v0.11.1

chore(release): 0.11.1

v0.11.0

What's Changed

• wevt_templates: switch offline cache to single .wevtcache file by @omerbenamram in #279

Full Changelog: v0.10.0...v0.11.0

v0.10.0

[0.10.0 - 2025-12-31]

Highlights

• ~3× faster JSON/XML rendering compared to 0.9.0, powered by the new IR + streaming renderers.
  • On samples/security.evtx (single-threaded): JSONL 45.4ms → 16.5ms (~2.76×), XML 33.2ms → 11.3ms (~2.95×).
• WEVT_TEMPLATE support (optional wevt_templates feature): extract templates from provider binaries and use an offline cache as a fallback when EVTX embedded templates are missing/corrupt.
• EVTX Web: a WebAssembly-powered viewer (see PR #252).

Breaking changes (API + behavior)

• Removed the token-tree output API:
  • BinXmlOutput, XmlOutput, JsonOutput, and EvtxRecord::into_output(..) were removed.
  • Use EvtxRecord::into_xml(), EvtxRecord::into_json(), or EvtxRecord::into_json_value() instead.
  • If you need structured access, use the new IR types under evtx::model::ir.
• EvtxRecord is now IR-based:
  • EvtxRecord::tokens (and evtx::model::{deserialized, raw, xml}) were removed/replaced.
  • Records now carry tree: evtx::model::ir::IrTree (plus binxml_offset/binxml_size).
• EvtxRecordHeader::record_data_size() now returns Result<u32> and can error on corrupted data_size values.
• EvtxChunk no longer exposes the old TemplateCache (template_table); chunk parsing/rendering is now driven by the IR + template instantiation cache.
• Timestamps switched from chrono::DateTime<Utc> to jiff::Timestamp in EvtxRecord, EvtxRecordHeader, and SerializedEvtxRecord.
• Error type changes (affects match statements):
  • EvtxError::FailedToParseChunk now carries Box<ChunkError>.
  • DeserializationError IO variants were renamed (UnexpectedIoError → IoWithContext, RemoveMe → Io) and new WEVT/IO truncation errors were added.
  • ChunkError::FailedToBuildTemplateCache was removed.
• JSON indentation behavior changed:
  • ParserSettings::indent(..) is still used for XML, but JSON output is now always compact in the streaming renderer. If you need pretty JSON, reformat the returned value/string yourself.

Added

• Streaming JSON renderer + new parsing architecture (PR #267).
• New intermediate representation (IR) for BinXML (PR #278).
• WEVT_TEMPLATE extraction + offline cache + rendering helpers (PR #274).
• evtx_dump: support reading EVTX from stdin (PR #271).
• Re-export RecordId from crate root (PR #272).
• Fix parsing when chunk header offsets are too large (PR #273).
• Web-based viewer (WASM) (PR #252).

Fixed

• When validate_checksums is disabled, fix multiple infinite-loop cases on malformed EVTX files (PR #263, #264).

Performance

• IR tree replaces the old token vector (Vec<...>) in the hot path, dramatically reducing allocations and improving cache locality.
• Streaming renderers write JSON/XML directly to a sink (no serde_json::Value construction on the default path).
• Fast UTF-16 escaping via the new utf16-simd crate + sonic-rs writer integration.
• Chunk arena pooling in the multithreaded path reduces per-chunk allocator churn.

WEVT usage (offline template cache)

This is optional and requires building with the Cargo feature wevt_templates.

• Build a cache index (JSONL) + extracted blobs:
  • evtx_dump extract-wevt-templates --input <provider.dll> --output-dir /tmp/wevt_cache --overwrite > /tmp/wevt_cache/index.jsonl
• Use the cache when dumping EVTX (fallback only when embedded templates are missing/corrupt):
  • evtx_dump --wevt-cache-index /tmp/wevt_cache/index.jsonl <log.evtx>
• Library usage:
  • Load the index and attach it to ParserSettings via ParserSettings::wevt_cache(Some(Arc::new(WevtCache::load(..)?))).

Full Changelog: v0.9.0...v0.10.0

v0.9.0

What's Changed

• Rust 2024 by @omerbenamram in #250

Full Changelog: v0.8.5...v0.9.0

v0.8.5

Full Changelog: v0.8.4...v0.8.5

Fixed #249

v0.8.4

What's Changed

• Bump actions/download-artifact from 1 to 4.1.7 in /.github/workflows by @dependabot in #244
• Fix json output when a node with attributes has the same key several times by @yardlogs in #245

New Contributors

• @yardlogs made their first contribution in #245

Full Changelog: v0.8.3...v0.8.4

v0.8.3

What's Changed

• Preserve order when using JSON output by @ac-rn in #242
• chore: update to build with rust 1.80 by @chenrui333 in #243
• chore: update dependencies (quick-xml)

New Contributors

• @ac-rn made their first contribution in #242
• @chenrui333 made their first contribution in #243

Full Changelog: v0.8.2...v0.8.3

v0.8.2

What's Changed

• (bugfix) Fix off-by-6 bug in assemble.rs by @dgmcdona in #238
• update to clap v4 by @omerbenamram in #233
• updated workflow for pgo by @omerbenamram in #239

New Contributors

• @dgmcdona made their first contribution in #238

Full Changelog: v0.8.1...v0.8.2

v0.8.1

What's Changed

• update to quickxml 0.24 by @omerbenamram in #229
• Bump bumpalo from 3.11.0 to 3.12.0 by @dependabot in #231
• feat: add initial support for size_t by @alexkornitzer in #232

New Contributors

• @dependabot made their first contribution in #231
• @alexkornitzer made their first contribution in #232

Full Changelog: v0.8.0...v0.8.1