aur/CHANGELOG.md

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[Unreleased]

[0.11.0 - 2026-01-03]

Breaking changes (WEVT_TEMPLATE cache)

• The offline WEVT template cache is now a single .wevtcache file (directory + index.jsonl is no longer supported).
  • evtx_dump extract-wevt-templates --input <provider.{dll,exe,sys}> --output /tmp/wevt_cache.wevtcache --overwrite
  • evtx_dump --wevt-cache /tmp/wevt_cache.wevtcache <log.evtx>
• WevtCache is now pure in-memory (no internal filesystem I/O). Load cache blobs at your boundary and pass an Arc<WevtCache> into ParserSettings.
• CLI flag renames:
  • --wevt-cache-index → --wevt-cache
  • apply-wevt-cache --cache-index → apply-wevt-cache --cache

Fixed

• Fix MAPS parsing for providers whose MAPS offsets are not monotonic (e.g. wevtsvc.dll).
  • Parse maps deterministically (implied first map + offsets array order).
  • Use each VMAP’s declared size field (no “next offset” boundary guessing / sorting).

Added

• Git-LFS tracked DLL/EXE fixtures under samples/dlls/ + insta snapshot tests for canonical WEVT_TEMPLATE extraction stats (validated against libfwevt via pyfwevt).

Full Changelog: v0.10.0...v0.11.0

[0.10.0 - 2025-12-31]

Highlights

• ~3× faster JSON/XML rendering compared to 0.9.0, powered by the new IR + streaming renderers.
  • On samples/security.evtx (single-threaded): JSONL 45.4ms → 16.5ms (~2.76×), XML 33.2ms → 11.3ms (~2.95×).
• WEVT_TEMPLATE support (optional wevt_templates feature): extract templates from provider binaries and use an offline cache as a fallback when EVTX embedded templates are missing/corrupt.
• EVTX Web: a WebAssembly-powered viewer (see PR #252).

Breaking changes (API + behavior)

• Removed the token-tree output API:
  • BinXmlOutput, XmlOutput, JsonOutput, and EvtxRecord::into_output(..) were removed.
  • Use EvtxRecord::into_xml(), EvtxRecord::into_json(), or EvtxRecord::into_json_value() instead.
  • If you need structured access, use the new IR types under evtx::model::ir.
• EvtxRecord is now IR-based:
  • EvtxRecord::tokens (and evtx::model::{deserialized, raw, xml}) were removed/replaced.
  • Records now carry tree: evtx::model::ir::IrTree (plus binxml_offset/binxml_size).
• EvtxRecordHeader::record_data_size() now returns Result<u32> and can error on corrupted data_size values.
• EvtxChunk no longer exposes the old TemplateCache (template_table); chunk parsing/rendering is now driven by the IR + template instantiation cache.
• Timestamps switched from chrono::DateTime<Utc> to jiff::Timestamp in EvtxRecord, EvtxRecordHeader, and SerializedEvtxRecord.
• Error type changes (affects match statements):
  • EvtxError::FailedToParseChunk now carries Box<ChunkError>.
  • DeserializationError IO variants were renamed (UnexpectedIoError → IoWithContext, RemoveMe → Io) and new WEVT/IO truncation errors were added.
  • ChunkError::FailedToBuildTemplateCache was removed.
• JSON indentation behavior changed:
  • ParserSettings::indent(..) is still used for XML, but JSON output is now always compact in the streaming renderer. If you need pretty JSON, reformat the returned value/string yourself.

Added

• Streaming JSON renderer + new parsing architecture (PR #267).
• New intermediate representation (IR) for BinXML (PR #278).
• WEVT_TEMPLATE extraction + offline cache + rendering helpers (PR #274).
• evtx_dump: support reading EVTX from stdin (PR #271).
• Re-export RecordId from crate root (PR #272).
• Fix parsing when chunk header offsets are too large (PR #273).
• Web-based viewer (WASM) (PR #252).

Fixed

• When validate_checksums is disabled, fix multiple infinite-loop cases on malformed EVTX files (PR #263, #264).

Performance

• IR tree replaces the old token vector (Vec<...>) in the hot path, dramatically reducing allocations and improving cache locality.
• Streaming renderers write JSON/XML directly to a sink (no serde_json::Value construction on the default path).
• Fast UTF-16 escaping via the new utf16-simd crate + sonic-rs writer integration.
• Chunk arena pooling in the multithreaded path reduces per-chunk allocator churn.

WEVT usage (offline template cache)

This is optional and requires building with the Cargo feature wevt_templates.

• Build a cache index (JSONL) + extracted blobs:
  • evtx_dump extract-wevt-templates --input <provider.dll> --output-dir /tmp/wevt_cache --overwrite > /tmp/wevt_cache/index.jsonl
• Use the cache when dumping EVTX (fallback only when embedded templates are missing/corrupt):
  • evtx_dump --wevt-cache-index /tmp/wevt_cache/index.jsonl <log.evtx>
• Library usage:
  • Load the index and attach it to ParserSettings via ParserSettings::wevt_cache(Some(Arc::new(WevtCache::load(..)?))).

Full Changelog: v0.9.0...v0.10.0

[0.9.0 - 2025-02-21]

Added

• Migrated to rust edition 2024.

[0.8.5 - 2025-02-21]

Fixed

• #249 - Extra Whitespace in LogonProcessName Field

[0.8.4 - 2024-04-04]

Fixed

• (bugfix) Fix json output when a node with attributes has the same key several times. thanks @yardlogs

[0.8.2 - 2024-04-04]

Added

• Binaries for linux and mac are now PGO optimized (should yield 10-20% performance improvement).

Changed

• Dependencies updated to their latest versions.

Fixed

• (bugfix) Fix off-by-6 bug in assemble.rs by @dgmcdona in https://github.com/omerbenamram/evtx/pull/238

[0.8.1 - 2023-02-17]

Fixed

• https://github.com/omerbenamram/evtx/issues/232 - Support for size_t, thanks @alexkornitzer

[0.8.0 - 2022-08-29]

Added

• A new feature for evtx-dump which allows selective dumping of event ranges.
• Added builds for apple silicon macs via cross compilation.

Changed

• Ignore invalid header flags - thanks @Oskar65536
• Don't panic when a date has an invalid value (Use 1061.1.1 if raw value is 0, return an error otherwise) #209
• Use insta for snapshot testing
• Convert #text to an array if multiple elements with the same name exist

Fixed

• https://github.com/omerbenamram/evtx/issues/201
• https://github.com/omerbenamram/evtx/issues/209
• https://github.com/omerbenamram/evtx/issues/221

[0.7.2 - 2021-04-01]

Changed

• Fix flags to be proper bitmasks and add no-CRC flag (#188) - thanks @Robo210

[0.7.1 - 2021-03-26]

Changed

• fast-alloc is no longer on by default, to support static MUSL builds for evtx-dump to enable it, build with --features fast-alloc.
• static binaries are now published for linux! take evtx-dump with you everywhere :)
• CI was migrated to github actions from azure pipelines.

[0.6.9 - 2021-01-30]

Fixed

• Fixed some imports which mistakingly imported serde internals.

[0.6.8 - 2020-10-01]

Fixed

• Allow for arbitrarily large EVTX files to parse correctly. (#128)

[0.6.7 - 2020-08-28]

Added

• calculated_chunk_count field to EvtxParser
• impl Debug for EvtxParser

Changed

• Use calculated chunk count rather than header chunk count to continue parsing past 4294901760 bytes of chunk data.
• Moved function/error chunk indexes to u64 instead of u16 to allow for chunk indexes larger than u16 MAX

[0.6.6 - 2020-01-22]

Fixed

Another tiny fix where the parser might loop for very specific samples - @codekoala thanks for the patch!

[0.6.5 - 2020-01-14]

10% Speedup by using LTO on release.

Changed

• Enabled link-time-optimizations.

[0.6.4 - 2020-01-14]

This release should make evtx_dump 3 times faster on windows machines! Also - about 25% faster on linux machines.

NOTE: this does not affect library code using evtx, only the binary target evtx_dump.

If you are using evtx as a library, you might benefit significantly from adapting a custom allocator!

Changed

• Added jemalloc/rpmalloc(windows) to take advantage of smarter allocation management.
• Use buffered writing on evtx_dump.
• Better utilization of cached strings.

[0.6.3 - 2020-01-11]

This version should be 10-15% faster!

Fixed

• When using separate json attributes, if the element's value is empty, remove the empty mapping. #71

[0.6.2 - 2019-12-17]

Fixed

• An edge case where huge files could cause the parser to get stuck.

[0.6.1 - 2019-12-05]

Fixed

• A regression with --seperate-json-attributes caused by improvements in 0.6.0 to JSON parsing for non-standard xml documents.

[0.6.0 - 2019-11-26]

Added

• Support for EntityRef nodes.

Changed

• Error reporting should be better with this version.

Fixed

• A bug where parser was accepting NUL bytes as strings.
• Fixed a bug where UTF-16 strings would yield more bytes after UTF-8 conversion and would be rejected.
• Support an edge case when some data might be missing from OpenStartElement node.
• A bug where XML records having multiple nodes with the same name will be incorrectly converted to JSON, ex.

<HTTPResponseHeadersInfo>
    <Header>HTTP/1.1 200 OK</Header>
    <Header>Connection: keep-alive</Header>
    <Header>Date: Thu, 18 May 2017 11:37:58 GMT</Header>
    <Header>Content-Length: 813</Header>
    <Header>Content-Type: application/pkix-crl</Header>
    <Header>Last-Modified: Tue, 02 May 2017 22:24:24 GMT</Header>
    <Header>ETag: 0x8D491A9FD112A27</Header>
    <Header>Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0</Header>
    <Header>x-ms-request-id: 477c132d-0001-0045-443b-c49ae1000000</Header>
    <Header>x-ms-version: 2009-09-19</Header>
    <Header>x-ms-lease-status: unlocked</Header>
    <Header>x-ms-blob-type: BlockBlob</Header>
</HTTPResponseHeadersInfo>

Will now be converted to:

{
  "HTTPResponseHeadersInfo": {
    "Header": "x-ms-blob-type: BlockBlob",
    "Header_1": "HTTP/1.1 200 OK",
    "Header_10": "x-ms-version: 2009-09-19",
    "Header_11": "x-ms-lease-status: unlocked",
    "Header_2": "Connection: keep-alive",
    "Header_3": "Date: Thu, 18 May 2017 11:37:58 GMT",
    "Header_4": "Content-Length: 813",
    "Header_5": "Content-Type: application/pkix-crl",
    "Header_6": "Last-Modified: Tue, 02 May 2017 22:24:24 GMT",
    "Header_7": "ETag: 0x8D491A9FD112A27",
    "Header_8": "Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0",
    "Header_9": "x-ms-request-id: 477c132d-0001-0045-443b-c49ae1000000"
  }
}

[0.5.1 - 2019-10-30]

Fixed

• A bug which causes a panic (bounds check) on some corrupted records.

[0.5.0 - 2019-10-07]

Added

• EvtxParser::records_json_value() to allow working with records with a serde_json::Value. See test_into_json_value_records for an example.
• EvtxRecord::into_output, allowing serializing a record using a user-defined BinXmlOutput type.

Changed

• SerializedEvtxRecord is now generic over it's data, allowing a simplified BinXmlOutput trait.

[0.4.2 - 2019-09-05]

Added

• --separate_json_attributes to allow producing a flat JSON structure.

Changed

• updated deps.

[0.4.0 - 2019-06-01]

File output is now supported by evtx_dump

Added

• --output to allow writing to files, --no-confirm-overwrite to allow binary to overwrite existing files.

Changed

• Logs are now printed to stderr instead of stdout
• Failure exit code is now 1 instead of -1
• Some of the structs used in parsing evtx have been moved to winstructs

[0.3.3] - 2019-05-23

Fixed

• A sneaky dbg! print found it's way into the release, added #![deny(clippy:dbg_macro)] to ensure this won't happen again.

[0.3.2] - 2019-05-20

Changed

• EvtxParser::from_read_seek is now public.
• updated deps.

[0.3.1] - 2019-05-19

Implemented Ansi codecs!

Added

• --ansi-codec to control the codec that will be used to decode ansi encoded strings inside the document.

Fixed

• Parser will now print nicer messages when passed non-evtx files.

[0.3.0] - 2019-05-14

This is a minor release due to the removal of failure.

Added

• --backtraces to control backtraces in errors
• -v, -vv, -vv to control trace output in evtx_dump.

Changed

• All errors in the crate are all of a uniform evtx::err::Error type. Errors are implemented with snafu, and are std compatible. In addition, errors now all contain backtraces.

Fixed

• Parser will now correctly parse files which refer to binxml fragments as sized values. (#33)

[0.2.6] - 2019-05-09

Fixed

• Parser is less strict with samples that contain multiple EOF markers (inside nested XML fragments)

[0.2.5] - 2019-05-03

This version is the first .2 version to have python support!

Added

• IntoIterChunks for owned iteration over the chunks.

[0.2.4] - 2019-05-01

Added

• --no-indent flag for xml and json
• --dont-show-record-number to avoid printing records number.
• -o jsonl for JSON lines output (same as -o json --no-indent --dont-show-record-number).

Fixed

• Parser is less strict in dirty samples which contain some amount of corrupted binxml data, and will try to recover the record.

• Don't unwrap on empty binxmlname elements.

[0.2.2] - 2019-04-29

Added

• Performance improvements. Parser should be ~15% faster (thanks @ohadravid)
• --validate-checksums flag to optionally be strict about checksum checks for chunk headers.

Fixed

• Fixed missing data when parsing StringArray nodes. (thanks @ohadravid)
• Samples containing empty chunks (thanks @ohadravid)

[0.2.1] - 2019-04-21

Changed

• More API is now public, for use by library authors who want access to lower level primitives and types.

[0.2.0] - 2019-04-20

This release contains some minor breaking changes to the API.

Added

• Added JSON output support! JSON support is powered by serde and is zero-copy! This means there isn't much performance difference between the XML output and the JSON output.

• The deserializer is now lazy (thanks @ohadravid !). This will allow to perform some filtering on records based on their metadata before serializing them to save time.

Changed

• Changed parallel iteration to rely only on ParserSettings, so .parallel_records has been removed.
• EvtxParser now needs to be mutable when deserializing records.
• When outputting target as XML, inner xml strings will be escaped, when using JSON, they will not be escaped.

Fixed

• Parser will now coerce values of booleans which are not zero or one to true.

[0.1.9] - 2019-04-19

Added

• Now supporting SystemTime, floating types, and all numerical array types.

Fixed

• strip nuls from ascii strings as well.

Changed

• Now using quick-xml, which microbenchmarks show that is about 15-20% faster than xml-rs.

[0.1.8] - 2019-04-18

Fixed

• Removed trailing nul terminators from all strings.

Changed

• Changed hex formatting padding.
• Changed binary output formatting to hexdump.

[0.1.7] - 2019-04-18

Fixed

• Range error when reading last chunk (#2)

Changed

• Parser will now try to read more records even when surpassing the declared chunk number.

[0.1.6] - 2019-04-13

Fixed

• Fixed missing xml close tag (#1)

Changed

• Removed .unwrap() from xml parsing code.

[0.1.5] - 2019-04-02

Added

• renamed associated binary to evtx_dump

Fixed

• changed assert_eq to debug_assert_eq, to ensure the library won't crash in FFI.

[0.1.4] - 2019-04-01

Fixed

• A regression introduced from #6 for files with a single chunk.

[0.1.3] - 2019-04-01

Changed

• Removed some uses on .unwrap() inside the records iterator, to communicate errors better.

Fixed

• A bug with files that have only a single chunk failing at the end.

[0.1.2] - 2019-03-31

Added

• Multithreading support via rayon

Changed

• Removed unsafe memory mapping code, use generics instead.

Fixed

[0.1.1] - 2019-03-30

Added

Changed

• Fixed a bug with chunk iteration

Fixed

• Fixed a bug with chunk iteration

[0.1.0] - 2019-03-30

Initial Release