EricZimmerman / evtx

C# based evtx parser with lots of extras

syntax errors with System1 and System42 maps

lawrenpoh opened this issue · comments

Hi, I'm running into problems with syntax errors for the System1 and System42 maps, with a similar error message shown below.
```
Syntax error in 'C:\Zimmerman\EvtxExplorer\Maps\System_1.map':
Author: Eric Zimmerman
Description: Sleep/wake events
EventId: 1
Channel: "System"
Provider: "Microsoft-Windows-Power-Troubleshooter"
Maps:
  -
    Property: PayloadData1
    PropertyValue: Sleep duration "%SleepDuration%"
    Values:
      -
        Name: SleepDuration
        Value: "/Event/EventData/Data[@Name=\"SleepDuration\"]"
  -
    Property: PayloadData2
    PropertyValue: Wake source "%WakeSourceType%"
    Values:
      -
        Name: WakeSourceType
        Value: "/Event/EventData/Data[@Name=\"WakeSourceType\"]"
  -
    Property: PayloadData3
    PropertyValue: Wake source text "%WakeSourceText%"
    Values:
      -
        Name: WakeSourceText
        Value: "/Event/EventData/Data[@Name=\"WakeSourceText\"]"

Lookups:
  -
    Name: WakeSourceType
    Default: Unknown code
    Values:
      0: Unknown
      1: Power button
      3: Waking from sleep to hibernate
      5: Device (See WakeSourceText for details)
      6: Timer (See WakeSourceText for details)

# Valid properties include:
# UserName
# RemoteHost
# ExecutableInfo --> used for things like process command line, scheduled task, info from service install, etc.
# PayloadData1 through PayloadData6

#Sample Event - derived from the event template.
#
#
#
#1
#3
#4
#0
#0
#0x8000000000000000
#
#2671
#
#
#System
#win-gist
#
#
#
#2020-09-18 03:18:35.0664609
#2020-09-18 03:28:35.8899669
#1029
#6389
#5716
#1042
#0
#0
#0
#1912628224
#4
#4
#6
#128
#Windows will execute 'NT TASK\Microsoft\Windows\UpdateOrchestrator\Reboot_AC' scheduled task that requested waking the computer.
#52
#18
#0
#\Device\HarddiskVolume3\Windows\System32\svchost.exe
#SystemEventsBroker
#98
#
#
Property 'Provider' not found on type 'evtx.EventLogMap'.

Verify all properties against example files or manual and try again.
```
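The map in the error output is a YAML description of how EvtxECmd fills its output columns: each Maps entry names an output property (PayloadData1 etc.), a template, and the XPath into the event's EventData that fills each %placeholder%, while a Lookups entry with the same Name as a value translates its numeric code into text. The top-level Provider key is what the older binary trips over. As an added example (not the project's own code, and in Python rather than the tool's C#), the script below transcribes this map into a dict, reports which top-level keys a parser with an older schema would reject, and applies the map to a constructed sample event. The key sets for the old and new builds, the exact matching rule (Channel, EventId and Provider must agree with the event), and the lookup semantics are assumptions modelled on the map shown in this issue, not taken from EvtxECmd's source; the sample event omits the Windows event XML namespace so the map's XPaths can be used with ElementTree directly.

```python
"""Added example, not code from the evtx project: apply an EvtxECmd-style map
to an event and list the top-level map keys a given parser build rejects."""
import xml.etree.ElementTree as ET

# Top-level EventLogMap keys. The split is an assumption modelled on the error in
# this issue: the older build rejects 'Provider', the newer build knows it.
KNOWN_KEYS_OLD = {"Author", "Description", "EventId", "Channel", "Maps", "Lookups"}
KNOWN_KEYS_NEW = KNOWN_KEYS_OLD | {"Provider"}


def _entry(prop, label, name):
    """One Maps item: PropertyValue template plus the XPath that fills %name%."""
    return {"Property": prop, "PropertyValue": f'{label} "%{name}%"',
            "Values": [{"Name": name,
                        "Value": f'/Event/EventData/Data[@Name="{name}"]'}]}


# System_1.map from the issue, transcribed into the dict form a YAML loader
# would produce (constructed here so the example runs without a YAML library).
SYSTEM_1_MAP = {
    "Author": "Eric Zimmerman",
    "Description": "Sleep/wake events",
    "EventId": 1,
    "Channel": "System",
    "Provider": "Microsoft-Windows-Power-Troubleshooter",
    "Maps": [_entry("PayloadData1", "Sleep duration", "SleepDuration"),
             _entry("PayloadData2", "Wake source", "WakeSourceType"),
             _entry("PayloadData3", "Wake source text", "WakeSourceText")],
    "Lookups": [{"Name": "WakeSourceType", "Default": "Unknown code",
                 "Values": {0: "Unknown", 1: "Power button",
                            3: "Waking from sleep to hibernate",
                            5: "Device (See WakeSourceText for details)",
                            6: "Timer (See WakeSourceText for details)"}}],
}

# Constructed sample event; values loosely follow the sample event in the issue.
# Real evtx XML carries the Microsoft event xmlns; it is omitted here so the
# map's XPaths work with ElementTree without namespace handling (assumption).
SAMPLE_EVENT = r"""<Event>
  <System>
    <Provider Name="Microsoft-Windows-Power-Troubleshooter"/>
    <EventID>1</EventID>
    <Channel>System</Channel>
  </System>
  <EventData>
    <Data Name="SleepDuration">1029</Data>
    <Data Name="WakeSourceType">6</Data>
    <Data Name="WakeSourceText">Windows will execute 'NT TASK\Microsoft\Windows\UpdateOrchestrator\Reboot_AC' scheduled task that requested waking the computer.</Data>
  </EventData>
</Event>"""


def unknown_keys(event_map, known_keys):
    """Keys a parser limited to known_keys would reject: the cause of the
    "Property 'Provider' not found on type 'evtx.EventLogMap'" error above."""
    return sorted(set(event_map) - known_keys)


def map_applies(event_map, root):
    """True when Channel, EventId and (if the map has one) Provider match.
    Without Provider, two providers sharing a channel and event ID collide."""
    system = root.find("System")
    if system is None or system.findtext("Channel") != event_map["Channel"]:
        return False
    if int(system.findtext("EventID", "-1")) != event_map["EventId"]:
        return False
    wanted = event_map.get("Provider")
    provider = system.find("Provider")
    return wanted is None or (provider is not None and provider.get("Name") == wanted)


def apply_map(event_map, event_xml):
    """Evaluate each Values XPath, pass it through a same-named Lookup if one
    exists, substitute into PropertyValue, and return {Property: text}."""
    root = ET.fromstring(event_xml)
    if not map_applies(event_map, root):
        return {}
    lookups = {lk["Name"]: lk for lk in event_map.get("Lookups", [])}
    result = {}
    for entry in event_map["Maps"]:
        text = entry["PropertyValue"]
        for val in entry["Values"]:
            # Map XPaths are absolute ('/Event/...'); ElementTree needs them relative.
            node = root.find(val["Value"].replace("/Event/", "./", 1))
            raw = (node.text or "") if node is not None else ""
            if val["Name"] in lookups:
                lk = lookups[val["Name"]]
                try:
                    raw = lk["Values"].get(int(raw), lk["Default"])
                except ValueError:
                    raw = lk["Default"]
            text = text.replace(f"%{val['Name']}%", raw)
        result[entry["Property"]] = text
    return result


if __name__ == "__main__":
    print("old build rejects:", unknown_keys(SYSTEM_1_MAP, KNOWN_KEYS_OLD))
    for prop, text in apply_map(SYSTEM_1_MAP, SAMPLE_EVENT).items():
        print(prop, "=", text)
```

Run against the old key set the script reports `['Provider']`, which is the one key the older binary's EventLogMap type lacks; against the new set it reports nothing, which is why simply updating the executable resolves the error. Codes absent from the lookup fall back to the map's Default, and an event whose Provider does not match the map is skipped.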

commented

Sounds like you need to update to the latest binary version of the executable.

Redownload it and then try again. That property was added when I did my last update, but I can't remember if I bumped the version number or not.

I just updated the other day when I had this issue and I believe it went from 0.6.0.1 to 0.6.0.2, with .2 being the one that can properly handle the new added property.

commented

0602 with SHA1: E8897D8A806F3C1DB477B9A104924F7029AD81F8 syncs fine.

I also just processed a system hive without issue. Do the ps1 update script again and see what it does.

@lawrenpoh did updating work for you? It worked for me and I had no issues when I had this problem. It seems like updating EVTXECmd is the way to go for this.