Windows Event Log Tricks

Fixing trashed logs is easy with some old-school database tricks

I was at a customer site the other day looking over some data center design plans. Of course, like so many things in a day in the life of a network geek, flexibility is the key to making beer time come faster. The IT folks there were in a heated discussion about something, so I just assumed it was about who the best Doctor was. I walked over wishing I had my long scarf and a fist full of jelly babies to fur up anyone who disagreed that Tom Baker was the Doctor the way Sean Connery was 007. But no, it was about backups. Backups? Oh man... I knew what that meant. Arguments about backups are like letters from the IRS: they are never good, and somebody is in for a surprise just two inches short of death. The real problem was trying to salvage some corrupted event logs. When I suggested just fixing the corrupted area instead of restoring the logs and losing that time's worth of data, folks looked at me the way my dad did when he caught me dragging his race car.

Yeah man! The Windows Event Log subsystem is really a lot like the good ole Microsoft Jet database. So many of the little tricks we used to keep that dude consistent can still be used to fix our Event Logs if they ever take a nosedive. There are a bunch of ways to do this, but here is the method I used to breathe life back into these.

Background: Event logs store columns of data. Each log has a header, a floating footer (normally the problem child) and, of course, records. There are normally three files, SysEvent.evt, SecEvent.evt and AppEvent.evt, stored in the systemRoot\system32\config folder. Normally these files get corrupted when four of the fields in the header and the floating footer become inconsistent with each other. Fixing them is really as simple as manually setting the offsets. The floating footer object holds the real-time metadata. The four fields are 4-byte fields: the offset to the oldest record, the offset to the next record, the record number of the next record, and the record number of the oldest record. The same four fields are also present in the event log file header (the non-real-time copy). You can find them because they start at offset 16, and they are only updated and synced with the real-time data when the Event Log service shuts down gracefully or you execute a Save Log File As command.

This is the best part: you are only repairing metadata, not actual data. This is really important to note and understand. I have been an expert witness at trials, and douche bag lawyers will key in on the fact that you are changing the data and therefore compromised the data. This is certainly not the case.
Here's how to recover those files and get folks to man up some beers in your direction.

Step 0x01: If you haven't already downloaded the awesome tool WinHex (http://www.x-ways.net/winhex/), make sure you go out and grab it in a flash. It will really come in handy down the road.

Step 0x02: Stop the Event Log service.

Step 0x03: Now open the file that is in error with WinHex. We need to find the floating footer in this sea of hex. It is identified by the hex string 0x11111111. Now look for the header located at 0x28000000. OK, now we have found the two objects that are out of sync with each other and therefore corrupted.

Step 0x04: So let's look at the bytes right after the string 0x2800000011111111222222223333333344444444. This 16-byte string makes up the first bytes of the event ID, next event, oldest event and related fields. Copy these 16 bytes into Notepad. Most of the time the situation is that the byte at offset 36 in the header is an odd value. When the file is open or was not closed properly, the value at that offset is 0x09 or 0x0B, but really any odd value indicates a problem. When it is closed properly the opposite is true: the value is set to an even number, usually 0x08 or 0x00, but any even value will work.

Step 0x05: Now just paste the 16-byte value you copied above at offset 0x00000016.

Step 0x06: Finally, go to header offset 36 and change the file status byte to an even value. I normally use 00, but anything works as long as it is even. A quick save, close, and restart the Event Log service. And there you go!

I've got to give a big ole shout out to Steve Bunting for publishing the forensic use of this method. I use it all the time, forensic and non-forensic alike. The good news was that we were able to recover these logs on the fly, review the data center design, and make it in time to watch the ballgame over an ice cold beer! Man, is this a great country or what!

Jimmy Ray Purser Trivia File Transfer Protocol: Doctor Who has led to at least five attempted TV spin-offs. The most successful is Torchwood, an anagram of Doctor Who.
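The same header-versus-footer check and repair, as an added Python example that is not from the original post or from any tool it mentions. It assumes the layout the post describes: the four sync fields at header offset 16 (decimal), the status byte at offset 36 with bit 0x01 as the "not cleanly closed" flag, and the footer's four real-time fields right after the 0x28000000 11111111 22222222 33333333 44444444 marker; the sample .evt image is constructed inline and is not a real log.

```python
import struct

# Layout assumed from the post (little-endian throughout).
HDR_FIELDS_OFF = 16   # oldest-record offset, next-record offset, next record #, oldest record #
HDR_FLAGS_OFF = 36    # file status byte; bit 0x01 set = not cleanly closed ("dirty")
DIRTY_BIT = 0x01
FOOTER_MAGIC = bytes.fromhex("2800000011111111222222223333333344444444")

def find_footer_fields(data):
    """Offset of the floating footer's four real-time fields, or -1 if no footer marker."""
    pos = data.find(FOOTER_MAGIC)
    return -1 if pos < 0 else pos + len(FOOTER_MAGIC)

def inspect_evt(data):
    """Report whether the header copy matches the footer copy and whether the dirty bit is set."""
    foot_off = find_footer_fields(data)
    if foot_off < 0:
        raise ValueError("floating footer marker not found")
    header = struct.unpack_from("<4I", data, HDR_FIELDS_OFF)
    footer = struct.unpack_from("<4I", data, foot_off)
    return {"header": header, "footer": footer, "in_sync": header == footer,
            "dirty": bool(data[HDR_FLAGS_OFF] & DIRTY_BIT)}

def repair_evt(data):
    """Steps 0x04-0x06 in code: copy the footer's 16 bytes over the header's, clear the dirty bit."""
    buf = bytearray(data)
    foot_off = find_footer_fields(buf)
    if foot_off < 0:
        raise ValueError("floating footer marker not found")
    buf[HDR_FIELDS_OFF:HDR_FIELDS_OFF + 16] = buf[foot_off:foot_off + 16]
    buf[HDR_FLAGS_OFF] &= 0xFF ^ DIRTY_BIT   # becomes even; other flag bits are kept
    return bytes(buf)

def build_sample(dirty=True):
    """Constructed test image: stale 48-byte header, zero padding, footer at 0x4000 (not a real log)."""
    flags = 0x09 if dirty else 0x08
    header = struct.pack("<I4s" + "I" * 10, 0x30, b"LfLe", 1, 1,
                         0x30, 0x30, 1, 1, 0x80000, flags, 0, 0x30)
    footer = FOOTER_MAGIC + struct.pack("<5I", 0x30, 0x4000, 42, 1, 0x28)
    return header + b"\x00" * (0x4000 - len(header)) + footer

if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print("before:", inspect_evt(raw))
    print("after: ", inspect_evt(repair_evt(raw)))
```

Run it against a copy of the .evt taken while the Event Log service is stopped; only the 16 header bytes and the status byte change, the records are never touched.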


© 2011
