Repairing Corrupted Windows Event Log FilesReturn to Main Forensics Help Page The Windows event log database contains an object that the author calls a floating footer. It will be positioned at the offset where the next record will be written. This floating footer object contains metadata that is maintained in real time. The four fields (four 4-byte fields) of metadata in the floating footer are, respectively, the offset to oldest record, the offset to next record, the record number of next record, and the record number of oldest record. These same four fields are present in the event log file header, starting at byte offset 16, but are not kept in real time. They are only updated or synchronized with the real time data from the floating footer when the event log service terminates normally or when you use event viewer to "save log file as". Furthermore a byte status field (byte offset 36 of header) will be an odd value when the file is open or was not closed properly, typically 0x09, 0x0B and so forth with any odd value serving the purpose. When closed properly and these four fields are synched, this file status byte will be even, typically 0x08 or 0x00 (any even value is valid). If the file was not properly closed, the four fields will not have been synched and the file status byte will be odd. When you attempt to open such a file with any viewer reliant upon the event log API, it will be reported as corrupt. This frequently occurs in forensics when you pull the plug or do a live acquisition. EnCase doesn't rely upon that API and will parse them without repair. If you wish to use them in a viewer reliant upon the event log API, you'll need to repair the header. To repair the event log file, you simply need to copy the four fields from the floating footer into their corresponding location in the header and then set the file status byte to any even value. Save and you are done. It's really that simple. The changes you are making are only to the header metadata. You are in no way changing data in any event log record. Document your steps in your report so that you can show what you did and why.
|
Step 1: Open the corrupted file in your favorite hex
viewer. Winhex is used in this example. Locate the floating
footer. Search for: 0x11111111222222223333333344444444 The floating header actually begins at 0x28000000, which immediately precedes the above string. The floating header terminates with the same hex value, which is 0x28000000. These values also serve to define the size of the floating header in bytes (evaluate as 32 little endian integer), which is 40 bytes. The sixteen bytes (byte offsets 20-35 relative to object) that follow the last "4" in the above string are the four 4-byte fields (offset to oldest record, offset to next record, record number of next record, and record number of oldest record). Evaluate them as 32 bit little endian values if you'd like. Highlighted in the screenshot are the four fields. Copy their hex values to your clipboard. Note: You will find the floating header situated at the byte offset for the next record to be written. If you evaluate the second field (0xC0FB0000) as a 32 bit little endian integer, you find it resolves to 64,448. If you look at the screen shot, you see the first byte of the floating header (0x28) sitting at that offset. |
|
Step 2: Go the to header at the beginning of the file, specifically to byte offset 16 (first byte is byte offset 0). Locate the four fields beginning at this offset. They are highlighted in the adjacent screen shot and they are the same fields bearing the same name and same order as in the previous figure as found in the floating header, only these fields have yet to be synched with current data. | |
Step 3: Paste the hex values from your clipboard into the byte offsets 16 to 31, which are the four fields. Adjacent figure shows this being done. Compare these values with one seen in step 2. You may find some "repair instructions" that tell you to synch only the middle two fields. This will only work if the oldest record hasn't changed since the last "synch". You can see in this example that those instructions would have failed because all four fields had changed. | |
Step 4: Change the file status byte (offset 36 in
header) to an even value. Here it has been changed to 0x00. You
could use 0x08 or even 0xFE. Any even value satisifes! If you
look at the figure in Step 3, this prior value was odd and would not allow
the file to be opened even if the fields were synched. This view shows all four fields synched and the file status byte changed to an even value. This file is ready to be saved. |
|
Step 5. Save your changes in your hex editor. Open the file with Event Viewer. | |
For those of you who would prefer an automated solution for repairing these logs, Rich Murphey has written a tool that automates the method described above. You may find it at the link to the right. | http://www.murphey.org/fixevt.html |
You may encounter a situation in which the "footer" is not present in its expected format. When you search for the telltale string that denotes the footer, you will get a message that the string can't be found. If you look around, you may see, in place of the footer, something that looks like the view to the left. | |
Just what causes this anomaly is unknown, at least to me. It is rare, fortunately, and it is repairable, but not using the method described thus far. The repair method that works, is using the Windows event log service to do the job. | |
The first step in the process is to place the corrupted event log file on a machine with the same O/S that created it. The next step is to visit your local security policy (under administrative tools) and turn off all auditing so that you are not creating event logs or at least minimizing them. (What you are about to do is to replace your event log with the corrupted one. Once repaired, you don't wish to have your event logs co-mingled with the evidentiary ones if you can help it.) | |
The next step is to visit the services menu located under
administrative tools. Locate the event log service and open its
properties. Unlike most services, you can't stop the event log
service, but you can disable it upon startup. Therefore, change its
startup type from automatic to disabled. Reboot your computer and your system will now be running without the event log service. Go to %SystemRoot%\System32\Config and locate your event log file that corresponds with the corrupted one. Rename your event log file to something you can remember and place the corrupted one in its place. |
|
It is now time to revisit the services menu and change
the startup type to automatic so that you can restart the event log service.
With that done, right click on the event log service and choose "Start".
The event log service will now restart and repair your corrupted event log
file as it does so. Once the service has started, go to the event viewer and to the event log that was corrupted. You should be able to view the data. To get your data out, right click on the log file and choose "Save Log File As", giving it a name and location of your choosing. At this point, you have repaired your corrupted data file and copied a repaired copy to a safe location. |
|
The final step is to restore your system to its former
state. First, visit the service menu and change the event log startup
to disabled. Reboot your system with your event log service stopped.
Go to the folder containing your event log files and remove the repaired
file, replacing it with your original event log file, renamed to its default
name. Next, go to the services menu and change the event log service startup to automatic and then restart the service. You event log service should now be running. The final step is to return to your local security policy menu and to turn on your auditing settings to their prior state. This completes the process. |
|
You will find that this process will repair the event logs, but you may also find that the number of event log records will be significantly less. This technique should be used only when it is necessary to analyze the logs with a tool that relies upon the event log service API and that repair is necessary. Since you may lose records in the repair process, it is best to process this type of corrupted file with a tool that parses the data without the API, such as EnCase's Windows event log parser, which will process all records without data loss. | |
This web site was created to provide assistance to computer forensics examiners engaging in cyber-crime investigations. This field is rapidly evolving and changing as technology marches forward. It is, therefore, intended to be a growing and evolving resource. As you conduct your examinations and investigations, if you encounter information, links, or have suggestions that would help others, please let me know so I can add it to this site. My email address is sbunting@udel.edu . Thank you.
This site created and maintained by: | ||
Retired Captain, University of Delaware Police | ||