Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

EvtxECmd: Record error at offset #187

Open
forensenellanebbia opened this issue Apr 13, 2022 · 4 comments
Open

EvtxECmd: Record error at offset #187

forensenellanebbia opened this issue Apr 13, 2022 · 4 comments

Comments

@forensenellanebbia
Copy link

Description
When I try to parse some of evtx files from this set EVTX samples - EVTX-to-MITRE-Attack, EvtxECmd (latest version) displays some error messages and produces a blank CSV with just the header.

For instance, this is one the files I can't parse: ID1116-1117-Defender%20threat%20detected.evtx
I can view the contents of the evtx with Event Viewer or Get-WinEvent with no issues.

Debug message
Here's a snippet of the message:

evtxecmd -f "c:\temp\EVTX-to-MITRE-Attack-master\Antivirus\ID1116-1117-Defender threat detected.evtx" --csv "c:\tools\evtxecmd" --debug

[2022-04-13 01:21:00.3628260 INF] Processing c:\temp\EVTX-to-MITRE-Attack-master\Antivirus\ID1116-1117-Defender threat detected.evtx...
[2022-04-13 01:21:00.3698752 INF] Chunk count: 1, Iterating records...
[2022-04-13 01:21:00.3747379 DBG] Processing chunk at offset 0x1000. Events found so far: 0
[2022-04-13 01:21:00.4054372 ERR] Record error at offset 0x1200, record #: 1 error: Specified argument was out of the range of valid values. (Parameter Value Type NullType is not handled! Handle it!)
System.ArgumentOutOfRangeException: Specified argument was out of the range of valid values. (Parameter Value Type NullType is not handled! Handle it!)
   at evtx.Tags.Value..ctor(Int64 recordPosition, BinaryReader dataStream, ChunkInfo chunk) in D:\Code\evtx\evtx\Tags\Value.cs:line 26
   at evtx.Tags.TagBuilder.BuildTag(Int64 recordPosition, BinaryReader dataStream, ChunkInfo chunk) in D:\Code\evtx\evtx\Tags\TagBuilder.cs:line 271
   at evtx.Tags.OpenStartElementTag..ctor(Int64 recordPosition, BinaryReader dataStream, ChunkInfo chunk, Boolean hasAttribute) in D:\Code\evtx\evtx\Tags\OpenStartElementTag.cs:line 53
   at evtx.Tags.TagBuilder.BuildTag(Int64 recordPosition, BinaryReader dataStream, ChunkInfo chunk) in D:\Code\evtx\evtx\Tags\TagBuilder.cs:line 264
   at evtx.EventRecord..ctor(BinaryReader recordData, Int32 recordPosition, ChunkInfo chunk) in D:\Code\evtx\evtx\EventRecord.cs:line 44
   at evtx.ChunkInfo..ctor(Byte[] chunkBytes, Int64 absoluteOffset, Int32 chunkNumber) in D:\Code\evtx\evtx\ChunkInfo.cs:line 208
[...]
[2022-04-13 01:21:00.4451981 INF] Record #1: Error: Specified argument was out of the range of valid values. (Parameter Value Type NullType is not handled! Handle it!)
[2022-04-13 01:21:00.4457700 INF] Record #2: Error: Index was out of range. Must be non-negative and less than the size of the collection. (Parameter startIndex)
[2022-04-13 01:21:00.4463243 INF] Record #3: Error: Index was out of range. Must be non-negative and less than the size of the collection. (Parameter startIndex)
[2022-04-13 01:21:00.4468750 INF] Record #4: Error: Index was out of range. Must be non-negative and less than the size of the collection. (Parameter startIndex)
[2022-04-13 01:21:00.4474257 INF] Record #5: Error: Index was out of range. Must be non-negative and less than the size of the collection. (Parameter startIndex)
[2022-04-13 01:21:00.4479763 INF] Record #6: Error: Index was out of range. Must be non-negative and less than the size of the collection. (Parameter startIndex)
[2022-04-13 01:21:00.4491654 INF] Processed 1 file in 1,1180 seconds
[2022-04-13 01:21:00.4546050 INF] Files with errors
[2022-04-13 01:21:00.4555647 INF] c:\temp\EVTX-to-MITRE-Attack-master\Antivirus\ID1116-1117-Defender threat detected.evtx error count: 6```
@forensenellanebbia
Copy link
Author

forensenellanebbia commented Apr 13, 2022 via email
edited
Loading

@EricZimmerman
Copy link
Owner

Are these forwarded event logs by chance?

@forensenellanebbia
Copy link
Author

I'm sorry, I don't know. The readme in the repository doesn't say if the events were forwarded:

readme

But I get a similar issue when I try to parse another evtx file that I extracted from a VM running Win10 1809 (where there's no WEF): evtx_win10.zip

@AndrewRathbun
Copy link

But I get a similar issue when I try to parse another evtx file that I extracted from a VM running Win10 1809 (where there's no WEF): evtx_win10.zip

For this, I get the following errors:

Processing C:\Users\CFUser\Downloads\evtx_win10\Microsoft-Windows-Windows Firewall With Advanced Security%4FirewallDiagnostics.evtx...
Chunk count: 1, Iterating records...
Record error at offset 0x1200, record #: 1 error: 'Element' is an invalid XmlNodeType.
System.Xml.XmlException: 'Element' is an invalid XmlNodeType.
   at System.Xml.XmlReader.FinishReadElementContentAsXxx()
   at System.Xml.XmlReader.ReadElementContentAsString()
   at evtx.EventRecord.BuildProperties()
   at evtx.EventRecord..ctor(BinaryReader recordData, Int32 recordPosition, ChunkInfo chunk)
   at evtx.ChunkInfo..ctor(Byte[] chunkBytes, Int64 absoluteOffset, Int32 chunkNumber)
Record error at offset 0x1B20, record #: 2 error: 'Element' is an invalid XmlNodeType.
System.Xml.XmlException: 'Element' is an invalid XmlNodeType.
   at System.Xml.XmlReader.FinishReadElementContentAsXxx()
   at System.Xml.XmlReader.ReadElementContentAsString()
   at evtx.EventRecord.BuildProperties()
   at evtx.EventRecord..ctor(BinaryReader recordData, Int32 recordPosition, ChunkInfo chunk)
   at evtx.ChunkInfo..ctor(Byte[] chunkBytes, Int64 absoluteOffset, Int32 chunkNumber)
Record error at offset 0x2080, record #: 3 error: 'Element' is an invalid XmlNodeType.
System.Xml.XmlException: 'Element' is an invalid XmlNodeType.
   at System.Xml.XmlReader.FinishReadElementContentAsXxx()
   at System.Xml.XmlReader.ReadElementContentAsString()
   at evtx.EventRecord.BuildProperties()
   at evtx.EventRecord..ctor(BinaryReader recordData, Int32 recordPosition, ChunkInfo chunk)
   at evtx.ChunkInfo..ctor(Byte[] chunkBytes, Int64 absoluteOffset, Int32 chunkNumber)
Record error at offset 0x23D8, record #: 4 error: 'Element' is an invalid XmlNodeType.
System.Xml.XmlException: 'Element' is an invalid XmlNodeType.
   at System.Xml.XmlReader.FinishReadElementContentAsXxx()
   at System.Xml.XmlReader.ReadElementContentAsString()
   at evtx.EventRecord.BuildProperties()
   at evtx.EventRecord..ctor(BinaryReader recordData, Int32 recordPosition, ChunkInfo chunk)
   at evtx.ChunkInfo..ctor(Byte[] chunkBytes, Int64 absoluteOffset, Int32 chunkNumber)
Record error at offset 0x2730, record #: 5 error: 'Element' is an invalid XmlNodeType.
System.Xml.XmlException: 'Element' is an invalid XmlNodeType.
   at System.Xml.XmlReader.FinishReadElementContentAsXxx()
   at System.Xml.XmlReader.ReadElementContentAsString()
   at evtx.EventRecord.BuildProperties()
   at evtx.EventRecord..ctor(BinaryReader recordData, Int32 recordPosition, ChunkInfo chunk)
   at evtx.ChunkInfo..ctor(Byte[] chunkBytes, Int64 absoluteOffset, Int32 chunkNumber)
Record error at offset 0x2A88, record #: 6 error: 'Element' is an invalid XmlNodeType.
System.Xml.XmlException: 'Element' is an invalid XmlNodeType.
   at System.Xml.XmlReader.FinishReadElementContentAsXxx()
   at System.Xml.XmlReader.ReadElementContentAsString()
   at evtx.EventRecord.BuildProperties()
   at evtx.EventRecord..ctor(BinaryReader recordData, Int32 recordPosition, ChunkInfo chunk)
   at evtx.ChunkInfo..ctor(Byte[] chunkBytes, Int64 absoluteOffset, Int32 chunkNumber)
Record error at offset 0x2DE0, record #: 7 error: 'Element' is an invalid XmlNodeType.
System.Xml.XmlException: 'Element' is an invalid XmlNodeType.
   at System.Xml.XmlReader.FinishReadElementContentAsXxx()
   at System.Xml.XmlReader.ReadElementContentAsString()
   at evtx.EventRecord.BuildProperties()
   at evtx.EventRecord..ctor(BinaryReader recordData, Int32 recordPosition, ChunkInfo chunk)
   at evtx.ChunkInfo..ctor(Byte[] chunkBytes, Int64 absoluteOffset, Int32 chunkNumber)
Record error at offset 0x3138, record #: 8 error: 'Element' is an invalid XmlNodeType.
System.Xml.XmlException: 'Element' is an invalid XmlNodeType.
   at System.Xml.XmlReader.FinishReadElementContentAsXxx()
   at System.Xml.XmlReader.ReadElementContentAsString()
   at evtx.EventRecord.BuildProperties()
   at evtx.EventRecord..ctor(BinaryReader recordData, Int32 recordPosition, ChunkInfo chunk)
   at evtx.ChunkInfo..ctor(Byte[] chunkBytes, Int64 absoluteOffset, Int32 chunkNumber)
Record error at offset 0x3490, record #: 9 error: 'Element' is an invalid XmlNodeType.
System.Xml.XmlException: 'Element' is an invalid XmlNodeType.
   at System.Xml.XmlReader.FinishReadElementContentAsXxx()
   at System.Xml.XmlReader.ReadElementContentAsString()
   at evtx.EventRecord.BuildProperties()
   at evtx.EventRecord..ctor(BinaryReader recordData, Int32 recordPosition, ChunkInfo chunk)
   at evtx.ChunkInfo..ctor(Byte[] chunkBytes, Int64 absoluteOffset, Int32 chunkNumber)
Record error at offset 0x37E8, record #: 10 error: 'Element' is an invalid XmlNodeType.
System.Xml.XmlException: 'Element' is an invalid XmlNodeType.
   at System.Xml.XmlReader.FinishReadElementContentAsXxx()
   at System.Xml.XmlReader.ReadElementContentAsString()
   at evtx.EventRecord.BuildProperties()
   at evtx.EventRecord..ctor(BinaryReader recordData, Int32 recordPosition, ChunkInfo chunk)
   at evtx.ChunkInfo..ctor(Byte[] chunkBytes, Int64 absoluteOffset, Int32 chunkNumber)
Record error at offset 0x39E8, record #: 11 error: 'Element' is an invalid XmlNodeType.
System.Xml.XmlException: 'Element' is an invalid XmlNodeType.
   at System.Xml.XmlReader.FinishReadElementContentAsXxx()
   at System.Xml.XmlReader.ReadElementContentAsString()
   at evtx.EventRecord.BuildProperties()
   at evtx.EventRecord..ctor(BinaryReader recordData, Int32 recordPosition, ChunkInfo chunk)
   at evtx.ChunkInfo..ctor(Byte[] chunkBytes, Int64 absoluteOffset, Int32 chunkNumber)
Record error at offset 0x3D40, record #: 12 error: 'Element' is an invalid XmlNodeType.
System.Xml.XmlException: 'Element' is an invalid XmlNodeType.
   at System.Xml.XmlReader.FinishReadElementContentAsXxx()
   at System.Xml.XmlReader.ReadElementContentAsString()
   at evtx.EventRecord.BuildProperties()
   at evtx.EventRecord..ctor(BinaryReader recordData, Int32 recordPosition, ChunkInfo chunk)
   at evtx.ChunkInfo..ctor(Byte[] chunkBytes, Int64 absoluteOffset, Int32 chunkNumber)
Record error at offset 0x4098, record #: 13 error: 'Element' is an invalid XmlNodeType.
System.Xml.XmlException: 'Element' is an invalid XmlNodeType.
   at System.Xml.XmlReader.FinishReadElementContentAsXxx()
   at System.Xml.XmlReader.ReadElementContentAsString()
   at evtx.EventRecord.BuildProperties()
   at evtx.EventRecord..ctor(BinaryReader recordData, Int32 recordPosition, ChunkInfo chunk)
   at evtx.ChunkInfo..ctor(Byte[] chunkBytes, Int64 absoluteOffset, Int32 chunkNumber)
Record error at offset 0x43F0, record #: 14 error: 'Element' is an invalid XmlNodeType.
System.Xml.XmlException: 'Element' is an invalid XmlNodeType.
   at System.Xml.XmlReader.FinishReadElementContentAsXxx()
   at System.Xml.XmlReader.ReadElementContentAsString()
   at evtx.EventRecord.BuildProperties()
   at evtx.EventRecord..ctor(BinaryReader recordData, Int32 recordPosition, ChunkInfo chunk)
   at evtx.ChunkInfo..ctor(Byte[] chunkBytes, Int64 absoluteOffset, Int32 chunkNumber)
Record error at offset 0x4748, record #: 15 error: 'Element' is an invalid XmlNodeType.
System.Xml.XmlException: 'Element' is an invalid XmlNodeType.
   at System.Xml.XmlReader.FinishReadElementContentAsXxx()
   at System.Xml.XmlReader.ReadElementContentAsString()
   at evtx.EventRecord.BuildProperties()
   at evtx.EventRecord..ctor(BinaryReader recordData, Int32 recordPosition, ChunkInfo chunk)
   at evtx.ChunkInfo..ctor(Byte[] chunkBytes, Int64 absoluteOffset, Int32 chunkNumber)
Record error at offset 0x4AA0, record #: 16 error: 'Element' is an invalid XmlNodeType.
System.Xml.XmlException: 'Element' is an invalid XmlNodeType.
   at System.Xml.XmlReader.FinishReadElementContentAsXxx()
   at System.Xml.XmlReader.ReadElementContentAsString()
   at evtx.EventRecord.BuildProperties()
   at evtx.EventRecord..ctor(BinaryReader recordData, Int32 recordPosition, ChunkInfo chunk)
   at evtx.ChunkInfo..ctor(Byte[] chunkBytes, Int64 absoluteOffset, Int32 chunkNumber)
Record error at offset 0x4DF8, record #: 17 error: 'Element' is an invalid XmlNodeType.
System.Xml.XmlException: 'Element' is an invalid XmlNodeType.
   at System.Xml.XmlReader.FinishReadElementContentAsXxx()
   at System.Xml.XmlReader.ReadElementContentAsString()
   at evtx.EventRecord.BuildProperties()
   at evtx.EventRecord..ctor(BinaryReader recordData, Int32 recordPosition, ChunkInfo chunk)
   at evtx.ChunkInfo..ctor(Byte[] chunkBytes, Int64 absoluteOffset, Int32 chunkNumber)

Event log details
Flags: None
Chunk count: 1
Stored/Calculated CRC: 4DFDFABA/4DFDFABA
Earliest timestamp:
Latest timestamp:
Total event log records found: 0

Records included: 0 Errors: 17 Events dropped: 0

Errors
Record #1: Error: 'Element' is an invalid XmlNodeType.
Record #2: Error: 'Element' is an invalid XmlNodeType.
Record #3: Error: 'Element' is an invalid XmlNodeType.
Record #4: Error: 'Element' is an invalid XmlNodeType.
Record #5: Error: 'Element' is an invalid XmlNodeType.
Record #6: Error: 'Element' is an invalid XmlNodeType.
Record #7: Error: 'Element' is an invalid XmlNodeType.
Record #8: Error: 'Element' is an invalid XmlNodeType.
Record #9: Error: 'Element' is an invalid XmlNodeType.
Record #10: Error: 'Element' is an invalid XmlNodeType.
Record #11: Error: 'Element' is an invalid XmlNodeType.
Record #12: Error: 'Element' is an invalid XmlNodeType.
Record #13: Error: 'Element' is an invalid XmlNodeType.
Record #14: Error: 'Element' is an invalid XmlNodeType.
Record #15: Error: 'Element' is an invalid XmlNodeType.
Record #16: Error: 'Element' is an invalid XmlNodeType.
Record #17: Error: 'Element' is an invalid XmlNodeType.

Processed 1 file in 0.5099 seconds


Files with errors
C:\Users\CFUser\Downloads\evtx_win10\Microsoft-Windows-Windows Firewall With Advanced Security%4FirewallDiagnostics.evtx error count: 17

For instance, this is one the files I can't parse: ID1116-1117-Defender%20threat%20detected.evtx I can view the contents of the evtx with Event Viewer or Get-WinEvent with no issues.

For this one, I get:

Processing C:\Users\CFUser\Downloads\ID1116-1117-Defender threat detected.evtx...
Chunk count: 1, Iterating records...
Record error at offset 0x1200, record #: 1 error: Specified argument was out of the range of valid values.
Parameter name: Value Type NullType is not handled! Handle it!
System.ArgumentOutOfRangeException: Specified argument was out of the range of valid values.
Parameter name: Value Type NullType is not handled! Handle it!
   at evtx.Tags.Value..ctor(Int64 recordPosition, BinaryReader dataStream, ChunkInfo chunk)
   at evtx.Tags.TagBuilder.BuildTag(Int64 recordPosition, BinaryReader dataStream, ChunkInfo chunk)
   at evtx.Tags.OpenStartElementTag..ctor(Int64 recordPosition, BinaryReader dataStream, ChunkInfo chunk, Boolean hasAttribute)
   at evtx.Tags.TagBuilder.BuildTag(Int64 recordPosition, BinaryReader dataStream, ChunkInfo chunk)
   at evtx.EventRecord..ctor(BinaryReader recordData, Int32 recordPosition, ChunkInfo chunk)
   at evtx.ChunkInfo..ctor(Byte[] chunkBytes, Int64 absoluteOffset, Int32 chunkNumber)
Record error at offset 0x24D8, record #: 2 error: Index was out of range. Must be non-negative and less than the size of the collection.
Parameter name: startIndex
System.ArgumentOutOfRangeException: Index was out of range. Must be non-negative and less than the size of the collection.
Parameter name: startIndex
   at System.ThrowHelper.ThrowArgumentOutOfRangeException(ExceptionArgument argument, ExceptionResource resource)
   at System.BitConverter.ToUInt16(Byte[] value, Int32 startIndex)
   at evtx.ChunkInfo.GetStringTableEntry(UInt32 offset)
   at evtx.Tags.OpenStartElementTag..ctor(Int64 recordPosition, BinaryReader dataStream, ChunkInfo chunk, Boolean hasAttribute)
   at evtx.Tags.TagBuilder.BuildTag(Int64 recordPosition, BinaryReader dataStream, ChunkInfo chunk)
   at evtx.EventRecord..ctor(BinaryReader recordData, Int32 recordPosition, ChunkInfo chunk)
   at evtx.ChunkInfo..ctor(Byte[] chunkBytes, Int64 absoluteOffset, Int32 chunkNumber)
Record error at offset 0x3538, record #: 3 error: Index was out of range. Must be non-negative and less than the size of the collection.
Parameter name: startIndex
System.ArgumentOutOfRangeException: Index was out of range. Must be non-negative and less than the size of the collection.
Parameter name: startIndex
   at System.ThrowHelper.ThrowArgumentOutOfRangeException(ExceptionArgument argument, ExceptionResource resource)
   at System.BitConverter.ToUInt16(Byte[] value, Int32 startIndex)
   at evtx.ChunkInfo.GetStringTableEntry(UInt32 offset)
   at evtx.Tags.OpenStartElementTag..ctor(Int64 recordPosition, BinaryReader dataStream, ChunkInfo chunk, Boolean hasAttribute)
   at evtx.Tags.TagBuilder.BuildTag(Int64 recordPosition, BinaryReader dataStream, ChunkInfo chunk)
   at evtx.EventRecord..ctor(BinaryReader recordData, Int32 recordPosition, ChunkInfo chunk)
   at evtx.ChunkInfo..ctor(Byte[] chunkBytes, Int64 absoluteOffset, Int32 chunkNumber)
Record error at offset 0x45F0, record #: 4 error: Index was out of range. Must be non-negative and less than the size of the collection.
Parameter name: startIndex
System.ArgumentOutOfRangeException: Index was out of range. Must be non-negative and less than the size of the collection.
Parameter name: startIndex
   at System.ThrowHelper.ThrowArgumentOutOfRangeException(ExceptionArgument argument, ExceptionResource resource)
   at System.BitConverter.ToUInt16(Byte[] value, Int32 startIndex)
   at evtx.ChunkInfo.GetStringTableEntry(UInt32 offset)
   at evtx.Tags.OpenStartElementTag..ctor(Int64 recordPosition, BinaryReader dataStream, ChunkInfo chunk, Boolean hasAttribute)
   at evtx.Tags.TagBuilder.BuildTag(Int64 recordPosition, BinaryReader dataStream, ChunkInfo chunk)
   at evtx.EventRecord..ctor(BinaryReader recordData, Int32 recordPosition, ChunkInfo chunk)
   at evtx.ChunkInfo..ctor(Byte[] chunkBytes, Int64 absoluteOffset, Int32 chunkNumber)
Record error at offset 0x5650, record #: 5 error: Index was out of range. Must be non-negative and less than the size of the collection.
Parameter name: startIndex
System.ArgumentOutOfRangeException: Index was out of range. Must be non-negative and less than the size of the collection.
Parameter name: startIndex
   at System.ThrowHelper.ThrowArgumentOutOfRangeException(ExceptionArgument argument, ExceptionResource resource)
   at System.BitConverter.ToUInt16(Byte[] value, Int32 startIndex)
   at evtx.ChunkInfo.GetStringTableEntry(UInt32 offset)
   at evtx.Tags.OpenStartElementTag..ctor(Int64 recordPosition, BinaryReader dataStream, ChunkInfo chunk, Boolean hasAttribute)
   at evtx.Tags.TagBuilder.BuildTag(Int64 recordPosition, BinaryReader dataStream, ChunkInfo chunk)
   at evtx.EventRecord..ctor(BinaryReader recordData, Int32 recordPosition, ChunkInfo chunk)
   at evtx.ChunkInfo..ctor(Byte[] chunkBytes, Int64 absoluteOffset, Int32 chunkNumber)
Record error at offset 0x6748, record #: 6 error: Index was out of range. Must be non-negative and less than the size of the collection.
Parameter name: startIndex
System.ArgumentOutOfRangeException: Index was out of range. Must be non-negative and less than the size of the collection.
Parameter name: startIndex
   at System.ThrowHelper.ThrowArgumentOutOfRangeException(ExceptionArgument argument, ExceptionResource resource)
   at System.BitConverter.ToUInt16(Byte[] value, Int32 startIndex)
   at evtx.ChunkInfo.GetStringTableEntry(UInt32 offset)
   at evtx.Tags.OpenStartElementTag..ctor(Int64 recordPosition, BinaryReader dataStream, ChunkInfo chunk, Boolean hasAttribute)
   at evtx.Tags.TagBuilder.BuildTag(Int64 recordPosition, BinaryReader dataStream, ChunkInfo chunk)
   at evtx.EventRecord..ctor(BinaryReader recordData, Int32 recordPosition, ChunkInfo chunk)
   at evtx.ChunkInfo..ctor(Byte[] chunkBytes, Int64 absoluteOffset, Int32 chunkNumber)

Event log details
Flags: None
Chunk count: 1
Stored/Calculated CRC: 2B054F09/2B054F09
Earliest timestamp:
Latest timestamp:
Total event log records found: 0

Records included: 0 Errors: 6 Events dropped: 0

Errors
Record #1: Error: Specified argument was out of the range of valid values.
Parameter name: Value Type NullType is not handled! Handle it!
Record #2: Error: Index was out of range. Must be non-negative and less than the size of the collection.
Parameter name: startIndex
Record #3: Error: Index was out of range. Must be non-negative and less than the size of the collection.
Parameter name: startIndex
Record #4: Error: Index was out of range. Must be non-negative and less than the size of the collection.
Parameter name: startIndex
Record #5: Error: Index was out of range. Must be non-negative and less than the size of the collection.
Parameter name: startIndex
Record #6: Error: Index was out of range. Must be non-negative and less than the size of the collection.
Parameter name: startIndex

Processed 1 file in 0.5749 seconds


Files with errors
C:\Users\CFUser\Downloads\ID1116-1117-Defender threat detected.evtx error count: 6

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@EricZimmerman @forensenellanebbia @AndrewRathbun