Sun, 13 Oct 2013

Fix a corrupt event log

When performing forensics on a machine it's often best to pull the plug rather than perform a normal shutdown. On Windows boxes this can corrupt the event log. To fix this I once got some good advice from Lance Mueller of Guidance Software:

Here are simple instructions for repairing a "corrupted" (reportedly corrupted) event log....

This works with all three common Event logs (app, sec, sys)

Copy out the event log and use your favorite hex editor:

1. Do a search for \x11\x11\x11\x11\x22\x22\x22\x22
2. Skip 20 from the beginning of the found text (\x11\x11...etc)
3. Copy the next 8 bytes and paste at the beginning of the file, starting at offset 20
4. Go to offset 36 and change the value to "8"
5. Save the file
6. Open with Windows Event Viewer (eventvwr.exe)

Worked like a charm for me. I'm posting this here mostly so I don't have to track it down again next time I need it!
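The same six hex-editor steps, scripted against an in-memory copy of the .evt file. This is an added example, not Lance's or Guidance Software's code; the sample log it builds is constructed here, and the header field names come from the classic .evt header layout (48-byte header, EOF record starting with 0x11111111 0x22222222 0x33333333 0x44444444, flags dword at offset 36 whose low bit marks the log as dirty).

```python
import struct

# Marker the advice says to search for: the start of the EOF record's four magic dwords.
EOF_MARKER = b"\x11\x11\x11\x11\x22\x22\x22\x22"

HEADER_FIELDS = ("size", "signature", "major", "minor", "start", "end", "cur",
                 "oldest", "maxsize", "flags", "retention", "endsize")


def header_fields(data: bytes) -> dict:
    """Decode the 48-byte .evt header into named dwords (offset 20 = end, 24 = cur, 36 = flags)."""
    return dict(zip(HEADER_FIELDS, struct.unpack_from("<I4s10I", data, 0)))


def repair_evt(data: bytes) -> bytes:
    """Apply steps 1-4 of the procedure to a copied .evt image and return the fixed bytes."""
    buf = bytearray(data)
    pos = buf.find(EOF_MARKER)                 # step 1
    if pos < 0:
        raise ValueError("EOF record marker not found; log is not a classic .evt or is truncated")
    src = pos + 20                             # step 2: 20 bytes past the found text
    buf[20:28] = buf[src:src + 8]              # step 3: 8 bytes into header offset 20
    struct.pack_into("<I", buf, 36, 8)         # step 4: flags = 8 (clears the dirty bit 0x1)
    return bytes(buf)


def build_sample_evt() -> bytes:
    """Constructed sample: a log whose header is flagged dirty and still carries stale values."""
    header = struct.pack("<I4s10I", 0x30, b"LfLe", 1, 1,
                         0x30,     # start offset (first record right after the header)
                         0x30,     # end offset: stale, never updated before the plug was pulled
                         1,        # current record number: stale
                         1,        # oldest record number
                         0x10000,  # max size
                         0x1,      # flags: ELF_LOGFILE_HEADER_DIRTY
                         0,        # retention
                         0x30)
    record = b"\x00" * 0x40        # stand-in for one event record; contents are irrelevant here
    eof_off = len(header) + len(record)
    # EOF record: size, four magic dwords, begin offset, end offset, cur rec, oldest rec, size.
    eof = struct.pack("<10I", 0x28, 0x11111111, 0x22222222, 0x33333333, 0x44444444,
                      0x30, eof_off, 2, 1, 0x28)
    return header + record + eof


if __name__ == "__main__":
    fixed = repair_evt(build_sample_evt())
    print({k: hex(v) for k, v in header_fields(fixed).items() if k != "signature"})
```

Run it against a copy of the exported log (`repair_evt(open("AppEvent.evt", "rb").read())`), never the original; the header's `flags` value before repair tells you whether the dirty bit was the cause at all.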

Posted at: Sun, 13 Oct 2013 | category: /itsec