3gstudent / eventlogedit-evtx--evolution Goto Github PK
View Code? Open in Web Editor NEWRemove individual lines from Windows XML Event Log (EVTX) files
eventlogedit-evtx--evolution's Issues
I think i have the .exe files but when I run them the cmd just blinks and dissappears
How to remove specific logs?
1
I need tutorial on how to make this work.
Can you tell me step by step what should I do?
issue DeleteRecordofFileEx.exe
Hello , I created c:\temp folder and I moved DeleteRecordofFileEx.exe from https://github.com/3gstudent/Eventlogedit-evtx--Evolution/releases/tag/v1.0.0 and when I run CMD run as a Admin and run I got this see pic:
My goal is to remove one record from eventvwr I wanted to remove one record id and to generate that temp.evtx( after I run this command DeleteRecordofFileEx.exe System.evtx 7055 but there is no temp.evtx) Could you please help?
可以修改日志吗?
About memcpy()
When the program runs to memcpy() in DeleteRecord() on another computer, it crashes.
Why not do a perfect version?
Why not do a can solve closed and restart Eventlog service generate EventID for 7034 and 7036, and solve the problem of missing EventRecordID version?Modify DeleteRecordbyTerminateProcess. CPP operation process is as follows should be ok:
1.Try to EnableDebugPrivilege... Done
2.Try to OpenProcess... Done
(add ) Try to suspend eventlog Thead
3.Try to TerminateProcess... Done
4.Try to CloseFileHandle... Done
5.Try to Copy evtx file to current path... Done
6.Try to Delete the eventlog... Done
7.Try to replace evtx file... Done
8.Try to delete temp.evtx... Done
(add ) Try to eventlog process and suspend Thead
9.Try to Restart eventlog service...
(add ) Try to suspend eventlog Thead
request: win32 binary
is it possible to have binaries for windows 32bit?
I get 40+ errors and 2+ warnings when compiling.
I get all of these errors when compiling all of the files, if needed I can send all the warnings and errors for all files. Thanks for your help in advance.
When i tried to compile DeleteRecordByTerminateProcessEx.cpp
--------------------Configuration: mingw5 - CUI Debug, Builder Type: MinGW--------------------
Compiling F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyTerminateProcessEx.cpp...
[Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyTerminateProcessEx.cpp:2:20: winevt.h: No such file or directory
[Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyTerminateProcessEx.cpp:14: error: ISO C++ forbids declaration of NTSTATUS' with no type [Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyTerminateProcessEx.cpp:14: error: typedef NTSTATUS' is initialized (use typeof instead)
[Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyTerminateProcessEx.cpp:14: error: expected primary-expression before "attribute"
[Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyTerminateProcessEx.cpp:14: error: expected ,' or ;' before '(' token
[Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyTerminateProcessEx.cpp:142: error: printf' was not declared in this scope [Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyTerminateProcessEx.cpp:155: error: cannot convert WCHAR*' to const CHAR*' for argument 10' to BOOL EnumServicesStatusExA(SC_HANDLE__*, SC_ENUM_TYPE, DWORD, DWORD, BYTE*, DWORD, DWORD*, DWORD*, DWORD*, const CHAR*)' [Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyTerminateProcessEx.cpp:160: error: printf' was not declared in this scope
[Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyTerminateProcessEx.cpp:164: error: cannot convert WCHAR*' to const CHAR*' for argument 10' to BOOL EnumServicesStatusExA(SC_HANDLE__, SC_ENUM_TYPE, DWORD, DWORD, BYTE, DWORD, DWORD*, DWORD*, DWORD*, const CHAR*)'
[Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyTerminateProcessEx.cpp:168: error: cannot convert CHAR*' to const wchar_t*' for argument 1' to size_t wcslen(const wchar_t*)'
[Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyTerminateProcessEx.cpp:168: error: _wcslwr_s' was not declared in this scope [Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyTerminateProcessEx.cpp:169: error: cannot convert CHAR*' to const wchar_t*' for argument 1' to wchar_t* wcsstr(const wchar_t*, const wchar_t*)' [Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyTerminateProcessEx.cpp:171: error: printf' was not declared in this scope
[Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyTerminateProcessEx.cpp:192: error: cannot convert WCHAR*' to CHAR*' for argument 1' to UINT GetSystemDirectoryA(CHAR*, UINT)'
[Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyTerminateProcessEx.cpp:193: error: cannot convert WCHAR*' to CHAR*' for argument 1' to CHAR* lstrcatA(CHAR*, const CHAR*)'
[Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyTerminateProcessEx.cpp:194: error: cannot convert WCHAR*' to CHAR*' for argument 1' to CHAR* lstrcatA(CHAR*, const CHAR*)'
[Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyTerminateProcessEx.cpp:195: error: cannot convert WCHAR*' to CHAR*' for argument 1' to CHAR* lstrcatA(CHAR*, const CHAR*)'
[Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyTerminateProcessEx.cpp:196: error: cannot convert WCHAR*' to CHAR*' for argument 1' to CHAR* lstrcatA(CHAR*, const CHAR*)'
[Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyTerminateProcessEx.cpp:197: error: cannot convert WCHAR*' to CHAR*' for argument 1' to CHAR* lstrcatA(CHAR*, const CHAR*)'
[Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyTerminateProcessEx.cpp:199: error: cannot convert WCHAR*' to CHAR*' for argument 1' to CHAR* lstrcatA(CHAR*, const CHAR*)'
[Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyTerminateProcessEx.cpp:201: error: EvtExportLogFilePath' was not declared in this scope [Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyTerminateProcessEx.cpp:201: error: EvtExportLog' was not declared in this scope
[Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyTerminateProcessEx.cpp:202: error: printf' was not declared in this scope [Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyTerminateProcessEx.cpp:218: error: _NtQuerySystemInformation' was not declared in this scope
[Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyTerminateProcessEx.cpp:218: error: expected ;' before "NtQuerySystemInformation" [Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyTerminateProcessEx.cpp:219: error: NtQuerySystemInformation' was not declared in this scope
[Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyTerminateProcessEx.cpp:221: error: printf' was not declared in this scope [Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyTerminateProcessEx.cpp:227: error: printf' was not declared in this scope
[Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyTerminateProcessEx.cpp:233: error: printf' was not declared in this scope [Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyTerminateProcessEx.cpp:238: error: NtQuerySystemInformation' was not declared in this scope
[Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyTerminateProcessEx.cpp:242: error: printf' was not declared in this scope [Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyTerminateProcessEx.cpp:273: error: printf' was not declared in this scope
[Warning] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyTerminateProcessEx.cpp:282: warning: cast to pointer from integer of different size
[Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyTerminateProcessEx.cpp:307: error: printf' was not declared in this scope [Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyTerminateProcessEx.cpp:324: error: printf' was not declared in this scope
[Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyTerminateProcessEx.cpp:336: error: printf' was not declared in this scope [Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyTerminateProcessEx.cpp:342: error: cannot convert WCHAR*' to CHAR*' for argument 1' to UINT GetSystemDirectoryA(CHAR*, UINT)' [Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyTerminateProcessEx.cpp:343: error: cannot convert WCHAR*' to CHAR*' for argument 1' to CHAR* lstrcatA(CHAR*, const CHAR*)' [Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyTerminateProcessEx.cpp:344: error: cannot convert WCHAR*' to CHAR*' for argument 1' to CHAR* lstrcatA(CHAR*, const CHAR*)' [Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyTerminateProcessEx.cpp:345: error: printf' was not declared in this scope
[Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyTerminateProcessEx.cpp:357: error: cannot convert _TCHAR*' to WCHAR*' for argument 1' to BOOL DeleteRecord(WCHAR*, WCHAR*)'
[Warning] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyTerminateProcessEx.cpp:377: warning: NULL used in arithmetic
[Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyTerminateProcessEx.cpp:386: error: cannot convert _TCHAR*' to WCHAR*' for argument 1' to BOOL CloseFileHandle(WCHAR*, DWORD)'
[Warning] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyTerminateProcessEx.cpp:387: warning: NULL used in arithmetic
[Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyTerminateProcessEx.cpp:395: error: cannot convert const wchar_t*' to const CHAR*' for argument 1' to BOOL CopyFileA(const CHAR*, const CHAR*, BOOL)'
[Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyTerminateProcessEx.cpp:401: error: cannot convert const wchar_t*' to const CHAR*' for argument 1' to BOOL DeleteFileA(const CHAR*)'
[Error] g++.exe: 5\mingw\include: No such file or directory
[Error] g++.exe: 5\mingw\include\c++\3.4.5: No such file or directory
[Error] g++.exe: 5\mingw\lib\gcc\mingw32\3.4.5\include: No such file or directory
[Error] g++.exe: 5\mingw\bin: No such file or directory
[Error] g++.exe: 5\mingw\mingw32\bin: No such file or directory
Complete Build DeleteRecordbyTerminateProcessEx: 48 error(s), 3 warning(s)
DeleteRecordByGetHandle
--------------------Configuration: mingw5 - CUI Debug, Builder Type: MinGW--------------------
Compiling F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyGetHandle.cpp...
[Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyGetHandle.cpp:59: error: ISO C++ forbids declaration of NTSTATUS' with no type [Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyGetHandle.cpp:59: error: typedef NTSTATUS' is initialized (use typeof instead)
[Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyGetHandle.cpp:59: error: expected primary-expression before "attribute"
[Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyGetHandle.cpp:59: error: expected ,' or ;' before '(' token
[Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyGetHandle.cpp:144: error: invalid conversion from int (*)()' to void*'
[Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyGetHandle.cpp:366: error: integer constant is too large for "long" type
[Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyGetHandle.cpp:397: error: integer constant is too large for "long" type
[Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyGetHandle.cpp:398: error: integer constant is too large for "long" type
[Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyGetHandle.cpp:399: error: integer constant is too large for "long" type
[Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyGetHandle.cpp:474: error: integer constant is too large for "long" type
[Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyGetHandle.cpp:474: error: integer constant is too large for "long" type
[Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyGetHandle.cpp:524: error: integer constant is too large for "long" type
[Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyGetHandle.cpp:524: error: integer constant is too large for "long" type
[Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyGetHandle.cpp:530: error: integer constant is too large for "long" type
[Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyGetHandle.cpp:531: error: integer constant is too large for "long" type
[Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyGetHandle.cpp:532: error: integer constant is too large for "long" type
[Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyGetHandle.cpp:611: error: sscanf_s' was not declared in this scope [Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyGetHandle.cpp:627: error: invalid conversion from int' to const wchar_t*' [Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyGetHandle.cpp:627: error: initializing argument 2 of int swprintf(wchar_t*, const wchar_t*, ...)'
[Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyGetHandle.cpp:628: error: _wcslwr_s' was not declared in this scope [Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyGetHandle.cpp:635: error: _NtQuerySystemInformation' was not declared in this scope
[Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyGetHandle.cpp:635: error: expected ;' before "NtQuerySystemInformation" [Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyGetHandle.cpp:636: error: NtQuerySystemInformation' was not declared in this scope
[Error] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyGetHandle.cpp:655: error: `NtQuerySystemInformation' was not declared in this scope
[Warning] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyGetHandle.cpp:691: warning: cast to pointer from integer of different size
[Warning] F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyGetHandle.cpp:751: warning: cast to pointer from integer of different size
[Error] g++.exe: 5\mingw\include: No such file or directory
[Error] g++.exe: 5\mingw\include\c++\3.4.5: No such file or directory
[Error] g++.exe: 5\mingw\lib\gcc\mingw32\3.4.5\include: No such file or directory
[Error] g++.exe: 5\mingw\bin: No such file or directory
[Error] g++.exe: 5\mingw\mingw32\bin: No such file or directory
Complete Compile F:\Lkms19\Hry\editlog\Eventlogedit-evtx--Evolution-master\DeleteRecordbyGetHandle.cpp: 29 error(s), 2 warning(s)
so i just spent 5 hours reading the details which are in chinese and I have no clue how to work with the .exe files?
it just opens cmd and blinks.
Request: for a port
Hi,
could you please make a port of this code into powershell ?
Thanks
openfile error
Hello,
I get openfile error when running DeleteRecordofFile.exe from commandline.
What does it mean? Any suggestions how to fix it? I dont have the logs open.
Thanx.
how to get here? please help
xml EvtxRecordId Error!
Here!
DeleteRecordofFile and DeleteRecordbyGetHandle:
*v7 = eventRecordIdentifier;
===>
*v7 = *v7 - 1;
When the first recordID is not 1 , it will be wrong.
Help???
I installed python and pip but i dont know what to do next. how to enable evtx commands? what to do with the .cpp files on your page? Please help.
FreeSpaceOffset is 0
At the file Eventlogedit-evtx--Evolution/DeleteRecordofFile.cpp
unsigned char *ChecksumBuf1 = new unsigned char[currentChunk->FreeSpaceOffset - 512];
memcpy(ChecksumBuf1, (PBYTE)currentChunk + 512, currentChunk->FreeSpaceOffset - 512);
crc32 = GetCRC32(ChecksumBuf1, currentChunk->FreeSpaceOffset - 512);
In this portion of code, you may have a bug/untreated case if there is the value of FreeSpaceOffset is 0.
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.