Starting with Windows Vista, Microsoft transitioned from the legacy .evt format to the modern .evtx (XML) format. These files are not plain text; they require specialized parsers or the native Windows Event Viewer to read.
C:\Windows\System32\winevt\Logs\.evtx channel has a predefined maximum size (often 20MB by default for the Security log). Once this limit is reached, the oldest events are immediately overwritten. On a busy Domain Controller, the Security log might only cover a window of a few hours.Windows generates hundreds of log channels, but Incident Responders primarily focus on a handful of critical files to establish initial access, execution, and persistence.
Security.evtx (The Holy Grail)
The most critical log for tracking adversarial behavior. It records authentication (logons/logoffs), privilege escalation, process creation, and object access. Forensic Note: Many critical events in this log require explicit Group Policy Object (GPO) auditing to be enabled.
System.evtx (System Health & Services)
Tracks the core operating system. It records system startups/shutdowns, driver loads, and crucially, the installation of new Windows Services (a primary persistence mechanism).
Application.evtx (Software Activity)
Records events generated by installed software. It is highly useful for identifying application crashes, legacy antivirus alerts, or database errors.
Operational Logs (Granular Context)
Specific subsystems have their own highly detailed logs. Examples include:
Microsoft-Windows-TerminalServices-*.evtx (For RDP tracking).Microsoft-Windows-TaskScheduler%4Operational.evtx (For scheduled tasks).Microsoft-Windows-PowerShell%4Operational.evtx (For script block logging).To accelerate triage, analysts must master the correlation of specific Event IDs across different logs.
Security.evtx)Security.evtx)System.evtx): Service Installation. The definitive indicator of a deployed backdoor or PsExec execution.Security.evtx): Scheduled Task Creation.Security.evtx): User Account Creation (Backdoor accounts).Because EVTX files are highly incriminating, sophisticated adversaries will attempt to clear them. Fortunately, the act of clearing the logs generates an indelible alert.
During a massive incident, manually opening .evtx files in Event Viewer is inefficient. DFIR teams rely on high-speed parsers to ingest the binary XML into CSV or SIEM platforms for timeline correlation.
:: EvtxECmd parses individual files or entire directories of EVTX logs.:: It uses 'Maps' to automatically enrich the output (e.g., resolving Logon Type 3 to "Network").
EvtxECmd.exe -d "C:\Forensics\Export\winevt\Logs" --csv "C:\Forensics\Results" --csvf timeline_events.csv# A quick live-triage command to extract the last 50 failed logons (Brute Force hunt)Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} -MaxEvents 50 | Select-Object TimeCreated, Id, Message