNU GPL.
You may convey a covered work under sections 3 and 4 of this License
without being bound by section 3 of the GNU GPL.
2. Conveying Modified Versions.
If you modify a copy of the Library, and, in your modifications, a
facility refers to a function or data to be supplied by an Application
that uses the facility (other than as an argument passed when the
facility is invoked), then you may convey a copy of the modified
version:
a) under this License, provided that you make a good faith effort to
ensure that, in the event an Application does not supply the
function or data, the facility still operates, and performs
whatever part of its purpose remains meaningful, or
b) under the GNU GPL, with none of the additional permissions of
this License applicable to that copy.
3. Object Code Incorporating Material from Library Header Files.
The object code form of an Application may incorporate material from
a header file that is part of the Library. You may convey such object
code under terms of your choice, provided that, if the incorporated
material is not limited to numerical parameters, data structure
layouts and accessors, or small macros, inline functions and templates
(ten or fewer lines in length), you do both of the following:
a) Give prominent notice with each copy of the object code that the
Library is used in it and that the Library and its use are
covered by this License.
b) Accompany the object code with a copy of the GNU GPL and this license
document.
4. Combined Works.
You may convey a Combined Work under terms of your choice that,
taken together, effectively do not restrict modification of the
portions of the Library contained in the Combined Work and reverse
engineering for debugging such modifications, if you also do each of
the following:
a) Give prominent notice with each copy of the Combined Work that
the Library is used in it and that the Library and its use are
covered by this License.
b) Accompany the Combined Work with a copy of the GNU GPL and this license
document.
c) For a Combined Work that displays copyright notices during
execution, include the copyright notice for the Library among
these notices, as well as a reference directing the user to the
copies of the GNU GPL and this license document.
d) Do one of the following:
0) Convey the Minimal Corresponding Source under the terms of this
License, and the Corresponding Application Code in a form
suitable for, and under terms that permit, the user to
recombine or relink the Application with a modified version of
the Linked Version to produce a modified Combined Work, in the
manner specified by section 6 of the GNU GPL for conveying
Corresponding Source.
1) Use a suitable shared library mechanism for linking with the
Library. A suitable mechanism is one that (a) uses at run time
a copy of the Library already present on the user's computer
system, and (b) will operate properly with a modified version
of the Library that is interface-compatible with the Linked
Version.
e) Provide Installation Information, but only if you would otherwise
be required to provide such information under section 6 of the
GNU GPL, and only to the extent that such information is
necessary to install and execute a modified version of the
Combined Work produced by recombining or relinking the
Application with a modified version of the Linked Version. (If
you use option 4d0, the Installation Information must accompany
the Minimal Corresponding Source and Corresponding Application
Code. If you use option 4d1, you must provide the Installation
Information in the manner specified by section 6 of the GNU GPL
for conveying Corresponding Source.)
5. Combined Libraries.
You may place library facilities that are a work based on the
Library side by side in a single library together with other library
facilities that are not Applications and are not covered by this
License, and convey such a combined library under terms of your
choice, if you do both of the following:
a) Accompany the combined library with a copy of the same work based
on the Library, uncombined with any other library facilities,
conveyed under the terms of this License.
b) Give prominent notice with the combined library that part of it
is a work based on the Library, and explaining where to find the
accompanying uncombined form of the same work.
6. Revised Versions of the GNU Lesser General Public License.
The Free Software Foundation may publish revised and/or new versions
of the GNU Lesser General Public License from time to time. Such new
versions will be similar in spirit to the present version, but may
differ in detail to address new problems or concerns.
Each version is given a distinguishing version number. If the
Library as you received it specifies that a certain numbered version
of the GNU Lesser General Public License "or any later version"
applies to it, you have the option of following the terms and
conditions either of that published version or of any later version
published by the Free Software Foundation. If the Library as you
received it does not specify a version number of the GNU Lesser
General Public License, you may choose any version of the GNU Lesser
General Public License ever published by the Free Software Foundation.
If the Library as you received it specifies that a proxy can decide
whether future versions of the GNU Lesser General Public License shall
apply, that proxy's public statement of acceptance of any version is
permanent authorization for you to choose that version for the
Library.
================================================
FILE: ChangeLog
================================================
TODO
* add parameter expansion support
* evtxexport:
- add add support for .mui files in the same directory
- export EventRecordID in non-XML output
- non-xml export format use evtexport like approach (add functions to get
specific event data)
* add clean IO handle function
* msvscpp:
- check and fix debug output generation
* mark file as corrupted on CRC mismatch ?
* check signal abort
* parse binary data from EventData
* event message file ?
- correctly deal with \\ in C:\Program Files\Common Files\McAfee\SystemCore\\naievent.dll
* improve detecting corrupted recovered event records
* improve dealing with corrupted event records?
* formatted output
- check with test data if output is now correct
* wevt
- improve (template) codepage handling
- improve template definition XML template value handling
* message handle:
- create: message string object
- get %WinDir% from registry
* resource file
- cache message strings
- cache template providers
- cache template events
- cache template definitions
* tests
- evtexport: handle "Provider identifier" in debug ouput
* XML output change
- Keywords add no leading 0's
<Keywords>0x8080000000000000</Keywords>
strings:
- support non-contiguous data elements ?
libfwevt optimization:
- reference value while parsing?
- count number of data elements (strings) while parsing
- reference binary (data) while parsing
* API
- get op code (0 => Info)
- task category (none if not set)
- keywords
* recovery:
- pass what type of chunk is being read
- pass flag to binary xml parsing to ignore parsing errors ?
or make this the default behavior
- move read xml out of init record function ?
* fix message filename retrieval, registry being read wrong ?
* implement libevtx_xml_tag_get_attribute_by_utf8_path (and utf16 equivalent) ?
* implement libevtx_xml_tag_get_element_by_utf8_path (and utf16 equivalent) ?
* store name hash in value identifier
* deal with corruption scenario
* deal with trailing empty data ?
* remove libevtx_libfguid.h once libfvalue wraps the format flags
* add recovery scan
* add debug function for binary XML token types
* codepage support
* flag internally if the file is corrupted (CRC mismatch)
Format:
* what about empty binary xml data in the event record? does it only contain a 0x00 byte?
Debug:
* libfwevt: character reference print trailing data
* handle empty XML document:
libevtx_record_values_read_xml_document: XML document:
libfwevt_xml_tag_debug_print: invalid XML tag.
Recovery:
* scan for records in chunk free space
20110919
* see `git log' for more recent change log
* initial version based on libesedb 20110919
================================================
FILE: Makefile.am
================================================
ACLOCAL_AMFLAGS = -I m4
SUBDIRS = \
include \
common \
libcerror \
libcthreads \
libcdata \
libclocale \
libcnotify \
libcsplit \
libuna \
libcfile \
libcpath \
libbfio \
libfcache \
libfdata \
libfdatetime \
libfguid \
libfvalue \
libfwevt \
libfwnt \
libevtx \
libexe \
libregf \
libwrc \
libcdirectory \
evtxtools \
pyevtx \
po \
manuals \
tests \
ossfuzz \
msvscpp
DPKG_FILES = \
dpkg/changelog \
dpkg/changelog.in \
dpkg/compat \
dpkg/control \
dpkg/copyright \
dpkg/rules \
dpkg/libevtx.install \
dpkg/libevtx-dev.install \
dpkg/libevtx-python3.install \
dpkg/libevtx-tools.install \
dpkg/source/format
GETTEXT_FILES = \
config.rpath \
po/Makevars.in
PKGCONFIG_FILES = \
libevtx.pc.in
SETUP_PY_FILES = \
pyproject.toml \
setup.cfg \
setup.cfg.in \
setup.py
SPEC_FILES = \
libevtx.spec \
libevtx.spec.in
EXTRA_DIST = \
$(DPKG_FILES) \
$(GETTEXT_FILES) \
$(PKGCONFIG_FILES) \
$(SETUP_PY_FILES) \
$(SPEC_FILES)
DISTCLEANFILES = \
config.status \
config.cache \
config.log \
libevtx.pc \
libevtx.spec \
Makefile \
Makefile.in \
po/Makevars
pkgconfigdir = $(libdir)/pkgconfig
pkgconfig_DATA = \
libevtx.pc
libtool:
@LIBTOOL_DEPS@
cd $(srcdir) && $(SHELL) ./config.status --recheck
lib: library
library:
(cd $(srcdir)/common && $(MAKE) $(AM_MAKEFLAGS))
(cd $(srcdir)/libcerror && $(MAKE) $(AM_MAKEFLAGS))
(cd $(srcdir)/libcthreads && $(MAKE) $(AM_MAKEFLAGS))
(cd $(srcdir)/libcdata && $(MAKE) $(AM_MAKEFLAGS))
(cd $(srcdir)/libclocale && $(MAKE) $(AM_MAKEFLAGS))
(cd $(srcdir)/libcnotify && $(MAKE) $(AM_MAKEFLAGS))
(cd $(srcdir)/libcsplit && $(MAKE) $(AM_MAKEFLAGS))
(cd $(srcdir)/libuna && $(MAKE) $(AM_MAKEFLAGS))
(cd $(srcdir)/libcfile && $(MAKE) $(AM_MAKEFLAGS))
(cd $(srcdir)/libcpath && $(MAKE) $(AM_MAKEFLAGS))
(cd $(srcdir)/libbfio && $(MAKE) $(AM_MAKEFLAGS))
(cd $(srcdir)/libfcache && $(MAKE) $(AM_MAKEFLAGS))
(cd $(srcdir)/libfdata && $(MAKE) $(AM_MAKEFLAGS))
(cd $(srcdir)/libfdatetime && $(MAKE) $(AM_MAKEFLAGS))
(cd $(srcdir)/libfguid && $(MAKE) $(AM_MAKEFLAGS))
(cd $(srcdir)/libfvalue && $(MAKE) $(AM_MAKEFLAGS))
(cd $(srcdir)/libfwevt && $(MAKE) $(AM_MAKEFLAGS))
(cd $(srcdir)/libfwnt && $(MAKE) $(AM_MAKEFLAGS))
(cd $(srcdir)/libevtx && $(MAKE) $(AM_MAKEFLAGS))
(cd $(srcdir)/po && $(MAKE) $(AM_MAKEFLAGS))
================================================
FILE: NEWS
================================================
================================================
FILE: README
================================================
libevtx is a library to access the Windows XML Event Log (EVTX) format.
Project information:
* Status: alpha
* Licence: LGPLv3+
Planned:
* Multi-threading support
For more information see:
* Project documentation: https://github.com/libyal/libevtx/wiki/Home
* How to build from source: https://github.com/libyal/libevtx/wiki/Building
================================================
FILE: acinclude.m4
================================================
dnl Checks for required headers and functions
dnl
dnl Version: 20200713
dnl Function to detect if libevtx dependencies are available
AC_DEFUN([AX_LIBEVTX_CHECK_LOCAL],
[dnl Check for internationalization functions in libevtx/libevtx_i18n.c
AC_CHECK_FUNCS([bindtextdomain])
dnl Headers included in libevtx/libevtx_xml_tag.h
AC_CHECK_HEADERS([wctype.h])
dnl Functions used in libevtx/libevtx_xml_tag.h
AC_CHECK_FUNCS([towupper])
AS_IF(
[test "x$ac_cv_func_towupper" != xyes],
[AC_MSG_FAILURE(
[Missing function: towupper],
[1])
])
])
dnl Function to detect if evtxtools dependencies are available
AC_DEFUN([AX_EVTXTOOLS_CHECK_LOCAL],
[AC_CHECK_HEADERS([signal.h sys/signal.h unistd.h])
AC_CHECK_FUNCS([close getopt setvbuf])
AS_IF(
[test "x$ac_cv_func_close" != xyes],
[AC_MSG_FAILURE(
[Missing function: close],
[1])
])
dnl Headers included in evtxtools/log_handle.c
AC_CHECK_HEADERS([stdarg.h varargs.h])
AS_IF(
[test "x$ac_cv_header_stdarg_h" != xyes && test "x$ac_cv_header_varargs_h" != xyes],
[AC_MSG_FAILURE(
[Missing headers: stdarg.h and varargs.h],
[1])
])
])
dnl Function to check if DLL support is needed
AC_DEFUN([AX_LIBEVTX_CHECK_DLL_SUPPORT],
[AS_IF(
[test "x$enable_shared" = xyes && test "x$ac_cv_enable_static_executables" = xno],
[AS_CASE(
[$host],
[*cygwin* | *mingw* | *msys*],
[AC_DEFINE(
[HAVE_DLLMAIN],
[1],
[Define to 1 to enable the DllMain function.])
AC_SUBST(
[HAVE_DLLMAIN],
[1])
AC_SUBST(
[LIBEVTX_DLL_EXPORT],
["-DLIBEVTX_DLL_EXPORT"])
AC_SUBST(
[LIBEVTX_DLL_IMPORT],
["-DLIBEVTX_DLL_IMPORT"])
])
])
])
================================================
FILE: appveyor.yml
================================================
environment:
matrix:
- TARGET: vs2008
BUILD_ENVIRONMENT: msbuild
APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2013
VisualStudioVersion: 9.0
platform: Win32
configuration: Release
PYTHON_PATH: "C:\\Python37"
- TARGET: vs2010
BUILD_ENVIRONMENT: msbuild
APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2013
VisualStudioVersion: 10.0
platform: Win32
configuration: Release
PYTHON_PATH: "C:\\Python37"
- TARGET: vs2012
BUILD_ENVIRONMENT: msbuild
APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2013
VisualStudioVersion: 11.0
platform: Win32
configuration: Release
PYTHON_PATH: "C:\\Python37"
- TARGET: vs2013
BUILD_ENVIRONMENT: msbuild
APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2013
VisualStudioVersion: 12.0
platform: Win32
configuration: Release
PYTHON_PATH: "C:\\Python37"
- TARGET: vs2015
BUILD_ENVIRONMENT: msbuild
APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2015
VisualStudioVersion: 14.0
platform: Win32
configuration: Release
PYTHON_PATH: "C:\\Python38"
- TARGET: vs2017
BUILD_ENVIRONMENT: msbuild
APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2017
VisualStudioVersion: 15.0
platform: Win32
configuration: Release
PYTHON_PATH: "C:\\Python38"
- TARGET: vs2019
BUILD_ENVIRONMENT: msbuild
APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2019
VisualStudioVersion: 16.0
platform: Win32
configuration: Release
PYTHON_PATH: "C:\\Python311"
- TARGET: vs2022
BUILD_ENVIRONMENT: msbuild
APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2022
VisualStudioVersion: 17.0
platform: Win32
configuration: Release
PYTHON_PATH: "C:\\Python311"
- TARGET: vs2022-vsdebug
BUILD_ENVIRONMENT: msbuild
APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2022
VisualStudioVersion: 17.0
platform: Win32
configuration: VSDebug
PYTHON_PATH: "C:\\Python311"
- TARGET: vs2022-x64
BUILD_ENVIRONMENT: msbuild
APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2022
VisualStudioVersion: 17.0
platform: x64
configuration: Release
PYTHON_PATH: "C:\\Python311"
- TARGET: vs2022-python
BUILD_ENVIRONMENT: msbuild
APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2022
VisualStudioVersion: 17.0
platform: x64
configuration: Release
PYTHON_PATH: "C:\\Python311-x64"
- TARGET: macos-x64-clang
BUILD_ENVIRONMENT: xcode
APPVEYOR_BUILD_WORKER_IMAGE: macos-sonoma
HOMEBREW_NO_INSTALL_CLEANUP: 1
CC: clang
CFLAGS: "-I/usr/local/include"
LDFLAGS: "-L/usr/local/lib"
CONFIGURE_OPTIONS: ""
- TARGET: macos-x64-gcc
BUILD_ENVIRONMENT: xcode
APPVEYOR_BUILD_WORKER_IMAGE: macos-sonoma
HOMEBREW_NO_INSTALL_CLEANUP: 1
CC: gcc
CFLAGS: "-I/usr/local/include"
LDFLAGS: "-L/usr/local/lib"
CONFIGURE_OPTIONS: ""
- TARGET: macos-x64-gcc-python
BUILD_ENVIRONMENT: xcode
APPVEYOR_BUILD_WORKER_IMAGE: macos-sonoma
PYTHON: "/usr/local/opt/python@3.11/bin/python3"
PYTHON_CONFIG: "/usr/local/opt/python@3.11/bin/python3-config"
HOMEBREW_NO_INSTALL_CLEANUP: 1
CC: gcc
CFLAGS: "-I/usr/local/include"
LDFLAGS: "-L/usr/local/lib"
CONFIGURE_OPTIONS: "--enable-python"
- TARGET: macos-pkgbuild
BUILD_ENVIRONMENT: xcode
APPVEYOR_BUILD_WORKER_IMAGE: macos-sonoma
PYTHON: "/usr/local/opt/python@3.11/bin/python3"
PYTHON_CONFIG: "/usr/local/opt/python@3.11/bin/python3-config"
HOMEBREW_NO_INSTALL_CLEANUP: 1
CC: gcc
CFLAGS: "-I/usr/local/include"
LDFLAGS: "-L/usr/local/lib"
CONFIGURE_OPTIONS: "--disable-dependency-tracking --prefix=/usr/local --enable-python --with-pyprefix"
- TARGET: cygwin64-gcc
BUILD_ENVIRONMENT: cygwin64
APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2022
CONFIGURE_OPTIONS: ""
- TARGET: cygwin64-gcc-no-optimization
BUILD_ENVIRONMENT: cygwin64
APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2022
CONFIGURE_OPTIONS: "--enable-shared=no"
CFLAGS: "--coverage -O0"
CPPFLAGS: "-DOPTIMIZATION_DISABLED"
LDFLAGS: "--coverage"
- TARGET: cygwin64-gcc-python
BUILD_ENVIRONMENT: cygwin64
APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2022
CONFIGURE_OPTIONS: "--enable-python"
- TARGET: cygwin64-gcc-static-executables
BUILD_ENVIRONMENT: cygwin64
APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2022
CONFIGURE_OPTIONS: "--enable-static-executables"
- TARGET: mingw-w64-gcc
BUILD_ENVIRONMENT: mingw-w64
APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2022
CONFIGURE_OPTIONS: ""
- TARGET: mingw-w64-gcc-no-optimization
BUILD_ENVIRONMENT: mingw-w64
APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2022
CONFIGURE_OPTIONS: "--enable-shared=no"
CFLAGS: "--coverage -O0"
CPPFLAGS: "-DOPTIMIZATION_DISABLED"
LDFLAGS: "--coverage"
- TARGET: mingw-w64-gcc-python
BUILD_ENVIRONMENT: mingw-w64
APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2022
CONFIGURE_OPTIONS: "--enable-python"
- TARGET: mingw-w64-gcc-static-executables
BUILD_ENVIRONMENT: mingw-w64
APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2022
CONFIGURE_OPTIONS: "--enable-static-executables"
matrix:
allow_failures:
- TARGET: mingw-w64-gcc-python
install:
- cmd: if [%BUILD_ENVIRONMENT%]==[msbuild] (
git clone https://github.com/libyal/vstools.git ..\vstools )
- ps: If (($env:BUILD_ENVIRONMENT -eq "msbuild") -And (Test-Path ".\synctestdata.ps1")) {
.\synctestdata.ps1 }
- sh: if ( test ${BUILD_ENVIRONMENT} = "xcode" ) && test -f "./synctestdata.sh"; then ./synctestdata.sh; fi
- sh: if test ${BUILD_ENVIRONMENT} = "xcode"; then brew untap homebrew/homebrew-cask-versions && brew update -q; fi
- sh: if test ${BUILD_ENVIRONMENT} = "xcode"; then brew install -q autoconf automake gettext gnu-sed libtool pkg-config || true; fi
- ps: If ($env:BUILD_ENVIRONMENT -eq "cygwin64") {
(New-Object Net.WebClient).DownloadFile("https://cygwin.com/setup-x86_64.exe", "C:\\cygwin64\\setup-x86_64.exe") }
- cmd: if [%BUILD_ENVIRONMENT%]==[cygwin64] (
C:\cygwin64\setup-x86_64.exe -qgnNdO -l C:\cygwin64\var\cache\setup -R c:\cygwin64 -s http://cygwin.mirror.constant.com -P gettext-devel -P python3-devel -P wget )
- cmd: if [%BUILD_ENVIRONMENT%]==[mingw-w64] (
C:\msys64\usr\bin\pacman -S --noconfirm --needed autoconf automake gettext-devel libtool make mingw-w64-x86_64-gcc mingw-w64-x86_64-python3 pkg-config )
- ps: If ( ( "cygwin64-gcc-no-optimization", "mingw-w64-gcc-no-optimization" ).Contains( $env:TARGET ) ) {
$ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri https://uploader.codecov.io/latest/windows/codecov.exe -Outfile ..\codecov.exe }
build_script:
- ps: If ($env:BUILD_ENVIRONMENT -eq "msbuild") {
.\synclibs.ps1;
.\autogen.ps1 }
- ps: If ($env:TARGET -eq "vs2008") {
.\build.ps1 -VisualStudioVersion 2008 -PythonPath $env:PYTHON_PATH -VSToolsOptions "--no-python-dll" }
- ps: If ( ( "vs2010", "vs2012", "vs2013", "vs2015" ).Contains( $env:TARGET ) ) {
.\build.ps1 -VisualStudioVersion $env:TARGET.Substring(2, 4) -Configuration $env:CONFIGURATION -Platform $env:PLATFORM -PythonPath $env:PYTHON_PATH -VSToolsOptions "--extend-with-x64 --no-python-dll" }
- ps: If ( ( "vs2017", "vs2019", "vs2022", "vs2022-vsdebug", "vs2022-x64" ).Contains( $env:TARGET ) ) {
.\build.ps1 -VisualStudioVersion $env:TARGET.Substring(2, 4) -Configuration $env:CONFIGURATION -Platform $env:PLATFORM -PythonPath $env:PYTHON_PATH -VSToolsOptions "--extend-with-x64 --no-python-dll --with-dokany" }
- ps: If ($env:TARGET -eq "vs2022-python") {
.\build.ps1 -VisualStudioVersion $env:TARGET.Substring(2, 4) -Configuration $env:CONFIGURATION -Platform $env:PLATFORM -PythonPath $env:PYTHON_PATH -VSToolsOptions "--extend-with-x64 --python-path $env:PYTHON_PATH --with-dokany" }
- sh: if test ${BUILD_ENVIRONMENT} = "xcode"; then export PATH="/usr/local/opt/gettext/bin:$PATH"; export SED="/usr/local/bin/gsed"; tests/build.sh ${CONFIGURE_OPTIONS}; fi
- cmd: if [%BUILD_ENVIRONMENT%]==[cygwin64] (
xcopy /i /q /s C:\projects\libevtx C:\cygwin64\home\appveyor\libevtx &&
C:\cygwin64\bin\bash -e -l -c "cd libevtx && wget -q 'http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess;hb=HEAD' -O './config.guess' && wget -q 'http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub;hb=HEAD' -O './config.sub'" &&
C:\cygwin64\bin\bash -e -l -c "cd libevtx && tests/build.sh ${CONFIGURE_OPTIONS}" )
- cmd: if [%BUILD_ENVIRONMENT%]==[mingw-w64] (
xcopy /i /q /s C:\projects\libevtx C:\msys64\home\appveyor\libevtx &&
C:\msys64\usr\bin\bash -e -l -c "cd libevtx && tests/build.sh ${CONFIGURE_OPTIONS}" )
test_script:
- cmd: rem Run tests
- ps: If ($env:BUILD_ENVIRONMENT -eq "msbuild") {
.\runtests.ps1 }
- sh: if test ${BUILD_ENVIRONMENT} = "xcode" && test ${TARGET} != "macos-pkgbuild"; then tests/runtests.sh; fi
- sh: if test ${TARGET} = "macos-pkgbuild"; then tests/pkgbuild.sh; fi
- cmd: if [%BUILD_ENVIRONMENT%]==[cygwin64] (
C:\cygwin64\bin\bash -l -c "cd libevtx && tests/runtests.sh" )
- cmd: if [%BUILD_ENVIRONMENT%]==[mingw-w64] (
C:\msys64\usr\bin\bash -l -c "cd libevtx && tests/runtests.sh" )
after_test:
- cmd: if [%TARGET%]==[cygwin64-gcc-no-optimization] (
C:\cygwin64\bin\bash -e -l -c "cd libevtx && for DIRECTORY in `find . -maxdepth 1 -type d`; do (cd ${DIRECTORY} && find . -maxdepth 1 -name \*.gcno -type f -exec gcov -pb {} \;) done" &&
C:\projects\codecov.exe -R \cygwin64\home\appveyor\libevtx --name %TARGET% )
- cmd: if [%TARGET%]==[mingw-w64-gcc-no-optimization] (
C:\msys64\usr\bin\bash -e -l -c "cd libevtx && for DIRECTORY in `find . -maxdepth 1 -type d`; do (cd ${DIRECTORY} && find . -maxdepth 1 -name \*.gcno -type f -exec gcov -pb {} \;) done" &&
C:\projects\codecov.exe -R \msys64\home\appveyor\libevtx --name %TARGET% )
artifacts:
- path: dist\*.whl
deploy_script:
================================================
FILE: autogen.ps1
================================================
# Script to generate the necessary files for a msvscpp build
#
# Version: 20241014
$WinFlex = "..\win_flex_bison\win_flex.exe"
$WinBison = "..\win_flex_bison\win_bison.exe"
$Library = Get-Content -Path configure.ac | select -skip 3 -first 1 | % { $_ -Replace " \[","" } | % { $_ -Replace "\],","" }
$Version = Get-Content -Path configure.ac | select -skip 4 -first 1 | % { $_ -Replace " \[","" } | % { $_ -Replace "\],","" }
$Prefix = ${Library}.Substring(3)
Get-Content -Path "include\${Library}.h.in" | Out-File -Encoding ascii "include\${Library}.h"
Get-Content -Path "include\${Library}\definitions.h.in" | % { $_ -Replace "@VERSION@","${Version}" } | Out-File -Encoding ascii "include\${Library}\definitions.h"
Get-Content -Path "include\${Library}\features.h.in" | % { $_ -Replace "@[A-Z0-9_]*@","0" } | Out-File -Encoding ascii "include\${Library}\features.h"
Get-Content -Path "include\${Library}\types.h.in" | % { $_ -Replace "@[A-Z0-9_]*@","0" } | Out-File -Encoding ascii "include\${Library}\types.h"
Get-Content -Path "common\types.h.in" | % { $_ -Replace "@PACKAGE@","${Library}" } | Out-File -Encoding ascii "common\types.h"
Get-Content -Path "${Library}\${Library}_definitions.h.in" | % { $_ -Replace "@VERSION@","${Version}" } | Out-File -Encoding ascii "${Library}\${Library}_definitions.h"
Get-Content -Path "${Library}\${Library}.rc.in" | % { $_ -Replace "@VERSION@","${Version}" } | Out-File -Encoding ascii "${Library}\${Library}.rc"
If (Test-Path "setup.cfg.in")
{
Get-Content -Path "setup.cfg.in" | % { $_ -Replace "@VERSION@","${Version}" } | Out-File -Encoding ascii "setup.cfg"
}
If (Test-Path "${Prefix}.net")
{
Get-Content -Path "${Prefix}.net\${Prefix}.net.rc.in" | % { $_ -Replace "@VERSION@","${Version}" } | Out-File -Encoding ascii "${Prefix}.net\${Prefix}.net.rc"
}
$NamePrefix = ""
ForEach (${Library} in Get-ChildItem -Directory -Path "lib*")
{
ForEach (${DirectoryElement} in Get-ChildItem -Path "${Library}\*.l")
{
$OutputFile = ${DirectoryElement} -Replace ".l$",".c"
$NamePrefix = Split-Path -path ${DirectoryElement} -leaf
$NamePrefix = ${NamePrefix} -Replace ".l$","_"
Write-Host "Running: ${WinFlex} -Cf ${DirectoryElement}"
# PowerShell will raise NativeCommandError if win_flex writes to stdout or stderr
# therefore 2>&1 is added and the output is stored in a variable.
$Output = Invoke-Expression -Command "& '${WinFlex}' -Cf ${DirectoryElement} 2>&1"
Write-Host ${Output}
# Moving manually since `win_flex -o filename' does not provide the expected behavior.
Move-Item "lex.yy.c" ${OutputFile} -force
}
ForEach (${DirectoryElement} in Get-ChildItem -Path "${Library}\*.y")
{
$OutputFile = ${DirectoryElement} -Replace ".y$",".c"
Write-Host "Running: ${WinBison} -d -v -l -p ${NamePrefix} -o ${OutputFile} ${DirectoryElement}"
# PowerShell will raise NativeCommandError if win_bison writes to stdout or stderr
# therefore 2>&1 is added and the output is stored in a variable.
$Output = Invoke-Expression -Command "& '${WinBison}' -d -v -l -p ${NamePrefix} -o ${OutputFile} ${DirectoryElement} 2>&1"
Write-Host ${Output}
}
}
================================================
FILE: autogen.sh
================================================
#!/bin/sh
# Script to generate configure and Makefile using the autotools.
#
# Version: 20241013
EXIT_SUCCESS=0;
EXIT_FAILURE=1;
BINDIR=`which aclocal`;
BINDIR=`dirname ${BINDIR}`;
if ! test -x "${BINDIR}/aclocal" && test "${BINDIR}" != "/usr/bin";
then
BINDIR="/usr/bin";
fi
if ! test -x "${BINDIR}/aclocal" && test "${BINDIR}" != "/usr/local/bin";
then
BINDIR="/usr/local/bin";
fi
if ! test -x "${BINDIR}/aclocal" && test "${BINDIR}" != "/opt/local/bin";
then
# Default location of MacPorts installed binaries.
BINDIR="/opt/local/bin";
fi
if ! test -x "${BINDIR}/aclocal" && test "${BINDIR}" != "/opt/homebrew/bin";
then
# Default location of Homebrew installed binaries.
BINDIR="/opt/homebrew/bin";
fi
if ! test -x "${BINDIR}/aclocal" && test "${BINDIR}" != "/mingw32/bin";
then
# Default location of 32-bit MSYS2-MinGW installed binaries.
BINDIR="/mingw32/bin";
fi
if ! test -x "${BINDIR}/aclocal" && test "${BINDIR}" != "/mingw64/bin";
then
# Default location of 64-bit MSYS2-MinGW installed binaries.
BINDIR="/mingw64/bin";
fi
if ! test -x "${BINDIR}/aclocal";
then
echo "Unable to find autotools";
exit ${EXIT_FAILURE};
fi
ACLOCAL="${BINDIR}/aclocal";
AUTOCONF="${BINDIR}/autoconf";
AUTOHEADER="${BINDIR}/autoheader";
AUTOMAKE="${BINDIR}/automake";
AUTOPOINT="${BINDIR}/autopoint";
AUTORECONF="${BINDIR}/autoreconf";
LIBTOOLIZE="${BINDIR}/libtoolize";
PKGCONFIG="${BINDIR}/pkg-config";
if test "${OSTYPE}" = "msys";
then
# Work-around for autopoint failing to detect gettext version
# using func_trace (which is not available) on MSYS by writing
# the gettext version to intl/VERSION.
if ! test -d intl;
then
mkdir intl;
fi
GETTEXT_VERSION=`gettext --version | head -n1 | sed 's/^.* //'`;
echo "gettext-${GETTEXT_VERSION}" > intl/VERSION;
elif ! test -x "${PKGCONFIG}";
then
if test "${BINDIR}" != "/usr/bin";
then
# On OpenBSD most of the autotools are located in
# /usr/local/bin while pkg-config is located in /usr/bin
PKGCONFIG="/usr/bin/pkg-config";
fi
if ! test -x "${PKGCONFIG}";
then
echo "Unable to find: pkg-config";
exit ${EXIT_FAILURE};
fi
fi
if test -x "${AUTORECONF}";
then
${AUTORECONF} --force --install
if test $? -ne 0;
then
exit $?;
fi
else
if ! test -x "${ACLOCAL}";
then
echo "Unable to find: aclocal";
exit ${EXIT_FAILURE};
fi
if ! test -x "${AUTOCONF}";
then
echo "Unable to find: autoconf";
exit ${EXIT_FAILURE};
fi
if ! test -x "${AUTOHEADER}";
then
echo "Unable to find: autoheader";
exit ${EXIT_FAILURE};
fi
if ! test -x "${AUTOMAKE}";
then
echo "Unable to find: automake";
exit ${EXIT_FAILURE};
fi
if ! test -x "${AUTOPOINT}";
then
echo "Unable to find: autopoint";
exit ${EXIT_FAILURE};
fi
if ! test -x "${LIBTOOLIZE}";
then
echo "Unable to find: libtoolize";
exit ${EXIT_FAILURE};
fi
${AUTOPOINT} --force;
if test $? -ne 0;
then
exit $?;
fi
${ACLOCAL} --force --install -I m4;
if test $? -ne 0;
then
exit $?;
fi
${LIBTOOLIZE} --force;
if test $? -ne 0;
then
exit $?;
fi
${AUTOHEADER} --force;
if test $? -ne 0;
then
exit $?;
fi
${AUTOCONF} --force;
if test $? -ne 0;
then
exit $?;
fi
${AUTOMAKE} --force --add-missing;
if test $? -ne 0;
then
exit $?;
fi
fi
exit ${EXIT_SUCCESS};
================================================
FILE: build.ps1
================================================
# Script that builds libevtx
#
# Version: 20251125
Param (
[string]$Configuration = ${Env:Configuration},
[string]$Platform = ${Env:Platform},
[string]$PlatformToolset = "",
[string]$PythonPath = "C:\Python311",
[string]$VisualStudioVersion = "",
[string]$VSToolsOptions = "--extend-with-x64",
[string]$VSToolsPath = "..\vstools"
)
$ExitSuccess = 0
$ExitFailure = 1
$Python = "${PythonPath}\python.exe"
$Git = "git"
$GitUrl = "https://github.com/libyal/vstools.git"
$MSVSCppConvert = "${VSToolsPath}\vstools\scripts\msvscpp_convert.py"
If (-Not (Test-Path $Python))
{
Write-Host "Missing Python: ${Python}" -foreground Red
Exit ${ExitFailure}
}
If (-Not (Test-Path ${VSToolsPath}))
{
# PowerShell will raise NativeCommandError if git writes to stdout or stderr
# therefore 2>&1 is added and the output is stored in a variable.
$Output = Invoke-Expression -Command "${Git} clone ${GitUrl} ${VSToolsPath} 2>&1" | %{ "$_" }
}
Else
{
Push-Location "${VSToolsPath}"
Try
{
# Make sure vstools are up to date.
$Output = Invoke-Expression -Command "${Git} pull 2>&1" | %{ "$_" }
}
Finally
{
Pop-Location
}
}
If (-Not (Test-Path ${MSVSCppConvert}))
{
Write-Host "Missing msvscpp_convert.py: ${MSVSCppConvert}" -foreground Red
Exit ${ExitFailure}
}
If (-Not ${VisualStudioVersion})
{
$VisualStudioVersion = "2022"
Write-Host "Visual Studio version not set defauting to: ${VisualStudioVersion}" -foreground Red
}
If ((${VisualStudioVersion} -ne "2008") -And (${VisualStudioVersion} -ne "2010") -And (${VisualStudioVersion} -ne "2012") -And (${VisualStudioVersion} -ne "2013") -And (${VisualStudioVersion} -ne "2015") -And (${VisualStudioVersion} -ne "2017") -And (${VisualStudioVersion} -ne "2019") -And (${VisualStudioVersion} -ne "2022"))
{
Write-Host "Unsupported Visual Studio version: ${VisualStudioVersion}" -foreground Red
Exit ${ExitFailure}
}
$MSBuild = ""
If (${VisualStudioVersion} -eq "2008")
{
$MSBuild = "C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe"
}
ElseIf ((${VisualStudioVersion} -eq "2010") -Or (${VisualStudioVersion} -eq "2012"))
{
$MSBuild = "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
}
ElseIf (${VisualStudioVersion} -eq "2013")
{
$MSBuild = "C:\Program Files (x86)\MSBuild\12.0\Bin\MSBuild.exe"
}
ElseIf (${VisualStudioVersion} -eq "2015")
{
$MSBuild = "C:\Program Files (x86)\MSBuild\14.0\Bin\MSBuild.exe"
}
ElseIf (${VisualStudioVersion} -eq "2017")
{
$Results = Get-ChildItem -Path "C:\Program Files\Microsoft Visual Studio\${VisualStudioVersion}\*\MSBuild\15.0\Bin\MSBuild.exe" -Recurse -ErrorAction SilentlyContinue -Force
If ($Results.Count -eq 0)
{
$Results = Get-ChildItem -Path "C:\Program Files (x86)\Microsoft Visual Studio\${VisualStudioVersion}\*\MSBuild\15.0\Bin\MSBuild.exe" -Recurse -ErrorAction SilentlyContinue -Force
}
If ($Results.Count -gt 0)
{
$MSBuild = $Results[0].FullName
}
}
ElseIf (${VisualStudioVersion} -eq "2019" -Or ${VisualStudioVersion} -eq "2022")
{
$Results = Get-ChildItem -Path "C:\Program Files\Microsoft Visual Studio\${VisualStudioVersion}\*\MSBuild\Current\Bin\MSBuild.exe" -Recurse -ErrorAction SilentlyContinue -Force
If ($Results.Count -eq 0)
{
$Results = Get-ChildItem -Path "C:\Program Files (x86)\Microsoft Visual Studio\${VisualStudioVersion}\*\MSBuild\Current\Bin\MSBuild.exe" -Recurse -ErrorAction SilentlyContinue -Force
}
If ($Results.Count -gt 0)
{
$MSBuild = $Results[0].FullName
}
}
If (-Not ${MSBuild})
{
Write-Host "Unable to determine path to msbuild.exe" -foreground Red
Exit ${ExitFailure}
}
ElseIf (-Not (Test-Path ${MSBuild}))
{
Write-Host "Missing msbuild.exe: ${MSBuild}" -foreground Red
Exit ${ExitFailure}
}
If (${VisualStudioVersion} -eq "2008")
{
$VSSolutionPath = "msvscpp"
}
Else
{
$VSSolutionPath = "vs${VisualStudioVersion}"
If (-Not (Test-Path "${VSSolutionPath}"))
{
${Env:PYTHONPATH} = ${VSToolsPath}
Invoke-Expression -Command "& '${Python}' ${MSVSCppConvert} --output-format ${VisualStudioVersion} ${VSToolsOptions} msvscpp\libevtx.sln 2>&1" | %{ "$_" }
}
}
$VSSolutionFile = "${VSSolutionPath}\libevtx.sln"
If (-Not (Test-Path "${VSSolutionFile}"))
{
Write-Host "Missing Visual Studio ${VisualStudioVersion} solution file: ${VSSolutionFile}" -foreground Red
Exit ${ExitFailure}
}
If (-Not ${Configuration})
{
$Configuration = "Release"
Write-Host "Configuration not set defauting to: ${Configuration}"
}
If (-Not ${Platform})
{
$Platform = "Win32"
Write-Host "Platform not set defauting to: ${Platform}"
}
$PlatformToolset = ""
If (-Not ${PlatformToolset})
{
If (${VisualStudioVersion} -eq "2015")
{
$PlatformToolset = "v140"
}
ElseIf (${VisualStudioVersion} -eq "2017")
{
$PlatformToolset = "v141"
}
ElseIf (${VisualStudioVersion} -eq "2019")
{
$PlatformToolset = "v142"
}
ElseIf (${VisualStudioVersion} -eq "2022")
{
$PlatformToolset = "v143"
}
Write-Host "PlatformToolset not set defauting to: ${PlatformToolset}"
}
$MSBuildOptions = "/verbosity:quiet /target:Build /property:Configuration=${Configuration},Platform=${Platform}"
If (${PlatformToolset})
{
$MSBuildOptions = "${MSBuildOptions} /property:PlatformToolset=${PlatformToolset}"
}
If (${Env:APPVEYOR} -eq "True")
{
Invoke-Expression -Command "& '${MSBuild}' ${MSBuildOptions} ${VSSolutionFile} /logger:'C:\Program Files\AppVeyor\BuildAgent\Appveyor.MSBuildLogger.dll' 2>&1" | %{ "$_" }
}
Else
{
Invoke-Expression -Command "& '${MSBuild}' ${MSBuildOptions} ${VSSolutionFile} 2>&1" | %{ "$_" }
}
Exit ${ExitSuccess}
================================================
FILE: common/Makefile.am
================================================
AM_CPPFLAGS = \
-I../include -I$(top_srcdir)/include
EXTRA_DIST = \
byte_stream.h \
common.h \
config.h \
config_borlandc.h \
config_msc.h \
config_winapi.h \
file_stream.h \
memory.h \
narrow_string.h \
system_string.h \
types.h \
types.h.in \
wide_string.h
DISTCLEANFILES = \
config.h \
types.h \
Makefile \
Makefile.in
================================================
FILE: common/byte_stream.h
================================================
/*
* Byte stream functions
*
* Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>
*
* Refer to AUTHORS for acknowledgements.
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*/
#if !defined( _BYTE_STREAM_H )
#define _BYTE_STREAM_H
#include "common.h"
#include "types.h"
#if defined( __cplusplus )
extern "C" {
#endif
#define _BYTE_STREAM_HOST_IS_ENDIAN_BIG ( *((uint32_t *) "\x01\x02\x03\x04" ) == 0x01020304 )
#define _BYTE_STREAM_HOST_IS_ENDIAN_LITTLE ( *((uint32_t *) "\x01\x02\x03\x04" ) == 0x04030201 )
#define _BYTE_STREAM_HOST_IS_ENDIAN_MIDDLE ( *((uint32_t *) "\x01\x02\x03\x04" ) == 0x02010403 )
#define _BYTE_STREAM_ENDIAN_BIG (uint8_t) 'b'
#define _BYTE_STREAM_ENDIAN_LITTLE (uint8_t) 'l'
#define _BYTE_STREAM_ENDIAN_MIDDLE (uint8_t) 'm'
typedef union byte_stream_float32
{
float floating_point;
uint32_t integer;
} byte_stream_float32_t;
typedef union byte_stream_float64
{
double floating_point;
uint64_t integer;
} byte_stream_float64_t;
#define byte_stream_copy_to_uint16_big_endian( byte_stream, value ) \
( value ) = ( byte_stream )[ 0 ]; \
( value ) <<= 8; \
( value ) |= ( byte_stream )[ 1 ];
#define byte_stream_copy_to_uint16_little_endian( byte_stream, value ) \
( value ) = ( byte_stream )[ 1 ]; \
( value ) <<= 8; \
( value ) |= ( byte_stream )[ 0 ];
#define byte_stream_copy_to_uint24_big_endian( byte_stream, value ) \
( value ) = ( byte_stream )[ 0 ]; \
( value ) <<= 8; \
( value ) |= ( byte_stream )[ 1 ]; \
( value ) <<= 8; \
( value ) |= ( byte_stream )[ 2 ];
#define byte_stream_copy_to_uint24_little_endian( byte_stream, value ) \
( value ) = ( byte_stream )[ 2 ]; \
( value ) <<= 8; \
( value ) |= ( byte_stream )[ 1 ]; \
( value ) <<= 8; \
( value ) |= ( byte_stream )[ 0 ];
#define byte_stream_copy_to_uint32_big_endian( byte_stream, value ) \
( value ) = ( byte_stream )[ 0 ]; \
( value ) <<= 8; \
( value ) |= ( byte_stream )[ 1 ]; \
( value ) <<= 8; \
( value ) |= ( byte_stream )[ 2 ]; \
( value ) <<= 8; \
( value ) |= ( byte_stream )[ 3 ];
#define byte_stream_copy_to_uint32_little_endian( byte_stream, value ) \
( value ) = ( byte_stream )[ 3 ]; \
( value ) <<= 8; \
( value ) |= ( byte_stream )[ 2 ]; \
( value ) <<= 8; \
( value ) |= ( byte_stream )[ 1 ]; \
( value ) <<= 8; \
( value ) |= ( byte_stream )[ 0 ];
#define byte_stream_copy_to_uint48_big_endian( byte_stream, value ) \
( value ) = ( byte_stream )[ 0 ]; \
( value ) <<= 8; \
( value ) |= ( byte_stream )[ 1 ]; \
( value ) <<= 8; \
( value ) |= ( byte_stream )[ 2 ]; \
( value ) <<= 8; \
( value ) |= ( byte_stream )[ 3 ]; \
( value ) <<= 8; \
( value ) |= ( byte_stream )[ 4 ]; \
( value ) <<= 8; \
( value ) |= ( byte_stream )[ 5 ];
#define byte_stream_copy_to_uint48_little_endian( byte_stream, value ) \
( value ) |= ( byte_stream )[ 5 ]; \
( value ) <<= 8; \
( value ) |= ( byte_stream )[ 4 ]; \
( value ) <<= 8; \
( value ) |= ( byte_stream )[ 3 ]; \
( value ) <<= 8; \
( value ) |= ( byte_stream )[ 2 ]; \
( value ) <<= 8; \
( value ) |= ( byte_stream )[ 1 ]; \
( value ) <<= 8; \
( value ) |= ( byte_stream )[ 0 ];
#define byte_stream_copy_to_uint64_big_endian( byte_stream, value ) \
( value ) = ( byte_stream )[ 0 ]; \
( value ) <<= 8; \
( value ) |= ( byte_stream )[ 1 ]; \
( value ) <<= 8; \
( value ) |= ( byte_stream )[ 2 ]; \
( value ) <<= 8; \
( value ) |= ( byte_stream )[ 3 ]; \
( value ) <<= 8; \
( value ) |= ( byte_stream )[ 4 ]; \
( value ) <<= 8; \
( value ) |= ( byte_stream )[ 5 ]; \
( value ) <<= 8; \
( value ) |= ( byte_stream )[ 6 ]; \
( value ) <<= 8; \
( value ) |= ( byte_stream )[ 7 ];
#define byte_stream_copy_to_uint64_little_endian( byte_stream, value ) \
( value ) = ( byte_stream )[ 7 ]; \
( value ) <<= 8; \
( value ) |= ( byte_stream )[ 6 ]; \
( value ) <<= 8; \
( value ) |= ( byte_stream )[ 5 ]; \
( value ) <<= 8; \
( value ) |= ( byte_stream )[ 4 ]; \
( value ) <<= 8; \
( value ) |= ( byte_stream )[ 3 ]; \
( value ) <<= 8; \
( value ) |= ( byte_stream )[ 2 ]; \
( value ) <<= 8; \
( value ) |= ( byte_stream )[ 1 ]; \
( value ) <<= 8; \
( value ) |= ( byte_stream )[ 0 ];
#define byte_stream_copy_from_uint16_big_endian( byte_stream, value ) \
( byte_stream )[ 0 ] = (uint8_t) ( ( ( value ) >> 8 ) & 0x0ff ); \
( byte_stream )[ 1 ] = (uint8_t) ( ( value ) & 0x0ff )
#define byte_stream_copy_from_uint16_little_endian( byte_stream, value ) \
( byte_stream )[ 1 ] = (uint8_t) ( ( ( value ) >> 8 ) & 0x0ff ); \
( byte_stream )[ 0 ] = (uint8_t) ( ( value ) & 0x0ff )
#define byte_stream_copy_from_uint24_big_endian( byte_stream, value ) \
( byte_stream )[ 0 ] = (uint8_t) ( ( ( value ) >> 16 ) & 0x0ff ); \
( byte_stream )[ 1 ] = (uint8_t) ( ( ( value ) >> 8 ) & 0x0ff ); \
( byte_stream )[ 2 ] = (uint8_t) ( ( value ) & 0x0ff )
#define byte_stream_copy_from_uint24_little_endian( byte_stream, value ) \
( byte_stream )[ 2 ] = (uint8_t) ( ( ( value ) >> 16 ) & 0x0ff ); \
( byte_stream )[ 1 ] = (uint8_t) ( ( ( value ) >> 8 ) & 0x0ff ); \
( byte_stream )[ 0 ] = (uint8_t) ( ( value ) & 0x0ff )
#define byte_stream_copy_from_uint32_big_endian( byte_stream, value ) \
( byte_stream )[ 0 ] = (uint8_t) ( ( ( value ) >> 24 ) & 0x0ff ); \
( byte_stream )[ 1 ] = (uint8_t) ( ( ( value ) >> 16 ) & 0x0ff ); \
( byte_stream )[ 2 ] = (uint8_t) ( ( ( value ) >> 8 ) & 0x0ff ); \
( byte_stream )[ 3 ] = (uint8_t) ( ( value ) & 0x0ff )
#define byte_stream_copy_from_uint32_little_endian( byte_stream, value ) \
( byte_stream )[ 3 ] = (uint8_t) ( ( ( value ) >> 24 ) & 0x0ff ); \
( byte_stream )[ 2 ] = (uint8_t) ( ( ( value ) >> 16 ) & 0x0ff ); \
( byte_stream )[ 1 ] = (uint8_t) ( ( ( value ) >> 8 ) & 0x0ff ); \
( byte_stream )[ 0 ] = (uint8_t) ( ( value ) & 0x0ff )
#define byte_stream_copy_from_uint48_big_endian( byte_stream, value ) \
( byte_stream )[ 0 ] = (uint8_t) ( ( ( value ) >> 40 ) & 0x0ff ); \
( byte_stream )[ 1 ] = (uint8_t) ( ( ( value ) >> 32 ) & 0x0ff ); \
( byte_stream )[ 2 ] = (uint8_t) ( ( ( value ) >> 24 ) & 0x0ff ); \
( byte_stream )[ 3 ] = (uint8_t) ( ( ( value ) >> 16 ) & 0x0ff ); \
( byte_stream )[ 4 ] = (uint8_t) ( ( ( value ) >> 8 ) & 0x0ff ); \
( byte_stream )[ 5 ] = (uint8_t) ( ( value ) & 0x0ff )
#define byte_stream_copy_from_uint48_little_endian( byte_stream, value ) \
( byte_stream )[ 5 ] = (uint8_t) ( ( ( value ) >> 40 ) & 0x0ff ); \
( byte_stream )[ 4 ] = (uint8_t) ( ( ( value ) >> 32 ) & 0x0ff ); \
( byte_stream )[ 3 ] = (uint8_t) ( ( ( value ) >> 24 ) & 0x0ff ); \
( byte_stream )[ 2 ] = (uint8_t) ( ( ( value ) >> 16 ) & 0x0ff ); \
( byte_stream )[ 1 ] = (uint8_t) ( ( ( value ) >> 8 ) & 0x0ff ); \
( byte_stream )[ 0 ] = (uint8_t) ( ( value ) & 0x0ff )
#define byte_stream_copy_from_uint64_big_endian( byte_stream, value ) \
( byte_stream )[ 0 ] = (uint8_t) ( ( ( value ) >> 56 ) & 0x0ff ); \
( byte_stream )[ 1 ] = (uint8_t) ( ( ( value ) >> 48 ) & 0x0ff ); \
( byte_stream )[ 2 ] = (uint8_t) ( ( ( value ) >> 40 ) & 0x0ff ); \
( byte_stream )[ 3 ] = (uint8_t) ( ( ( value ) >> 32 ) & 0x0ff ); \
( byte_stream )[ 4 ] = (uint8_t) ( ( ( value ) >> 24 ) & 0x0ff ); \
( byte_stream )[ 5 ] = (uint8_t) ( ( ( value ) >> 16 ) & 0x0ff ); \
( byte_stream )[ 6 ] = (uint8_t) ( ( ( value ) >> 8 ) & 0x0ff ); \
( byte_stream )[ 7 ] = (uint8_t) ( ( value ) & 0x0ff )
#define byte_stream_copy_from_uint64_little_endian( byte_stream, value ) \
( byte_stream )[ 7 ] = (uint8_t) ( ( ( value ) >> 56 ) & 0x0ff ); \
( byte_stream )[ 6 ] = (uint8_t) ( ( ( value ) >> 48 ) & 0x0ff ); \
( byte_stream )[ 5 ] = (uint8_t) ( ( ( value ) >> 40 ) & 0x0ff ); \
( byte_stream )[ 4 ] = (uint8_t) ( ( ( value ) >> 32 ) & 0x0ff ); \
( byte_stream )[ 3 ] = (uint8_t) ( ( ( value ) >> 24 ) & 0x0ff ); \
( byte_stream )[ 2 ] = (uint8_t) ( ( ( value ) >> 16 ) & 0x0ff ); \
( byte_stream )[ 1 ] = (uint8_t) ( ( ( value ) >> 8 ) & 0x0ff ); \
( byte_stream )[ 0 ] = (uint8_t) ( ( value ) & 0x0ff )
#define byte_stream_bit_rotate_left_8bit( byte_stream, number_of_bits ) \
( ( ( byte_stream ) << ( number_of_bits ) ) | ( ( byte_stream ) >> ( 8 - ( number_of_bits ) ) ) )
#define byte_stream_bit_rotate_right_8bit( byte_stream, number_of_bits ) \
( ( ( byte_stream ) >> ( number_of_bits ) ) | ( ( byte_stream ) << ( 8 - ( number_of_bits ) ) ) )
#define byte_stream_bit_rotate_left_16bit( byte_stream, number_of_bits ) \
( ( ( byte_stream ) << ( number_of_bits ) ) | ( ( byte_stream ) >> ( 16 - ( number_of_bits ) ) ) )
#define byte_stream_bit_rotate_right_16bit( byte_stream, number_of_bits ) \
( ( ( byte_stream ) >> ( number_of_bits ) ) | ( ( byte_stream ) << ( 16 - ( number_of_bits ) ) ) )
#define byte_stream_bit_rotate_left_32bit( byte_stream, number_of_bits ) \
( ( ( byte_stream ) << ( number_of_bits ) ) | ( ( byte_stream ) >> ( 32 - ( number_of_bits ) ) ) )
#define byte_stream_bit_rotate_right_32bit( byte_stream, number_of_bits ) \
( ( ( byte_stream ) >> ( number_of_bits ) ) | ( ( byte_stream ) << ( 32 - ( number_of_bits ) ) ) )
#define byte_stream_bit_rotate_left_64bit( byte_stream, number_of_bits ) \
( ( ( byte_stream ) << ( number_of_bits ) ) | ( ( byte_stream ) >> ( 64 - ( number_of_bits ) ) ) )
#define byte_stream_bit_rotate_right_64bit( byte_stream, number_of_bits ) \
( ( ( byte_stream ) >> ( number_of_bits ) ) | ( ( byte_stream ) << ( 64 - ( number_of_bits ) ) ) )
#define byte_stream_bit_rotate_left( value, number_of_bits ) \
( ( ( value ) << ( number_of_bits ) ) | ( ( value ) >> ( ( sizeof( value ) << 3 ) - ( number_of_bits ) ) ) )
#define byte_stream_bit_rotate_right( value, number_of_bits ) \
( ( ( value ) >> ( number_of_bits ) ) | ( ( value ) << ( ( sizeof( value ) << 3 ) - ( number_of_bits ) ) ) )
#if defined( __cplusplus )
}
#endif
#endif /* !defined( _BYTE_STREAM_H ) */
================================================
FILE: common/common.h
================================================
/*
* Common include file
*
* Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>
*
* Refer to AUTHORS for acknowledgements.
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*/
#if !defined( _COMMON_H )
#define _COMMON_H
#if defined( HAVE_CONFIG_H )
#include "config.h"
#endif
/* Include the Borland/CodeGear C++ Builder compiler specific configuration
*/
#if defined( __BORLANDC__ )
#include "config_borlandc.h"
/* Include the Microsoft Visual Studio C++ compiler specific configuration
*/
#elif defined( _MSC_VER )
#include "config_msc.h"
#endif
#include "config_winapi.h"
#endif /* !defined( _COMMON_H ) */
================================================
FILE: common/config_borlandc.h
================================================
/*
* Configuration for the Borland/CodeGear C++ Builder compiler
*
* Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>
*
* Refer to AUTHORS for acknowledgements.
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*/
#if !defined( _CONFIG_BORLANDC_H )
#define _CONFIG_BORLANDC_H
#endif /* !defined( _CONFIG_BORLANDC_H ) */
================================================
FILE: common/config_msc.h
================================================
/*
* Configuration for the Microsoft Visual Studio C++ compiler
*
* Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>
*
* Refer to AUTHORS for acknowledgements.
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*/
#if !defined( _CONFIG_MSC_H )
#define _CONFIG_MSC_H
/* Disable warning C4127: conditional expression is constant
*/
#pragma warning( disable : 4127 )
/* Disable warning C4201: nonstandard extension used : nameless struct/union
*/
#pragma warning( disable : 4201 )
#endif /* !defined( _CONFIG_MSC_H ) */
================================================
FILE: common/config_winapi.h
================================================
/*
* Configuration file for WINAPI
*
* Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>
*
* Refer to AUTHORS for acknowledgements.
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*/
#if !defined( _CONFIG_WINAPI_H )
#define _CONFIG_WINAPI_H
/* Define the earliest supported WINAPI version
#define WINVER 0x0501
*/
/* If necessary make sure WINAPI is defined
*/
#if defined( HAVE_WINDOWS_H ) || defined( __BORLANDC__ ) || defined( _MSC_VER )
#include <windows.h>
#endif
#if defined( WINAPI )
/* Define to the address where bug reports for this package should be sent.
*/
#define PACKAGE_BUGREPORT "joachim.metz@gmail.com"
/* Define the size of the integer for WINAPI
*/
#if !defined( SIZEOF_INT )
#define SIZEOF_INT 4
#endif
/* Define the size of size_t for WINAPI
* Do not define when pyconfig.h has been included via python.h
*/
#if !defined( HAVE_PYCONFIG_H )
#if !defined( SIZEOF_SIZE_T )
#if __WORDSIZE == 64
#define SIZEOF_SIZE_T 8
#else
#define SIZEOF_SIZE_T 4
#endif
#endif
#endif /* !defined( HAVE_PYCONFIG_H ) */
/* Define the size of the wide character for WINAPI
*/
#if !defined( SIZEOF_WCHAR_T )
#define SIZEOF_WCHAR_T 2
#endif
/* Enable the DllMain function
*/
#define HAVE_DLLMAIN 1
/* Enable verbose output
#define HAVE_VERBOSE_OUTPUT 1
*/
/* Enable debug output
#define HAVE_DEBUG_OUTPUT 1
*/
/* Enable both the narrow and wide character functions
*/
#if !defined( HAVE_WIDE_CHARACTER_TYPE )
#define HAVE_WIDE_CHARACTER_TYPE 1
#endif
/* If not controlled by config.h enable multi-thread support
*/
#if !defined( HAVE_CONFIG_H ) && !defined( HAVE_MULTI_THREAD_SUPPORT )
#define HAVE_MULTI_THREAD_SUPPORT 1
#endif
#endif /* defined( WINAPI ) */
#endif /* !defined( _CONFIG_WINAPI_H ) */
================================================
FILE: common/file_stream.h
================================================
/*
* FILE stream functions
*
* Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>
*
* Refer to AUTHORS for acknowledgements.
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*/
#if !defined( _FILE_STREAM_H )
#define _FILE_STREAM_H
#include "common.h"
#if defined( HAVE_GLIB_H )
#include <glib.h>
#include <glib/gstdio.h>
#endif
#include <stdio.h>
#if defined( __cplusplus )
extern "C" {
#endif
#define FILE_STREAM_OPEN_APPEND "a"
#define FILE_STREAM_OPEN_READ "r"
#define FILE_STREAM_OPEN_WRITE "w"
#if defined( WINAPI )
#define FILE_STREAM_BINARY_OPEN_APPEND "ab"
#define FILE_STREAM_BINARY_OPEN_READ "rb"
#define FILE_STREAM_BINARY_OPEN_WRITE "wb"
#else
#define FILE_STREAM_BINARY_OPEN_APPEND "a"
#define FILE_STREAM_BINARY_OPEN_READ "r"
#define FILE_STREAM_BINARY_OPEN_WRITE "w"
#endif
/* narrow character FILE stream open
*/
#if defined( HAVE_GLIB_H )
#define file_stream_open( filename, mode ) \
g_fopen( filename, mode )
#elif defined( HAVE_FOPEN ) || defined( WINAPI )
#define file_stream_open( filename, mode ) \
fopen( filename, mode )
#endif
/* wide character FILE stream open
*/
#if defined( WINAPI )
#define file_stream_open_wide( filename, mode ) \
_wfopen( filename, mode )
#endif
/* FILE stream close
*/
#if defined( HAVE_FCLOSE ) || defined( WINAPI )
#define file_stream_close( stream ) \
fclose( stream )
#endif
/* FILE stream read
*/
#if defined( HAVE_FREAD ) || defined( WINAPI )
#define file_stream_read( stream, data, size ) \
fread( data, 1, size, stream )
#endif
/* FILE stream write
*/
#if defined( HAVE_FWRITE ) || defined( WINAPI )
#define file_stream_write( stream, data, size ) \
fwrite( data, 1, size, stream )
#endif
/* FILE stream seek
*/
#if defined( WINAPI )
#define file_stream_seek_offset( stream, offset, whence ) \
fseek( stream, offset, whence )
#elif defined( HAVE_FSEEKO )
#define file_stream_seek_offset( stream, offset, whence ) \
fseeko( stream, offset, whence )
#elif defined( HAVE_FSEEKO64 )
#define file_stream_seek_offset( stream, offset, whence ) \
fseeko64( stream, offset, whence )
#endif
/* End of FILE stream
*/
#if defined( HAVE_FEOF ) || defined( WINAPI )
#define file_stream_at_end( stream ) \
feof( stream )
#endif
/* Get narrow character string from FILE stream
*/
#if defined( HAVE_FGETS ) || defined( WINAPI )
#define file_stream_get_string( stream, string, size ) \
fgets( string, size, stream )
#endif
/* Get wide characters string from FILE stream
*/
#if defined( HAVE_FGETWS ) || defined( WINAPI )
#define file_stream_get_string_wide( stream, string, size ) \
fgetws( string, size, stream )
#endif
/* Variable arguments formatted print to stream function
*/
#if defined( HAVE_GLIB_H )
#define file_stream_vfprintf( stream, format, ... ) \
g_vfprintf( stream, format, __VA_ARGS__ )
/* Borland BCC previous to version 5.6.0 cannot handle the macro form: MACRO( ... )
*/
#elif defined( __BORLANDC__ ) && ( __BORLANDC__ < 0x0560 )
#define file_stream_vfprintf \
vfprintf
#elif defined( HAVE_VFPRINTF ) || defined( WINAPI )
#define file_stream_vfprintf( stream, format, ... ) \
vfprintf( stream, format, __VA_ARGS__ )
#endif
#if defined( __cplusplus )
}
#endif
#endif /* !defined( _FILE_STREAM_H ) */
================================================
FILE: common/memory.h
================================================
/*
* Memory functions
*
* Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>
*
* Refer to AUTHORS for acknowledgements.
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*/
#if !defined( _MEMORY_H )
#define _MEMORY_H
#include "common.h"
#if defined( HAVE_GLIB_H )
#include <glib.h>
#endif
#if defined( HAVE_STDLIB_H ) || defined( WINAPI )
#include <stdlib.h>
#endif
#if defined( HAVE_STRING_H ) || defined( WINAPI )
#include <string.h>
#endif
#if defined( __cplusplus )
extern "C" {
#endif
/* Note that 128 MiB is an arbitrary selected upper limit here
*/
#define MEMORY_MAXIMUM_ALLOCATION_SIZE \
( 128 * 1024 * 1024 )
/* Memory allocation
*/
#if defined( HAVE_GLIB_H )
#define memory_allocate( size ) \
g_malloc( (gsize) size )
#elif defined( WINAPI )
#define memory_allocate( size ) \
HeapAlloc( GetProcessHeap(), 0, (SIZE_T) size )
#elif defined( HAVE_MALLOC )
#define memory_allocate( size ) \
malloc( size )
#endif
#define memory_allocate_structure( type ) \
(type *) memory_allocate( sizeof( type ) )
#define memory_allocate_structure_as_value( type ) \
(intptr_t *) memory_allocate( sizeof( type ) )
/* Memory reallocation
*/
#if defined( HAVE_GLIB_H )
#define memory_reallocate( buffer, size ) \
g_realloc( (gpointer) buffer, (gsize) size )
#elif defined( WINAPI )
/* HeapReAlloc does not allocate empty (NULL) buffers as realloc does
*/
#define memory_reallocate( buffer, size ) \
( buffer == NULL ) ? \
HeapAlloc( GetProcessHeap(), 0, (SIZE_T) size ) : \
HeapReAlloc( GetProcessHeap(), 0, (LPVOID) buffer, (SIZE_T) size )
#elif defined( HAVE_REALLOC )
#define memory_reallocate( buffer, size ) \
realloc( (void *) buffer, size )
#endif
/* Memory free
*/
#if defined( HAVE_GLIB_H )
#define memory_free( buffer ) \
g_free( (gpointer) buffer )
#elif defined( WINAPI )
#define memory_free( buffer ) \
( buffer == NULL ) ? TRUE : HeapFree( GetProcessHeap(), 0, (LPVOID) buffer )
#elif defined( HAVE_FREE )
#define memory_free( buffer ) \
free( (void *) buffer )
#endif
/* Memory compare
*/
#if defined( HAVE_MEMCMP ) || defined( WINAPI )
#define memory_compare( buffer1, buffer2, size ) \
memcmp( (const void *) buffer1, (const void *) buffer2, size )
#endif
/* Memory copy
*/
#if defined( HAVE_MEMCPY ) || defined( WINAPI )
#define memory_copy( destination, source, count ) \
memcpy( (void *) destination, (void *) source, count )
#endif
/* Memory set
*/
#if defined( HAVE_MEMSET ) || defined( WINAPI )
#define memory_set( buffer, value, count ) \
memset( (void *) buffer, (int) value, count )
#endif
#if defined( __cplusplus )
}
#endif
#endif /* !defined( _MEMORY_H ) */
================================================
FILE: common/narrow_string.h
================================================
/*
* Narrow character string functions
*
* Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>
*
* Refer to AUTHORS for acknowledgements.
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*/
#if !defined( _NARROW_STRING_H )
#define _NARROW_STRING_H
#include "common.h"
#include "memory.h"
#include "types.h"
#if defined( HAVE_GLIB_H )
#include <glib.h>
#endif
#if defined( HAVE_STDLIB_H ) || defined( WINAPI )
#include <stdlib.h>
#endif
#if defined( HAVE_STRING_H ) || defined( WINAPI )
#include <string.h>
#endif
#if defined( __cplusplus )
extern "C" {
#endif
/* String allocation
*/
#define narrow_string_allocate( size ) \
(char *) memory_allocate( sizeof( char ) * ( size ) )
/* String reallocation
*/
#define narrow_string_reallocate( string, size ) \
(char *) memory_reallocate( string, ( sizeof( char ) * ( size ) ) )
/* String length
*/
#if defined( HAVE_STRLEN ) || defined( WINAPI )
#define narrow_string_length( string ) \
strlen( string )
#endif
/* String compare
*/
#if defined( HAVE_MEMCMP ) || defined( WINAPI )
#define narrow_string_compare( string1, string2, size ) \
memcmp( (void *) string1, (void *) string2, size )
#elif defined( HAVE_STRNCMP )
#define narrow_string_compare( string1, string2, size ) \
strncmp( string1, string2, size )
#endif
/* Caseless string compare
*/
#if defined( HAVE_GLIB_H )
#define narrow_string_compare_no_case( string1, string2, size ) \
g_ascii_strncasecmp( string1, string2, size )
#elif defined( _MSC_VER )
#define narrow_string_compare_no_case( string1, string2, size ) \
_strnicmp( string1, string2, size )
#elif ( defined( WINAPI ) && !defined( __CYGWIN__ ) ) || defined( HAVE_STRNICMP )
#define narrow_string_compare_no_case( string1, string2, size ) \
strnicmp( string1, string2, size )
#elif defined( HAVE_STRNCASECMP )
#define narrow_string_compare_no_case( string1, string2, size ) \
strncasecmp( string1, string2, size )
#elif defined( HAVE_STRCASECMP )
#define narrow_string_compare_no_case( string1, string2, size ) \
strcasecmp( string1, string2 )
#endif
/* String copy
*/
#if defined( HAVE_MEMCPY ) || defined( WINAPI )
#define narrow_string_copy( destination, source, size ) \
(char *) memcpy( (void *) destination, (void *) source, size )
#elif defined( HAVE_STRNCPY )
#define narrow_string_copy( destination, source, size ) \
strncpy( destination, source, size )
#endif
/* String character search
*/
#if defined( HAVE_MEMCHR ) || defined( WINAPI )
#define narrow_string_search_character( string, character, size ) \
(char *) memchr( (void *) string, (int) character, size )
#elif defined( HAVE_STRCHR )
#define narrow_string_search_character( string, character, size ) \
strchr( string, (int) character )
#endif
/* String reverse character search
*/
#if defined( HAVE_MEMRCHR ) && ( HAVE_DECL_MEMRCHR == 1 )
#define narrow_string_search_character_reverse( string, character, size ) \
(char *) memrchr( (void *) string, (int) character, size )
#elif defined( HAVE_STRRCHR ) || defined( WINAPI )
/* (void)(size) is used to suppress unused variable warnings */
#define narrow_string_search_character_reverse( string, character, size ) \
strrchr( string, (int) character ); (void)(size)
#endif
/* String sub-string search
*/
#if defined( HAVE_STRSTR ) || defined( WINAPI )
#define narrow_string_search_string( string, substring, size ) \
strstr( string, substring )
#endif
/* String formatted print (snprintf)
*/
#if defined( HAVE_GLIB_H )
#define narrow_string_snprintf( target, size, ... ) \
g_snprintf( target, size, __VA_ARGS__ )
#elif defined( _MSC_VER )
#define narrow_string_snprintf( target, size, ... ) \
sprintf_s( target, size, __VA_ARGS__ )
#elif defined( __BORLANDC__ ) && ( __BORLANDC__ < 0x0560 )
#define narrow_string_snprintf \
snprintf
#elif defined( HAVE_SNPRINTF ) || defined( WINAPI )
#define narrow_string_snprintf( target, size, ... ) \
snprintf( target, size, __VA_ARGS__ )
#endif
/* String input conversion (sscanf)
*/
#if defined( __BORLANDC__ ) && ( __BORLANDC__ < 0x0560 )
#define narrow_string_sscanf \
sscanf
#elif defined( HAVE_SSCANF ) || defined( WINAPI )
#define narrow_string_sscanf( string, format, ... ) \
sscanf( string, format, __VA_ARGS__ )
#endif
/* Variable arguments formatted print to string function (vsnprintf)
*/
#if defined( HAVE_GLIB_H )
#define narrow_string_vsnprintf( string, size, format, ... ) \
g_vsnprintf( string, size, format, __VA_ARGS__ )
#elif defined( __BORLANDC__ ) && ( __BORLANDC__ < 0x0560 )
#define narrow_string_vsnprintf \
vsnprintf
#elif defined( HAVE_VSNPRINTF ) || defined( WINAPI )
#define narrow_string_vsnprintf( string, size, format, ... ) \
vsnprintf( string, size, format, __VA_ARGS__ )
#endif
#if defined( __cplusplus )
}
#endif
#endif /* !defined( _NARROW_STRING_H ) */
================================================
FILE: common/system_string.h
================================================
/*
* System character string functions
*
* Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>
*
* Refer to AUTHORS for acknowledgements.
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*/
#if !defined( _SYSTEM_STRING_H )
#define _SYSTEM_STRING_H
#include "common.h"
#include "narrow_string.h"
#include "types.h"
#include "wide_string.h"
#if defined( _cplusplus )
extern "C" {
#endif
#if defined( HAVE_WIDE_SYSTEM_CHARACTER )
#if SIZEOF_WCHAR_T != 2
#error Unsupported wide system character size
#endif
/* Intermediate version of the macro required
* for correct evaluation predefined string
*/
#define _SYSTEM_STRING_INTERMEDIATE( string ) \
L ## string
#define _SYSTEM_STRING( string ) \
_SYSTEM_STRING_INTERMEDIATE( string )
#define system_string_allocate( size ) \
wide_string_allocate( size )
#define system_string_reallocate( string, size ) \
wide_string_reallocate( string, size )
#define system_string_compare( destination, source, size ) \
wide_string_compare( destination, source, size )
#define system_string_compare_no_case( destination, source, size ) \
wide_string_compare_no_case( destination, source, size )
#define system_string_copy( destination, source, size ) \
wide_string_copy( destination, source, size )
#define system_string_length( string ) \
wide_string_length( string )
#define system_string_search_character( string, character, size ) \
wide_string_search_character( string, character, size )
#define system_string_search_character_reverse( string, character, size ) \
wide_string_search_character_reverse( string, character, size )
#define system_string_search_string( string, substring, size ) \
wide_string_search_string( string, substring, size )
#if defined( __BORLANDC__ ) && ( __BORLANDC__ < 0x0560 )
#define system_string_sprintf \
wide_string_snwprintf
#else
#define system_string_sprintf( string, size, format, ... ) \
wide_string_snwprintf( string, size, format, __VA_ARGS__ )
#endif
#if defined( __BORLANDC__ ) && ( __BORLANDC__ < 0x0560 )
#define system_string_vsnprintf \
wide_string_vsnwprintf
#else
#define system_string_vsnprintf( string, size, format, ... ) \
wide_string_vsnwprintf( string, size, format, __VA_ARGS__ )
#endif
#else
#define _SYSTEM_STRING( string ) \
string
#define system_string_allocate( size ) \
narrow_string_allocate( size )
#define system_string_reallocate( string, size ) \
narrow_string_reallocate( string, size )
#define system_string_compare( destination, source, size ) \
narrow_string_compare( destination, source, size )
#define system_string_compare_no_case( destination, source, size ) \
narrow_string_compare_no_case( destination, source, size )
#define system_string_copy( destination, source, size ) \
narrow_string_copy( destination, source, size )
#define system_string_length( string ) \
narrow_string_length( string )
#define system_string_search_character( string, character, size ) \
narrow_string_search_character( string, character, size )
#define system_string_search_character_reverse( string, character, size ) \
narrow_string_search_character_reverse( string, character, size )
#define system_string_search_string( string, substring, size ) \
narrow_string_search_string( string, substring, size )
#if defined( __BORLANDC__ ) && ( __BORLANDC__ < 0x0560 )
#define system_string_sprintf \
narrow_string_snprintf
#else
#define system_string_sprintf( string, size, format, ... ) \
narrow_string_snprintf( string, size, format, __VA_ARGS__ )
#endif
#if defined( __BORLANDC__ ) && ( __BORLANDC__ < 0x0560 )
#define system_string_vsnprintf \
narrow_string_vsnprintf
#else
#define system_string_vsnprintf( string, size, format, ... ) \
narrow_string_vsnprintf( string, size, format, __VA_ARGS__ )
#endif
#endif /* defined( HAVE_WIDE_SYSTEM_CHARACTER ) */
/* For backwards compatibility */
#define system_string_vsprintf system_string_vsnprintf
#if defined( _cplusplus )
}
#endif
#endif /* !defined( _SYSTEM_STRING_H ) */
================================================
FILE: common/types.h.in
================================================
/*
* Type and type-support definitions
*
* Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>
*
* Refer to AUTHORS for acknowledgements.
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*/
#if !defined( _TYPES_H )
#define _TYPES_H
#include "common.h"
#if defined( HAVE_LIMITS_H ) || defined( WINAPI )
#include <limits.h>
#endif
/* Make sure to include inttypes.h or stdint.h before
* PRI definitions are defined
*/
#include <@PACKAGE@/types.h>
#if defined( WINAPI ) && ( defined( _UNICODE ) || defined( UNICODE ) )
#define HAVE_WIDE_SYSTEM_CHARACTER 1
/* The system character type is wide
* A system string contains either UTF-16 or UTF-32
*/
typedef wchar_t system_character_t;
typedef wint_t system_integer_t;
#define PRIc_SYSTEM "lc"
#define PRIs_SYSTEM "ls"
#else
/* The system character type is narrow
* A system string contains either UTF-8 or extended ASCII with a codepage
*/
typedef char system_character_t;
typedef int system_integer_t;
#define PRIc_SYSTEM "c"
#define PRIs_SYSTEM "s"
#endif /* defined( WINAPI ) && ( defined( _UNICODE ) || defined( UNICODE ) ) */
/* Fallback for systems without PRI definitions
* Do not define when pyconfig.h has been included via python.h
*/
#if !defined( HAVE_PYCONFIG_H )
#if !defined( PRId8 )
#define PRId8 "d"
#endif
#if !defined( PRId16 )
#define PRId16 "d"
#endif
#if !defined( PRId32 )
#if defined( WINAPI )
#define PRId32 "I32d"
#else
#define PRId32 "d"
#endif
#endif /* !defined( PRId32 ) */
#if !defined( PRId64 )
#if defined( WINAPI )
#define PRId64 "I64d"
#elif __WORDSIZE == 64
#define PRId64 "ld"
#else
#define PRId64 "lld"
#endif
#endif /* !defined( PRId64 ) */
#if !defined( PRIi8 )
#define PRIi8 "i"
#endif
#if !defined( PRIi16 )
#define PRIi16 "i"
#endif
#if !defined( PRIi32 )
#if defined( WINAPI )
#define PRIi32 "I32i"
#else
#define PRIi32 "i"
#endif
#endif /* !defined( PRIi32 ) */
#if !defined( PRIi64 )
#if defined( WINAPI )
#define PRIi64 "I64i"
#elif __WORDSIZE == 64
#define PRIi64 "li"
#else
#define PRIi64 "lli"
#endif
#endif /* !defined( PRIi64 ) */
#if !defined( PRIu8 )
#define PRIu8 "u"
#endif
#if !defined( PRIu16 )
#define PRIu16 "u"
#endif
#if !defined( PRIu32 )
#if defined( WINAPI )
#define PRIu32 "I32u"
#else
#define PRIu32 "u"
#endif
#endif /* !defined( PRIu32 ) */
#if !defined( PRIu64 )
#if defined( WINAPI )
#define PRIu64 "I64u"
#elif __WORDSIZE == 64
#define PRIu64 "lu"
#else
#define PRIu64 "llu"
#endif
#endif /* !defined( PRIu64 ) */
#if !defined( PRIo8 )
#define PRIo8 "o"
#endif
#if !defined( PRIo16 )
#define PRIo16 "o"
#endif
#if !defined( PRIo32 )
#if defined( WINAPI )
#define PRIo32 "I32o"
#else
#define PRIo32 "o"
#endif
#endif /* !defined( PRIo32 ) */
#if !defined( PRIo64 )
#if defined( WINAPI )
#define PRIo64 "I64o"
#elif __WORDSIZE == 64
#define PRIo64 "lo"
#else
#define PRIo64 "llo"
#endif
#endif /* !defined( PRIo64 ) */
#if !defined( PRIx8 )
#define PRIx8 "x"
#endif
#if !defined( PRIx16 )
#define PRIx16 "x"
#endif
#if !defined( PRIx32 )
#if defined( WINAPI )
#define PRIx32 "I32x"
#else
#define PRIx32 "x"
#endif
#endif /* !defined( PRIx32 ) */
#if !defined( PRIx64 )
#if defined( WINAPI )
#define PRIx64 "I64x"
#elif __WORDSIZE == 64
#define PRIx64 "lx"
#else
#define PRIx64 "llx"
#endif
#endif /* !defined( PRIx64 ) */
#endif /* !defined( HAVE_PYCONFIG_H ) */
/* Fallback for systems without printf %jd definition
*/
#if defined( HAVE_PRINTF_JD )
#define PRIjd "jd"
#define PRIji "ji"
#define PRIju "ju"
#define PRIjx "jx"
#elif SIZEOF_OFF_T == 8
#define PRIjd PRId64
#define PRIji PRIi64
#define PRIju PRIu64
#define PRIjx PRIx64
#else
#define PRIjd PRId32
#define PRIji PRIi32
#define PRIju PRIu32
#define PRIjx PRIx32
#endif /* defined( HAVE_PRINTF_JD ) */
/* Fallback for systems without printf %zd definition
*/
#if defined( HAVE_PRINTF_ZD )
#define PRIzd "zd"
#define PRIzi "zi"
#define PRIzu "zu"
#define PRIzx "zx"
#elif defined( _MSC_VER )
#define PRIzd "Id"
#define PRIzi "Ii"
#define PRIzu "Iu"
#define PRIzx "Ix"
#elif SIZEOF_SIZE_T == 8
#define PRIzd PRId64
#define PRIzi PRIi64
#define PRIzu PRIu64
#define PRIzx PRIx64
#else
#define PRIzd PRId32
#define PRIzi PRIi32
#define PRIzu PRIu32
#define PRIzx PRIx32
#endif /* defined( HAVE_PRINTF_ZD ) */
/* Fallback for systems without (U)INTx_MAX definitions
*/
/* The maximum signed 8-bit integer is 127 (0x7f)
*/
#if !defined( INT8_MAX )
#define INT8_MAX (0x7f)
#endif
/* The maximum unsigned 8-bit integer is 256 (0xff)
*/
#if !defined( UINT8_MAX )
#define UINT8_MAX (0xff)
#endif
/* The maximum signed 16-bit integer is 32767 (0x7ffff)
*/
#if !defined( INT16_MAX )
#define INT16_MAX (0x7fff)
#endif
/* The maximum unsigned 16-bit integer is 65535 (0xffff)
*/
#if !defined( UINT16_MAX )
#define UINT16_MAX (0xffff)
#endif
/* The maximum signed 32-bit integer is 2147483647 (0x7fffffff)
*/
#if !defined( INT32_MAX )
#define INT32_MAX (0x7fffffffL)
#endif
/* The maximum unsigned 32-bit integer is 4294967295 (0xffffffff)
*/
#if !defined( UINT32_MAX )
#define UINT32_MAX (0xffffffffUL)
#endif
/* The minimum signed 64-bit integer is -9223372036854775808 (0x8000000000000000)
*/
#if !defined( INT64_MIN )
#if defined( __BORLANDC__ ) && ( __BORLANDC__ < 0x0560 )
#define INT64_MIN (0x8000000000000000UL)
#else
#define INT64_MIN (0x8000000000000000ULL)
#endif
#endif /* !defined( INT64_MIN ) */
/* The maximum signed 64-bit integer is 9223372036854775807 (0x7fffffffffffffff)
*/
#if !defined( INT64_MAX )
#if defined( __BORLANDC__ ) && ( __BORLANDC__ < 0x0560 )
#define INT64_MAX (0x7fffffffffffffffUL)
#else
#define INT64_MAX (0x7fffffffffffffffULL)
#endif
#endif /* !defined( INT64_MAX ) */
/* The maximum unsigned 64-bit integer is 18446744073709551615 (0xffffffffffffffff)
*/
#if !defined( UINT64_MAX )
#if defined( __BORLANDC__ ) && ( __BORLANDC__ < 0x0560 )
#define UINT64_MAX (0xffffffffffffffffUL)
#else
#define UINT64_MAX (0xffffffffffffffffULL)
#endif
#endif /* !defined( UINT64_MAX ) */
/* The maximum signed integer
*/
#if !defined( INT_MAX )
#define INT_MAX INT32_MAX
#endif
/* The maximum unsigned integer
*/
#if !defined( UINT_MAX )
#define UINT_MAX UINT32_MAX
#endif
/* The maximum signed long integer
*/
#if !defined( LONG_MAX )
#define LONG_MAX INT32_MAX
#endif
/* The maximum unsigned long integer
*/
#if !defined( ULONG_MAX )
#define ULONG_MAX UINT32_MAX
#endif
/* The maximum signed size type is platform dependent
*/
#if !defined( SSIZE_MAX )
#if defined( WINAPI )
#if defined( _WIN64 )
#define SSIZE_MAX INT64_MAX
#else
#define SSIZE_MAX INT32_MAX
#endif
#else
#if __WORDSIZE == 64
#define SSIZE_MAX INT64_MAX
#else
#define SSIZE_MAX INT32_MAX
#endif
#endif /* WINAPI */
#endif /* SSIZE_MAX */
#endif /* !defined( _TYPES_H ) */
================================================
FILE: common/wide_string.h
================================================
/*
* Wide character string functions
*
* Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>
*
* Refer to AUTHORS for acknowledgements.
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*/
#if !defined( _WIDE_STRING_H )
#define _WIDE_STRING_H
#include "common.h"
#include "memory.h"
#include "types.h"
#if defined( HAVE_WCHAR_H ) || defined( WINAPI )
#include <wchar.h>
#endif
#if defined( __cplusplus )
extern "C" {
#endif
/* Intermediate version of the macro required
* for correct evaluation predefined string
*/
#define _WIDE_STRING_INTERMEDIATE( string ) \
L ## string
#define _WIDE_STRING( string ) \
_WIDE_STRING_INTERMEDIATE( string )
/* String allocation
*/
#define wide_string_allocate( size ) \
(wchar_t *) memory_allocate( sizeof( wchar_t ) * ( size ) )
/* String reallocation
*/
#define wide_string_reallocate( string, size ) \
(wchar_t *) memory_reallocate( string, ( sizeof( wchar_t ) * ( size ) ) )
/* String length
*/
#if defined( HAVE_WCSLEN ) || defined( WINAPI )
#define wide_string_length( string ) \
wcslen( string )
#endif
/* String compare
*/
#if defined( HAVE_WMEMCMP )
#define wide_string_compare( string1, string2, size ) \
wmemcmp( (void *) string1, (void *) string2, size )
#elif defined( HAVE_WCSNCMP ) || defined( WINAPI )
#define wide_string_compare( string1, string2, size ) \
wcsncmp( string1, string2, size )
#endif
/* Caseless string compare
*/
#if defined( _MSC_VER ) || ( defined( __BORLANDC__ ) && ( __BORLANDC__ >= 0x0551 ) )
#define wide_string_compare_no_case( string1, string2, size ) \
_wcsnicmp( string1, string2, size )
#elif ( defined( WINAPI ) && !defined( __CYGWIN__ ) ) || defined( HAVE_WCSNICMP )
#define wide_string_compare_no_case( string1, string2, size ) \
wcsnicmp( string1, string2, size )
#elif defined( HAVE_WCSNCASECMP )
#define wide_string_compare_no_case( string1, string2, size ) \
wcsncasecmp( string1, string2, size )
#elif defined( HAVE_WCSCASECMP )
#define wide_string_compare_no_case( string1, string2, size ) \
wcscasecmp( string1, string2 )
#endif
/* String copy
*/
#if defined( HAVE_WMEMCPY )
#define wide_string_copy( destination, source, size ) \
(wchar_t *) wmemcpy( (void *) destination, (void *) source, size )
#elif defined( HAVE_WCSNCPY ) || defined( WINAPI )
#define wide_string_copy( destination, source, size ) \
wcsncpy( destination, source, size )
#endif
/* String character search
*/
#if defined( HAVE_WMEMCHR )
#define wide_string_search_character( string, character, size ) \
(wchar_t *) wmemchr( (void *) string, (wchar_t) character, size )
#elif defined( HAVE_WCSCHR ) || defined( WINAPI )
#define wide_string_search_character( string, character, size ) \
wcschr( string, (wchar_t) character )
#endif
/* String reverse character search
*/
#if defined( HAVE_WMEMRCHR )
#define wide_string_search_character_reverse( string, character, size ) \
(wchar_t *) wmemrchr( (void *) string, (wchar_t) character, size )
#elif defined( HAVE_WCSRCHR ) || defined( WINAPI )
/* (void)(size) is used to suppress unused variable warnings */
#define wide_string_search_character_reverse( string, character, size ) \
wcsrchr( string, (wchar_t) character ); (void)(size)
#endif
/* String sub-string search
*/
#if defined( HAVE_WCSSTR ) || defined( WINAPI )
#define wide_string_search_string( string, substring, size ) \
wcsstr( string, substring )
#endif
/* String formatted print (snwprintf)
*/
#if defined( _MSC_VER )
#define wide_string_snwprintf( target, size, ... ) \
swprintf_s( target, size, __VA_ARGS__ )
#elif defined( __BORLANDC__ ) && ( __BORLANDC__ < 0x0560 )
#define wide_string_snwprintf \
snwprintf
#elif defined( WINAPI )
#define wide_string_snwprintf( target, size, ... ) \
snwprintf( target, size, __VA_ARGS__ )
#elif defined( HAVE_SWPRINTF )
#define wide_string_snwprintf( target, size, ... ) \
swprintf( target, size, __VA_ARGS__ )
#endif
/* Variable arguments formatted print to string function (vsnwprintf)
*/
#if defined( __BORLANDC__ ) && ( __BORLANDC__ < 0x0560 )
#define wide_string_vsnwprintf \
_vsnwprintf
#elif defined( WINAPI )
#define wide_string_vsnwprintf( string, size, format, ... ) \
_vsnwprintf( string, size, format, __VA_ARGS__ )
#elif defined( HAVE_VSWPRINTF )
#define wide_string_vsnwprintf( string, size, format, ... ) \
vswprintf( string, size, format, __VA_ARGS__ )
#endif
#if defined( __cplusplus )
}
#endif
#endif /* !defined( _WIDE_STRING_H ) */
================================================
FILE: configure.ac
================================================
AC_PREREQ([2.71])
AC_INIT(
[libevtx],
[20251215],
[joachim.metz@gmail.com])
AC_CONFIG_SRCDIR(
[include/libevtx.h.in])
AM_INIT_AUTOMAKE([gnu 1.6 tar-ustar])
AM_EXTRA_RECURSIVE_TARGETS([sources splint])
AC_CONFIG_MACRO_DIR([m4])
dnl Check for host type
AC_CANONICAL_HOST
dnl Check for libtool DLL support
LT_INIT([win32-dll])
dnl Checks for programs
AC_PROG_CC
AC_PROG_GCC_TRADITIONAL
AC_PROG_CXX
AC_PROG_MAKE_SET
AC_PROG_INSTALL
dnl Check for libtool
AC_SUBST(LIBTOOL_DEPS)
dnl Check for pkg-config
AC_PATH_PROG(PKGCONFIG,[pkg-config])
dnl Support of internationalization (i18n)
AM_GNU_GETTEXT([external])
AM_GNU_GETTEXT_VERSION([0.21])
dnl Check for compiler language support
AC_C_CONST
AC_C_VOLATILE
dnl Check for large file support
AC_SYS_LARGEFILE
dnl Check if shared library support should be disabled
AX_COMMON_CHECK_DISABLE_SHARED_LIBS
dnl Check if tools should be build as static executables
AX_COMMON_CHECK_ENABLE_STATIC_EXECUTABLES
dnl Check if WINAPI support should be enabled
AX_COMMON_CHECK_ENABLE_WINAPI
dnl Check if wide character type should be enabled
AX_COMMON_CHECK_ENABLE_WIDE_CHARACTER_TYPE
dnl Check if verbose output should be enabled
AX_COMMON_CHECK_ENABLE_VERBOSE_OUTPUT
dnl Check if debug output should be enabled
AX_COMMON_CHECK_ENABLE_DEBUG_OUTPUT
dnl Check for type definitions
AX_TYPES_CHECK_LOCAL
dnl Check if common required headers and functions are available
AX_COMMON_CHECK_LOCAL
dnl Check if libcerror or required headers and functions are available
AX_LIBCERROR_CHECK_ENABLE
dnl Check if libcthreads or required headers and functions are available
AX_LIBCTHREADS_CHECK_ENABLE
dnl Check if libcdata or required headers and functions are available
AX_LIBCDATA_CHECK_ENABLE
dnl Check if libclocale or required headers and functions are available
AX_LIBCLOCALE_CHECK_ENABLE
dnl Check if libcnotify or required headers and functions are available
AX_LIBCNOTIFY_CHECK_ENABLE
dnl Check if libcsplit or required headers and functions are available
AX_LIBCSPLIT_CHECK_ENABLE
dnl Check if libuna or required headers and functions are available
AX_LIBUNA_CHECK_ENABLE
dnl Check if libcfile or required headers and functions are available
AX_LIBCFILE_CHECK_ENABLE
dnl Check if libcpath or required headers and functions are available
AX_LIBCPATH_CHECK_ENABLE
dnl Check if libbfio or required headers and functions are available
AX_LIBBFIO_CHECK_ENABLE
dnl Check if libfcache or required headers and functions are available
AX_LIBFCACHE_CHECK_ENABLE
dnl Check if libfdata or required headers and functions are available
AX_LIBFDATA_CHECK_ENABLE
dnl Check if libfdatetime or required headers and functions are available
AX_LIBFDATETIME_CHECK_ENABLE
dnl Check if libfguid or required headers and functions are available
AX_LIBFGUID_CHECK_ENABLE
dnl Check if libfvalue or required headers and functions are available
AX_LIBFVALUE_CHECK_ENABLE
dnl Check if libfwevt or required headers and functions are available
AX_LIBFWEVT_CHECK_ENABLE
dnl Check if libfwnt or required headers and functions are available
AX_LIBFWNT_CHECK_ENABLE
dnl Check if libevtx required headers and functions are available
AX_LIBEVTX_CHECK_LOCAL
dnl Check if libevtx Python bindings (pyevtx) required headers and functions are available
AX_PYTHON_CHECK_ENABLE
AS_IF(
[test "x${ac_cv_enable_python}" != xno],
[dnl Headers included in pyevtx/pyevtx_error.c
AC_CHECK_HEADERS([stdarg.h varargs.h])
AS_IF(
[test "x$ac_cv_header_stdarg_h" != xyes && test "x$ac_cv_header_varargs_h" != xyes],
[AC_MSG_FAILURE(
[Missing headers: stdarg.h and varargs.h],
[1])
])
])
dnl Check if libexe or required headers and functions are available
AX_LIBEXE_CHECK_ENABLE
dnl Check if libregf or required headers and functions are available
AX_LIBREGF_CHECK_ENABLE
dnl Check if libwrc or required headers and functions are available
AX_LIBWRC_CHECK_ENABLE
dnl Check if libcdirectory or required headers and functions are available
AX_LIBCDIRECTORY_CHECK_ENABLE
dnl Check if evtxtools required headers and functions are available
AX_EVTXTOOLS_CHECK_LOCAL
dnl Check if DLL support is needed
AX_LIBEVTX_CHECK_DLL_SUPPORT
dnl Check if tests required headers and functions are available
AX_TESTS_CHECK_LOCAL
AX_TESTS_CHECK_OSSFUZZ
dnl Set additional compiler flags
CFLAGS="$CFLAGS -Wall";
dnl Check if requires and build requires should be set in spec file
AS_IF(
[test "x$ac_cv_libcerror" = xyes || test "x$ac_cv_libcthreads" = xyes || test "x$ac_cv_libcdata" = xyes || test "x$ac_cv_libclocale" = xyes || test "x$ac_cv_libcnotify" = xyes || test "x$ac_cv_libcsplit" = xyes || test "x$ac_cv_libuna" = xyes || test "x$ac_cv_libcfile" = xyes || test "x$ac_cv_libcpath" = xyes || test "x$ac_cv_libbfio" = xyes || test "x$ac_cv_libfcache" = xyes || test "x$ac_cv_libfdata" = xyes || test "x$ac_cv_libfdatetime" = xyes || test "x$ac_cv_libfguid" = xyes || test "x$ac_cv_libfvalue" = xyes || test "x$ac_cv_libfwevt" = xyes || test "x$ac_cv_libfwnt" = xyes],
[AC_SUBST(
[libevtx_spec_requires],
[Requires:])
])
AS_IF(
[test "x$ac_cv_libexe" = xyes || test "x$ac_cv_libregf" = xyes || test "x$ac_cv_libwrc" = xyes || test "x$ac_cv_libcdirectory" = xyes],
[AC_SUBST(
[libevtx_spec_tools_build_requires],
[BuildRequires:])
])
dnl Set the date for the dpkg files
AC_SUBST(
[DPKG_DATE],
[`date -R 2> /dev/null`])
dnl Set the date for the spec file
AC_SUBST(
[SPEC_DATE],
[`date +"%a %b %e %Y" 2> /dev/null`])
dnl Generate Makefiles
AC_CONFIG_FILES([Makefile])
AC_CONFIG_FILES([include/Makefile])
AC_CONFIG_FILES([common/Makefile])
AC_CONFIG_FILES([libcerror/Makefile])
AC_CONFIG_FILES([libcthreads/Makefile])
AC_CONFIG_FILES([libcdata/Makefile])
AC_CONFIG_FILES([libclocale/Makefile])
AC_CONFIG_FILES([libcnotify/Makefile])
AC_CONFIG_FILES([libcsplit/Makefile])
AC_CONFIG_FILES([libuna/Makefile])
AC_CONFIG_FILES([libcfile/Makefile])
AC_CONFIG_FILES([libcpath/Makefile])
AC_CONFIG_FILES([libbfio/Makefile])
AC_CONFIG_FILES([libfcache/Makefile])
AC_CONFIG_FILES([libfdata/Makefile])
AC_CONFIG_FILES([libfdatetime/Makefile])
AC_CONFIG_FILES([libfguid/Makefile])
AC_CONFIG_FILES([libfvalue/Makefile])
AC_CONFIG_FILES([libfwevt/Makefile])
AC_CONFIG_FILES([libfwnt/Makefile])
AC_CONFIG_FILES([libevtx/Makefile])
AC_CONFIG_FILES([pyevtx/Makefile])
AC_CONFIG_FILES([libexe/Makefile])
AC_CONFIG_FILES([libregf/Makefile])
AC_CONFIG_FILES([libwrc/Makefile])
AC_CONFIG_FILES([libcdirectory/Makefile])
AC_CONFIG_FILES([evtxtools/Makefile])
AC_CONFIG_FILES([po/Makefile.in])
AC_CONFIG_FILES([po/Makevars])
AC_CONFIG_FILES([manuals/Makefile])
AC_CONFIG_FILES([tests/Makefile])
AC_CONFIG_FILES([ossfuzz/Makefile])
AC_CONFIG_FILES([msvscpp/Makefile])
dnl Generate header files
AC_CONFIG_FILES([include/libevtx.h])
AC_CONFIG_FILES([include/libevtx/definitions.h])
AC_CONFIG_FILES([include/libevtx/features.h])
AC_CONFIG_FILES([include/libevtx/types.h])
AC_CONFIG_FILES([libevtx/libevtx_definitions.h])
dnl Generate distribution specific files
AC_CONFIG_FILES([common/types.h])
AC_CONFIG_FILES([dpkg/changelog])
AC_CONFIG_FILES([libevtx/libevtx.rc])
AC_CONFIG_FILES([libevtx.pc])
AC_CONFIG_FILES([libevtx.spec])
AC_CONFIG_FILES([setup.cfg])
dnl Generate a source configuration file
AC_CONFIG_HEADERS([common/config.h])
AC_OUTPUT
dnl Print a summary
AC_MSG_NOTICE([
Building:
libcerror support: $ac_cv_libcerror
libcthreads support: $ac_cv_libcthreads
libcdata support: $ac_cv_libcdata
libclocale support: $ac_cv_libclocale
libcnotify support: $ac_cv_libcnotify
libcsplit support: $ac_cv_libcsplit
libuna support: $ac_cv_libuna
libcfile support: $ac_cv_libcfile
libcpath support: $ac_cv_libcpath
libbfio support: $ac_cv_libbfio
libfcache support: $ac_cv_libfcache
libfdata support: $ac_cv_libfdata
libfdatetime support: $ac_cv_libfdatetime
libfguid support: $ac_cv_libfguid
libfvalue support: $ac_cv_libfvalue
libfwevt support: $ac_cv_libfwevt
libfwnt support: $ac_cv_libfwnt
libexe support: $ac_cv_libexe
libregf support: $ac_cv_libregf
libwrc support: $ac_cv_libwrc
libcdirectory support: $ac_cv_libcdirectory
Features:
Multi-threading support: $ac_cv_libcthreads_multi_threading
Wide character type support: $ac_cv_enable_wide_character_type
evtxtools are build as static executables: $ac_cv_enable_static_executables
Python (pyevtx) support: $ac_cv_enable_python
Verbose output: $ac_cv_enable_verbose_output
Debug output: $ac_cv_enable_debug_output
]);
================================================
FILE: documentation/Windows XML Event Log (EVTX).asciidoc
================================================
= Windows XML Event Log (EVTX) format
Analysis of EVTX
:toc:
:toclevels: 4
:numbered!:
[abstract]
== Summary
The Windows XML EventLog (EVTX) format is used by Microsoft Windows to store
system log information. This specification is based the work done by A.
Schuster `[SCHUSTER11]` and on `[MS-EVEN6]`. It was complemented by other
public available information and was enhanced by analyzing test data.
This document is intended as a working document of the data format specification
for the libevtx project.
Special thanks to A. Schuster for his excellent work on the format and test
files.
[preface]
== Document information
[cols="1,5"]
|===
| Author(s): | Joachim Metz <joachim.metz@gmail.com>
| Abstract: | This document contains information about the Windows XML Event Viewer Log (EVTX) format.
| Classification: | Public
| Keywords: | Windows XML Event Viewer Log, EVTX
|===
[preface]
== License
....
Copyright (C) 2011-2024, Joachim Metz <joachim.metz@gmail.com>.
Permission is granted to copy, distribute and/or modify this document under the
terms of the GNU Free Documentation License, Version 1.3 or any later version
published by the Free Software Foundation; with no Invariant Sections, no
Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included
in the section entitled "GNU Free Documentation License".
....
[preface]
== Revision history
[cols="1,1,1,5",options="header"]
|===
| Version | Author | Date | Comments
| 0.0.1 | J.B. Metz | September 2011 | Initial version.
| 0.0.2 | J.B. Metz | March 2012 +
April 2012 | Additional information.
| 0.0.3 | J.B. Metz | May 2012 | Additional information.
| 0.0.4 | J.B. Metz | May 2012 | Updates for Windows 8 Consumer Preview.
| 0.0.5 | J.B. Metz | October 2012 | Additional information regarding formatted messages.
| 0.0.6 | J.B. Metz | December 2012 | Additional information regarding formatted messages.
| 0.0.7 | J.B. Metz | February 2013 | Additional information regarding formatted messages.
| 0.0.8 | J.B. Metz | February 2013 | Additional information regarding chunk offset values seen in archived EVTX files with thanks to R. Rumble.
| 0.0.8 | J.B. Metz | February 2013 | Additional information regarding corruption scenarios.
| 0.0.9 | J.B. Metz | March 2013 | Additional information regarding corruption scenarios.
| 0.0.10 | J.B. Metz | May 2013 | Additional information regarding corruption scenarios.
| 0.0.11 | J.B. Metz | July 2013 | Additional information regarding XML escaping with thanks to G. Torres.
| 0.0.12 | J.B. Metz | July 2013 | Additional information regarding ProcessingErrorData.
| 0.0.13 | J.B. Metz | July 2013 | Additional information regarding dirty file with invalid number of chunks corruption scenario with thanks to G. Torres.
| 0.0.14 | J.B. Metz | October 2013 | Added information about parameter expansion.
| 0.0.15 | J.B. Metz | February 2014 | Additional information regarding MUI and "language specific" event message files.
| 0.0.16 | J.B. Metz | July 2014 | Additional information about parameter expansion.
| 0.0.16 | J.B. Metz | March 2015 | Switched to asccidoc format.
| 0.0.17 | J.B. Metz | January 2016 | Additional information about Binary XML type (0x21).
| 0.0.18 | J.B. Metz | April 2016 | Fixed typo.
| 0.0.19 | J.B. Metz | November 2020 | Changes for formatting.
| 0.0.20 | J.B. Metz | May 2021 | Textual and formatting changes.
| 0.0.21 | J.B. Metz | Octoboer 2021 | Additional information regarding format versions.
| 0.0.22 | J.B. Metz | December 2021 | Additional information about MUI language neutral file.
| 0.0.23 | J.B. Metz | December 2023 | Updated references and additional information about SystemResources directory.
| 0.0.24 | J.B. Metz | January 2024 | Additional information about parameter message files.
| 0.0.25 | J.B. Metz | April 2024 | Additional information about dependency identifier.
| 0.0.26 | J.B. Metz | September 2024 | Additional information regarding format edge case with thanks to J. Solomon.
|===
:numbered:
== Overview
The Windows XML EventLog (EVTX) format is used by Microsoft Windows, as of
Windows Vista, to store system log information.
The EVTX format supersedes the Windows EventLog (EVT) format as used in Windows
XP.
An EVTX file consists of:
* file header
* chunks
* trailing empty values
[cols="1,5",options="header"]
|===
| Characteristics | Description
| Byte order | little-endian
| Date and time values | FILETIME in UTC
| Character strings | ASCII strings are Single Byte Character (SBC) or Multi Byte Character (MBC) string stored with a codepage. Sometimes referred to as ANSI string representation. +
Though technically maybe incorrect, this document will use term (extended) ASCII string. +
Unicode strings are stored in UTF-16 little-endian without the byte order mark (BOM).
|===
=== Test version
The following version of programs were used to test the information within this document:
* Windows Vista
* Windows 2008
* Windows 7
* Windows 8
* [yellow-background]*TODO: Windows 2012*
* Windows 10 (1903, 1909, 2004, 20H2)
* Windows 11 (21H2)
=== Event Log files
The event logs files can normally be found in:
....
C:\Windows\System32\winevt\Logs\
....
[cols="1,3",options="header"]
|===
| Filename | Description
| Application.evtx | Application events
| DFS Replication.evtx | [yellow-background]*TODO*
| HardwareEvents.evtx | [yellow-background]*TODO*
| Internet Explorer.evtx | Internet Explorer events
| Key Management Service.evtx | [yellow-background]*TODO*
| Media Center.evtx | [yellow-background]*TODO*
| Microsoft-Windows-Bits-Client%4Operational.evtx | [yellow-background]*TODO*
| Microsoft-Windows-CodeIntegrity%4Operational.evtx | [yellow-background]*TODO*
| Microsoft-Windows-CorruptedFileRecovery-Client%4Operational.evtx | [yellow-background]*TODO*
| Microsoft-Windows-CorruptedFileRecovery-Server%4Operational.evtx | [yellow-background]*TODO*
| Microsoft-Windows-DateTimeControlPanel%4Operational.evtx | [yellow-background]*TODO*
| Microsoft-Windows-Diagnosis-DPS%4Operational.evtx | [yellow-background]*TODO*
| Microsoft-Windows-Diagnosis-PLA%4Operational.evtx | [yellow-background]*TODO*
| Microsoft-Windows-Diagnostics-Networking%4Operational.evtx | [yellow-background]*TODO*
| Microsoft-Windows-Diagnostics-Performance%4Operational.evtx | [yellow-background]*TODO*
| Microsoft-Windows-DiskDiagnostic%4Operational.evtx | [yellow-background]*TODO*
| Microsoft-Windows-DiskDiagnosticDataCollector%4Operational.evtx | [yellow-background]*TODO*
| Microsoft-Windows-DiskDiagnosticResolver%4Operational.evtx | [yellow-background]*TODO*
| Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx | [yellow-background]*TODO*
| Microsoft-Windows-Forwarding%4Operational.evtx | [yellow-background]*TODO*
| Microsoft-Windows-GroupPolicy%4Operational.evtx | [yellow-background]*TODO*
| Microsoft-Windows-Help%4Operational.evtx | [yellow-background]*TODO*
| Microsoft-Windows-International%4Operational.evtx | [yellow-background]*TODO*
| Microsoft-Windows-Kernel-WDI%4Operational.evtx | [yellow-background]*TODO*
| Microsoft-Windows-Kernel-WHEA.evtx | [yellow-background]*TODO*
| Microsoft-Windows-LanguagePackSetup%4Operational.evtx | [yellow-background]*TODO*
| Microsoft-Windows-MUI%4Operational.evtx | [yellow-background]*TODO*
| Microsoft-Windows-NetworkAccessProtection%4Operational.evtx | [yellow-background]*TODO*
| Microsoft-Windows-Program-Compatibility-Assistant%4Operational.evtx | [yellow-background]*TODO*
| Microsoft-Windows-ReadyBoost%4Operational.evtx | [yellow-background]*TODO*
| Microsoft-Windows-ReliabilityAnalysisComponent%4Metrics.evtx | [yellow-background]*TODO*
| Microsoft-Windows-ReliabilityAnalysisComponent%4Operational.evtx | [yellow-background]*TODO*
| Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx | [yellow-background]*TODO*
| Microsoft-Windows-Resource-Exhaustion-Resolver%4Operational.evtx | [yellow-background]*TODO*
| Microsoft-Windows-Resource-Leak-Diagnostic%4Operational.evtx | [yellow-background]*TODO*
| Microsoft-Windows-RestartManager%4Operational.evtx | [yellow-background]*TODO*
| Microsoft-Windows-TaskScheduler%4Operational.evtx | [yellow-background]*TODO*
| Microsoft-Windows-TerminalServices-RDPClient%4Operational.evtx | [yellow-background]*TODO*
| Microsoft-Windows-UAC%4Operational.evtx | [yellow-background]*TODO*
| Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx | [yellow-background]*TODO*
| Microsoft-Windows-WindowsUpdateClient%4Operational.evtx | [yellow-background]*TODO*
| Microsoft-Windows-Winlogon%4Operational.evtx | [yellow-background]*TODO*
| Microsoft-Windows-Wired-AutoConfig%4Operational.evtx | [yellow-background]*TODO*
| Microsoft-Windows-WLAN-AutoConfig%4Operational.evtx | [yellow-background]*TODO*
| ODiag.evtx | [yellow-background]*TODO*
| OSession.evtx | Office sessions events
| Security.evtx | Security events
| Setup.evtx | Setup events
| System.evtx | System events
|===
== File header
The file header is 4096 bytes of size and consists of:
[cols="1,1,1,5",options="header"]
|===
| Offset | Size | Value | Description
| 0 | 8 | "ElfFile\x00" | Signature
| 8 | 8 | | First chunk number
| 16 | 8 | | Last chunk number
| 24 | 8 | | Next record identifier
| 32 | 4 | 128 | Header size
| 36 | 2 | | Minor format version +
See section: <<format_versions,Format versions>>
| 38 | 2 | | Major format version +
See section: <<format_versions,Format versions>>
| 40 | 2 | 4096 | Header block size +
(or chunk data offset)
| 42 | 2 | | Number of chunks
| 44 | 76 | | [yellow-background]*Unknown (Empty values)*
| 120 | 4 | | File flags +
See section: <<file_flags,File flags>>
| 124 | 4 | | Checksum +
CRC32 of the first 120 bytes of the file header
| 128 | 3968 | | [yellow-background]*Unknown (Empty values)*
|===
The CRC-32 is describe in RFC 1952 and uses an initial value of 0.
[yellow-background]*TODO: check if: file size = ( Number of chunks * 65536 ) + 4096*
=== [[format_versions]]Format versions
[cols="1,5",options="header"]
|===
| Version +
(Major.Minor) | Description
| 3.1 | Seen on Windows Vista and later
| 3.2 | Seen on Windows 10 (2004) and later
|===
=== [[file_flags]]File flags
[cols="1,1,5",options="header"]
|===
| Value | Identifier | Description
| 0x0001 | | Is dirty
| 0x0002 | | Is full
|===
== Chunk
The chunk is 65536 bytes of size and consists of:
* chunk header
* array of event records
* unused space
=== Chunk header
The chunk header is 512 bytes of size and consists of:
[cols="1,1,1,5",options="header"]
|===
| Offset | Size | Value | Description
| 0 | 8 | "ElfChnk\x00" | Signature
| 8 | 8 | | First event record number
| 16 | 8 | | Last event record number
| 24 | 8 | | First event record identifier
| 32 | 8 | | Last event record identifier
| 40 | 4 | 128 | Header size +
(or offset to [yellow-background]*pointer data*)
| 44 | 4 | | Last event record data offset +
Offset to the data of the last event record. +
The offset is relative to the start of the chunk header.
| 48 | 4 | | Free space offset +
Offset to free space in the chunk. The offset is relative to the start of the chunk header.
| 52 | 4 | | Event records checksum +
CRC32 of the events records data
| 56 | 64 | | [yellow-background]*Unknown (Empty values)*
| 120 | 4 | | [yellow-background]*Unknown (flags?)*
| 124 | 4 | | Checksum +
CRC32 of the first 120 bytes and bytes 128 to 512 of the chunk.
|===
The CRC-32 is describe in RFC 1952 with an uses an initial value of 0.
The free space offset is not the end of event records data offset, is sometimes
point to the end of the chunk, where the chunk after the last event record was
filled with 0-byte values. This behavior was seen in archived EVTX files.
[cols="1,1,1,5",options="header"]
|===
| Offset | Size | Value | Description
| 128 | 64 x 4 = 256 | | [yellow-background]*Common string offset array* +
[yellow-background]*The offsets are relative from the start of the chunk*
| 384 | 32 x 4 = 128 | | [yellow-background]*TemplatePtr* +
[yellow-background]*Array of 32 x 32-bit values*
|===
[yellow-background]*The common string offset array contains the offsets of
strings that are common in the event records stored in the chunk so that they
only have to be stored once in the first event record and can be referenced
from successive event records.*
[yellow-background]*Identifier/Number of first and last event record in chunk*
[yellow-background]*Data after header and before event record?*
=== Event record
The event record is variable of size and consists of:
[cols="1,1,1,5",options="header"]
|===
| Offset | Size | Value | Description
| 0 | 4 | "\x2a\x2a\x00\x00" | Signature
| 4 | 4 | | Size +
The size of the event record including the signature and the size
| 8 | 8 | | Event record identifier
| 16 | 8 | | Written date and time +
Contains a FILETIME +
The date and time the event record was written (logged)
| 24 | ... | | Event +
Contains binary XML +
See section: <<binary_xml,Binary XML>>
| ... | 4 | | Copy of size
|===
== [[binary_xml]]Binary XML
=== Document structure
According `[MS-EVEN6]` the binary XML structure should consist of:
The document (BinXMLDocument) consists of:
* Prologue (BinXMLPI) (zero or one)
* Fragment (zero or more)
* Miscellaneous (BinXMLPI) (zero or one)
* End of file token
==== Fragment
The fragment (BinXMLFragment) consists of:
* fragment header
* an element or a template instance
==== Fragment header
The fragment header (BinXMLFragmentHeader) is 4 byte of size and consists of:
[cols="1,1,1,5",options="header"]
|===
| Offset | Size | Value | Description
| 0 | 1 | 0x0f | Fragment header token +
Should be: BinXmlFragmentHeaderToken +
See section: <<token_types,Token types>>
| 1 | 1 | 0x01 | Major version
| 2 | 1 | 0x01 | Minor version
| 3 | 1 | 0x00 | Flags
|===
==== Element
An element (BinXMLElement) can either be 'empty' or a 'filled'.
BinXMLEmpyElement:
* element start
* close empty element token
Example of an 'empty' element in textual XML:
....
<Provider Name="Provider"/>
....
BinXMLFilledElement:
* element start
* close start element token
* content
* end element token
Example of a 'filled' element in textual XML:
....
<EventID>400</EventID>
....
[yellow-background]*TODO: is it valid for a fragment with more then one element?*
==== Element start
The element start (BinXMLElementStart) is variable of size and consists of:
[cols="1,1,1,5",options="header"]
|===
| Offset | Size | Value | Description
| 0 | 1 | 0x01 +
0x41 | Open start element tag token +
Should be: BinXmlTokenOpenStartElementTag +
See section: <<token_types,Token types>>
4+| _Optional see notes below_
| 1 | 2 | | Dependency identifier +
-1 (0xffff) => not set
4+| _Common_
| 3 | 4 | | Data size +
The size of the data. +
This includes the size of the element name, attribute list, close element tag, content and end element tag, except for the first 5 or 7 bytes of the element start.
4+| _Optional see notes below_
| 7 | 4 | | Element name offset +
The offset is relative from the start of the chunk +
See section: <<name,Name>>
4+| _Common_
| 11 | ... | | Attribute list +
See section: <<attribute_list,Attribute list>>
|===
A token type of 0x01 indicates that the element start tag contains no elements;
a token type of 0x41 indicates that an attribute list can be expected in the
element start tag.
[NOTE]
The element name can be stored before the attribute list.
[NOTE]
The name offset is not present in the binary XML in the Windows Event Template
resource.
[NOTE]
According to `[MS-EVEN6]` the dependency identifier is not present when the
element start is used in a substitution token with value type: Binary XML
(0x21).
==== [[attribute_list]]Attribute list
The attribute (BinXmlAttributeList) is variable of size and consists of:
[cols="1,1,1,5",options="header"]
|===
| Offset | Size | Value | Description
| 0 | 4 | | Data size +
Does not include the 4 byte of the size.
| 4 | ... | | Array of attributes +
See section: <<attribute,Attribute>>
|===
[yellow-background]*TODO: if attribute list is empty it is trailed by 2 bytes?
Is this 32-bit alignment padding?*
==== [[attribute]]Attribute
The attribute (BinXmlAttribute) is variable of size and consists of:
[cols="1,1,1,5",options="header"]
|===
| Offset | Size | Value | Description
| 0 | 1 | 0x06 +
0x46 | Attribute token +
Should be: BinXmlTokenAttribute +
See section: <<token_types,Token types>>
4+| _Optional see notes below_
| 1 | 4 | | Attribute name offset +
The offset is relative from the start of the chunk +
See section: <<name,Name>>
4+| _Common_
| 5 | ... | | Attribute data
|===
A token type of 0x46 indicates that there is another attribute in the attribute
list; a token type of 0x06 indicates that no more attributes exist.
[NOTE]
The attribute name can be stored before the attribute list.
The attribute data (BinXMLAttributeData) can be:
* value text
* substitution
* character entity reference
* entity reference
[NOTE]
The name offset is not present in the binary XML in the Windows Event Template
resource.
==== [[name]]Name
The name (BinXmlName) is variable of size and consists of:
[cols="1,1,1,5",options="header"]
|===
| Offset | Size | Value | Description
| 0 | 4 | | [yellow-background]*Unknown*
| 4 | 2 | | Name hash +
[yellow-background]*Which hash algorithm?*
| 6 | 2 | | Number of characters
| 8 | ... | | UTF-16 little-endian string with an end-of-string character
|===
The unknown 4 bytes are not present in the binary XML in the Windows Event
Template resource.
==== Content
The content (BinXMLContent) can be:
* an element
* content string data
* character entity reference
* entity reference
* CDATA section
* PI
==== Content string
The content string data (BinXMLContentStringData) can be:
* value text
* substitution
[yellow-background]*TODO: a content string containing an end-of-line character
seems to be considered empty by Event Viewer*
==== Value text
The value text (BinXmlValueText) is variable of size and consists of:
[cols="1,1,1,5",options="header"]
|===
| Offset | Size | Value | Description
| 0 | 1 | 0x05 +
0x45 | Value token +
Should be: BinXmlTokenValue +
See section: <<token_types,Token types>>
| 1 | 1 | 0x01 | Value type +
Should be: StringType +
See section: <<value_type,Value types>>
| 2 | ... | | Value data +
See section: <<unicode_text_string,Unicode text string>>
|===
A token type of 0x45 indicates that more data can be expected to follow in the
current content of the element or attribute; a token type of 0x05 indicates
that no more such data follows.
A value text can be stored spanning multiple value tokens.
==== Substitution
The substitution (BinXmSubstitution) can be:
* normal substitution
* optional substitution
==== Normal substitution
The normal substitution (BinXmNormalSubstitution) is 4 byte of size and
consists of:
[cols="1,1,1,5",options="header"]
|===
| Offset | Size | Value | Description
| 0 | 1 | 0x0d | Normal substitution token +
Should be: BinXmlTokenNormalSubstitution +
See section: <<token_types,Token types>>
| 1 | 2 | | Substitution identifier +
Identifier of the value in the template instance data, where 0 represents the first value
| 3 | 1 | | Value type +
See section: <<value_types,Value types>>
|===
If the value type is an array type (0x80) the substitution is repeated for
every element of the array. If the size of an array type is 0 then a single
empty element should be created.
If the value type is Size (0x10) the corresponding substitution value should be
a 32-bit hexadecimal integer (0x14) or 64-bit hexadecimal integer (0x15). The
same applies to an array of Size (0x90) where the substitution value should be
an array of 32-bit hexadecimal integer (0x94) or an array of 64-bit hexadecimal
integer (0x95).
If the value type is the Binary XML type (0x21) the value data should be one of
the following:
* an open start element tag (BinXmlTokenOpenStartElementTag);
* a fragment (BinXMLFragment);
* a template instance (BinXmlTemplateInstance).
==== Optional substitution
The optional substitution (BinXmlOptionalSubstitution) is 4 byte of size and
consists of:
[cols="1,1,1,5",options="header"]
|===
| Offset | Size | Value | Description
| 0 | 1 | 0x0e | Optional substitution token +
Should be: BinXmlTokenOptionallSubstitution +
See section: <<token_types,Token types>>
| 1 | 2 | | Substitution identifier +
Identifier of the value in the template instance data, where 0 represents the first value
| 3 | 1 | | Value type +
See section: <<value_types,Value types>>
|===
If the value type of the corresponding template value is NULL (0x00) the
element should be ignored and not created.
If the value type is an array type (0x80) the substitution is repeated for
every element of the array. If the size of an array type is 0 then a single
empty element should be created.
If the value type is Size (0x10) the corresponding substitution value should be
a 32-bit hexadecimal integer (0x14) or 64-bit hexadecimal integer (0x15). The
same applies to an array of Size (0x90) where the substitution value should be
an array of 32-bit hexadecimal integer (0x94) or an array of 64-bit hexadecimal
integer (0x95).
If the value type is the Binary XML type (0x21) the value data should be one of
the following:
* an open start element tag (BinXmlTokenOpenStartElementTag);
* a fragment (BinXMLFragment);
* a template instance (BinXmlTemplateInstance).
==== Character entity reference
The character entity reference (BinXmlCharacterEntityReference) is 3 byte of size and consists of:
[cols="1,1,1,5",options="header"]
|===
| Offset | Size | Value | Description
| 0 | 1 | 0x08 +
0x48 | Character entity reference token +
Should be: BinXmlTokenCharRef +
See section: <<token_types,Token types>>
| 1 | 2 | | Character entity value
|===
A token type of 0x48 indicates that more data can be expected to follow in the
current content of the element or attribute; a token type of 0x08 indicates
that no more such data follows.
In the resulting XML the character entity is replaced e.g. `38` becomes `&`.
[yellow-background]*According to `[MS-EVEN6]` emit the characters '&' and '#'
and the decimal string representation of the value. TODO create a test file.*
==== Entity reference
The entity reference (BinXmlEntityReference) is 5 bytes of size and consists of:
[cols="1,1,1,5",options="header"]
|===
| Offset | Size | Value | Description
| 0 | 1 | 0x09 +
0x49 | Entity reference token +
Should be: BinXmlTokenEntityRef +
See section: <<token_types,Token types>>
4+| _Optional see notes below_
| 1 | 4 | | Entity name offset +
The offset is relative from the start of the chunk +
See section: <<name,Name>>
|===
A token type of 0x49 indicates that more data can be expected to follow in the
current content of the element or attribute; a token type of 0x09 indicates
that no more such data follows.
In the resulting string the entity is replaced e.g. `amp` becomes & for a
Unicode string and `&` for an XML string.
[NOTE]
The name offset is not present in the binary XML in the Windows Event Template
resource.
It currently is assumed that the following entity references are supported lt,
gt, amp, quot and apos.
==== CDATA section
The entity reference (BinXmlEntityReference) is variable of size and consists of:
[cols="1,1,1,5",options="header"]
|===
| Offset | Size | Value | Description
| 0 | 1 | 0x07 +
0x47 | CDATA section token +
Should be: BinXmlTokenCDATASection +
See section: <<token_types,Token types>>
| 1 | ... | | CDATA text +
See section: <<unicode_text_string,Unicode text string>>
|===
A token type of 0x47 indicates that more data can be expected to follow in the
current content of the element or attribute; a token type of 0x07 indicates
that no more such data follows.
==== Template instance
The template instance (BinXmlTemplateInstance) is variable of size and consists of:
[cols="1,1,1,5",options="header"]
|===
| Offset | Size | Value | Description
| 0 | 1 | 0x0c | Template instance token +
Should be: BinXmlTokenTemplateInstance +
See section: <<token_types,Token types>>
| 1 | ... | | Template definition
| ... | ... | | Template instance data
|===
==== Template definition
The template definition (BinXmlTemplateDefinition) is variable of size and
consists of:
[cols="1,1,1,5",options="header"]
|===
| Offset | Size | Value | Description
| 0 | 1 | | [yellow-background]*Unknown(Version? Or number of template defs?)* +
[yellow-background]*Seen: 0x01*
| 1 | 4 | | [yellow-background]*Unknown (Template identifier?)*
| 5 | 4 | | Template definition data offset +
Template definition data
| 9 | 4 | | [yellow-background]*Unknown (Next template definition offset)* +
[yellow-background]*0 if not used*
| 13 | 16 | | Template identifier +
Contains a GUID
| 29 | 4 | | Data size +
The size of the data. +
This includes the size of the fragment header, element and end of file token, except for the first 33 bytes of the template definition.
| 33 | ... | | Fragment header
| ... | ... | | Element
| ... | 1 | | End of file token +
Should be: BinXmlTokenEOF +
See section: <<token_types,Token types>>
|===
[NOTE]
The template definition data offset either point to the offset directly after
this value or somewhere previously in the chunk. The template definition can
therefore be stored non-continuous.
[yellow-background]*What does the %b0 in `[MS-EVEN6]` signify?*
[yellow-background]*Possibly a bit value of 0 seeing that in other MSDN documentation %d16 indicates a decimal value of 16.*
==== Template instance data
The template instance data (BinXmlTemplateInstanceData) is variable of size and
consists of:
[cols="1,1,1,5",options="header"]
|===
| Offset | Size | Value | Description
| 0 | 4 | | Number of template values
| 4 | ... | | Array of template value descriptors
| ... | ... | | Array of template value data
|===
The template value descriptor is 4 bytes of size and consists of:
[cols="1,1,1,5",options="header"]
|===
| Offset | Size | Value | Description
| 0 | 2 | | Value size
| 2 | 1 | | Value type
| 1 | 1 | 0x00 | [yellow-background]*Unknown (Empty value)*
|===
==== [[unicode_text_string]]Unicode text string
The Unicode text string is variable of size and consists of:
[cols="1,1,1,5",options="header"]
|===
| Offset | Size | Value | Description
| 2 | 2 | | Number of characters
| 4 | ... | | UTF-16 little-endian string without an end-of-string character
|===
==== PI
The PI consists of:
* PI target
* PI data
==== PI target
The PI target (BinXmlPITarget) is 5 bytes of size and consists of:
[cols="1,1,1,5",options="header"]
|===
| Offset | Size | Value | Description
| 0 | 1 | 0x0a | PI target reference token +
Should be: BinXmlTokenPITarget +
See section: <<token_types,Token types>>
4+| _Optional see notes below_
| 1 | 4 | | PI target name offset +
The offset is relative from the start of the chunk +
See section: <<name,Name>>
|===
[NOTE]
The name offset is not present in the binary XML in the Windows Event Template
resource.
==== PI data
The entity reference (BinXmlPIData) is variable of size and consists of:
[cols="1,1,1,5",options="header"]
|===
| Offset | Size | Value | Description
| 0 | 1 | 0x0b | PI data token +
Should be: BinXmlTokenCDATASection +
See section: <<token_types,Token types>>
| 1 | ... | | PI data text +
See section: <<unicode_text_string,Unicode text string>>
|===
=== [[token_types]]Token types
Binary XML defines multiple token types.
[cols="1,1,5",options="header"]
|===
| Value | Identifier | Description
| 0x00 | BinXmlTokenEOF | End of file
| 0x01 +
0x41 | BinXmlTokenOpenStartElementTag | Open start element tag +
Indicates the start of a start element, correlates to '<' in '<Event>'
| 0x02 | BinXmlTokenCloseStartElementTag | Close start element tag +
Indicates the end of a start element, correlates to '>' in '<Event>'
| 0x03 | BinXmlTokenCloseEmptyElementTag | Close empty element tag +
Indicates the end of a start element, correlates to '/>' in '<Event/>'
| 0x04 | BinXmlTokenEndElementTag | Close end element tag +
Indicates the end of element, correlates to '</Event>'
| 0x05 +
0x45 | BinXmlTokenValue | Value
| 0x06 +
0x46 | BinXmlTokenAttribute | Attribute
| 0x07 +
0x47 | BinXmlTokenCDATASection | CDATA section
| 0x08 +
0x48 | BinXmlTokenCharRef | Character entity reference
| 0x09 +
0x49 | BinXmlTokenEntityRef | Entity reference
| 0x0a | BinXmlTokenPITarget | Processing instructions (PI) target +
XML processing instructions
| 0x0b | BinXmlTokenPIData | Processing instructions (PI) data +
XML processing instructions
| 0x0c | BinXmlTokenTemplateInstance | Template instance
| 0x0d | BinXmlTokenNormalSubstitution | Normal substitution
| 0x0e | BinXmlTokenOptionalSubstitution | Optional substitution
| 0x0f | BinXmlFragmentHeaderToken | Fragment header token
|===
Some of the token types can contain the has more data flag 0x40.
[yellow-background]*TODO bitmask of 0x1f ? is this defined in winevt.h ? If so
what do the other flags signify?*
=== [[value_types]]Value types
[cols="1,1,5",options="header"]
|===
| Value | Identifier | Description
| 0x00 | NullType | NULL or empty
| 0x01 | StringType | Unicode string +
Stored as UTF-16 little-endian without an end-of-string character
| 0x02 | AnsiStringType | ASCII string +
Stored using a codepage without an end-of-string character
| 0x03 | Int8Type | 8-bit integer signed
| 0x04 | UInt8Type | 8-bit integer unsigned
| 0x05 | Int16Type | 16-bit integer signed
| 0x06 | UInt16Type | 16-bit integer unsigned
| 0x07 | Int32Type | 32-bit integer signed
| 0x08 | UInt32Type | 32-bit integer unsigned
| 0x09 | Int64Type | 64-bit integer signed
| 0x0a | UInt64Type | 64-bit integer unsigned
| 0x0b | Real32Type | Floating point 32-bit (single precision)
| 0x0c | Real64Type | Floating point 64-bit (double precision)
| 0x0d | BoolType | Boolean +
[yellow-background]*An 32-bit integer that MUST be 0x00 or 0x01 (mapping to true or false, respectively).*
| 0x0e | BinaryType | Binary data
| 0x0f | GuidType | GUID +
Stored in little-endian
| 0x10 | SizeTType | Size type +
Either 32 or 64-bits. This value type should be pair up with a HexInt32Type or HexInt64Type
| 0x11 | FileTimeType | FILETIME (64-bit) +
Stored in little-endian
| 0x12 | SysTimeType | System time (128-bit) +
Stored in little-endian
| 0x13 | SidType | NT Security Identifier (SID) +
See `[LIBFWNT]`
| 0x14 | HexInt32Type | 32-bit integer hexadecimal +
32-bit (unsigned) integer that should be represented in hexadecimal notation
| 0x15 | HexInt64Type | 64-bit integer hexadecimal +
64-bit (unsigned) integer that should be represented in hexadecimal notation
| | |
| 0x20 | EvtHandle | [yellow-background]*Unknown*
| 0x21 | BinXmlType | Binary XML fragment
| | |
| 0x23 | EvtXml | [yellow-background]*Unknown*
|===
If the MSB of the value type (0x80) is use to indicate an array type. According
to `[MSDN]` binary data and binary XML fragment types are not supported. For the
string types the end-of-string character is used as a separator.
[cols="1,1,5",options="header"]
|===
| Value | Identifier | Description
| 0x81 | | Array of Unicode strings +
Individual strings are stored as UTF-16 little-endian with an end-of-string character
| 0x82 | | Array of ASCII strings +
Individual strings are stored as ASCII string using a codepage with an end-of-string character
| 0x83 | | Array of 8-bit integer signed +
Every 1 byte is an individual value
| 0x84 | | Array of 8-bit integer unsigned +
Every 1 byte is an individual value
| 0x85 | | Array of 16-bit integer signed +
Every 2 bytes are an individual value in little-endian
| 0x86 | | Array of 16-bit integer unsigned +
Every 2 bytes are an individual value in little-endian
| 0x87 | | Array of 32-bit integer signed +
Every 4 bytes are an individual value in little-endian
| 0x88 | | Array of 32-bit integer unsigned +
Every 4 bytes are an individual value in little-endian
| 0x89 | | Array of 64-bit integer signed +
Every 8 bytes are an individual value in little-endian
| 0x8a | | Array of 64-bit integer unsigned +
Every 8 bytes are an individual value in little-endian
| 0x8b | | Array of Floating point 32-bit (single precision) +
Every 4 bytes are an individual value in little-endian
| 0x8c | | Array of Floating point 64-bit (double precision) +
Every 8 bytes are an individual value in little-endian
| 0x8d | | [yellow-background]*Array of boolean* +
[yellow-background]*Every 4 bytes are an individual value in little-endian*
| | |
| 0x8f | | Array of GUID +
Every 16 bytes are an individual value in little-endian
| 0x90 | | Array of size type +
An individual value is either 32 or 64-bits. This value type should be pair up with an array of HexInt32Type or HexInt64Type
| 0x91 | | Array of FILETIME +
Every 8 bytes are an individual value in little-endian
| 0x92 | | Array of system time +
Every 16 bytes are an individual value in little-endian
| 0x93 | | [yellow-background]*Array of NT Security Identifiers (SID)*
| 0x94 | | Array of 32-bit integer hexadecimal +
Every 4 bytes are an individual value in little-endian
| 0x95 | | Array of 64-bit integer hexadecimal +
Every 8 bytes are an individual value in little-endian
|===
==== String
If in a string the characters: <, >, &, " and ' are not escaped they must
respectively be replaced by the following character entities: `<`, `>`,
`&`, `"` and `'`. This does not apply to Character entity
reference and Entity reference encoded strings.
Event Viewer will not escape the character entities in the XML view, but will
when exported as XML. Event Viewer seems to apply the XML character entity
escaping inside element values for &, < and > but not for ' and ".
==== Systemtime
The systemtime is 16 bytes of size and consists of:
[cols="1,1,1,5",options="header"]
|===
| Offset | Size | Value | Description
| 0 | 2 | | Year
| 2 | 2 | | Month
| 4 | 2 | | Day of week
| 6 | 2 | | Day of month
| 8 | 2 | | Hours
| 10 | 2 | | Minutes
| 12 | 2 | | Seconds
| 14 | 2 | | Milliseconds
|===
==== Floating point
Floating point values are represented as the following stings.
[cols="1,1,5",options="header"]
|===
| Value | Identifier | Description
| -1.#INF | | Negative infinity/overflow
| 1.#INF | | Positive infinity/overflow
| -1.#IND | | Indeterminate
| [-]?0 | | Positive or negative zero
| [yellow-background]*[-]?[0-9]+* | | [yellow-background]*Any positive or negative value that can be represented as an integer*
| [yellow-background]*[-]?[0-9]+.[0-9]{6}* | | [yellow-background]*Any positive or negative value that can be represented in 6 fractional digits*
| [yellow-background]*[-]?[0-9]+.[0-9]{6}e-[0-9]{3}* | | [yellow-background]*Any positive or negative value that could not be represented in 6 fractional digits*
|===
[yellow-background]*TODO validate the highlighted ones; 32-bit fractional of 6,
64-bit fractional of 14*
== Event
=== Event identifier
The event identifier is 4 bytes of size and consist of:
[cols="1,1,1,5",options="header"]
|===
| Offset | Size | Value | Description
| 0.0 | 16 bits | | Code
| 2.0 | 12 bits | | Facility
| 3.4 | 1 bit | | Reserved
| 3.5 | 1 bit | | Customer flags +
0 => System code +
1 => Customer code
| 3.6 | 2 bits | | Severity +
00 => Success +
01 => Informational +
10 => Warning +
11 => Error
|===
=== Level
[cols="1,1,5",options="header"]
|===
| Value | Identifier | Description
| 0x00000000 | | Identifies an event that should always be logged +
(win:LogAlways) +
Shown as "Information" in Event Viewer
| 0x00000001 | WINEVENT_LEVEL_CRITICAL | Identifies an abnormal exit or termination event +
(win:Critical)
| 0x00000002 | WINEVENT_LEVEL_ERROR | Identifies a severe error event +
(win:Error)
| 0x00000003 | WINEVENT_LEVEL_WARNING | Identifies a warning event such as an allocation failure +
(win:Warning)
| 0x00000004 | WINEVENT_LEVEL_INFO | Identifies a non-error event such as an entry or exit event +
(win:Informational)
| 0x00000005 | WINEVENT_LEVEL_VERBOSE | Identifies a detailed trace event +
(win:Verbose)
| 0x00000006 | | [yellow-background]*Reserved* +
[yellow-background]*(win:ReservedLevel6)*
| 0x00000007 | | [yellow-background]*Reserved* +
[yellow-background]*(win:ReservedLevel7)*
| 0x00000008 | | [yellow-background]*Reserved* +
[yellow-background]*(win:ReservedLevel8)*
| 0x00000009 | | [yellow-background]*Reserved* +
[yellow-background]*(win:ReservedLevel9)*
| 0x0000000a | | [yellow-background]*Reserved* +
[yellow-background]*(win:ReservedLevel10)*
| 0x0000000b | | [yellow-background]*Reserved* +
[yellow-background]*(win:ReservedLevel11)*
| 0x0000000c | | [yellow-background]*Reserved* +
[yellow-background]*(win:ReservedLevel12)*
| 0x0000000d | | [yellow-background]*Reserved* +
[yellow-background]*(win:ReservedLevel13)*
| 0x0000000e | | [yellow-background]*Reserved* +
[yellow-background]*(win:ReservedLevel14)*
| 0x0000000f | | [yellow-background]*Reserved* +
[yellow-background]*(win:ReservedLevel15)*
|===
=== Keywords
[cols="1,1,5",options="header"]
|===
| 0x0000000000000000 | | [yellow-background]*win:AnyKeyword*
| | |
| [yellow-background]*0x0000000000010000* | | [yellow-background]*Shell*
| [yellow-background]*0x0000000000020000* | | [yellow-background]*Properties*
| [yellow-background]*0x0000000000040000* | | [yellow-background]*FileClassStoreAndIconCache*
| [yellow-background]*0x0000000000080000* | | [yellow-background]*Controls*
| [yellow-background]*0x0000000000100000* | | [yellow-background]*APICalls*
| [yellow-background]*0x0000000000200000* | | [yellow-background]*InternetExplorer*
| [yellow-background]*0x0000000000400000* | | [yellow-background]*ShutdownUX*
| [yellow-background]*0x0000000000800000* | | [yellow-background]*CopyEngine*
| [yellow-background]*0x0000000001000000* | | [yellow-background]*Tasks*
| [yellow-background]*0x0000000002000000* | | [yellow-background]*WDI*
| [yellow-background]*0x0000000004000000* | | [yellow-background]*StartupPerf*
| [yellow-background]*0x0000000008000000* | | [yellow-background]*StructuredQuery*
| | |
| 0x0001000000000000 | | [yellow-background]*win:Reserved*
| 0x0002000000000000 | | [yellow-background]*win:WDIContext*
| 0x0004000000000000 | | [yellow-background]*win:WDIDiag*
| 0x0008000000000000 | | [yellow-background]*win:SQM*
| 0x0010000000000000 | | [yellow-background]*win:AuditFailure*
| 0x0020000000000000 | | [yellow-background]*win:AuditSuccess*
| 0x0040000000000000 | | [yellow-background]*win:CorrelationHint*
| 0x0080000000000000 | | [yellow-background]*Classic* +
[yellow-background]*win:EventlogClassic*
| 0x0100000000000000 | | [yellow-background]*win:ReservedKeyword56*
| 0x0200000000000000 | | [yellow-background]*win:ReservedKeyword57*
| 0x0400000000000000 | | [yellow-background]*win:ReservedKeyword58*
| 0x0800000000000000 | | [yellow-background]*win:ReservedKeyword59*
| 0x1000000000000000 | | [yellow-background]*win:ReservedKeyword60*
| 0x2000000000000000 | | [yellow-background]*win:ReservedKeyword61*
| 0x4000000000000000 | | [yellow-background]*win:ReservedKeyword62*
| 0x8000000000000000 | | [yellow-background]*win:ReservedKeyword63* +
[yellow-background]*Microsoft-Windows-Shell-Core/Diagnostic*
|===
=== Externally stored values
Some of the data that Event Viewer shows is stored outside the event log files.
On Windows XP (and earlier) the first step to determine the location of these
values is find the corresponding "eventlog type sub key" in the Windows
Registry under:
....
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\
....
Every event log type has its own sub key, e.g.:
....
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\System
....
Common event log types are:
* Application
* Security
* System
[NOTE]
The event log type is also stored in the "Channel" event XML element.
The event log type sub key has a "event source sub key" for every source name,
e.g for the source name "Workstation":
....
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\System\Workstation
....
[NOTE]
The source name is case insensitive; so "Workstation" and "workstation" are
considered equivalent.
The source name is stored as an attribute of the "Provider" element within the Event XML, e.g.
....
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Search"
Guid="{CA4E628D-8567-4896-AB6B-835B221F373F}"
EventSourceName="Windows Search Service"/>
....
The "EventSourceName" attribute contains the source name. If there is no
"EventSourceName" attribute the "Name" attribute is used.
As of Windows Vista the event log type sub key contains the value
"ProviderGuid" which should contain the same GUID as indicated in the Event XML:
....
{CA4E628D-8567-4896-AB6B-835B221F373F}
....
The corresponding provider settings can be found in the event message provider
Registry key:
....
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{ca4e628d-8567-4896-ab6b-835b221f373f}
....
On a Windows Vista (or later) system "wevtutil" can be used to determine more
about the provider. E.g.
....
wevtutil gp Microsoft-Windows-Search
....
==== Message strings
The event message strings are stored in event message files.
The event message provider Registry key has a value named "EventMessageFile"
which contains a path specification of the event message file, e.g.
....
%SystemRoot%\System32\netmsg.dll
....
[NOTE]
The value can contain multiple filenames separated by a semi colon (;)
character and that the name of the event message files is case insensitive.
On Windows XP (and earlier) the event source sub key has a value named
"EventMessageFile" which contains the same path. As of Windows Vista this value
is not always present and using the value "MessageFileName" in the event
message provider Registry key seems to be the preferred method. However it is
possible that the event message provider Registry key is not present and the
event source sub key is needs to be used instead.
Here "%SystemRoot%" is case insensitive and needs to be expanded to the Windows
directory. The actual value of %SystemRoot% can be found in the Registry value:
....
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Value: SystemRoot
....
This value is depended on the Windows version, e.g.
[cols="1,5",options="header"]
|===
| Value | Version
| C:\WINDOWS | Windows XP (NT 5.1) and later
| C:\WINNT | Windows NT 3.1, Windows NT 4.0 and Windows 2000 (NT 5.0)
| C:\WINNT35 | Windows NT 3.5x
| C:\WTSRV | Windows NT 4.0 Terminal Server
|===
Other placeholders that found to be used are:
....
%WinDir%
....
The actual value of e.g. %WinDir% can be found in the Registry value:
....
Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment\
Value: windir
....
Event message files are PE/COFF executables that contains a resource (".rsrc ")
section. Event message files can have various extensions, e.g. ".exe", ".dll",
".dll.mui", ".sys".
There different types of event message files:
* Message-table resource
* Multilingual User Interface (MUI) resource
The event message files can have any combination of these resources. The rules
of preference seems to be:
* use message-table resource if present, before checking MUI resource
===== Event resource file
The event message provider Registry key has a value named "ResourceFileName".
It is currently assumed that this Registry value contains a path specification
of the event resource file, e.g.
....
%SystemRoot%\System32\tquery.dll
....
The event resource file should contain a Windows Event Template (WEVT_TEMPLATE)
resource. The MUI resource should also contain a main name type "WEVT_TEMPLATE".
On recent version of Windows 10 the WEVT_TEMPLATE resource can also be stored
in a corresponding file in the SystemResources directory.
....
C:\Windows\SystemResources\tquery.dll.mun
....
The information stored in this resource is used to:
* determine the message string identifier
* determine the string identifiers of channels, keywords, levels, opcodes and tasks
* parse Event XML "UserData"
For more detailed information see: `[LIBEXE]` and `[LIBFWEVT]`;
===== Message string identifier
On Windows XP (and earlier) the message string identifier was a direct mapping
of the event identifier as of Windows Vista this is no longer the case. There
seem to be multiple methods how the event identifier is mapped to the message
string identifier, namely:
* Using the event identifier qualifiers
* Using the Windows Event Template resource
====== Using the event identifier qualifiers
If the EventID element in Event XML has the Qualifiers attribute set, e.g.:
....
<EventID Qualifiers="16384">7036</EventID>
....
Then the message string identifier can be determined as following:
....
16384 in hexadecimal is 0x4000
7036 in hexadecimal is 0x1b7c
....
....
message string identifier = ( 0x4000 << 16 ) | 0x1b7c = 0x40001b7c
....
====== Using the Windows Event Template (WEVT_TEMPLATE) resource
If an event resource file has been specified and if the Provider element in the
Event XML has the GUID attribute set, e.g.:
....
<Provider Name="Microsoft-Windows-UAC"
Guid="{E7558269-3FA5-46ED-9F4D-3C6E282DDE55}"/>
<EventID>1</EventID>
....
This GUID can be used to find a corresponding provider in the Windows Event
Template (WEVT_TEMPLATE) resource. This resource should contain an event
definition with the same identifier as the EventID in the Event XML, e.g. in
case of the example 1. The event definition will also contain a reference the
the message identifier, e.g. in case of the example 0xb9000001.
===== Message-table resource event message files
In a message-table resource event message file the event message strings are
stored in the message-table resource of the event message file.
The resource section of a message-table resource event message file contains a
message-table resource which contains the event message strings. E.g. on
Windows Vista
....
C:\Windows\Microsoft.NET\Framework\v2.0.50727\EventLogMessages.dll
....
The event message strings have identifiers similar to the event identifiers.
E.g. if the event identifier is 0 and the message string identifier 0, the
corresponding event message string would be:
....
%1
....
The placeholder values %1 represent the first string in the event.
The event strings are stored as "Data" elements in the "EventData" element
....
within the Event XML, e.g.
<EventData>
<Data>Service has been successfully shut down.</Data>
</EventData>
....
For a more comprehensive description of how to extract the event strings from
the Event XML see section: <<event_data,Event data>>. Sometimes the message
string can have more placeholder than the event data contains strings, it seems
in such a case the placeholders are not replaced and shown as %# in the
resulting string.
Note that the event message strings are language specific. An event message
file can therefore contain event message strings for multiple languages.
===== Multilingual User Interface (MUI) event message files
The resource section of a Multilingual User Interface (MUI) event message file
contains Multilingual User Interface (MUI) resource. E.g. on Windows Vista
....
C:\Windows\System32\services.exe
....
The MUI event message (or language neutral) files do not have to contain
a message-table resource but forward to a language specific message-table
resource event message file, e.g. "en-US":
....
C:\Windows\System32\en-US\services.exe.mui
....
Note that it also possible that the corresponding "language specific" event
message file is stored in the same directory as the MUI event message file.
....
C:\Windows\System32\services.exe.mui
....
It is this file that contains the language specific event message-table
resource.
The event message strings have identifiers similar to the event identifiers.
E.g. if the event identifier in XML is:
....
<EventID Qualifiers="16384">7036</EventID>
....
This would correspond to the event message string identifier:
....
16384 in hexadecimal is 0x4000
7036 in hexadecimal is 0x1b7c
....
....
event message string identifier = ( 0x4000 << 16 ) | 0x1b7c = 0x40001b7c
....
The corresponding event message string would be:
....
The %1 service entered the %2 state.
....
The placeholder values %1 and %2 represent the first and second string in the
event.
The event strings are stored as "Data" elements in the "EventData" element
within the Event XML, e.g.
....
<EventData>
<Data Name="param1">Volume Shadow Copy</Data>
<Data Name="param2">stopped</Data>
</EventData>
....
===== [[event_data]]Event data
As previously mentioned the event strings (and binary data) are stored as
"Data" elements in the "EventData" element within the Event XML. Another way to
store the event data is in a "UserData" element. The information in this
section is partially deduced on the behavior of the "General", "Details
Friendly View" and "Details XML View" of Event Viewer.
Let's start out with the following variant of event data.
....
<EventData>
<Data>SessionEnv</Data>
<Binary>D9060000</Binary>
</EventData>
....
In this case "EventData" in the "Details Friendly View" contains both the value
of the "Data" and the "Binary" tag. The value of the Binary tag is additionally
interpreted as "Binary Data", which is base16 encoded.
....
SessionEnv
D9060000
....
If the Data has a corresponding "Name" attribute the "EventData" in the
"Details Friendly View" shows the value of the "Name" attribute followed by the
value of the "Data" tag, e.g.
....
<EventData>
<Data Name="param1">86400</Data>
<Data Name="param2">SuppressDuplicateDuration</Data>
<Data Name="param3">Software\Microsoft\EventSystem\EventLog</Data>
</EventData>
....
....
param1 86400
param2 SuppressDuplicateDuration
param3 Software\Microsoft\EventSystem\EventLog
....
The data of an empty "Data" is not ignored but not directly visible int the
"Details Friendly View". In case of the following example on the value of the
"Name" attribute would be shown.
....
<EventData>
<Data Name="ExtraInfo"/>
</EventData>
ExtraInfo
....
ProcessingErrorData is a variation of EventData:
....
<ProcessingErrorData>
<ErrorCode>15005</ErrorCode>
<DataItemName>Value</DataItemName>
<EventPayload>804110C3E253BF01</EventPayload>
</ProcessingErrorData>
....
....
ErrorCode 15005
DataItemName Value
EventPayload 804110C3E253BF01
....
In some events the data is not stored in a "EventData" tag within the Event XML
but in a "UserData" tag, e.g.
....
<UserData>
<EventXML xmlns:auto-ns2="..." xmlns="LoadPerf">
<param1>WmiApRpl</param1>
<param2>WmiApRpl</param2>
<binaryDataSize>4</binaryDataSize>
<binaryData>44415441</binaryData>
</EventXML>
</UserData>
....
In this case the "EventData" in the "Details Friendly View" will show the data
as:
....
EventXML
param1 WmiApRpl
param2 WmiApRpl
binaryDataSize 4
binaryData 44415441
....
The binary data is not interpreted as the binary data seen with the "EventData"
tag.
Here "WmiApRpl" is the first string and "44415441" the fourth.
Event strings can also be stored as attribute values.
....
<UserData>
<EventProcessingFailure xmlns="http://manifests.microsoft.com/...">
<Error Code="15007"/>
<EventID>4616</EventID>
<PublisherID>Microsoft-Windows-Security-Auditing</PublisherID>
</EventProcessingFailure>
</UserData>
....
....
EventProcessingFailure
Error
[Code] 15007
EventID 4616
PublisherID Microsoft-Windows-Security-Auditing
....
The corresponding message string is:
....
The event logging service encountered an error while processing an incoming event published from %3.
....
Which indicates the attribute value should be considered the first event string.
Some event records have a corresponding template definition in the
WEVT_TEMPLATE data.
An example of an event record with a corresponding template definition is:
....
<EventData Name="EVENT_HIVE_LEAK">
<Data Name="Detail">1 user registry handles leaked from ...</Data>
</EventData>
....
....
<EventData Name="EVENT_HIVE_LEAK">
<Data Name="Detail">Detail</Data>
</EventData>
....
Note that not all event records have corresponding WEVT_TEMPLATE data or
template definition. Sometimes the template definition does not entirely match
the event record e.g. the following example where the template definition
contains Name="%1" but not the event record.
....
<EventData>
<Data>http://www.download.windowsupdate.com/...</Data>
<Data>The data is invalid.</Data>
</EventData>
....
....
<EventData>
<Data Name="%1">%1</Data>
<Data Name="%2">%2</Data>
</EventData>
....
This however might be a special case of the "EventData".
===== Parsing event data
In the initial phases of the libevtx project several attempts have been made to
uniformly parse the event data.
Firstly the naive approach. This approach considers the element values of the
sub elements of the "EventData" or "UserData" elements as event string. Alas
this approach fails to handle event strings that are defined as element
attributes values mainly seen in "UserData" elements, e.g.
....
<UserData>
<EventProcessingFailure xmlns="http://manifests.microsoft.com/...">
<Error Code="15007"/>
<EventID>4616</EventID>
<PublisherID>Microsoft-Windows-Security-Auditing</PublisherID>
</EventProcessingFailure>
</UserData>
....
The next approach was to use the template definitions, if available, to parse
the "EventData" and "UserData" elements.
gitextract_30yz1f74/ ├── .codecov.yml ├── .github/ │ └── workflows/ │ ├── build.yml │ ├── build_freebsd.yml │ ├── build_macos.yml │ ├── build_ossfuzz.yml │ ├── build_shared.yml │ └── build_wheel.yml ├── .gitignore ├── AUTHORS ├── COPYING ├── COPYING.LESSER ├── ChangeLog ├── Makefile.am ├── NEWS ├── README ├── acinclude.m4 ├── appveyor.yml ├── autogen.ps1 ├── autogen.sh ├── build.ps1 ├── common/ │ ├── Makefile.am │ ├── byte_stream.h │ ├── common.h │ ├── config_borlandc.h │ ├── config_msc.h │ ├── config_winapi.h │ ├── file_stream.h │ ├── memory.h │ ├── narrow_string.h │ ├── system_string.h │ ├── types.h.in │ └── wide_string.h ├── configure.ac ├── documentation/ │ └── Windows XML Event Log (EVTX).asciidoc ├── dpkg/ │ ├── changelog.in │ ├── compat │ ├── control │ ├── copyright │ ├── libevtx-dev.install │ ├── libevtx-python3.install │ ├── libevtx-tools.install │ ├── libevtx.install │ ├── rules │ └── source/ │ └── format ├── dtfabric.yaml ├── evtxtools/ │ ├── Makefile.am │ ├── evtxexport.c │ ├── evtxinfo.c │ ├── evtxinput.c │ ├── evtxinput.h │ ├── evtxtools_getopt.c │ ├── evtxtools_getopt.h │ ├── evtxtools_i18n.h │ ├── evtxtools_libbfio.h │ ├── evtxtools_libcdirectory.h │ ├── evtxtools_libcerror.h │ ├── evtxtools_libclocale.h │ ├── evtxtools_libcnotify.h │ ├── evtxtools_libcpath.h │ ├── evtxtools_libcsplit.h │ ├── evtxtools_libevtx.h │ ├── evtxtools_libexe.h │ ├── evtxtools_libfcache.h │ ├── evtxtools_libfdatetime.h │ ├── evtxtools_libfguid.h │ ├── evtxtools_libfvalue.h │ ├── evtxtools_libfwevt.h │ ├── evtxtools_libfwnt.h │ ├── evtxtools_libregf.h │ ├── evtxtools_libuna.h │ ├── evtxtools_libwrc.h │ ├── evtxtools_output.c │ ├── evtxtools_output.h │ ├── evtxtools_signal.c │ ├── evtxtools_signal.h │ ├── evtxtools_system_split_string.h │ ├── evtxtools_unused.h │ ├── evtxtools_wide_string.c │ ├── evtxtools_wide_string.h │ ├── export_handle.c │ ├── export_handle.h │ ├── info_handle.c │ ├── info_handle.h │ ├── log_handle.c │ ├── log_handle.h │ ├── message_handle.c │ ├── message_handle.h │ ├── message_string.c │ ├── message_string.h │ ├── path_handle.c │ ├── path_handle.h │ ├── registry_file.c │ ├── registry_file.h │ ├── resource_file.c │ └── resource_file.h ├── include/ │ ├── Makefile.am │ ├── libevtx/ │ │ ├── codepage.h │ │ ├── definitions.h.in │ │ ├── error.h │ │ ├── extern.h │ │ ├── features.h.in │ │ └── types.h.in │ └── libevtx.h.in ├── libevtx/ │ ├── Makefile.am │ ├── evtx_chunk.h │ ├── evtx_event_record.h │ ├── evtx_file_header.h │ ├── libevtx.c │ ├── libevtx.rc.in │ ├── libevtx_byte_stream.c │ ├── libevtx_byte_stream.h │ ├── libevtx_checksum.c │ ├── libevtx_checksum.h │ ├── libevtx_chunk.c │ ├── libevtx_chunk.h │ ├── libevtx_chunks_table.c │ ├── libevtx_chunks_table.h │ ├── libevtx_codepage.c │ ├── libevtx_codepage.h │ ├── libevtx_debug.c │ ├── libevtx_debug.h │ ├── libevtx_definitions.h.in │ ├── libevtx_error.c │ ├── libevtx_error.h │ ├── libevtx_extern.h │ ├── libevtx_file.c │ ├── libevtx_file.h │ ├── libevtx_i18n.c │ ├── libevtx_i18n.h │ ├── libevtx_io_handle.c │ ├── libevtx_io_handle.h │ ├── libevtx_libbfio.h │ ├── libevtx_libcdata.h │ ├── libevtx_libcerror.h │ ├── libevtx_libclocale.h │ ├── libevtx_libcnotify.h │ ├── libevtx_libfcache.h │ ├── libevtx_libfdata.h │ ├── libevtx_libfdatetime.h │ ├── libevtx_libfguid.h │ ├── libevtx_libfwevt.h │ ├── libevtx_libuna.h │ ├── libevtx_notify.c │ ├── libevtx_notify.h │ ├── libevtx_record.c │ ├── libevtx_record.h │ ├── libevtx_record_values.c │ ├── libevtx_record_values.h │ ├── libevtx_support.c │ ├── libevtx_support.h │ ├── libevtx_template_definition.c │ ├── libevtx_template_definition.h │ ├── libevtx_types.h │ └── libevtx_unused.h ├── libevtx.ini ├── libevtx.pc.in ├── libevtx.spec.in ├── m4/ │ ├── common.m4 │ ├── libbfio.m4 │ ├── libcdata.m4 │ ├── libcdirectory.m4 │ ├── libcerror.m4 │ ├── libcfile.m4 │ ├── libclocale.m4 │ ├── libcnotify.m4 │ ├── libcpath.m4 │ ├── libcsplit.m4 │ ├── libcthreads.m4 │ ├── libexe.m4 │ ├── libfcache.m4 │ ├── libfdata.m4 │ ├── libfdatetime.m4 │ ├── libfguid.m4 │ ├── libfvalue.m4 │ ├── libfwevt.m4 │ ├── libfwnt.m4 │ ├── libregf.m4 │ ├── libuna.m4 │ ├── libwrc.m4 │ ├── pthread.m4 │ ├── python.m4 │ ├── tests.m4 │ └── types.m4 ├── manuals/ │ ├── Makefile.am │ ├── evtxexport.1 │ ├── evtxinfo.1 │ └── libevtx.3 ├── msvscpp/ │ ├── Makefile.am │ ├── evtx_test_chunk/ │ │ └── evtx_test_chunk.vcproj │ ├── evtx_test_chunks_table/ │ │ └── evtx_test_chunks_table.vcproj │ ├── evtx_test_error/ │ │ └── evtx_test_error.vcproj │ ├── evtx_test_file/ │ │ └── evtx_test_file.vcproj │ ├── evtx_test_io_handle/ │ │ └── evtx_test_io_handle.vcproj │ ├── evtx_test_notify/ │ │ └── evtx_test_notify.vcproj │ ├── evtx_test_record/ │ │ └── evtx_test_record.vcproj │ ├── evtx_test_record_values/ │ │ └── evtx_test_record_values.vcproj │ ├── evtx_test_support/ │ │ └── evtx_test_support.vcproj │ ├── evtx_test_template_definition/ │ │ └── evtx_test_template_definition.vcproj │ ├── evtx_test_tools_info_handle/ │ │ └── evtx_test_tools_info_handle.vcproj │ ├── evtx_test_tools_message_handle/ │ │ └── evtx_test_tools_message_handle.vcproj │ ├── evtx_test_tools_message_string/ │ │ └── evtx_test_tools_message_string.vcproj │ ├── evtx_test_tools_output/ │ │ └── evtx_test_tools_output.vcproj │ ├── evtx_test_tools_path_handle/ │ │ └── evtx_test_tools_path_handle.vcproj │ ├── evtx_test_tools_registry_file/ │ │ └── evtx_test_tools_registry_file.vcproj │ ├── evtx_test_tools_resource_file/ │ │ └── evtx_test_tools_resource_file.vcproj │ ├── evtx_test_tools_signal/ │ │ └── evtx_test_tools_signal.vcproj │ ├── evtxexport/ │ │ └── evtxexport.vcproj │ ├── evtxinfo/ │ │ └── evtxinfo.vcproj │ ├── libbfio/ │ │ └── libbfio.vcproj │ ├── libcdata/ │ │ └── libcdata.vcproj │ ├── libcdirectory/ │ │ └── libcdirectory.vcproj │ ├── libcerror/ │ │ └── libcerror.vcproj │ ├── libcfile/ │ │ └── libcfile.vcproj │ ├── libclocale/ │ │ └── libclocale.vcproj │ ├── libcnotify/ │ │ └── libcnotify.vcproj │ ├── libcpath/ │ │ └── libcpath.vcproj │ ├── libcsplit/ │ │ └── libcsplit.vcproj │ ├── libcthreads/ │ │ └── libcthreads.vcproj │ ├── libevtx/ │ │ └── libevtx.vcproj │ ├── libevtx.sln │ ├── libexe/ │ │ └── libexe.vcproj │ ├── libfcache/ │ │ └── libfcache.vcproj │ ├── libfdata/ │ │ └── libfdata.vcproj │ ├── libfdatetime/ │ │ └── libfdatetime.vcproj │ ├── libfguid/ │ │ └── libfguid.vcproj │ ├── libfvalue/ │ │ └── libfvalue.vcproj │ ├── libfwevt/ │ │ └── libfwevt.vcproj │ ├── libfwnt/ │ │ └── libfwnt.vcproj │ ├── libregf/ │ │ └── libregf.vcproj │ ├── libuna/ │ │ └── libuna.vcproj │ ├── libwrc/ │ │ └── libwrc.vcproj │ └── pyevtx/ │ └── pyevtx.vcproj ├── ossfuzz/ │ ├── Makefile.am │ ├── file_fuzzer.cc │ ├── ossfuzz_libbfio.h │ ├── ossfuzz_libevtx.h │ └── record_fuzzer.cc ├── po/ │ ├── ChangeLog │ ├── Makevars.in │ └── POTFILES.in ├── pyevtx/ │ ├── Makefile.am │ ├── pyevtx.c │ ├── pyevtx.h │ ├── pyevtx_codepage.c │ ├── pyevtx_codepage.h │ ├── pyevtx_datetime.c │ ├── pyevtx_datetime.h │ ├── pyevtx_error.c │ ├── pyevtx_error.h │ ├── pyevtx_event_levels.c │ ├── pyevtx_event_levels.h │ ├── pyevtx_file.c │ ├── pyevtx_file.h │ ├── pyevtx_file_flags.c │ ├── pyevtx_file_flags.h │ ├── pyevtx_file_object_io_handle.c │ ├── pyevtx_file_object_io_handle.h │ ├── pyevtx_integer.c │ ├── pyevtx_integer.h │ ├── pyevtx_libbfio.h │ ├── pyevtx_libcerror.h │ ├── pyevtx_libclocale.h │ ├── pyevtx_libevtx.h │ ├── pyevtx_libfwnt.h │ ├── pyevtx_python.h │ ├── pyevtx_record.c │ ├── pyevtx_record.h │ ├── pyevtx_records.c │ ├── pyevtx_records.h │ ├── pyevtx_strings.c │ ├── pyevtx_strings.h │ └── pyevtx_unused.h ├── pyproject.toml ├── runtests.ps1 ├── runtests.sh ├── setup.cfg.in ├── setup.py ├── synclibs.ps1 ├── synclibs.sh ├── synctestdata.ps1 ├── synctestdata.sh ├── tests/ │ ├── Makefile.am │ ├── build.sh │ ├── evtx_test_chunk.c │ ├── evtx_test_chunks_table.c │ ├── evtx_test_error.c │ ├── evtx_test_file.c │ ├── evtx_test_functions.c │ ├── evtx_test_functions.h │ ├── evtx_test_getopt.c │ ├── evtx_test_getopt.h │ ├── evtx_test_io_handle.c │ ├── evtx_test_libbfio.h │ ├── evtx_test_libcerror.h │ ├── evtx_test_libclocale.h │ ├── evtx_test_libcnotify.h │ ├── evtx_test_libevtx.h │ ├── evtx_test_libuna.h │ ├── evtx_test_macros.h │ ├── evtx_test_memory.c │ ├── evtx_test_memory.h │ ├── evtx_test_notify.c │ ├── evtx_test_record.c │ ├── evtx_test_record_values.c │ ├── evtx_test_support.c │ ├── evtx_test_template_definition.c │ ├── evtx_test_tools_info_handle.c │ ├── evtx_test_tools_message_handle.c │ ├── evtx_test_tools_message_string.c │ ├── evtx_test_tools_output.c │ ├── evtx_test_tools_path_handle.c │ ├── evtx_test_tools_registry_file.c │ ├── evtx_test_tools_resource_file.c │ ├── evtx_test_tools_signal.c │ ├── evtx_test_unused.h │ ├── lsan.suppressions │ ├── pkgbuild.sh │ ├── pyevtx_test_file.py │ ├── pyevtx_test_support.py │ ├── runtests.py │ ├── runtests.sh │ ├── syncsharedlibs.sh │ ├── test_evtxexport.sh │ ├── test_evtxinfo.ps1 │ ├── test_evtxinfo.sh │ ├── test_library.ps1 │ ├── test_library.sh │ ├── test_manpage.sh │ ├── test_python_module.sh │ ├── test_runner.sh │ ├── test_tools.ps1 │ └── test_tools.sh └── tox.ini
SYMBOL INDEX (578 symbols across 99 files)
FILE: common/byte_stream.h
type byte_stream_float32_t (line 40) | typedef union byte_stream_float32
type byte_stream_float64_t (line 47) | typedef union byte_stream_float64
FILE: evtxtools/evtxexport.c
function usage_fprint (line 51) | void usage_fprint(
function evtxexport_signal_handler (line 99) | void evtxexport_signal_handler(
function main (line 146) | int main( int argc, char * const argv[] )
FILE: evtxtools/evtxinfo.c
function usage_fprint (line 51) | void usage_fprint(
function evtxinfo_signal_handler (line 77) | void evtxinfo_signal_handler(
function main (line 124) | int main( int argc, char * const argv[] )
FILE: evtxtools/evtxinput.c
function evtxinput_determine_event_log_type (line 37) | int evtxinput_determine_event_log_type(
function evtxinput_determine_event_log_type_from_filename (line 110) | int evtxinput_determine_event_log_type_from_filename(
FILE: evtxtools/evtxinput.h
type EVTXTOOLS_EVENT_LOG_TYPES (line 34) | enum EVTXTOOLS_EVENT_LOG_TYPES
FILE: evtxtools/evtxtools_getopt.c
function system_integer_t (line 59) | system_integer_t evtxtools_getopt(
FILE: evtxtools/evtxtools_output.c
function evtxtools_output_initialize (line 42) | int evtxtools_output_initialize(
function evtxoutput_copyright_fprint (line 99) | void evtxoutput_copyright_fprint(
function evtxoutput_version_fprint (line 131) | void evtxoutput_version_fprint(
function evtxoutput_version_detailed_fprint (line 152) | void evtxoutput_version_detailed_fprint(
FILE: evtxtools/evtxtools_signal.c
function BOOL (line 42) | BOOL WINAPI evtxtools_signal_handler(
function evtxtools_signal_initialize_memory_debug (line 70) | void evtxtools_signal_initialize_memory_debug(
function evtxtools_signal_attach (line 95) | int evtxtools_signal_attach(
function evtxtools_signal_detach (line 176) | int evtxtools_signal_detach(
function evtxtools_signal_attach (line 204) | int evtxtools_signal_attach(
function evtxtools_signal_detach (line 240) | int evtxtools_signal_detach(
FILE: evtxtools/evtxtools_signal.h
type evtxtools_signal_t (line 39) | typedef unsigned long evtxtools_signal_t;
type evtxtools_signal_t (line 42) | typedef int evtxtools_signal_t;
FILE: evtxtools/evtxtools_wide_string.c
function evtxtools_wide_string_compare_no_case (line 38) | int evtxtools_wide_string_compare_no_case(
FILE: evtxtools/export_handle.c
function export_handle_initialize (line 111) | int export_handle_initialize(
function export_handle_free (line 221) | int export_handle_free(
function export_handle_signal_abort (line 294) | int export_handle_signal_abort(
function export_handle_set_export_mode (line 348) | int export_handle_set_export_mode(
function export_handle_set_export_format (line 424) | int export_handle_set_export_format(
function export_handle_set_ascii_codepage (line 477) | int export_handle_set_ascii_codepage(
function export_handle_set_preferred_language_identifier (line 553) | int export_handle_set_preferred_language_identifier(
function export_handle_set_event_log_type (line 591) | int export_handle_set_event_log_type(
function export_handle_set_event_log_type_from_filename (line 632) | int export_handle_set_event_log_type_from_filename(
function export_handle_set_software_registry_filename (line 673) | int export_handle_set_software_registry_filename(
function export_handle_set_system_registry_filename (line 711) | int export_handle_set_system_registry_filename(
function export_handle_set_registry_directory_name (line 749) | int export_handle_set_registry_directory_name(
function export_handle_set_resource_files_path (line 787) | int export_handle_set_resource_files_path(
function export_handle_open_input (line 825) | int export_handle_open_input(
function export_handle_close_input (line 914) | int export_handle_close_input(
function export_handle_guid_string_copy_to_byte_stream (line 968) | int export_handle_guid_string_copy_to_byte_stream(
function export_handle_resource_file_get_template_definition (line 1074) | int export_handle_resource_file_get_template_definition(
function export_handle_export_record_event_message (line 1270) | int export_handle_export_record_event_message(
function export_handle_export_record (line 1749) | int export_handle_export_record(
function export_handle_export_record_text (line 1810) | int export_handle_export_record_text(
function export_handle_export_record_xml (line 2513) | int export_handle_export_record_xml(
function export_handle_export_records (line 2635) | int export_handle_export_records(
function export_handle_export_recovered_records (line 2772) | int export_handle_export_recovered_records(
function export_handle_export_file (line 2907) | int export_handle_export_file(
FILE: evtxtools/export_handle.h
type EXPORT_MODES (line 40) | enum EXPORT_MODES
type EXPORT_FORMATS (line 47) | enum EXPORT_FORMATS
type export_handle_t (line 53) | typedef struct export_handle export_handle_t;
type export_handle (line 55) | struct export_handle
FILE: evtxtools/info_handle.c
function info_handle_initialize (line 43) | int info_handle_initialize(
function info_handle_free (line 131) | int info_handle_free(
function info_handle_signal_abort (line 178) | int info_handle_signal_abort(
function info_handle_set_ascii_codepage (line 219) | int info_handle_set_ascii_codepage(
function info_handle_set_event_log_type_from_filename (line 278) | int info_handle_set_event_log_type_from_filename(
function info_handle_open (line 319) | int info_handle_open(
function info_handle_close (line 380) | int info_handle_close(
function info_handle_file_fprint (line 416) | int info_handle_file_fprint(
FILE: evtxtools/info_handle.h
type info_handle_t (line 36) | typedef struct info_handle info_handle_t;
type info_handle (line 38) | struct info_handle
FILE: evtxtools/log_handle.c
function log_handle_initialize (line 43) | int log_handle_initialize(
function log_handle_free (line 115) | int log_handle_free(
function log_handle_open (line 145) | int log_handle_open(
function log_handle_close (line 192) | int log_handle_close(
function VARARGS (line 248) | void VARARGS(
FILE: evtxtools/log_handle.h
type log_handle_t (line 35) | typedef struct log_handle log_handle_t;
type log_handle (line 37) | struct log_handle
FILE: evtxtools/message_handle.c
function message_handle_initialize (line 49) | int message_handle_initialize(
function message_handle_free (line 182) | int message_handle_free(
function message_handle_signal_abort (line 357) | int message_handle_signal_abort(
function message_handle_set_ascii_codepage (line 412) | int message_handle_set_ascii_codepage(
function message_handle_set_preferred_language_identifier (line 438) | int message_handle_set_preferred_language_identifier(
function message_handle_set_software_registry_filename (line 464) | int message_handle_set_software_registry_filename(
function message_handle_set_system_registry_filename (line 565) | int message_handle_set_system_registry_filename(
function message_handle_set_registry_directory_name (line 666) | int message_handle_set_registry_directory_name(
function message_handle_set_resource_files_path (line 767) | int message_handle_set_resource_files_path(
function message_handle_open_software_registry_file (line 804) | int message_handle_open_software_registry_file(
function message_handle_open_system_registry_file (line 1255) | int message_handle_open_system_registry_file(
function message_handle_open_input (line 1598) | int message_handle_open_input(
function message_handle_close_input (line 1654) | int message_handle_close_input(
function message_handle_get_value_by_event_source (line 1737) | int message_handle_get_value_by_event_source(
function message_handle_get_value_by_provider_identifier (line 2012) | int message_handle_get_value_by_provider_identifier(
function message_handle_get_resource_file_path (line 2253) | int message_handle_get_resource_file_path(
function else (line 2631) | else if( volume_letter != NULL )
function message_handle_get_resource_file (line 2946) | int message_handle_get_resource_file(
function message_handle_get_resource_file_from_cache (line 3078) | int message_handle_get_resource_file_from_cache(
function message_handle_get_mui_resource_file (line 3181) | int message_handle_get_mui_resource_file(
function message_handle_get_mui_resource_file_from_cache (line 3313) | int message_handle_get_mui_resource_file_from_cache(
function message_handle_get_message_string_from_resource_file (line 3412) | int message_handle_get_message_string_from_resource_file(
function message_handle_get_message_string (line 3715) | int message_handle_get_message_string(
function message_handle_get_resource_file_by_provider_identifier (line 3878) | int message_handle_get_resource_file_by_provider_identifier(
FILE: evtxtools/message_handle.h
type message_handle_t (line 40) | typedef struct message_handle message_handle_t;
type message_handle (line 42) | struct message_handle
FILE: evtxtools/message_string.c
function message_string_initialize (line 39) | int message_string_initialize(
function message_string_free (line 119) | int message_string_free(
function message_string_get_from_message_table_resource (line 155) | int message_string_get_from_message_table_resource(
function message_string_fprint (line 291) | int message_string_fprint(
FILE: evtxtools/message_string.h
type message_string_t (line 37) | typedef struct message_string message_string_t;
type message_string (line 39) | struct message_string
FILE: evtxtools/path_handle.c
function path_handle_initialize (line 37) | int path_handle_initialize(
function path_handle_free (line 109) | int path_handle_free(
function path_handle_get_directory_entry_name_by_name_no_case (line 147) | int path_handle_get_directory_entry_name_by_name_no_case(
FILE: evtxtools/path_handle.h
type path_handle_t (line 34) | typedef struct path_handle path_handle_t;
type path_handle (line 36) | struct path_handle
FILE: evtxtools/registry_file.c
function registry_file_initialize (line 38) | int registry_file_initialize(
function registry_file_free (line 128) | int registry_file_free(
function registry_file_signal_abort (line 188) | int registry_file_signal_abort(
function registry_file_set_ascii_codepage (line 227) | int registry_file_set_ascii_codepage(
function registry_file_open (line 265) | int registry_file_open(
function registry_file_close (line 747) | int registry_file_close(
function registry_file_get_key_by_path (line 853) | int registry_file_get_key_by_path(
FILE: evtxtools/registry_file.h
type REGISTRY_FILE_TYPES (line 36) | enum REGISTRY_FILE_TYPES
type registry_file_t (line 45) | typedef struct registry_file registry_file_t;
type registry_file (line 47) | struct registry_file
FILE: evtxtools/resource_file.c
function resource_file_initialize (line 43) | int resource_file_initialize(
function resource_file_free (line 175) | int resource_file_free(
function resource_file_open (line 266) | int resource_file_open(
function resource_file_close (line 419) | int resource_file_close(
function resource_file_set_name (line 566) | int resource_file_set_name(
function resource_file_get_message_table_resource (line 675) | int resource_file_get_message_table_resource(
function resource_file_get_message_string_from_cache (line 1055) | int resource_file_get_message_string_from_cache(
function resource_file_get_message_string (line 1144) | int resource_file_get_message_string(
function resource_file_get_mui_resource (line 1327) | int resource_file_get_mui_resource(
function resource_file_get_mui_file_type (line 1706) | int resource_file_get_mui_file_type(
function resource_file_get_wevt_manifest (line 1768) | int resource_file_get_wevt_manifest(
function resource_file_get_provider (line 2147) | int resource_file_get_provider(
function resource_file_get_event (line 2215) | int resource_file_get_event(
function resource_file_get_template_definition (line 2302) | int resource_file_get_template_definition(
function resource_file_get_event_message_identifier (line 2466) | int resource_file_get_event_message_identifier(
FILE: evtxtools/resource_file.h
type resource_file_t (line 40) | typedef struct resource_file resource_file_t;
type resource_file (line 42) | struct resource_file
FILE: include/libevtx/codepage.h
type LIBEVTX_CODEPAGES (line 33) | enum LIBEVTX_CODEPAGES
FILE: include/libevtx/error.h
type libevtx_error_t (line 29) | typedef intptr_t libevtx_error_t;
type LIBEVTX_ERROR_DOMAINS (line 33) | enum LIBEVTX_ERROR_DOMAINS
type LIBEVTX_ARGUMENT_ERROR (line 48) | enum LIBEVTX_ARGUMENT_ERROR
type LIBEVTX_CONVERSION_ERROR (line 93) | enum LIBEVTX_CONVERSION_ERROR
type LIBEVTX_COMPRESSION_ERROR (line 109) | enum LIBEVTX_COMPRESSION_ERROR
type LIBEVTX_IO_ERROR (line 125) | enum LIBEVTX_IO_ERROR
type LIBEVTX_INPUT_ERROR (line 169) | enum LIBEVTX_INPUT_ERROR
type LIBEVTX_MEMORY_ERROR (line 194) | enum LIBEVTX_MEMORY_ERROR
type LIBEVTX_OUTPUT_ERROR (line 213) | enum LIBEVTX_OUTPUT_ERROR
type LIBEVTX_RUNTIME_ERROR (line 225) | enum LIBEVTX_RUNTIME_ERROR
FILE: libevtx/evtx_chunk.h
type evtx_chunk_header_t (line 32) | typedef struct evtx_chunk_header evtx_chunk_header_t;
type evtx_chunk_header (line 34) | struct evtx_chunk_header
FILE: libevtx/evtx_event_record.h
type evtx_event_record_header_t (line 32) | typedef struct evtx_event_record_header evtx_event_record_header_t;
type evtx_event_record_header (line 34) | struct evtx_event_record_header
FILE: libevtx/evtx_file_header.h
type evtx_file_header_t (line 32) | typedef struct evtx_file_header evtx_file_header_t;
type evtx_file_header (line 34) | struct evtx_file_header
FILE: libevtx/libevtx.c
function BOOL (line 42) | BOOL WINAPI DllMain(
function libevtx_is_dll (line 71) | int libevtx_is_dll(
FILE: libevtx/libevtx_byte_stream.c
function libevtx_byte_stream_check_for_zero_byte_fill (line 32) | int libevtx_byte_stream_check_for_zero_byte_fill(
FILE: libevtx/libevtx_checksum.c
function libevtx_checksum_initialize_crc32_table (line 38) | void libevtx_checksum_initialize_crc32_table(
function libevtx_checksum_calculate_little_endian_crc32 (line 73) | int libevtx_checksum_calculate_little_endian_crc32(
function libevtx_checksum_calculate_little_endian_weak_crc32 (line 140) | int libevtx_checksum_calculate_little_endian_weak_crc32(
FILE: libevtx/libevtx_chunk.c
function libevtx_chunk_initialize (line 46) | int libevtx_chunk_initialize(
function libevtx_chunk_free (line 158) | int libevtx_chunk_free(
function libevtx_chunk_read (line 222) | int libevtx_chunk_read(
function libevtx_chunk_get_number_of_records (line 959) | int libevtx_chunk_get_number_of_records(
function libevtx_chunk_get_record (line 1022) | int libevtx_chunk_get_record(
function libevtx_chunk_get_number_of_recovered_records (line 1063) | int libevtx_chunk_get_number_of_recovered_records(
function libevtx_chunk_get_recovered_record (line 1126) | int libevtx_chunk_get_recovered_record(
FILE: libevtx/libevtx_chunk.h
type libevtx_chunk_t (line 38) | typedef struct libevtx_chunk libevtx_chunk_t;
type libevtx_chunk (line 40) | struct libevtx_chunk
FILE: libevtx/libevtx_chunks_table.c
function libevtx_chunks_table_initialize (line 40) | int libevtx_chunks_table_initialize(
function libevtx_chunks_table_free (line 131) | int libevtx_chunks_table_free(
function libevtx_chunks_table_read_record (line 163) | int libevtx_chunks_table_read_record(
FILE: libevtx/libevtx_chunks_table.h
type libevtx_chunks_table_t (line 38) | typedef struct libevtx_chunks_table libevtx_chunks_table_t;
type libevtx_chunks_table (line 40) | struct libevtx_chunks_table
FILE: libevtx/libevtx_codepage.h
type LIBEVTX_CODEPAGES (line 44) | enum LIBEVTX_CODEPAGES
type libevtx_codepage_t (line 87) | typedef struct libevtx_codepage libevtx_codepage_t;
type libevtx_codepage (line 89) | struct libevtx_codepage
FILE: libevtx/libevtx_debug.c
function libevtx_debug_print_file_flags (line 35) | void libevtx_debug_print_file_flags(
function libevtx_debug_print_value_type (line 52) | void libevtx_debug_print_value_type(
function libevtx_debug_print_read_offsets (line 182) | int libevtx_debug_print_read_offsets(
FILE: libevtx/libevtx_error.c
function libevtx_error_free (line 33) | void libevtx_error_free(
function libevtx_error_fprint (line 43) | int libevtx_error_fprint(
function libevtx_error_sprint (line 60) | int libevtx_error_sprint(
function libevtx_error_backtrace_fprint (line 78) | int libevtx_error_backtrace_fprint(
function libevtx_error_backtrace_sprint (line 95) | int libevtx_error_backtrace_sprint(
FILE: libevtx/libevtx_file.c
function libevtx_file_initialize (line 48) | int libevtx_file_initialize(
function libevtx_file_free (line 155) | int libevtx_file_free(
function libevtx_file_signal_abort (line 218) | int libevtx_file_signal_abort(
function libevtx_file_open (line 257) | int libevtx_file_open(
function libevtx_file_open_wide (line 397) | int libevtx_file_open_wide(
function libevtx_file_open_file_io_handle (line 537) | int libevtx_file_open_file_io_handle(
function libevtx_file_close (line 676) | int libevtx_file_close(
function libevtx_file_open_read (line 849) | int libevtx_file_open_read(
function libevtx_file_is_corrupted (line 1567) | int libevtx_file_is_corrupted(
function libevtx_file_get_ascii_codepage (line 1608) | int libevtx_file_get_ascii_codepage(
function libevtx_file_set_ascii_codepage (line 1659) | int libevtx_file_set_ascii_codepage(
function libevtx_file_get_format_version (line 1724) | int libevtx_file_get_format_version(
function libevtx_file_get_version (line 1788) | int libevtx_file_get_version(
function libevtx_file_get_flags (line 1852) | int libevtx_file_get_flags(
function libevtx_file_get_number_of_records (line 1903) | int libevtx_file_get_number_of_records(
function libevtx_file_get_record (line 1944) | int libevtx_file_get_record(
function libevtx_file_get_record_by_index (line 2020) | int libevtx_file_get_record_by_index(
function libevtx_file_get_number_of_recovered_records (line 2096) | int libevtx_file_get_number_of_recovered_records(
function libevtx_file_get_recovered_record (line 2137) | int libevtx_file_get_recovered_record(
function libevtx_file_get_recovered_record_by_index (line 2213) | int libevtx_file_get_recovered_record_by_index(
FILE: libevtx/libevtx_file.h
type libevtx_internal_file_t (line 39) | typedef struct libevtx_internal_file libevtx_internal_file_t;
type libevtx_internal_file (line 41) | struct libevtx_internal_file
FILE: libevtx/libevtx_i18n.c
function libevtx_i18n_initialize (line 36) | int libevtx_i18n_initialize(
FILE: libevtx/libevtx_io_handle.c
function libevtx_io_handle_initialize (line 47) | int libevtx_io_handle_initialize(
function libevtx_io_handle_free (line 122) | int libevtx_io_handle_free(
function libevtx_io_handle_clear (line 153) | int libevtx_io_handle_clear(
function libevtx_io_handle_read_file_header (line 193) | int libevtx_io_handle_read_file_header(
function libevtx_io_handle_read_chunk (line 504) | int libevtx_io_handle_read_chunk(
FILE: libevtx/libevtx_io_handle.h
type libevtx_io_handle_t (line 38) | typedef struct libevtx_io_handle libevtx_io_handle_t;
type libevtx_io_handle (line 40) | struct libevtx_io_handle
FILE: libevtx/libevtx_notify.c
function libevtx_notify_set_verbose (line 38) | void libevtx_notify_set_verbose(
function libevtx_notify_set_stream (line 48) | int libevtx_notify_set_stream(
function libevtx_notify_stream_open (line 74) | int libevtx_notify_stream_open(
function libevtx_notify_stream_close (line 99) | int libevtx_notify_stream_close(
FILE: libevtx/libevtx_record.c
function libevtx_record_initialize (line 37) | int libevtx_record_initialize(
function libevtx_record_free (line 188) | int libevtx_record_free(
function libevtx_record_get_offset (line 254) | int libevtx_record_get_offset(
function libevtx_record_get_identifier (line 305) | int libevtx_record_get_identifier(
function libevtx_record_get_creation_time (line 356) | int libevtx_record_get_creation_time(
function libevtx_record_get_written_time (line 400) | int libevtx_record_get_written_time(
function libevtx_record_get_event_identifier (line 441) | int libevtx_record_get_event_identifier(
function libevtx_record_get_event_identifier_qualifiers (line 482) | int libevtx_record_get_event_identifier_qualifiers(
function libevtx_record_get_event_version (line 526) | int libevtx_record_get_event_version(
function libevtx_record_get_event_level (line 570) | int libevtx_record_get_event_level(
function libevtx_record_get_utf8_provider_identifier_size (line 612) | int libevtx_record_get_utf8_provider_identifier_size(
function libevtx_record_get_utf8_provider_identifier (line 657) | int libevtx_record_get_utf8_provider_identifier(
function libevtx_record_get_utf16_provider_identifier_size (line 704) | int libevtx_record_get_utf16_provider_identifier_size(
function libevtx_record_get_utf16_provider_identifier (line 749) | int libevtx_record_get_utf16_provider_identifier(
function libevtx_record_get_utf8_source_name_size (line 796) | int libevtx_record_get_utf8_source_name_size(
function libevtx_record_get_utf8_source_name (line 841) | int libevtx_record_get_utf8_source_name(
function libevtx_record_get_utf16_source_name_size (line 888) | int libevtx_record_get_utf16_source_name_size(
function libevtx_record_get_utf16_source_name (line 933) | int libevtx_record_get_utf16_source_name(
function libevtx_record_get_utf8_channel_name_size (line 980) | int libevtx_record_get_utf8_channel_name_size(
function libevtx_record_get_utf8_channel_name (line 1025) | int libevtx_record_get_utf8_channel_name(
function libevtx_record_get_utf16_channel_name_size (line 1072) | int libevtx_record_get_utf16_channel_name_size(
function libevtx_record_get_utf16_channel_name (line 1117) | int libevtx_record_get_utf16_channel_name(
function libevtx_record_get_utf8_computer_name_size (line 1164) | int libevtx_record_get_utf8_computer_name_size(
function libevtx_record_get_utf8_computer_name (line 1209) | int libevtx_record_get_utf8_computer_name(
function libevtx_record_get_utf16_computer_name_size (line 1256) | int libevtx_record_get_utf16_computer_name_size(
function libevtx_record_get_utf16_computer_name (line 1301) | int libevtx_record_get_utf16_computer_name(
function libevtx_record_get_utf8_user_security_identifier_size (line 1348) | int libevtx_record_get_utf8_user_security_identifier_size(
function libevtx_record_get_utf8_user_security_identifier (line 1393) | int libevtx_record_get_utf8_user_security_identifier(
function libevtx_record_get_utf16_user_security_identifier_size (line 1440) | int libevtx_record_get_utf16_user_security_identifier_size(
function libevtx_record_get_utf16_user_security_identifier (line 1485) | int libevtx_record_get_utf16_user_security_identifier(
function libevtx_record_parse_data_with_template_definition (line 1533) | int libevtx_record_parse_data_with_template_definition(
function libevtx_record_get_number_of_strings (line 1589) | int libevtx_record_get_number_of_strings(
function libevtx_record_get_utf8_string_size (line 1632) | int libevtx_record_get_utf8_string_size(
function libevtx_record_get_utf8_string (line 1678) | int libevtx_record_get_utf8_string(
function libevtx_record_get_utf16_string_size (line 1726) | int libevtx_record_get_utf16_string_size(
function libevtx_record_get_utf16_string (line 1772) | int libevtx_record_get_utf16_string(
function libevtx_record_get_data_size (line 1819) | int libevtx_record_get_data_size(
function libevtx_record_get_data (line 1864) | int libevtx_record_get_data(
function libevtx_record_get_utf8_xml_string_size (line 1912) | int libevtx_record_get_utf8_xml_string_size(
function libevtx_record_get_utf8_xml_string (line 1954) | int libevtx_record_get_utf8_xml_string(
function libevtx_record_get_utf16_xml_string_size (line 1998) | int libevtx_record_get_utf16_xml_string_size(
function libevtx_record_get_utf16_xml_string (line 2040) | int libevtx_record_get_utf16_xml_string(
FILE: libevtx/libevtx_record.h
type libevtx_internal_record_t (line 39) | typedef struct libevtx_internal_record libevtx_internal_record_t;
type libevtx_internal_record (line 41) | struct libevtx_internal_record
FILE: libevtx/libevtx_record_values.c
function libevtx_record_values_initialize (line 45) | int libevtx_record_values_initialize(
function libevtx_record_values_free (line 117) | int libevtx_record_values_free(
function libevtx_record_values_clone (line 198) | int libevtx_record_values_clone(
function libevtx_record_values_read_header (line 290) | int libevtx_record_values_read_header(
function libevtx_record_values_read_xml_document (line 591) | int libevtx_record_values_read_xml_document(
function libevtx_record_values_get_event_identifier (line 779) | int libevtx_record_values_get_event_identifier(
function libevtx_record_values_get_event_identifier_qualifiers (line 894) | int libevtx_record_values_get_event_identifier_qualifiers(
function libevtx_record_values_get_event_version (line 1036) | int libevtx_record_values_get_event_version(
function libevtx_record_values_get_creation_time (line 1165) | int libevtx_record_values_get_creation_time(
function libevtx_record_values_get_written_time (line 1324) | int libevtx_record_values_get_written_time(
function libevtx_record_values_get_event_level (line 1372) | int libevtx_record_values_get_event_level(
function libevtx_record_values_get_utf8_provider_identifier_size (line 1488) | int libevtx_record_values_get_utf8_provider_identifier_size(
function libevtx_record_values_get_utf8_provider_identifier (line 1650) | int libevtx_record_values_get_utf8_provider_identifier(
function libevtx_record_values_get_utf16_provider_identifier_size (line 1814) | int libevtx_record_values_get_utf16_provider_identifier_size(
function libevtx_record_values_get_utf16_provider_identifier (line 1976) | int libevtx_record_values_get_utf16_provider_identifier(
function libevtx_record_values_get_utf8_source_name_size (line 2140) | int libevtx_record_values_get_utf8_source_name_size(
function libevtx_record_values_get_utf8_source_name (line 2323) | int libevtx_record_values_get_utf8_source_name(
function libevtx_record_values_get_utf16_source_name_size (line 2508) | int libevtx_record_values_get_utf16_source_name_size(
function libevtx_record_values_get_utf16_source_name (line 2691) | int libevtx_record_values_get_utf16_source_name(
function libevtx_record_values_get_utf8_channel_name_size (line 2876) | int libevtx_record_values_get_utf8_channel_name_size(
function libevtx_record_values_get_utf8_channel_name (line 3013) | int libevtx_record_values_get_utf8_channel_name(
function libevtx_record_values_get_utf16_channel_name_size (line 3152) | int libevtx_record_values_get_utf16_channel_name_size(
function libevtx_record_values_get_utf16_channel_name (line 3289) | int libevtx_record_values_get_utf16_channel_name(
function libevtx_record_values_get_utf8_computer_name_size (line 3428) | int libevtx_record_values_get_utf8_computer_name_size(
function libevtx_record_values_get_utf8_computer_name (line 3565) | int libevtx_record_values_get_utf8_computer_name(
function libevtx_record_values_get_utf16_computer_name_size (line 3704) | int libevtx_record_values_get_utf16_computer_name_size(
function libevtx_record_values_get_utf16_computer_name (line 3841) | int libevtx_record_values_get_utf16_computer_name(
function libevtx_record_values_get_utf8_user_security_identifier_size (line 3980) | int libevtx_record_values_get_utf8_user_security_identifier_size(
function libevtx_record_values_get_utf8_user_security_identifier (line 4140) | int libevtx_record_values_get_utf8_user_security_identifier(
function libevtx_record_values_get_utf16_user_security_identifier_size (line 4302) | int libevtx_record_values_get_utf16_user_security_identifier_size(
function libevtx_record_values_get_utf16_user_security_identifier (line 4462) | int libevtx_record_values_get_utf16_user_security_identifier(
function libevtx_record_values_parse_data_xml_tag_by_template (line 4623) | int libevtx_record_values_parse_data_xml_tag_by_template(
function libevtx_record_values_parse_data (line 5056) | int libevtx_record_values_parse_data(
function libevtx_record_values_get_number_of_strings (line 5354) | int libevtx_record_values_get_number_of_strings(
function libevtx_record_values_get_utf8_string_size (line 5423) | int libevtx_record_values_get_utf8_string_size(
function libevtx_record_values_get_utf8_string (line 5528) | int libevtx_record_values_get_utf8_string(
function libevtx_record_values_get_utf16_string_size (line 5634) | int libevtx_record_values_get_utf16_string_size(
function libevtx_record_values_get_utf16_string (line 5739) | int libevtx_record_values_get_utf16_string(
function libevtx_record_values_get_data_size (line 5844) | int libevtx_record_values_get_data_size(
function libevtx_record_values_get_data (line 5999) | int libevtx_record_values_get_data(
function libevtx_record_values_get_utf8_xml_string_size (line 6157) | int libevtx_record_values_get_utf8_xml_string_size(
function libevtx_record_values_get_utf8_xml_string (line 6196) | int libevtx_record_values_get_utf8_xml_string(
function libevtx_record_values_get_utf16_xml_string_size (line 6237) | int libevtx_record_values_get_utf16_xml_string_size(
function libevtx_record_values_get_utf16_xml_string (line 6276) | int libevtx_record_values_get_utf16_xml_string(
FILE: libevtx/libevtx_record_values.h
type libevtx_record_values_t (line 41) | typedef struct libevtx_record_values libevtx_record_values_t;
type libevtx_record_values (line 43) | struct libevtx_record_values
FILE: libevtx/libevtx_support.c
function libevtx_get_access_flags_read (line 47) | int libevtx_get_access_flags_read(
function libevtx_get_codepage (line 57) | int libevtx_get_codepage(
function libevtx_set_codepage (line 83) | int libevtx_set_codepage(
function libevtx_check_file_signature (line 110) | int libevtx_check_file_signature(
function libevtx_check_file_signature_wide (line 217) | int libevtx_check_file_signature_wide(
function libevtx_check_file_signature_file_io_handle (line 324) | int libevtx_check_file_signature_file_io_handle(
FILE: libevtx/libevtx_template_definition.c
function libevtx_template_definition_initialize (line 37) | int libevtx_template_definition_initialize(
function libevtx_template_definition_free (line 123) | int libevtx_template_definition_free(
function libevtx_template_definition_set_data (line 185) | int libevtx_template_definition_set_data(
function libevtx_template_definition_read (line 243) | int libevtx_template_definition_read(
FILE: libevtx/libevtx_template_definition.h
type libevtx_internal_template_definition_t (line 39) | typedef struct libevtx_internal_template_definition libevtx_internal_tem...
type libevtx_internal_template_definition (line 41) | struct libevtx_internal_template_definition
FILE: libevtx/libevtx_types.h
type libevtx_file_t (line 37) | typedef struct libevtx_file {} libevtx_file_t;
type libevtx_record_t (line 38) | typedef struct libevtx_record {} libevtx_record_t;
type libevtx_template_definition_t (line 39) | typedef struct libevtx_template_definition {} libevtx_template_definitio...
type libevtx_file_t (line 42) | typedef intptr_t libevtx_file_t;
type libevtx_record_t (line 43) | typedef intptr_t libevtx_record_t;
type libevtx_template_definition_t (line 44) | typedef intptr_t libevtx_template_definition_t;
type libevtx_aligned_t (line 53) | typedef unsigned long int libevtx_aligned_t;
FILE: ossfuzz/file_fuzzer.cc
function LLVMFuzzerTestOneInput (line 46) | int LLVMFuzzerTestOneInput(
FILE: ossfuzz/record_fuzzer.cc
function LLVMFuzzerTestOneInput (line 46) | int LLVMFuzzerTestOneInput(
FILE: pyevtx/pyevtx.c
function if (line 149) | PYEVTX_UNREFERENCED_PARAMETER( self )
function Py_END_ALLOW_THREADS (line 300) | Py_END_ALLOW_THREADS
function if (line 350) | PYEVTX_UNREFERENCED_PARAMETER( self )
function Py_END_ALLOW_THREADS (line 383) | Py_END_ALLOW_THREADS
function PyMODINIT_FUNC (line 567) | PyMODINIT_FUNC PyInit_pyevtx(
FILE: pyevtx/pyevtx_datetime.c
function PyObject (line 34) | PyObject *pyevtx_datetime_new_from_time_elements(
function PyObject (line 174) | PyObject *pyevtx_datetime_new_from_fat_date_time(
function PyObject (line 291) | PyObject *pyevtx_datetime_new_from_filetime(
function PyObject (line 350) | PyObject *pyevtx_datetime_new_from_floatingtime(
function PyObject (line 530) | PyObject *pyevtx_datetime_new_from_hfs_time(
function PyObject (line 583) | PyObject *pyevtx_datetime_new_from_posix_time(
function PyObject (line 636) | PyObject *pyevtx_datetime_new_from_posix_time_in_micro_seconds(
FILE: pyevtx/pyevtx_error.c
function VARARGS (line 59) | void VARARGS(
function VARARGS (line 201) | void VARARGS(
function VARARGS (line 330) | void VARARGS(
FILE: pyevtx/pyevtx_event_levels.c
function pyevtx_event_levels_init_type (line 132) | int pyevtx_event_levels_init_type(
function PyObject (line 233) | PyObject *pyevtx_event_levels_new(
function pyevtx_event_levels_init (line 276) | int pyevtx_event_levels_init(
function pyevtx_event_levels_free (line 295) | void pyevtx_event_levels_free(
FILE: pyevtx/pyevtx_event_levels.h
type pyevtx_event_levels_t (line 35) | typedef struct pyevtx_event_levels pyevtx_event_levels_t;
FILE: pyevtx/pyevtx_file.c
function pyevtx_file_init (line 285) | int pyevtx_file_init(
function pyevtx_file_free (line 325) | void pyevtx_file_free(
function PyObject (line 401) | PyObject *pyevtx_file_signal_abort(
function PyObject (line 450) | PyObject *pyevtx_file_open(
function PyObject (line 667) | PyObject *pyevtx_file_open_file_object(
function PyObject (line 806) | PyObject *pyevtx_file_close(
function PyObject (line 879) | PyObject *pyevtx_file_is_corrupted(
function PyObject (line 935) | PyObject *pyevtx_file_get_ascii_codepage(
function pyevtx_file_set_ascii_codepage_from_string (line 1014) | int pyevtx_file_set_ascii_codepage_from_string(
function PyObject (line 1094) | PyObject *pyevtx_file_set_ascii_codepage(
function pyevtx_file_set_ascii_codepage_setter (line 1129) | int pyevtx_file_set_ascii_codepage_setter(
function PyObject (line 1247) | PyObject *pyevtx_file_get_format_version(
function PyObject (line 1340) | PyObject *pyevtx_file_get_number_of_records(
function PyObject (line 1396) | PyObject *pyevtx_file_get_record_by_index(
function PyObject (line 1467) | PyObject *pyevtx_file_get_record(
function PyObject (line 1495) | PyObject *pyevtx_file_get_records(
function PyObject (line 1559) | PyObject *pyevtx_file_get_number_of_recovered_records(
function PyObject (line 1615) | PyObject *pyevtx_file_get_recovered_record_by_index(
function PyObject (line 1686) | PyObject *pyevtx_file_get_recovered_record(
function PyObject (line 1714) | PyObject *pyevtx_file_get_recovered_records(
FILE: pyevtx/pyevtx_file.h
type pyevtx_file_t (line 36) | typedef struct pyevtx_file pyevtx_file_t;
type pyevtx_file (line 38) | struct pyevtx_file
FILE: pyevtx/pyevtx_file_flags.c
function pyevtx_file_flags_init_type (line 132) | int pyevtx_file_flags_init_type(
function PyObject (line 191) | PyObject *pyevtx_file_flags_new(
function pyevtx_file_flags_init (line 234) | int pyevtx_file_flags_init(
function pyevtx_file_flags_free (line 253) | void pyevtx_file_flags_free(
FILE: pyevtx/pyevtx_file_flags.h
type pyevtx_file_flags_t (line 35) | typedef struct pyevtx_file_flags pyevtx_file_flags_t;
FILE: pyevtx/pyevtx_file_object_io_handle.c
function pyevtx_file_object_io_handle_initialize (line 37) | int pyevtx_file_object_io_handle_initialize(
function pyevtx_file_object_initialize (line 126) | int pyevtx_file_object_initialize(
function pyevtx_file_object_io_handle_free (line 210) | int pyevtx_file_object_io_handle_free(
function pyevtx_file_object_io_handle_clone (line 249) | int pyevtx_file_object_io_handle_clone(
function pyevtx_file_object_io_handle_open (line 315) | int pyevtx_file_object_io_handle_open(
function pyevtx_file_object_io_handle_close (line 377) | int pyevtx_file_object_io_handle_close(
function pyevtx_file_object_read_buffer (line 416) | ssize_t pyevtx_file_object_read_buffer(
function pyevtx_file_object_io_handle_read (line 619) | ssize_t pyevtx_file_object_io_handle_read(
function pyevtx_file_object_write_buffer (line 675) | ssize_t pyevtx_file_object_write_buffer(
function pyevtx_file_object_io_handle_write (line 804) | ssize_t pyevtx_file_object_io_handle_write(
function pyevtx_file_object_seek_offset (line 860) | int pyevtx_file_object_seek_offset(
function pyevtx_file_object_get_offset (line 1005) | int pyevtx_file_object_get_offset(
function off64_t (line 1135) | off64_t pyevtx_file_object_io_handle_seek_offset(
function pyevtx_file_object_io_handle_exists (line 1201) | int pyevtx_file_object_io_handle_exists(
function pyevtx_file_object_io_handle_is_open (line 1228) | int pyevtx_file_object_io_handle_is_open(
function pyevtx_file_object_get_size (line 1265) | int pyevtx_file_object_get_size(
function pyevtx_file_object_io_handle_get_size (line 1371) | int pyevtx_file_object_io_handle_get_size(
FILE: pyevtx/pyevtx_file_object_io_handle.h
type pyevtx_file_object_io_handle_t (line 36) | typedef struct pyevtx_file_object_io_handle pyevtx_file_object_io_handle_t;
type pyevtx_file_object_io_handle (line 38) | struct pyevtx_file_object_io_handle
FILE: pyevtx/pyevtx_integer.c
function PyObject (line 33) | PyObject *pyevtx_integer_signed_new_from_64bit(
function PyObject (line 71) | PyObject *pyevtx_integer_unsigned_new_from_64bit(
function pyevtx_integer_signed_copy_to_64bit (line 108) | int pyevtx_integer_signed_copy_to_64bit(
function pyevtx_integer_unsigned_copy_to_64bit (line 249) | int pyevtx_integer_unsigned_copy_to_64bit(
FILE: pyevtx/pyevtx_record.c
function PyObject (line 384) | PyObject *pyevtx_record_new(
function pyevtx_record_init (line 443) | int pyevtx_record_init(
function pyevtx_record_free (line 466) | void pyevtx_record_free(
function PyObject (line 544) | PyObject *pyevtx_record_get_offset(
function PyObject (line 603) | PyObject *pyevtx_record_get_identifier(
function PyObject (line 655) | PyObject *pyevtx_record_get_creation_time(
function PyObject (line 714) | PyObject *pyevtx_record_get_creation_time_as_integer(
function PyObject (line 773) | PyObject *pyevtx_record_get_written_time(
function PyObject (line 832) | PyObject *pyevtx_record_get_written_time_as_integer(
function PyObject (line 891) | PyObject *pyevtx_record_get_event_identifier(
function PyObject (line 943) | PyObject *pyevtx_record_get_event_identifier_qualifiers(
function PyObject (line 1002) | PyObject *pyevtx_record_get_event_version(
function PyObject (line 1065) | PyObject *pyevtx_record_get_event_level(
function PyObject (line 1121) | PyObject *pyevtx_record_get_provider_identifier(
function PyObject (line 1242) | PyObject *pyevtx_record_get_source_name(
function PyObject (line 1363) | PyObject *pyevtx_record_get_channel_name(
function PyObject (line 1484) | PyObject *pyevtx_record_get_computer_name(
function PyObject (line 1605) | PyObject *pyevtx_record_get_user_security_identifier(
function PyObject (line 1726) | PyObject *pyevtx_record_get_number_of_strings(
function PyObject (line 1782) | PyObject *pyevtx_record_get_string_by_index(
function PyObject (line 1905) | PyObject *pyevtx_record_get_string(
function PyObject (line 1933) | PyObject *pyevtx_record_get_strings(
function PyObject (line 1996) | PyObject *pyevtx_record_get_data(
function PyObject (line 2120) | PyObject *pyevtx_record_get_xml_string(
FILE: pyevtx/pyevtx_record.h
type pyevtx_record_t (line 35) | typedef struct pyevtx_record pyevtx_record_t;
type pyevtx_record (line 37) | struct pyevtx_record
FILE: pyevtx/pyevtx_records.c
function PyObject (line 156) | PyObject *pyevtx_records_new(
function pyevtx_records_init (line 221) | int pyevtx_records_init(
function pyevtx_records_free (line 252) | void pyevtx_records_free(
function Py_ssize_t (line 299) | Py_ssize_t pyevtx_records_len(
function PyObject (line 318) | PyObject *pyevtx_records_getitem(
function PyObject (line 371) | PyObject *pyevtx_records_iter(
function PyObject (line 393) | PyObject *pyevtx_records_iternext(
FILE: pyevtx/pyevtx_records.h
type pyevtx_records_t (line 35) | typedef struct pyevtx_records pyevtx_records_t;
type pyevtx_records (line 37) | struct pyevtx_records
FILE: pyevtx/pyevtx_strings.c
function PyObject (line 155) | PyObject *pyevtx_strings_new(
function pyevtx_strings_init (line 220) | int pyevtx_strings_init(
function pyevtx_strings_free (line 251) | void pyevtx_strings_free(
function Py_ssize_t (line 298) | Py_ssize_t pyevtx_strings_len(
function PyObject (line 317) | PyObject *pyevtx_strings_getitem(
function PyObject (line 370) | PyObject *pyevtx_strings_iter(
function PyObject (line 392) | PyObject *pyevtx_strings_iternext(
FILE: pyevtx/pyevtx_strings.h
type pyevtx_strings_t (line 35) | typedef struct pyevtx_strings pyevtx_strings_t;
type pyevtx_strings (line 37) | struct pyevtx_strings
FILE: setup.py
class custom_build_ext (line 32) | class custom_build_ext(build_ext):
method _RunCommand (line 35) | def _RunCommand(self, command):
method build_extensions (line 52) | def build_extensions(self):
method run (line 57) | def run(self):
class custom_sdist (line 86) | class custom_sdist(sdist):
method run (line 89) | def run(self):
class ProjectInformation (line 166) | class ProjectInformation(object):
method __init__ (line 169) | def __init__(self):
method module_name (line 181) | def module_name(self):
method _ReadConfigureAc (line 185) | def _ReadConfigureAc(self):
method _ReadMakefileAm (line 209) | def _ReadMakefileAm(self):
FILE: tests/evtx_test_chunk.c
function evtx_test_chunk_initialize (line 43) | int evtx_test_chunk_initialize(
function evtx_test_chunk_free (line 238) | int evtx_test_chunk_free(
function evtx_test_chunk_get_number_of_records (line 276) | int evtx_test_chunk_get_number_of_records(
function evtx_test_chunk_get_number_of_recovered_records (line 399) | int evtx_test_chunk_get_number_of_recovered_records(
function main (line 528) | int main(
FILE: tests/evtx_test_chunks_table.c
function evtx_test_chunks_table_free (line 43) | int evtx_test_chunks_table_free(
function main (line 87) | int main(
FILE: tests/evtx_test_error.c
function evtx_test_error_free (line 37) | int evtx_test_error_free(
function evtx_test_error_fprint (line 51) | int evtx_test_error_fprint(
function evtx_test_error_sprint (line 66) | int evtx_test_error_sprint(
function evtx_test_error_backtrace_fprint (line 82) | int evtx_test_error_backtrace_fprint(
function evtx_test_error_backtrace_sprint (line 97) | int evtx_test_error_backtrace_sprint(
function main (line 117) | int main(
FILE: tests/evtx_test_file.c
function evtx_test_file_open_source (line 71) | int evtx_test_file_open_source(
function evtx_test_file_close_source (line 146) | int evtx_test_file_close_source(
function evtx_test_file_initialize (line 196) | int evtx_test_file_initialize(
function evtx_test_file_free (line 391) | int evtx_test_file_free(
function evtx_test_file_open (line 429) | int evtx_test_file_open(
function evtx_test_file_open_wide (line 606) | int evtx_test_file_open_wide(
function evtx_test_file_open_file_io_handle (line 783) | int evtx_test_file_open_file_io_handle(
function evtx_test_file_close (line 1008) | int evtx_test_file_close(
function evtx_test_file_open_close (line 1046) | int evtx_test_file_open_close(
function evtx_test_file_signal_abort (line 1187) | int evtx_test_file_signal_abort(
function evtx_test_file_get_ascii_codepage (line 1240) | int evtx_test_file_get_ascii_codepage(
function evtx_test_file_set_ascii_codepage (line 1313) | int evtx_test_file_set_ascii_codepage(
function evtx_test_file_get_flags (line 1451) | int evtx_test_file_get_flags(
function evtx_test_file_get_number_of_records (line 1524) | int evtx_test_file_get_number_of_records(
function evtx_test_file_get_record_by_index (line 1597) | int evtx_test_file_get_record_by_index(
function evtx_test_file_get_number_of_recovered_records (line 1744) | int evtx_test_file_get_number_of_recovered_records(
function evtx_test_file_get_recovered_record_by_index (line 1817) | int evtx_test_file_get_recovered_record_by_index(
function main (line 1965) | int main(
FILE: tests/evtx_test_functions.c
function evtx_test_get_narrow_source (line 41) | int evtx_test_get_narrow_source(
function evtx_test_get_wide_source (line 241) | int evtx_test_get_wide_source(
function evtx_test_open_file_io_handle (line 440) | int evtx_test_open_file_io_handle(
function evtx_test_close_file_io_handle (line 516) | int evtx_test_close_file_io_handle(
FILE: tests/evtx_test_getopt.c
function system_integer_t (line 59) | system_integer_t evtx_test_getopt(
FILE: tests/evtx_test_io_handle.c
function evtx_test_io_handle_initialize (line 43) | int evtx_test_io_handle_initialize(
function evtx_test_io_handle_free (line 238) | int evtx_test_io_handle_free(
function evtx_test_io_handle_clear (line 276) | int evtx_test_io_handle_clear(
function main (line 410) | int main(
FILE: tests/evtx_test_notify.c
function evtx_test_notify_set_verbose (line 38) | int evtx_test_notify_set_verbose(
function evtx_test_notify_set_stream (line 52) | int evtx_test_notify_set_stream(
function evtx_test_notify_stream_open (line 91) | int evtx_test_notify_stream_open(
function evtx_test_notify_stream_close (line 158) | int evtx_test_notify_stream_close(
function main (line 200) | int main(
FILE: tests/evtx_test_record.c
function evtx_test_record_free (line 41) | int evtx_test_record_free(
function main (line 83) | int main(
FILE: tests/evtx_test_record_values.c
function evtx_test_record_values_initialize (line 43) | int evtx_test_record_values_initialize(
function evtx_test_record_values_free (line 238) | int evtx_test_record_values_free(
function evtx_test_record_values_clone (line 276) | int evtx_test_record_values_clone(
function evtx_test_record_values_get_event_identifier (line 422) | int evtx_test_record_values_get_event_identifier(
function evtx_test_record_values_get_event_identifier_qualifiers (line 545) | int evtx_test_record_values_get_event_identifier_qualifiers(
function evtx_test_record_values_get_event_level (line 668) | int evtx_test_record_values_get_event_level(
function evtx_test_record_values_get_utf8_provider_identifier_size (line 791) | int evtx_test_record_values_get_utf8_provider_identifier_size(
function evtx_test_record_values_get_utf8_provider_identifier (line 914) | int evtx_test_record_values_get_utf8_provider_identifier(
function evtx_test_record_values_get_utf16_provider_identifier_size (line 1077) | int evtx_test_record_values_get_utf16_provider_identifier_size(
function evtx_test_record_values_get_utf16_provider_identifier (line 1200) | int evtx_test_record_values_get_utf16_provider_identifier(
function evtx_test_record_values_get_utf8_source_name_size (line 1363) | int evtx_test_record_values_get_utf8_source_name_size(
function evtx_test_record_values_get_utf8_source_name (line 1486) | int evtx_test_record_values_get_utf8_source_name(
function evtx_test_record_values_get_utf16_source_name_size (line 1649) | int evtx_test_record_values_get_utf16_source_name_size(
function evtx_test_record_values_get_utf16_source_name (line 1772) | int evtx_test_record_values_get_utf16_source_name(
function evtx_test_record_values_get_utf8_computer_name_size (line 1935) | int evtx_test_record_values_get_utf8_computer_name_size(
function evtx_test_record_values_get_utf8_computer_name (line 2058) | int evtx_test_record_values_get_utf8_computer_name(
function evtx_test_record_values_get_utf16_computer_name_size (line 2221) | int evtx_test_record_values_get_utf16_computer_name_size(
function evtx_test_record_values_get_utf16_computer_name (line 2344) | int evtx_test_record_values_get_utf16_computer_name(
function evtx_test_record_values_get_utf8_user_security_identifier_size (line 2507) | int evtx_test_record_values_get_utf8_user_security_identifier_size(
function evtx_test_record_values_get_utf8_user_security_identifier (line 2630) | int evtx_test_record_values_get_utf8_user_security_identifier(
function evtx_test_record_values_get_utf16_user_security_identifier_size (line 2793) | int evtx_test_record_values_get_utf16_user_security_identifier_size(
function evtx_test_record_values_get_utf16_user_security_identifier (line 2916) | int evtx_test_record_values_get_utf16_user_security_identifier(
function evtx_test_record_values_get_utf8_xml_string_size (line 3079) | int evtx_test_record_values_get_utf8_xml_string_size(
function evtx_test_record_values_get_utf8_xml_string (line 3202) | int evtx_test_record_values_get_utf8_xml_string(
function evtx_test_record_values_get_utf16_xml_string_size (line 3365) | int evtx_test_record_values_get_utf16_xml_string_size(
function evtx_test_record_values_get_utf16_xml_string (line 3488) | int evtx_test_record_values_get_utf16_xml_string(
function main (line 3657) | int main(
FILE: tests/evtx_test_support.c
function evtx_test_get_version (line 54) | int evtx_test_get_version(
function evtx_test_get_access_flags_read (line 81) | int evtx_test_get_access_flags_read(
function evtx_test_get_codepage (line 102) | int evtx_test_get_codepage(
function evtx_test_set_codepage (line 154) | int evtx_test_set_codepage(
function evtx_test_check_file_signature (line 205) | int evtx_test_check_file_signature(
function evtx_test_check_file_signature_wide (line 329) | int evtx_test_check_file_signature_wide(
function evtx_test_check_file_signature_file_io_handle (line 453) | int evtx_test_check_file_signature_file_io_handle(
FILE: tests/evtx_test_template_definition.c
function evtx_test_template_definition_initialize (line 39) | int evtx_test_template_definition_initialize(
function evtx_test_template_definition_free (line 234) | int evtx_test_template_definition_free(
function main (line 276) | int main(
FILE: tests/evtx_test_tools_info_handle.c
function evtx_test_tools_info_handle_initialize (line 41) | int evtx_test_tools_info_handle_initialize(
function evtx_test_tools_info_handle_free (line 236) | int evtx_test_tools_info_handle_free(
function main (line 278) | int main(
FILE: tests/evtx_test_tools_message_handle.c
function evtx_test_tools_message_handle_initialize (line 41) | int evtx_test_tools_message_handle_initialize(
function evtx_test_tools_message_handle_free (line 236) | int evtx_test_tools_message_handle_free(
function main (line 278) | int main(
FILE: tests/evtx_test_tools_message_string.c
function evtx_test_tools_message_string_initialize (line 41) | int evtx_test_tools_message_string_initialize(
function evtx_test_tools_message_string_free (line 241) | int evtx_test_tools_message_string_free(
function main (line 283) | int main(
FILE: tests/evtx_test_tools_output.c
function evtx_test_tools_output_initialize (line 45) | int evtx_test_tools_output_initialize(
function main (line 82) | int main(
FILE: tests/evtx_test_tools_path_handle.c
function evtx_test_tools_path_handle_initialize (line 41) | int evtx_test_tools_path_handle_initialize(
function evtx_test_tools_path_handle_free (line 236) | int evtx_test_tools_path_handle_free(
function main (line 278) | int main(
FILE: tests/evtx_test_tools_registry_file.c
function evtx_test_tools_registry_file_initialize (line 41) | int evtx_test_tools_registry_file_initialize(
function evtx_test_tools_registry_file_free (line 236) | int evtx_test_tools_registry_file_free(
function main (line 278) | int main(
FILE: tests/evtx_test_tools_resource_file.c
function evtx_test_tools_resource_file_initialize (line 41) | int evtx_test_tools_resource_file_initialize(
function evtx_test_tools_resource_file_free (line 241) | int evtx_test_tools_resource_file_free(
function main (line 283) | int main(
FILE: tests/evtx_test_tools_signal.c
function evtx_test_tools_signal_handler_function (line 36) | void evtx_test_tools_signal_handler_function(
function evtx_test_tools_signal_handler (line 47) | int evtx_test_tools_signal_handler(
function evtx_test_tools_signal_attach (line 87) | int evtx_test_tools_signal_attach(
function evtx_test_tools_signal_detach (line 140) | int evtx_test_tools_signal_detach(
function main (line 178) | int main(
FILE: tests/pyevtx_test_file.py
class FileTypeTests (line 30) | class FileTypeTests(unittest.TestCase):
method test_signal_abort (line 33) | def test_signal_abort(self):
method test_open (line 39) | def test_open(self):
method test_open_file_object (line 60) | def test_open_file_object(self):
method test_close (line 86) | def test_close(self):
method test_open_close (line 97) | def test_open_close(self):
method test_set_ascii_codepage (line 129) | def test_set_ascii_codepage(self):
method test_get_ascii_codepage (line 151) | def test_get_ascii_codepage(self):
method test_get_number_of_records (line 168) | def test_get_number_of_records(self):
method test_get_number_of_recovered_records (line 185) | def test_get_number_of_recovered_records(self):
FILE: tests/pyevtx_test_support.py
class SupportFunctionsTests (line 30) | class SupportFunctionsTests(unittest.TestCase):
method test_get_version (line 33) | def test_get_version(self):
method test_check_file_signature (line 38) | def test_check_file_signature(self):
method test_check_file_signature_file_object (line 47) | def test_check_file_signature_file_object(self):
method test_open (line 60) | def test_open(self):
method test_open_file_object (line 77) | def test_open_file_object(self):
FILE: tests/runtests.py
function ReadIgnoreList (line 18) | def ReadIgnoreList(test_profile):
Condensed preview — 333 files, each showing path, character count, and a content snippet. Download the .json file or copy for the full structured content (2,578K chars).
[
{
"path": ".codecov.yml",
"chars": 556,
"preview": "coverage:\n precision: 2\n round: down\n range: 70...100\n status:\n project: true\n patch: true\n changes: false\n"
},
{
"path": ".github/workflows/build.yml",
"chars": 5308,
"preview": "# Build from source.\nname: build\non: [push, pull_request]\npermissions: read-all\njobs:\n build_ubuntu:\n runs-on: ubunt"
},
{
"path": ".github/workflows/build_freebsd.yml",
"chars": 534,
"preview": "# Build from source on FreeBSD.\nname: build_freebsd\non: [push]\npermissions: read-all\njobs:\n build_freebsd:\n runs-on:"
},
{
"path": ".github/workflows/build_macos.yml",
"chars": 1029,
"preview": "# Build from source.\nname: build_macos\non: [push, pull_request]\npermissions: read-all\njobs:\n build_macos:\n runs-on: "
},
{
"path": ".github/workflows/build_ossfuzz.yml",
"chars": 1187,
"preview": "# Build OSSFuzz fuzz targets from source.\nname: build_ossfuzz\non:\n push:\n branches: [main]\npermissions: read-all\njob"
},
{
"path": ".github/workflows/build_shared.yml",
"chars": 1049,
"preview": "# Build from source with libyal dependencies as shared libraries.\nname: build_shared\non:\n push:\n branches: [main]\npe"
},
{
"path": ".github/workflows/build_wheel.yml",
"chars": 2720,
"preview": "# Build Python wheels from source using cibuildwheel.\nname: build_wheels\non: [push, pull_request]\npermissions: read-all\n"
},
{
"path": ".gitignore",
"chars": 2725,
"preview": "# Files to ignore by git\n#\n# Version: 20231119\n\n# Generic auto-generated build files\n*~\n*.a\n*.gcda\n*.gcno\n*.gcov\n*.la\n*."
},
{
"path": "AUTHORS",
"chars": 91,
"preview": "Acknowledgements: libevtx\n\nCopyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n\n"
},
{
"path": "COPYING",
"chars": 35149,
"preview": " GNU GENERAL PUBLIC LICENSE\n Version 3, 29 June 2007\n\n Copyright (C) 2007 Free "
},
{
"path": "COPYING.LESSER",
"chars": 7652,
"preview": " GNU LESSER GENERAL PUBLIC LICENSE\n Version 3, 29 June 2007\n\n Copyright (C) 2007"
},
{
"path": "ChangeLog",
"chars": 2684,
"preview": "TODO\n* add parameter expansion support\n* evtxexport:\n - add add support for .mui files in the same directory\n - export"
},
{
"path": "Makefile.am",
"chars": 2327,
"preview": "ACLOCAL_AMFLAGS = -I m4\n\nSUBDIRS = \\\n\tinclude \\\n\tcommon \\\n\tlibcerror \\\n\tlibcthreads \\\n\tlibcdata \\\n\tlibclocale \\\n\tlibcnot"
},
{
"path": "NEWS",
"chars": 0,
"preview": ""
},
{
"path": "README",
"chars": 341,
"preview": "libevtx is a library to access the Windows XML Event Log (EVTX) format.\n\nProject information:\n\n* Status: alpha\n* Licence"
},
{
"path": "acinclude.m4",
"chars": 1764,
"preview": "dnl Checks for required headers and functions\ndnl\ndnl Version: 20200713\n\ndnl Function to detect if libevtx dependencies "
},
{
"path": "appveyor.yml",
"chars": 9908,
"preview": "environment:\n matrix:\n - TARGET: vs2008\n BUILD_ENVIRONMENT: msbuild\n APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio "
},
{
"path": "autogen.ps1",
"chars": 3128,
"preview": "# Script to generate the necessary files for a msvscpp build\n#\n# Version: 20241014\n\n$WinFlex = \"..\\win_flex_bison\\win_fl"
},
{
"path": "autogen.sh",
"chars": 3265,
"preview": "#!/bin/sh\n# Script to generate configure and Makefile using the autotools.\n#\n# Version: 20241013\n\nEXIT_SUCCESS=0;\nEXIT_F"
},
{
"path": "build.ps1",
"chars": 5525,
"preview": "# Script that builds libevtx\n#\n# Version: 20251125\n\nParam (\n\t[string]$Configuration = ${Env:Configuration},\n\t[string]$Pl"
},
{
"path": "common/Makefile.am",
"chars": 343,
"preview": "AM_CPPFLAGS = \\\n\t-I../include -I$(top_srcdir)/include\n\nEXTRA_DIST = \\\n\tbyte_stream.h \\\n\tcommon.h \\\n\tconfig.h \\\n\tconfig_b"
},
{
"path": "common/byte_stream.h",
"chars": 10437,
"preview": "/*\n * Byte stream functions\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AUTHORS "
},
{
"path": "common/common.h",
"chars": 1250,
"preview": "/*\n * Common include file\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AUTHORS fo"
},
{
"path": "common/config_borlandc.h",
"chars": 957,
"preview": "/*\n * Configuration for the Borland/CodeGear C++ Builder compiler\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.m"
},
{
"path": "common/config_msc.h",
"chars": 1157,
"preview": "/*\n * Configuration for the Microsoft Visual Studio C++ compiler\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.me"
},
{
"path": "common/config_winapi.h",
"chars": 2382,
"preview": "/*\n * Configuration file for WINAPI\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to "
},
{
"path": "common/file_stream.h",
"chars": 3878,
"preview": "/*\n * FILE stream functions\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AUTHORS "
},
{
"path": "common/memory.h",
"chars": 3259,
"preview": "/*\n * Memory functions\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AUTHORS for a"
},
{
"path": "common/narrow_string.h",
"chars": 5419,
"preview": "/*\n * Narrow character string functions\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer"
},
{
"path": "common/system_string.h",
"chars": 4611,
"preview": "/*\n * System character string functions\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer"
},
{
"path": "common/types.h.in",
"chars": 7375,
"preview": "/*\n * Type and type-support definitions\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer"
},
{
"path": "common/wide_string.h",
"chars": 5064,
"preview": "/*\n * Wide character string functions\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer t"
},
{
"path": "configure.ac",
"chars": 9129,
"preview": "AC_PREREQ([2.71])\n\nAC_INIT(\n [libevtx],\n [20251215],\n [joachim.metz@gmail.com])\n\nAC_CONFIG_SRCDIR(\n [include/libevtx"
},
{
"path": "documentation/Windows XML Event Log (EVTX).asciidoc",
"chars": 93074,
"preview": "= Windows XML Event Log (EVTX) format\nAnalysis of EVTX\n\n:toc:\n:toclevels: 4\n\n:numbered!:\n[abstract]\n== Summary\n\nThe Wind"
},
{
"path": "dpkg/changelog.in",
"chars": 120,
"preview": "libevtx (@VERSION@-1) unstable; urgency=low\n\n * Auto-generated\n\n -- Joachim Metz <joachim.metz@gmail.com> @DPKG_DATE@\n"
},
{
"path": "dpkg/compat",
"chars": 3,
"preview": "10\n"
},
{
"path": "dpkg/control",
"chars": 2089,
"preview": "Source: libevtx\nPriority: extra\nMaintainer: Joachim Metz <joachim.metz@gmail.com>\nBuild-Depends: debhelper (>= 9), dh-au"
},
{
"path": "dpkg/copyright",
"chars": 1024,
"preview": "Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/\nUpstream-Name: libevtx\nSource: https://github."
},
{
"path": "dpkg/libevtx-dev.install",
"chars": 96,
"preview": "usr/include/*\nusr/lib/*-*/lib*.a\nusr/lib/*-*/lib*.so\nusr/lib/*-*/pkgconfig/*\nusr/share/man/man3\n"
},
{
"path": "dpkg/libevtx-python3.install",
"chars": 18,
"preview": "/usr/lib/python3*\n"
},
{
"path": "dpkg/libevtx-tools.install",
"chars": 27,
"preview": "usr/bin\nusr/share/man/man1\n"
},
{
"path": "dpkg/libevtx.install",
"chars": 22,
"preview": "usr/lib/*-*/lib*.so.*\n"
},
{
"path": "dpkg/rules",
"chars": 761,
"preview": "#!/usr/bin/make -f\n# -*- makefile -*-\n\n# Uncomment for debhelper verbose output.\n# export DH_VERBOSE=1\n\nexport SKIP_PYTH"
},
{
"path": "dpkg/source/format",
"chars": 12,
"preview": "3.0 (quilt)\n"
},
{
"path": "dtfabric.yaml",
"chars": 1316,
"preview": "name: evtx\ntype: format\ndescription: Windows XML Event Log (EVTX) format\nurls: [\"https://github.com/libyal/libevtx/blob/"
},
{
"path": "evtxtools/Makefile.am",
"chars": 3313,
"preview": "AM_CPPFLAGS = \\\n\t-I../include -I$(top_srcdir)/include \\\n\t-I../common -I$(top_srcdir)/common \\\n\t@LIBCERROR_CPPFLAGS@ \\\n\t@"
},
{
"path": "evtxtools/evtxexport.c",
"chars": 14223,
"preview": "/*\n * Extracts items from a Windows XML Event Viewer Log (EVTX) file\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachi"
},
{
"path": "evtxtools/evtxinfo.c",
"chars": 7181,
"preview": "/*\n * Shows information obtained from a Windows XML Event Viewer Log (EVTX) file\n *\n * Copyright (C) 2011-2025, Joachim "
},
{
"path": "evtxtools/evtxinput.c",
"chars": 6105,
"preview": "/*\n * Common input functions for the evtxtools\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n "
},
{
"path": "evtxtools/evtxinput.h",
"chars": 1776,
"preview": "/*\n * Common input functions for the evtxtools\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n "
},
{
"path": "evtxtools/evtxtools_getopt.c",
"chars": 4531,
"preview": "/*\n * GetOpt functions\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AUTHORS for a"
},
{
"path": "evtxtools/evtxtools_getopt.h",
"chars": 1808,
"preview": "/*\n * GetOpt functions\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AUTHORS for a"
},
{
"path": "evtxtools/evtxtools_i18n.h",
"chars": 1210,
"preview": "/*\n * Internationalization (i18n) functions\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * R"
},
{
"path": "evtxtools/evtxtools_libbfio.h",
"chars": 1745,
"preview": "/*\n * The libbfio header wrapper\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AUT"
},
{
"path": "evtxtools/evtxtools_libcdirectory.h",
"chars": 1432,
"preview": "/*\n * The internal libcdirectory header\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer"
},
{
"path": "evtxtools/evtxtools_libcerror.h",
"chars": 1480,
"preview": "/*\n * The libcerror header wrapper\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to A"
},
{
"path": "evtxtools/evtxtools_libclocale.h",
"chars": 1501,
"preview": "/*\n * The libclocale header wrapper\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to "
},
{
"path": "evtxtools/evtxtools_libcnotify.h",
"chars": 1498,
"preview": "/*\n * The libcnotify header wrapper\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to "
},
{
"path": "evtxtools/evtxtools_libcpath.h",
"chars": 1406,
"preview": "/*\n * The libcpath header wrapper\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AU"
},
{
"path": "evtxtools/evtxtools_libcsplit.h",
"chars": 1460,
"preview": "/*\n * The internal libcsplit header\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to "
},
{
"path": "evtxtools/evtxtools_libevtx.h",
"chars": 973,
"preview": "/*\n * The libevtx header wrapper\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AUT"
},
{
"path": "evtxtools/evtxtools_libexe.h",
"chars": 1320,
"preview": "/*\n * The libexe header wrapper\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AUTH"
},
{
"path": "evtxtools/evtxtools_libfcache.h",
"chars": 1483,
"preview": "/*\n * The libfcache header wrapper\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to A"
},
{
"path": "evtxtools/evtxtools_libfdatetime.h",
"chars": 1768,
"preview": "/*\n * The libfdatetime header wrapper\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer t"
},
{
"path": "evtxtools/evtxtools_libfguid.h",
"chars": 1440,
"preview": "/*\n * The libfguid header wrapper\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AU"
},
{
"path": "evtxtools/evtxtools_libfvalue.h",
"chars": 1759,
"preview": "/*\n * The libfvalue header wrapper\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to A"
},
{
"path": "evtxtools/evtxtools_libfwevt.h",
"chars": 1797,
"preview": "/*\n * The libfwevt header wrapper\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AU"
},
{
"path": "evtxtools/evtxtools_libfwnt.h",
"chars": 1745,
"preview": "/*\n * The libfwnt header wrapper\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AUT"
},
{
"path": "evtxtools/evtxtools_libregf.h",
"chars": 1387,
"preview": "/*\n * The libregf header wrapper\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AUT"
},
{
"path": "evtxtools/evtxtools_libuna.h",
"chars": 1778,
"preview": "/*\n * The libuna header wrapper\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AUTH"
},
{
"path": "evtxtools/evtxtools_libwrc.h",
"chars": 1635,
"preview": "/*\n * The libwrc header wrapper\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AUTH"
},
{
"path": "evtxtools/evtxtools_output.c",
"chars": 4323,
"preview": "/*\n * Common output functions for the evtxtools\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n"
},
{
"path": "evtxtools/evtxtools_output.h",
"chars": 1445,
"preview": "/*\n * Common output functions for the evtxtools\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n"
},
{
"path": "evtxtools/evtxtools_signal.c",
"chars": 5726,
"preview": "/*\n * Signal handling functions\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AUTH"
},
{
"path": "evtxtools/evtxtools_signal.h",
"chars": 1749,
"preview": "/*\n * Signal handling functions\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AUTH"
},
{
"path": "evtxtools/evtxtools_system_split_string.h",
"chars": 2843,
"preview": "/*\n * Split system string functions\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to "
},
{
"path": "evtxtools/evtxtools_unused.h",
"chars": 1536,
"preview": "/*\n * Definitions to silence compiler warnings about unused function attributes/parameters.\n *\n * Copyright (C) 2011-202"
},
{
"path": "evtxtools/evtxtools_wide_string.c",
"chars": 1967,
"preview": "/*\n * Wide character string functions\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer t"
},
{
"path": "evtxtools/evtxtools_wide_string.h",
"chars": 1691,
"preview": "/*\n * Wide character string functions\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer t"
},
{
"path": "evtxtools/export_handle.c",
"chars": 66369,
"preview": "/*\n * Export handle\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AUTHORS for ackn"
},
{
"path": "evtxtools/export_handle.h",
"chars": 6706,
"preview": "/*\n * Export handle\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AUTHORS for ackn"
},
{
"path": "evtxtools/info_handle.c",
"chars": 13525,
"preview": "/*\n * Info handle\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AUTHORS for acknow"
},
{
"path": "evtxtools/info_handle.h",
"chars": 2374,
"preview": "/*\n * Info handle\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AUTHORS for acknow"
},
{
"path": "evtxtools/log_handle.c",
"chars": 5937,
"preview": "/*\n * Log handle\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AUTHORS for acknowl"
},
{
"path": "evtxtools/log_handle.h",
"chars": 1673,
"preview": "/*\n * Log handle\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AUTHORS for acknowl"
},
{
"path": "evtxtools/message_handle.c",
"chars": 100743,
"preview": "/*\n * Message handle\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AUTHORS for ack"
},
{
"path": "evtxtools/message_handle.h",
"chars": 8695,
"preview": "/*\n * Message handle\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AUTHORS for ack"
},
{
"path": "evtxtools/message_string.c",
"chars": 15315,
"preview": "/*\n * Message string\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AUTHORS for ack"
},
{
"path": "evtxtools/message_string.h",
"chars": 1960,
"preview": "/*\n * Message string\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AUTHORS for ack"
},
{
"path": "evtxtools/path_handle.c",
"chars": 9201,
"preview": "/*\n * Path handle\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AUTHORS for acknow"
},
{
"path": "evtxtools/path_handle.h",
"chars": 1729,
"preview": "/*\n * Path handle\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AUTHORS for acknow"
},
{
"path": "evtxtools/registry_file.c",
"chars": 19641,
"preview": "/*\n * Registry file\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AUTHORS for ackn"
},
{
"path": "evtxtools/registry_file.h",
"chars": 2808,
"preview": "/*\n * Registry file\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AUTHORS for ackn"
},
{
"path": "evtxtools/resource_file.c",
"chars": 57655,
"preview": "/*\n * Resource file\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AUTHORS for ackn"
},
{
"path": "evtxtools/resource_file.h",
"chars": 5080,
"preview": "/*\n * Resource file\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AUTHORS for ackn"
},
{
"path": "include/Makefile.am",
"chars": 410,
"preview": "include_HEADERS = \\\n\tlibevtx.h\n\npkginclude_HEADERS = \\\n\tlibevtx/codepage.h \\\n\tlibevtx/definitions.h \\\n\tlibevtx/error.h \\"
},
{
"path": "include/libevtx/codepage.h",
"chars": 5195,
"preview": "/*\n * Codepage definitions for libevtx\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer "
},
{
"path": "include/libevtx/definitions.h.in",
"chars": 2035,
"preview": "/*\n * Definitions for libevtx\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AUTHOR"
},
{
"path": "include/libevtx/error.h",
"chars": 6689,
"preview": "/*\n * The error code definitions for libevtx\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * "
},
{
"path": "include/libevtx/extern.h",
"chars": 1412,
"preview": "/*\n * The extern definition\n *\n * This header should be included in header files that export or import\n * library functi"
},
{
"path": "include/libevtx/features.h.in",
"chars": 1539,
"preview": "/*\n * Features of libevtx\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AUTHORS fo"
},
{
"path": "include/libevtx/types.h.in",
"chars": 5016,
"preview": "/*\n * Type definitions for libevtx\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to A"
},
{
"path": "include/libevtx.h.in",
"chars": 25428,
"preview": "/*\n * Library to access the Windows XML Event Log (EVTX) format\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.met"
},
{
"path": "libevtx/Makefile.am",
"chars": 2467,
"preview": "AM_CPPFLAGS = \\\n\t-DLOCALEDIR=\\\"$(datadir)/locale\\\" \\\n\t-I../include -I$(top_srcdir)/include \\\n\t-I../common -I$(top_srcdir"
},
{
"path": "libevtx/evtx_chunk.h",
"chars": 2297,
"preview": "/*\n * The chunk definition of a Windows XML Event Log (EVTX) file\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.m"
},
{
"path": "libevtx/evtx_event_record.h",
"chars": 1547,
"preview": "/*\n * The event record definition of a Windows XML Event Log (EVTX) file\n *\n * Copyright (C) 2011-2025, Joachim Metz <jo"
},
{
"path": "libevtx/evtx_file_header.h",
"chars": 2222,
"preview": "/*\n * The file header definition of a Windows XML Event Log (EVTX) file\n *\n * Copyright (C) 2011-2025, Joachim Metz <joa"
},
{
"path": "libevtx/libevtx.c",
"chars": 1826,
"preview": "/*\n * Library to access the Windows XML Event Log (EVTX) format\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.met"
},
{
"path": "libevtx/libevtx.rc.in",
"chars": 1086,
"preview": "#include <windows.h>\r\n\r\n#ifdef GCC_WINDRES\r\nVS_VERSION_INFO\t\t\t\tVERSIONINFO\r\n#else\r\nVS_VERSION_INFO\t\t\t\tVERSIONINFO\tMOVEAB"
},
{
"path": "libevtx/libevtx_byte_stream.c",
"chars": 2819,
"preview": "/*\n * Byte stream functions\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AUTHORS "
},
{
"path": "libevtx/libevtx_byte_stream.h",
"chars": 1222,
"preview": "/*\n * Byte stream functions\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AUTHORS "
},
{
"path": "libevtx/libevtx_checksum.c",
"chars": 4837,
"preview": "/*\n * Checksum functions\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AUTHORS for"
},
{
"path": "libevtx/libevtx_checksum.h",
"chars": 1498,
"preview": "/*\n * Checksum functions\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AUTHORS for"
},
{
"path": "libevtx/libevtx_chunk.c",
"chars": 28579,
"preview": "/*\n * Chunk functions\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AUTHORS for ac"
},
{
"path": "libevtx/libevtx_chunk.h",
"chars": 2600,
"preview": "/*\n * Chunk functions\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AUTHORS for ac"
},
{
"path": "libevtx/libevtx_chunks_table.c",
"chars": 10943,
"preview": "/*\n * Chunks table functions\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AUTHORS"
},
{
"path": "libevtx/libevtx_chunks_table.h",
"chars": 2192,
"preview": "/*\n * Chunks table functions\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AUTHORS"
},
{
"path": "libevtx/libevtx_codepage.c",
"chars": 3391,
"preview": "/*\n * Codepage functions\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AUTHORS for"
},
{
"path": "libevtx/libevtx_codepage.h",
"chars": 3078,
"preview": "/*\n * Codepage functions\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AUTHORS for"
},
{
"path": "libevtx/libevtx_debug.c",
"chars": 5605,
"preview": "/*\n * Debug functions\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AUTHORS for ac"
},
{
"path": "libevtx/libevtx_debug.h",
"chars": 1416,
"preview": "/*\n * Debug functions\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AUTHORS for ac"
},
{
"path": "libevtx/libevtx_definitions.h.in",
"chars": 6509,
"preview": "/*\n * The internal definitions\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AUTHO"
},
{
"path": "libevtx/libevtx_error.c",
"chars": 2896,
"preview": "/*\n * Error functions\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AUTHORS for ac"
},
{
"path": "libevtx/libevtx_error.h",
"chars": 1772,
"preview": "/*\n * Error functions\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AUTHORS for ac"
},
{
"path": "libevtx/libevtx_extern.h",
"chars": 1376,
"preview": "/*\n * The internal extern definition\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to"
},
{
"path": "libevtx/libevtx_file.c",
"chars": 53516,
"preview": "/*\n * File functions\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AUTHORS for ack"
},
{
"path": "libevtx/libevtx_file.h",
"chars": 5044,
"preview": "/*\n * File functions\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AUTHORS for ack"
},
{
"path": "libevtx/libevtx_i18n.c",
"chars": 1707,
"preview": "/*\n * Internationalization (i18n) functions\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * R"
},
{
"path": "libevtx/libevtx_i18n.h",
"chars": 1348,
"preview": "/*\n * Internationalization (i18n) functions\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * R"
},
{
"path": "libevtx/libevtx_io_handle.c",
"chars": 14293,
"preview": "/*\n * Input/Output (IO) handle functions\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refe"
},
{
"path": "libevtx/libevtx_io_handle.h",
"chars": 2852,
"preview": "/*\n * Input/Output (IO) handle functions\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refe"
},
{
"path": "libevtx/libevtx_libbfio.h",
"chars": 1700,
"preview": "/*\n * The libbfio header wrapper\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AUT"
},
{
"path": "libevtx/libevtx_libcdata.h",
"chars": 1545,
"preview": "/*\n * The libcdata header wrapper\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AU"
},
{
"path": "libevtx/libevtx_libcerror.h",
"chars": 1435,
"preview": "/*\n * The libcerror header wrapper\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to A"
},
{
"path": "libevtx/libevtx_libclocale.h",
"chars": 1456,
"preview": "/*\n * The libclocale header wrapper\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to "
},
{
"path": "libevtx/libevtx_libcnotify.h",
"chars": 1453,
"preview": "/*\n * The libcnotify header wrapper\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to "
},
{
"path": "libevtx/libevtx_libfcache.h",
"chars": 1438,
"preview": "/*\n * The libfcache header wrapper\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to A"
},
{
"path": "libevtx/libevtx_libfdata.h",
"chars": 1542,
"preview": "/*\n * The libfdata header wrapper\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AU"
},
{
"path": "libevtx/libevtx_libfdatetime.h",
"chars": 1723,
"preview": "/*\n * The libfdatetime header wrapper\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer t"
},
{
"path": "libevtx/libevtx_libfguid.h",
"chars": 1395,
"preview": "/*\n * The libfguid header wrapper\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AU"
},
{
"path": "libevtx/libevtx_libfwevt.h",
"chars": 1791,
"preview": "/*\n * The libfwevt header wrapper\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AU"
},
{
"path": "libevtx/libevtx_libuna.h",
"chars": 1733,
"preview": "/*\n * The libuna header wrapper\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AUTH"
},
{
"path": "libevtx/libevtx_notify.c",
"chars": 2742,
"preview": "/*\n * Notification functions\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AUTHORS"
},
{
"path": "libevtx/libevtx_notify.h",
"chars": 1578,
"preview": "/*\n * Notification functions\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AUTHORS"
},
{
"path": "libevtx/libevtx_record.c",
"chars": 52056,
"preview": "/*\n * Record functions\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AUTHORS for a"
},
{
"path": "libevtx/libevtx_record.h",
"chars": 8760,
"preview": "/*\n * Record functions\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AUTHORS for a"
},
{
"path": "libevtx/libevtx_record_values.c",
"chars": 146868,
"preview": "/*\n * Record values functions\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AUTHOR"
},
{
"path": "libevtx/libevtx_record_values.h",
"chars": 11019,
"preview": "/*\n * Record values functions\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AUTHOR"
},
{
"path": "libevtx/libevtx_support.c",
"chars": 9298,
"preview": "/*\n * Support functions\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AUTHORS for "
},
{
"path": "libevtx/libevtx_support.h",
"chars": 2005,
"preview": "/*\n * Support functions\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to AUTHORS for "
},
{
"path": "libevtx/libevtx_template_definition.c",
"chars": 9049,
"preview": "/*\n * Template definition functions\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to "
},
{
"path": "libevtx/libevtx_template_definition.h",
"chars": 2281,
"preview": "/*\n * Template definition functions\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to "
},
{
"path": "libevtx/libevtx_types.h",
"chars": 1846,
"preview": "/*\n * The internal type definitions\n *\n * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>\n *\n * Refer to "
},
{
"path": "libevtx/libevtx_unused.h",
"chars": 1400,
"preview": "/*\n * Definitions to silence compiler warnings about unused function attributes/parameters.\n *\n * Copyright (C) 2011-202"
},
{
"path": "libevtx.ini",
"chars": 1461,
"preview": "[project]\nname: \"libevtx\"\nstatus: \"alpha\"\nyear_of_creation: \"2011\"\ndata_format: \"Windows XML Event Log (EVTX)\"\ndocumenta"
},
{
"path": "libevtx.pc.in",
"chars": 801,
"preview": "prefix=@prefix@\nexec_prefix=@exec_prefix@\nlibdir=@libdir@\nincludedir=@includedir@\n\nName: libevtx\nDescription: Library to"
},
{
"path": "libevtx.spec.in",
"chars": 3713,
"preview": "Name: libevtx\nVersion: @VERSION@\nRelease: 1\nSummary: Library to access the Windows XML Event Log (EVTX) format\nGroup: Sy"
},
{
"path": "m4/common.m4",
"chars": 15958,
"preview": "dnl Checks for common headers and functions\ndnl\ndnl Version: 20241013\n\ndnl Function to test if a certain feature was dis"
},
{
"path": "m4/libbfio.m4",
"chars": 6613,
"preview": "dnl Checks for libbfio required headers and functions\ndnl\ndnl Version: 20240518\n\ndnl Function to detect if libbfio is av"
},
{
"path": "m4/libcdata.m4",
"chars": 7542,
"preview": "dnl Checks for libcdata required headers and functions\ndnl\ndnl Version: 20240514\n\ndnl Function to detect if libcdata is "
},
{
"path": "m4/libcdirectory.m4",
"chars": 6690,
"preview": "dnl Checks for libcdirectory required headers and functions\ndnl\ndnl Version: 20240525\n\ndnl Function to detect if libcdir"
},
{
"path": "m4/libcerror.m4",
"chars": 5002,
"preview": "dnl Checks for libcerror required headers and functions\ndnl\ndnl Version: 20240513\n\ndnl Function to detect if libcerror i"
},
{
"path": "m4/libcfile.m4",
"chars": 8655,
"preview": "dnl Checks for libcfile required headers and functions\ndnl\ndnl Version: 20240514\n\ndnl Function to detect if libcfile is "
},
{
"path": "m4/libclocale.m4",
"chars": 7027,
"preview": "dnl Checks for libclocale required headers and functions\ndnl\ndnl Version: 20240513\n\ndnl Function to detect if libclocale"
},
{
"path": "m4/libcnotify.m4",
"chars": 4438,
"preview": "dnl Checks for libcnotify required headers and functions\ndnl\ndnl Version: 20240513\n\ndnl Function to detect if libcnotify"
},
{
"path": "m4/libcpath.m4",
"chars": 7580,
"preview": "dnl Checks for libcpath required headers and functions\ndnl\ndnl Version: 20240518\n\ndnl Function to detect if libcpath is "
},
{
"path": "m4/libcsplit.m4",
"chars": 5672,
"preview": "dnl Checks for libcsplit required headers and functions\ndnl\ndnl Version: 20240513\n\ndnl Function to detect if libcsplit i"
},
{
"path": "m4/libcthreads.m4",
"chars": 6520,
"preview": "dnl Checks for libcthreads required headers and functions\ndnl\ndnl Version: 20240513\n\ndnl Function to detect if libcthrea"
},
{
"path": "m4/libexe.m4",
"chars": 4855,
"preview": "dnl Checks for libexe required headers and functions\ndnl\ndnl Version: 20240601\n\ndnl Function to detect if libexe is avai"
},
{
"path": "m4/libfcache.m4",
"chars": 4955,
"preview": "dnl Checks for libfcache required headers and functions\ndnl\ndnl Version: 20240514\n\ndnl Function to detect if libfcache i"
},
{
"path": "m4/libfdata.m4",
"chars": 8377,
"preview": "dnl Functions for libfdata\ndnl\ndnl Version: 20240520\n\ndnl Function to detect if libfdata is available\ndnl ac_libfdata_du"
},
{
"path": "m4/libfdatetime.m4",
"chars": 8525,
"preview": "dnl Checks for libfdatetime required headers and functions\ndnl\ndnl Version: 20240518\n\ndnl Function to detect if libfdate"
},
{
"path": "m4/libfguid.m4",
"chars": 4231,
"preview": "dnl Checks for libfguid required headers and functions\ndnl\ndnl Version: 20240519\n\ndnl Function to detect if libfguid is "
},
{
"path": "m4/libfvalue.m4",
"chars": 8624,
"preview": "dnl Checks for libfvalue required headers and functions\ndnl\ndnl Version: 20240519\n\ndnl Function to detect if libfvalue i"
},
{
"path": "m4/libfwevt.m4",
"chars": 20462,
"preview": "dnl Checks for libfwevt required headers and functions\ndnl\ndnl Version: 20240501\n\ndnl Function to detect if libfwevt is "
},
{
"path": "m4/libfwnt.m4",
"chars": 5281,
"preview": "dnl Checks for libfwnt required headers and functions\ndnl\ndnl Version: 20240519\n\ndnl Function to detect if libfwnt is av"
},
{
"path": "m4/libregf.m4",
"chars": 4076,
"preview": "dnl Checks for libregf required headers and functions\ndnl\ndnl Version: 20240601\n\ndnl Function to detect if libregf is av"
},
{
"path": "m4/libuna.m4",
"chars": 12910,
"preview": "dnl Checks for libuna or required headers and functions\ndnl\ndnl Version: 20240513\n\ndnl Function to detect if libuna is a"
},
{
"path": "m4/libwrc.m4",
"chars": 7217,
"preview": "dnl Checks for libwrc required headers and functions\ndnl\ndnl Version: 20240601\n\ndnl Function to detect if libwrc is avai"
},
{
"path": "m4/pthread.m4",
"chars": 2721,
"preview": "dnl Functions for pthread\ndnl\ndnl Version: 20240513\n\ndnl Function to detect if pthread is available\nAC_DEFUN([AX_PTHREAD"
},
{
"path": "m4/python.m4",
"chars": 6509,
"preview": "dnl Functions for Python bindings\ndnl\ndnl Version: 20251125\n\ndnl Function to check if the python binary is available\ndnl"
},
{
"path": "m4/tests.m4",
"chars": 756,
"preview": "dnl Functions for testing\ndnl\ndnl Version: 20200712\n\ndnl Function to detect if tests dependencies are available\nAC_DEFUN"
},
{
"path": "m4/types.m4",
"chars": 2058,
"preview": "dnl Functions for type definitions\ndnl\ndnl Version: 20180727\n\ndnl Function to detect if type definitions are available\nA"
},
{
"path": "manuals/Makefile.am",
"chars": 157,
"preview": "man_MANS = \\\n\tevtxexport.1 \\\n\tevtxinfo.1 \\\n\tlibevtx.3\n\nEXTRA_DIST = \\\n\tevtxexport.1 \\\n\tevtxinfo.1 \\\n\tlibevtx.3\n\nDISTCLEA"
},
{
"path": "manuals/evtxexport.1",
"chars": 2985,
"preview": ".Dd April 14, 2019\n.Dt evtxexport\n.Os libevtx\n.Sh NAME\n.Nm evtxexport\n.Nd exports items stored in a Windows XML EventVie"
},
{
"path": "manuals/evtxinfo.1",
"chars": 1451,
"preview": ".Dd April 14, 2019\n.Dt evtxinfo\n.Os libevtx\n.Sh NAME\n.Nm evtxinfo\n.Nd determines information about a Windows XML EventVi"
},
{
"path": "manuals/libevtx.3",
"chars": 10893,
"preview": ".Dd May 4, 2024\n.Dt libevtx 3\n.Os libevtx\n.Sh NAME\n.Nm libevtx.h\n.Nd Library to access the Windows XML Event Log (EVTX)"
},
{
"path": "msvscpp/Makefile.am",
"chars": 1851,
"preview": "MSVSCPP_FILES = \\\n\tevtx_test_chunk/evtx_test_chunk.vcproj \\\n\tevtx_test_chunks_table/evtx_test_chunks_table.vcproj \\\n\tevt"
},
{
"path": "msvscpp/evtx_test_chunk/evtx_test_chunk.vcproj",
"chars": 6303,
"preview": "<?xml version=\"1.0\" encoding=\"Windows-1252\"?>\r\n<VisualStudioProject\r\n\tProjectType=\"Visual C++\"\r\n\tVersion=\"9,00\"\r\n\tName=\""
},
{
"path": "msvscpp/evtx_test_chunks_table/evtx_test_chunks_table.vcproj",
"chars": 6324,
"preview": "<?xml version=\"1.0\" encoding=\"Windows-1252\"?>\r\n<VisualStudioProject\r\n\tProjectType=\"Visual C++\"\r\n\tVersion=\"9,00\"\r\n\tName=\""
},
{
"path": "msvscpp/evtx_test_error/evtx_test_error.vcproj",
"chars": 6060,
"preview": "<?xml version=\"1.0\" encoding=\"Windows-1252\"?>\r\n<VisualStudioProject\r\n\tProjectType=\"Visual C++\"\r\n\tVersion=\"9,00\"\r\n\tName=\""
},
{
"path": "msvscpp/evtx_test_file/evtx_test_file.vcproj",
"chars": 6955,
"preview": "<?xml version=\"1.0\" encoding=\"Windows-1252\"?>\r\n<VisualStudioProject\r\n\tProjectType=\"Visual C++\"\r\n\tVersion=\"9,00\"\r\n\tName=\""
},
{
"path": "msvscpp/evtx_test_io_handle/evtx_test_io_handle.vcproj",
"chars": 6315,
"preview": "<?xml version=\"1.0\" encoding=\"Windows-1252\"?>\r\n<VisualStudioProject\r\n\tProjectType=\"Visual C++\"\r\n\tVersion=\"9,00\"\r\n\tName=\""
},
{
"path": "msvscpp/evtx_test_notify/evtx_test_notify.vcproj",
"chars": 6146,
"preview": "<?xml version=\"1.0\" encoding=\"Windows-1252\"?>\r\n<VisualStudioProject\r\n\tProjectType=\"Visual C++\"\r\n\tVersion=\"9,00\"\r\n\tName=\""
},
{
"path": "msvscpp/evtx_test_record/evtx_test_record.vcproj",
"chars": 6306,
"preview": "<?xml version=\"1.0\" encoding=\"Windows-1252\"?>\r\n<VisualStudioProject\r\n\tProjectType=\"Visual C++\"\r\n\tVersion=\"9,00\"\r\n\tName=\""
},
{
"path": "msvscpp/evtx_test_record_values/evtx_test_record_values.vcproj",
"chars": 6327,
"preview": "<?xml version=\"1.0\" encoding=\"Windows-1252\"?>\r\n<VisualStudioProject\r\n\tProjectType=\"Visual C++\"\r\n\tVersion=\"9,00\"\r\n\tName=\""
},
{
"path": "msvscpp/evtx_test_support/evtx_test_support.vcproj",
"chars": 6964,
"preview": "<?xml version=\"1.0\" encoding=\"Windows-1252\"?>\r\n<VisualStudioProject\r\n\tProjectType=\"Visual C++\"\r\n\tVersion=\"9,00\"\r\n\tName=\""
},
{
"path": "msvscpp/evtx_test_template_definition/evtx_test_template_definition.vcproj",
"chars": 6345,
"preview": "<?xml version=\"1.0\" encoding=\"Windows-1252\"?>\r\n<VisualStudioProject\r\n\tProjectType=\"Visual C++\"\r\n\tVersion=\"9,00\"\r\n\tName=\""
},
{
"path": "msvscpp/evtx_test_tools_info_handle/evtx_test_tools_info_handle.vcproj",
"chars": 6570,
"preview": "<?xml version=\"1.0\" encoding=\"Windows-1252\"?>\r\n<VisualStudioProject\r\n\tProjectType=\"Visual C++\"\r\n\tVersion=\"9,00\"\r\n\tName=\""
},
{
"path": "msvscpp/evtx_test_tools_message_handle/evtx_test_tools_message_handle.vcproj",
"chars": 7077,
"preview": "<?xml version=\"1.0\" encoding=\"Windows-1252\"?>\r\n<VisualStudioProject\r\n\tProjectType=\"Visual C++\"\r\n\tVersion=\"9,00\"\r\n\tName=\""
}
]
// ... and 133 more files (download for full content)
About this extraction
This page contains the full source code of the libyal/libevtx GitHub repository, extracted and formatted as plain text for AI agents and large language models (LLMs). The extraction includes 333 files (2.2 MB), approximately 592.5k tokens, and a symbol index with 578 extracted functions, classes, methods, constants, and types. Use this with OpenClaw, Claude, ChatGPT, Cursor, Windsurf, or any other AI tool that accepts text input. You can copy the full output to your clipboard or download it as a .txt file.
Extracted by GitExtract — free GitHub repo to text converter for AI. Built by Nikandr Surkov.