{"id":21605313,"url":"https://github.com/omerbenamram/evtx","last_synced_at":"2026-04-01T22:25:25.892Z","repository":{"id":34407638,"uuid":"178617867","full_name":"omerbenamram/evtx","owner":"omerbenamram","description":"A Fast (and safe) parser for the Windows XML Event Log (EVTX) format","archived":false,"fork":false,"pushed_at":"2026-03-21T23:54:29.000Z","size":8054,"stargazers_count":892,"open_issues_count":12,"forks_count":78,"subscribers_count":21,"default_branch":"master","last_synced_at":"2026-03-22T12:18:39.443Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/omerbenamram.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE-APACHE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null}},"created_at":"2019-03-30T22:29:15.000Z","updated_at":"2026-03-21T23:54:32.000Z","dependencies_parsed_at":"2024-06-18T15:28:44.887Z","dependency_job_id":"1b9ad6c9-432a-43c5-9f59-e872bc866bbe","html_url":"https://github.com/omerbenamram/evtx","commit_stats":{"total_commits":534,"total_committers":16,"mean_commits":33.375,"dds":0.2359550561797753,"last_synced_commit":"6f374c8d42370397a6fd45d69ebb9b46dfbf73ae"},"previous_names":[],"tags_count":48,"template":false,"template_full_name":null,"purl":"pkg:github/omerbenamram/evtx","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/omerbenamram%2Fevtx","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/omerbenamram%2Fevtx/tag
s","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/omerbenamram%2Fevtx/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/omerbenamram%2Fevtx/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/omerbenamram","download_url":"https://codeload.github.com/omerbenamram/evtx/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/omerbenamram%2Fevtx/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31292639,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-01T21:15:39.731Z","status":"ssl_error","status_checked_at":"2026-04-01T21:15:34.046Z","response_time":53,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-24T20:01:58.279Z","updated_at":"2026-04-01T22:25:25.818Z","avatar_url":"https://github.com/omerbenamram.png","language":"Rust","funding_links":[],"categories":["Other Lists","others"],"sub_categories":["🛡️ DFIR:"],"readme":"\u003ch1 align=\"center\"\u003e\u003cimg style=\"padding:0;vertical-align:bottom;\" height=\"32\" width=\"32\" src=\"/eventvwr.ico\"/\u003e EVTX\u003c/h1\u003e\n\u003cdiv align=\"center\"\u003e\n \u003cp\u003e\n  \u003cstrong\u003e\n   A cross-platform parser for the Windows XML EventLog format\n  \u003c/strong\u003e\n\n \u003c/p\u003e\n\u003c/div\u003e\n\n\u003cbr 
/\u003e\n\n\u003cdiv align=\"center\"\u003e\n  \u003c!-- Crates version --\u003e\n  \u003ca href=\"https://crates.io/crates/evtx\"\u003e\n    \u003cimg src=\"https://img.shields.io/crates/v/evtx.svg?style=flat-square\"\n    alt=\"Crates.io version\" /\u003e\n  \u003c/a\u003e\n  \u003c!-- Downloads --\u003e\n  \u003ca href=\"https://crates.io/crates/evtx\"\u003e\n    \u003cimg src=\"https://img.shields.io/crates/d/evtx.svg?style=flat-square\"\n      alt=\"Download\" /\u003e\n  \u003c/a\u003e\n  \u003c!-- docs.rs docs --\u003e\n  \u003ca href=\"https://docs.rs/evtx\"\u003e\n    \u003cimg src=\"https://img.shields.io/badge/docs-latest-blue.svg?style=flat-square\"\n      alt=\"docs.rs docs\" /\u003e\n  \u003c/a\u003e\n   \u003ca href=\"https://github.com/rust-secure-code/safety-dance/\"\u003e\n    \u003cimg src=\"https://img.shields.io/badge/unsafe-forbidden-success.svg\"\n      alt=\"safety-dance\" /\u003e\n  \u003c/a\u003e\n  \u003ca href=\"https://github.com/omerbenamram/evtx/actions/workflows/test.yml\"\u003e\n    \u003cimg src=\"https://github.com/omerbenamram/evtx/actions/workflows/test.yml/badge.svg\"\n      alt=\"Build status\" /\u003e\n  \u003c/a\u003e\n\u003c/div\u003e\n\n\u003c/br\u003e\n\n## Features\n\n - 🔒 Implemented using 100% safe rust - and works on all platforms supported by rust (that have stdlib).\n - ⚡ Fast - see benchmarks below. It's faster than any other implementation by order(s) of magnitude!\n - 🚀 Multi-threaded.\n - ✨ Supports XML and JSON outputs, both being directly constructed from a shared intermediate representation (IR) (no xml2json conversion is performed!)\n - ⛏️ Supports some basic recovery of missing records/chunks!\n - 🐍 Python bindings are available as well at https://github.com/omerbenamram/pyevtx-rs (and at PyPi https://pypi.org/project/evtx/)\n\n## Web-based Viewer (EVTX Web)\n\n![EVTX Web Screenshot](/evtx_web_ui.png)\n\nPrefer a zero-install option?  
A fully-featured EVTX explorer runs right in your browser, powered by the same Rust core compiled to WebAssembly.\n\n👉 **Try it now:** \u003chttps://omerbenamram.github.io/evtx/\u003e\n\nEverything happens locally – files never leave your machine.  Highlights:\n\n* Drag-and-drop `.evtx` files (or click to browse) – handles very large logs!\n* Blazing-fast parsing via WebAssembly and virtual-scroll rendering\n* Faceted filters on level, provider, channel, Event ID, and dynamic `EventData` fields – all backed by DuckDB-WASM\n* Full-text search, column management, and on-the-fly JSON/XML export of the filtered set\n* Light/dark themes, keyboard navigation, and a Windows-style UI\n\nThe viewer is served statically from GitHub Pages; after the first load it works completely offline.\n\n## Installation (associated binary utility):\n  - Download latest executable release from https://github.com/omerbenamram/evtx/releases\n    - Releases are automatically built for Windows, macOS, and Linux. 
(64-bit executables only)\n  - Build from sources using `cargo install evtx`\n\n# `evtx_dump` (Binary utility):\nThe main binary utility provided with this crate is `evtx_dump`, and it provides a quick way to convert `.evtx` files to\ndifferent output formats.\n\nSome examples:\n  - `evtx_dump \u003cevtx_file\u003e` will dump contents of evtx records as xml.\n  - `evtx_dump -o json \u003cevtx_file\u003e` will dump contents of evtx records as JSON.\n  - `evtx_dump -f \u003coutput_file\u003e -o json \u003cinput_file\u003e` will dump contents of evtx records as JSON to a given file.\n  - `cat \u003cevtx_file\u003e | evtx_dump -o jsonl -` will read the EVTX file from stdin (useful for piping/decompression).\n\n`evtx_dump` can be combined with [fd](https://github.com/sharkdp/fd) for convenient batch processing of files:\n  - `fd -e evtx -x evtx_dump -o jsonl` will scan a folder and dump all evtx files to a single jsonlines file.\n  - `fd -e evtx -x evtx_dump '{}' -f '{.}.xml'` will create an xml file next to each evtx file, for all files in folder recursively!\n  - If the source of the file needs to be added to json, `xargs` (or `gxargs` on mac) and `jq` can be used: `fd -a -e evtx | xargs -I input sh -c \"evtx_dump -o jsonl input | jq --arg path \"input\" '. + {path: \\$path}'\"`\n\n**Note:** by default, `evtx_dump` will try to utilize multithreading; this means that the records may be returned out of order.\n\nTo force single threaded usage (which will also ensure order), `-t 1` can be passed.\n\n## Offline template rendering (WEVT_TEMPLATE)\n\nEVTX records can reference template definitions stored in provider binaries (EXE/DLL/SYS). 
`evtx_dump` can extract those templates into an offline cache and use them at render time.\n\n**Note:** this functionality requires building `evtx_dump` with the Cargo feature `wevt_templates` (release binaries may already include it).\n\n- Build a cache (single portable `.wevtcache` file):\n  - `evtx_dump extract-wevt-templates --input \u003cprovider.dll\u003e --output /tmp/wevt_cache.wevtcache --overwrite`\n- Dump an EVTX file while using the cache (deterministic rule: only applies when a record fails due to an explicit missing/corrupt template GUID):\n  - `evtx_dump --wevt-cache /tmp/wevt_cache.wevtcache \u003clog.evtx\u003e`\n\nDebugging helpers:\n- Dump a record’s `TemplateInstance` substitution values (JSONL):\n  - `evtx_dump dump-template-instances --input \u003clog.evtx\u003e --record-id \u003cID\u003e | head -n1`\n- Render a specific template GUID with substitutions (XML to stdout):\n  - `evtx_dump apply-wevt-cache --cache /tmp/wevt_cache.wevtcache --template-guid \u003cGUID\u003e --evtx \u003clog.evtx\u003e --record-id \u003cID\u003e`\n\nSee [`docs/wevt_templates.md`](docs/wevt_templates.md) for details and background (issue #103).\n\n## Example usage (as library):\n```rust\nuse evtx::EvtxParser;\nuse std::path::PathBuf;\n\nfn main() {\n    // Change this to a path of your .evtx sample.\n    let fp = PathBuf::from(format!(\"{}/samples/security.evtx\", std::env::var(\"CARGO_MANIFEST_DIR\").unwrap()));\n\n    let mut parser = EvtxParser::from_path(fp).unwrap();\n    // Each item is a Result: a parsed record, or the error for a record that could not be decoded.\n    for record in parser.records() {\n        match record {\n            Ok(r) =\u003e println!(\"Record {}\\n{}\", r.event_record_id, r.data),\n            Err(e) =\u003e eprintln!(\"{}\", e),\n        }\n    }\n}\n```\n\nThe parallel version is enabled when compiling with feature \"multithreading\" (enabled by default).\n\n## Performance benchmarking\n\nWhen using multithreading - `evtx` is significantly faster than any other parser available.\nFor single core performance, it is both the fastest and the only cross-platform parser that supports 
both xml and JSON outputs.\n\nPerformance was benched on my machine using `hyperfine` (statistical measurements tool).\n\nI'm running tests on a 12-Core AMD Ryzen 3900X.\n\nBench run: **January 2026**.\n\nSystem: **Arch Linux** (`Linux 6.17.9-arch1-1 x86_64`).\n\nBenchmark commit: `e01782a`.\n\nLibraries benched:\n\n- `python-evtx`(https://github.com/williballenthin/python-evtx) - With CPython and PyPy\n- `pyevtx-rs`(https://github.com/omerbenamram/pyevtx-rs) / `evtx`(https://pypi.org/project/evtx/) - Python bindings for this library\n- `libevtx`(https://github.com/libyal/libevtx)\n- `golang-evtx`(https://github.com/0xrawsec/golang-evtx.git) - only JSON (uses multithreading)\n- `evtx`(https://github.com/Velocidex/evtx) - only JSON.\n- `evtx` (This library)\n\n\n|                  | evtx (1 thread)      | evtx (8 threads)      | evtx (24 threads)         | libevtx (C)          | velocidex/evtx (go)  | golang-evtx (uses multiprocessing) | pyevtx-rs (CPython 3.13.11) | python-evtx (CPython 3.13.11) | python-evtx (PyPy 7.3.19) |\n|------------------|----------------------|-----------------------|---------------------------|----------------------|----------------------|------------------------------------|-----------------------------|------------------------------|--------------------------|\n| 30MB evtx (XML)  | 275.9 ms ±   2.1 ms  | 96.9 ms ±   1.3 ms    | **79.5 ms ±   3.0 ms**    | 2.439 s ±   0.035 s  | No support           | No support                         | 0.367s (ran once)           | 2m41.075s (ran once)         | 40.096s (ran once)       |\n| 30MB evtx (JSON) | 280.7 ms ±   1.2 ms  | 94.1 ms ±   1.5 ms    | **77.9 ms ±   5.5 ms**    | No support           | 5.467 s ±   0.038 s  | 1.344 s ±   0.005 s               | 0.398s (ran once)           | No support                    | No support               |\n\n**Note**: numbers shown are `real-time` measurements (time it takes for invocation to complete). 
`user-time` measurements are higher when using more threads/processes, because of the synchronization overhead.\n\nWith 8 threads - `evtx` is more than **1600x** faster than `python-evtx` when dumping xml logs.\n\nWith maximum viable threads (number of logical cores) - `evtx` is about **14-17x** faster than `golang-evtx`. Both implementations utilize similar multithreading strategies.\n\n## Caveats\n\n- Currently unimplemented:\n   - CDATA nodes.\n   - EVTHandle node type.\n\nIf the parser errors on any of these nodes, feel free to open an issue or drop me an email with a sample.\n\n## License\n\nLicensed under either of\n\n * Apache License, Version 2.0, ([LICENSE-APACHE](LICENSE-APACHE) or http://www.apache.org/licenses/LICENSE-2.0)\n * MIT license ([LICENSE-MIT](LICENSE-MIT) or http://opensource.org/licenses/MIT)\n\nat your option.\n\n### Contribution\n\nUnless you explicitly state otherwise, any contribution intentionally submitted\nfor inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any\nadditional terms or conditions.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fomerbenamram%2Fevtx","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fomerbenamram%2Fevtx","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fomerbenamram%2Fevtx/lists"}