fox-it / dissect.etl Goto Github PK

hi,

I'm trying to use dissect.etl on an etl file generated by WindowsUpdate, but can't extract the details of each event : is this possible ?

WindowsUpdate manifest is present in the manifests subfolder, but I can't see how to use it or rely on it...

a little help would be greatly appreciated ;-)

regards, lacsaP.

Currently, the focus was on the manifest provider.
there are other providers (mostly legacy) that need to be incorporated.

Ordered in terms of priority:

• TMF: Currently used

• MOF: Legacy

• WPP: Legacy

  There was also the idea to create some etl files for those systems... Those are old windows versions. It was introduced in windows 2000.

  And included, there is a high chance that the buffer class needs to be changed to accommodate older buffer headers.

Pretty print specific information of the TMF provider

Pretty print other information of an event

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/tracerpt_1#BKMK_EXAMPLES

This tools dumps provider schemas, although the information is not complete

Research ticket

Branch dissect.etl with cstruct patches and dependency on >=4.0.dev <=5.0.dev