Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

EVTX-Possible bug #241

Open
bluDuckB3ar opened this issue Sep 27, 2024 · 3 comments
Open

EVTX-Possible bug #241

bluDuckB3ar opened this issue Sep 27, 2024 · 3 comments
Assignees
Labels
bug Something isn't working

Comments

@bluDuckB3ar
Copy link

The bug appears to be related to duplicate keys within the map files used by EvtxECmd. Specifically, you are encountering errors when EvtxECmd tries to load the following map files:

Microsoft-Windows-VHDMP-Operational_Microsoft-Windows-VHDMP_1.map
Microsoft-Windows-VHDMP-Operational_Microsoft-Windows-VHDMP_2.map
The error messages indicate that these map files contain entries with the same key, leading to a System.ArgumentException.

---------------------------------------------------------------- This is an easy resolve by just deleting the file attaching my terminal output

I was able to fix it by deleting those two map files but was able to replicate the issue on a vm with a fresh install of windows. this was tested through PS 5 - 7 and on .net 6

this would be great in helping someone else if they came across it later

logs evtx.txt

@AndrewRathbun
Copy link
Collaborator

I'll look into this later today! Thanks for reporting 👍

@AndrewRathbun AndrewRathbun self-assigned this Sep 27, 2024
@AndrewRathbun AndrewRathbun added the bug Something isn't working label Sep 27, 2024
@bluDuckB3ar
Copy link
Author

maps-dir.csv

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

2 participants