Skip to content

Add support for getting localized strings from sidecar .mta files exported by windows event viewer #284

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
dev-joss wants to merge 12 commits into
base: master
Choose a base branch
from
Open

Add support for getting localized strings from sidecar .mta files exported by windows event viewer #284

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
cee24ca
feat: add mta support and tests
dev-joss Feb 11, 2026
befdfc6
fix: keep json output valid with show-message
dev-joss Feb 11, 2026
8c3291c
fix: extract EventID from IR tree instead of misusing record ID
dev-joss Feb 11, 2026
482e110
refactor: move MTA cache out of ParserSettings into EvtxDump
dev-joss Feb 11, 2026
c0fbb9b
fix: extract EventRecordID from record payload instead of header
dev-joss Feb 11, 2026
c903ff1
chore: remove obsolete MTA debug test
dev-joss Feb 11, 2026
bc0b35f
docs: add MTA file format documentation to mta.rs module
dev-joss Feb 11, 2026
2985a20
style: rustfmt mta.rs
dev-joss Feb 11, 2026
9d5894a
refactor: decode MTA message strings by known length instead of null …
dev-joss Feb 11, 2026
84f63cc
refactor: deserialize JSON properly when extracting EventRecordID
dev-joss Feb 11, 2026
f91c48c
refactor: revert changes to evtx_dump.rs
dev-joss Feb 11, 2026
552db47
style: fix formatting in Debug implementation for ParserSettings
dev-joss Feb 11, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
240 changes: 240 additions & 0 deletions samples/mta/test.csv
View file
Open in desktop

Large diffs are not rendered by default.

Binary file added samples/mta/test.evtx
View file
Open in desktop
Binary file not shown.
Binary file added samples/mta/test_1033.MTA
View file
Open in desktop
Binary file not shown.
2 changes: 2 additions & 0 deletions src/evtx_parser.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -224,6 +224,7 @@ impl ParserSettings {
self
}


pub fn validate_checksums(mut self, validate_checksums: bool) -> Self {
self.validate_checksums = validate_checksums;

Expand Down Expand Up @@ -252,6 +253,7 @@ impl ParserSettings {
self.wevt_cache.as_ref()
}


pub fn should_separate_json_attributes(&self) -> bool {
self.separate_json_attributes
}
Expand Down
5 changes: 3 additions & 2 deletions src/evtx_record.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,13 +29,13 @@ pub struct EvtxRecord<'a> {
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct EvtxRecordHeader {
pub data_size: u32,
pub event_record_id: RecordId,
pub event_record_id: RecordId, // Not same as EventRecordId in payload
pub timestamp: Timestamp,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct SerializedEvtxRecord<T> {
pub event_record_id: RecordId,
pub event_record_id: RecordId, // Not same as EventRecordId in payload
pub timestamp: Timestamp,
pub data: T,
}
Expand Down Expand Up @@ -273,3 +273,4 @@ impl<'a> EvtxRecord<'a> {
Ok(out)
}
}

2 changes: 2 additions & 0 deletions src/lib.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,10 +11,12 @@ pub use evtx_file_header::{EvtxFileHeader, HeaderFlags};
pub use evtx_parser::{EvtxParser, IntoIterChunks, IterChunks, ParserSettings};
pub use evtx_record::{EvtxRecord, EvtxRecordHeader, RecordId, SerializedEvtxRecord};
pub use utils::utf16::{Utf16LeDecodeError, Utf16LeSlice};
pub use mta::{MtaError, MtaFile, MtaResult};

pub mod binxml;
pub mod err;
pub mod model;
pub mod mta;

// Optional: PE resource parsing to extract WEVT_TEMPLATE blobs (see issue #103).
#[cfg(feature = "wevt_templates")]
Expand Down
Loading