using System;
using System.IO;
using System.Threading.Tasks;
using System.Xml;
namespace evtxToXml
{
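public static class EvtxToXmlConverter
{
    /// <summary>
    /// Finds every <c>*.evtx</c> file under <paramref name="logPath"/> (recursively) and writes a
    /// sibling <c>.xml</c> file with the same base name, produced by <c>wevtutil query-events</c>.
    /// A file whose <c>.xml</c> sibling already exists is skipped, but it still counts toward
    /// progress so that the final report reaches 100 even for a partially pre-converted tree.
    /// Files are converted one at a time, in the order <see cref="Directory.GetFiles(string, string, SearchOption)"/> returns them.
    /// </summary>
    /// <param name="logPath">Root directory to search. Must exist.</param>
    /// <param name="updateProgress">Optional callback receiving the percentage (0-100) done after each file; may be null.</param>
    /// <exception cref="ArgumentNullException"><paramref name="logPath"/> is null.</exception>
    /// <exception cref="InvalidOperationException"><c>wevtutil</c> exited with a non-zero code for a file.</exception>
    /// <exception cref="XmlException"><c>wevtutil</c> produced output that is not well-formed XML.</exception>
    public static async Task ConvertEvtxFiles(string logPath, Action<double> updateProgress)
    {
        if (logPath == null)
        {
            throw new ArgumentNullException(nameof(logPath));
        }

        string[] evtxFiles = Directory.GetFiles(logPath, "*.evtx", SearchOption.AllDirectories);
        int totalFiles = evtxFiles.Length;
        int filesProcessed = 0;

        foreach (string evtx in evtxFiles)
        {
            // GetDirectoryName is annotated nullable; a path from GetFiles always has a directory,
            // but fall back to the root rather than passing null to Path.Combine.
            string directory = Path.GetDirectoryName(evtx) ?? logPath;
            string xmlFilePath = Path.Combine(directory, Path.GetFileNameWithoutExtension(evtx) + ".xml");

            if (!File.Exists(xmlFilePath))
            {
                // wevtutil is a blocking console tool; keep it off the caller's thread.
                await Task.Run(() => ConvertSingleFile(evtx, xmlFilePath));
                Console.WriteLine($"Conversion successful. XML saved to {xmlFilePath}");
            }

            // Counted whether converted or skipped; otherwise skipped files would leave the
            // progress bar short of 100%.
            filesProcessed++;
            double progress = (double)filesProcessed / totalFiles * 100;
            updateProgress?.Invoke(progress);
        }
    }

    /// <summary>
    /// Runs <c>wevtutil</c> on one <c>.evtx</c> file, strips illegal characters from its output,
    /// validates that the result parses as XML and saves it to <paramref name="xmlFilePath"/>.
    /// </summary>
    /// <param name="evtxFile">Full path of the event log file to convert.</param>
    /// <param name="xmlFilePath">Destination path of the XML document.</param>
    private static void ConvertSingleFile(string evtxFile, string xmlFilePath)
    {
        string evtxContent = RunWevtutilQueryEvents(evtxFile);
        string cleanedXmlContent = CleanXmlContent(evtxContent);

        XmlDocument xmlDoc = new XmlDocument();
        // The document comes from an external process and is re-serialized verbatim; never
        // resolve DTDs or external entities while loading it.
        xmlDoc.XmlResolver = null;
        xmlDoc.LoadXml(cleanedXmlContent);
        xmlDoc.Save(xmlFilePath);
    }

    /// <summary>
    /// Executes <c>wevtutil query-events "&lt;file&gt;" /logfile /element:root</c> and returns
    /// everything it wrote to standard output.
    /// </summary>
    /// <param name="evtxFile">Full path of the event log file; must not contain a double quote.</param>
    /// <returns>The raw standard output of <c>wevtutil</c>.</returns>
    /// <exception cref="ArgumentException"><paramref name="evtxFile"/> contains a double quote, which would break the quoted argument.</exception>
    /// <exception cref="InvalidOperationException"><c>wevtutil</c> exited with a non-zero code; the message carries its stderr.</exception>
    private static string RunWevtutilQueryEvents(string evtxFile)
    {
        // The path is embedded in a quoted command line; an embedded quote could close that
        // quote early and inject further arguments. Windows paths cannot contain one, so refuse.
        if (evtxFile.IndexOf('"') >= 0)
        {
            throw new ArgumentException("Path must not contain a double quote.", nameof(evtxFile));
        }

        using (System.Diagnostics.Process process = new System.Diagnostics.Process())
        {
            process.StartInfo.FileName = "wevtutil";
            process.StartInfo.Arguments = $"query-events \"{evtxFile}\" /logfile /element:root";
            process.StartInfo.RedirectStandardOutput = true;
            process.StartInfo.RedirectStandardError = true;
            process.StartInfo.UseShellExecute = false;
            process.StartInfo.CreateNoWindow = true;

            System.Text.StringBuilder stderr = new System.Text.StringBuilder();
            process.ErrorDataReceived += (sender, e) =>
            {
                if (e.Data != null)
                {
                    stderr.AppendLine(e.Data);
                }
            };

            process.Start();
            // Drain stderr asynchronously so a tool that writes a lot of diagnostics cannot fill
            // the pipe and deadlock while this thread blocks on stdout.
            process.BeginErrorReadLine();
            string output = process.StandardOutput.ReadToEnd();
            process.WaitForExit();

            if (process.ExitCode != 0)
            {
                // Without this check a failed run yields empty output and a far less useful
                // XmlException from LoadXml.
                throw new InvalidOperationException(
                    $"wevtutil exited with code {process.ExitCode} for \"{evtxFile}\": {stderr.ToString().Trim()}");
            }

            return output;
        }
    }

    /// <summary>
    /// Removes the control characters 0x01, 0x0F and 0x02, which are not legal XML 1.0 characters
    /// and make <see cref="XmlDocument.LoadXml"/> reject the document (presumably they appear in
    /// some event payloads emitted by <c>wevtutil</c>).
    /// </summary>
    /// <param name="xmlContent">Raw output of <c>wevtutil</c>.</param>
    /// <returns>The same text with those three characters removed.</returns>
    private static string CleanXmlContent(string xmlContent)
    {
        return xmlContent.Replace("\x01", "").Replace("\x0f", "").Replace("\x02", "");
    }
}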
}