Remove individual lines from Windows XML Event Log (EVTX) files
Support: Win7 and later
Compare with DanderSpritz,my way don't need dll injection and support more version(Server2012 and later).(It can be used to delete the setup.evtx,others may be affected by competitive conditions.)
Need more test and suggestions.
The data structure and some code details are inspired by https://bbs.pediy.com/thread-219313.htm
My posts about the details:
- Windows XML Event Log (EVTX)单条日志清除(一)——删除思路与实例
- Windows XML Event Log (EVTX)单条日志清除(二)——程序实现删除evtx文件的单条日志记录
- Windows XML Event Log (EVTX)单条日志清除(三)——通过解除文件占用删除当前系统单条日志记录
- Windows XML Event Log (EVTX)单条日志清除(四)——通过注入获取日志文件句柄删除当前系统单条日志记录
- Windows XML Event Log (EVTX)单条日志清除(五)——通过DuplicateHandle获取日志文件句柄删除当前系统单条日志记录
Later I'll translate them into English.
Note:
- WinXP and Win7,ObjectTypeNumber = 0x1c
- Win8 and later,ObjectTypeNumber = 0x1e
Read an evtx file(c:\test\Setup.evtx),then delete an event log(EventRecordID=14).
The new evtx file is saved as c:\test\SetupNew.evtx.
Delete the eventlog by rewriting the evtx file.
Read an evtx file,then delete an event log.
The new file(temp.evtx) will be saved at the same path.
Delete the eventlog by using WinAPI EvtExportLog.
Number of events:15
Number of events:14
You can use DeleteRecordofFile.cpp to delete the second eventlog record(EventRecordID=14) of Setup.evtx.
Suspend or resume the Eventlog Service's thread.
Use to stop or resume the system to collect logs.
When the Eventlog Service is stopped(killed by me),I'll wait for it until it starts.
Use to stop the system to collect the logs when the Eventlog Service starts.
Kill the eventlog service's process and delete one eventlog record,then restart the Eventlog Service.
Delete the eventlog by rewriting the evtx file.
Kill the eventlog service's process and delete one eventlog record,then restart the Eventlog Service.
Delete the eventlog by using WinAPI EvtExportLog.
Note:
The EventRecordID of the events after the deleted one will not be changed.
Get specified .evtx file's handle and delete one eventlog record.
It can be used to delete the setup.evtx,others may be affected by competitive conditions.
Delete the eventlog by rewriting the evtx file.
Get specified .evtx file's handle and delete one eventlog record.
Read a .evtx file and replace the specified .evtx file with the data.
It can be used to delete the setup.evtx,others may be affected by competitive conditions.
Delete the eventlog by using WinAPI EvtExportLog.
Get specified .evtx file's handle and inject a dll(Dll-rewriting.dll),use the dll to delete one eventlog record.
Delete the eventlog by rewriting the evtx file.
Compile it into DLL.
Use the dll to delete one eventlog record.
Delete the eventlog by rewriting the evtx file.
Use API EvtExportLog to delete Eventlog Record.
The new file will be saved as temp.evtx.
Get specified .evtx file's handle and inject a dll(Dll-EvtExportLog.dll).
Read a .evtx file(from DeleteRecord-EvtExportLog.exe) and send the data to the dll,the dll will replace the specified .evtx file with the data.
Compile it into DLL.
Use the dll to delete one eventlog record.
Get data from Loader-EvtExportLog.exe,then replace the specified .evtx file with the data.