Windows Eventlog の見方？（解析）

Blog

2023.02.252023.10.22

Element start #7

OpenStartElementTagToken: 0x01
DependencyIdentifier: 0x0002
DataSize: 0x001C
ElementNameOffset: 0x049C
Unknown: 0x00000000
NameHash: 0xCE64
NumberOfCharacters: 0x04
Name: "Task"(0x0054, 0x0061, 0x0073, 0x006B, 0x0000)

Close start element tag

Optional substitution

OptionalSubstitutionToken: 0x0E
SubstitutionIdentifier: 0x0002
ValueType:0x06(UInt16Type)

Close end element tag

<Task>%0x0002</Task>

Element Start #8

OpenStartElementTagToken: 0x01
DependencyIdentifier: 0x0001
DataSize: 0x0020
ElementNameOffset: 0x04BF
Unknown: 0x00000000
NameHash: 0x1EAE
NumberOfCharacters: 0x06
Name: "Opecode"(0x004F, 0x0070, 0x0063, 0x006F, 0x0064, 0x0065) 
CloseStartElementTag: 0x02

Optional substitution

OptionalSubstitutionToken: 0x0E
SubstitutionIdentifier: 0x0001
ValueType:0x04(UInt8Type)

Close end element tag

<Opecode>%0x0001</Opecode>

Element Start #9

OpenStartElementTagToken: 0x01
DependencyIdentifier: 0x0005
DataSize: 0x0024
ElementNameOffset: 0x04E6
Unknown: 0x00000000
NameHash: 0xCF6A
NumberOfCharacters: 0x08
Name: "Keywords"(0x004B, 0x0065, 0x0079, 0x0077, 0x006F, 0x0072, 0x0064, 0x0073, 0x0000) 
CloseStartElementTag: 0x02

Optional substitution

OptionalSubstitutionToken: 0x0E
SubstitutionIdentifier: 0x0005
ValueType:0x15(HexInt64Type)

Close end element tag

<Keywords>%0x0005</Keywords>

Element Start #10

OpenStartElementTagToken: 0x41
DependencyIdentifier: 0xFFFF
DataSize: 0x0050
ElementNameOffset: 0x0511
Unknown: 0x00000000
NameHash: 0x8E3B
NumberOfCharacters: 0x0B
Name: "TimeCreated"(0x0054, 0x0069, 0x006D, 0x0065, 0x0043, 0x0072, 0x0065, 0x0061, 0x0074, 0x0065, 0x0064, 0x0000)

Attribute List

DataSize：0x27

Attribute

AttributeToken: 0x06
AttributeNameOffset: 0x053A
Unknown: 0x0000026A
NameHash: 0x7E3C
NumberOfCharacters: 0x0A
Name: "SystemTime"(0x0053, 0x0079, 0x0073, 0x0074, 0x0065,0x006D,0x0054,0x0069,0x006D,0x0065,0x0000)

Optional substitution

OptionalSubstitutionToken: 0x0E
SubstitutionIdentifier: 0x0006
ValueType:0x11(FileTimeType)

Close empty element tag

<TimeCreated SystemTime=%0x0006 />

Element Start #11

OpenStartElementTagToken: 0x1
DependencyIdentifier: 0xFFFF
DataSize: 0x0050
ElementNameOffset: 0x0511
Unknown: 0x00000000
NameHash: 0x8E3B
NumberOfCharacters: 0x0B
Name: "EventRecordID"()

Optional substitution

OptionalSubstitutionToken: 0x0E
SubstitutionIdentifier: 0x000A
ValueType:0x0A(UInt64Type)

Close end element tag

<EventRecordID>%000A</EventRecordID>

Element Start #12

OpenStartElementTagToken: 0x41
DependencyIdentifier: 0xFFFF
DataSize: 0x0085
ElementNameOffset: 0x059D
Unknown: 0x00000000
NameHash: 0xF2A2
NumberOfCharacters: 0x0B
Name: "Correlation"

Attribute List

DataSize：0x5C

Attribute

AttributeToken: 0x46
AttributeNameOffset: 0x05C6
Unknown: 0x00000000
NameHash: 0xF10A
NumberOfCharacters: 0x0A
Name: "ActivityID"(0x0041, 0x0063, 0x0074, 0x0069, 0x0074,0x0069,0x0076,0x0069,0x0074,0x0079,0x0049,0x0044,0x0000)

Optional substitution

OptionalSubstitutionToken: 0x0E
SubstitutionIdentifier: 0x0007
ValueType:0x0F(GuidType)

Attribute

AttributeToken: 0x06
AttributeNameOffset: 0x05ED
Unknown: 0x000003FA
NameHash: 0x35C5
NumberOfCharacters: 0x11
Name: "RelatedActivityID"

Optional substitution

OptionalSubstitutionToken: 0x0E
SubstitutionIdentifier: 0x0012
ValueType:0x0F(GuidType)

Close empty element tag

<Correlation ActivityID="%0x0007" RelatedActivityID="%0x0012" />

Element Start #13

OpenStartElementTagToken: 0x41
DependencyIdentifier: 0xFFFF
DataSize: 0x006D
ElementNameOffset: 0x0629
Unknown: 0x00000000
NameHash: 0xB5B8
NumberOfCharacters: 0x09
Name: "Execution"

Attribute List

DataSize：0x48

Attribute

AttributeToken: 0x46
AttributeNameOffset: 0x064E
Unknown: 0x000005C6
NameHash: 0xD70A
NumberOfCharacters: 0x09
Name: "ProcessID"

Optional substitution

OptionalSubstitutionToken: 0x0E
SubstitutionIdentifier: 0x0008
ValueType:0x08(UInt32Type
)

Attribute

AttributeToken: 0x06
AttributeNameOffset: 0x0673
Unknown: 0x0000049C
NameHash: 0x3985
NumberOfCharacters: 0x08
Name: "ThreadID"

Optional substitution

OptionalSubstitutionToken: 0x0E
SubstitutionIdentifier: 0x0009
ValueType:0x08(UInt32Type)

Close empty element tag

<Execution ProcessID="%0x0008" ThreadID="%0x0009" />

Element Start #14

OpenStartElementTagToken: 0x01
DependencyIdentifier: 0xFFFF
DataSize: 0x0032
ElementNameOffset: 0x069D
Unknown: 0x00000000
NameHash: 0x6183
NumberOfCharacters: 0x07
Name: "Channel"
CloseStartElementTag: 0x02

Value text

ValueToken: 0x05
ValueType: 0x01
NumberOfCharacters:0x08
Value: Security

Close end element tag

<Channel>Security</Channel>

Element Start #15

OpenStartElementTagToken: 0x01
DependencyIdentifier: 0xFFFF
DataSize: 0x003C
ElementNameOffset: 0x06D6
Unknown: 0x00000511
NameHash: 0x6E3B
NumberOfCharacters: 0x08
Name: "Computer"
CloseStartElementTag: 0x02

Value Text

ValueToken: 0x05
ValueType: 0x01
NumberOfCharacters:0x0C
Value: TestComputer

Close end element tag

<Computer>TestComputer</Computer>

Element Start #16

OpenStartElementTagToken: 0x41
DependencyIdentifier: 0xFFFF
DataSize: 0x0042
ElementNameOffset: 0x0719
Unknown: 0x00000000
NameHash: 0x2E0A
NumberOfCharacters: 0x08
Name: "Security"

Attribute List

DataSize：0x1F

Attribute

Value	Identifier	Description
0x00	BinXmlTokenEOF	End of file
0x01 0x41	BinXmlTokenOpenStartElementTag	Open start element tag Indicates the start of a start element, correlates to ‘<‘ in ‘<Event>’
0x02	BinXmlTokenCloseStartElementTag	Close start element tag Indicates the end of a start element, correlates to ‘>’ in ‘<Event>’
0x03	BinXmlTokenCloseEmptyElementTag	Close empty element tag Indicates the end of a start element, correlates to ‘/>’ in ‘<Event/>’
0x04	BinXmlTokenEndElementTag	Close end element tag Indicates the end of element, correlates to ‘</Event>’
0x05 0x45	BinXmlTokenValue	Value
0x06 0x46	BinXmlTokenAttribute	Attribute
0x07 0x47	BinXmlTokenCDATASection	CDATA section
0x08 0x48	BinXmlTokenCharRef	Character entity reference
0x09 0x49	BinXmlTokenEntityRef	Entity reference
0x0a	BinXmlTokenPITarget	Processing instructions (PI) target XML processing instructions
0x0b	BinXmlTokenPIData	Processing instructions (PI) data XML processing instructions
0x0c	BinXmlTokenTemplateInstance	Template instance
0x0d	BinXmlTokenNormalSubstitution	Normal substitution
0x0e	BinXmlTokenOptionalSubstitution	Optional substitution
0x0f	BinXmlFragmentHeaderToken	Fragment header token