I am using the latest preview build. When attempting to parse saved CAPI2 event logs (

Issues parsing CAPI2 event logs about eventlogexpert HOT 5 CLOSED

maweeras-msft commented on June 9, 2024

Issues parsing CAPI2 event logs

from eventlogexpert.

Comments (5)

bill-long commented on June 9, 2024 1

I used to use EventViewerPro as well, and I was always annoyed at having to adjust time sliders. 😆 We haven't needed them with EventLogExpert, since we can load a 1 GB log in about 1 minute.

After discussing this with Joseph, I'm going create another branch and implement the approach of keeping the EventLogReader open and deferring ToXml() until the user asks for it, or maybe as a post-load background task, so we can maintain load performance while still providing full-fidelity XML. We'll see how that code looks before making a decision.

from eventlogexpert.

bill-long commented on June 9, 2024 1

We went with a solution of doing the initial load, then immediately loading all the XML in the background, while the user can still navigate and start looking at things. This is available in the latest prerelease which is now up. Please test it and provide feedback.

Thank you!

from eventlogexpert.

maweeras-msft commented on June 9, 2024 1

Looks much better than before so far. Thanks!

from eventlogexpert.

bill-long commented on June 9, 2024

It looks like this fix will require a large change which is likely to slow down log load time. The EventLogRecord that comes back from EventReader doesn't include anything that shows the UserData values.

Here's event ID 10, which I like for this example because it is relatively simple.

From Event Viewer:

Log Name:      Microsoft-Windows-CAPI2/Operational
Source:        Microsoft-Windows-CAPI2
Date:          2/6/2024 10:31:05 AM
Event ID:      10
Task Category: Build Chain
Level:         Information
Keywords:      Path Discovery,Path Validation
User:          LOCAL SERVICE
Computer:      DevVM
Description:
For more details for this event, please refer to the "Details" section
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CAPI2" Guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" />
    <EventID>10</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>11</Task>
    <Opcode>1</Opcode>
    <Keywords>0x4000000000000003</Keywords>
    <TimeCreated SystemTime="2024-02-06T18:31:05.2075654Z" />
    <EventRecordID>1</EventRecordID>
    <Correlation />
    <Execution ProcessID="5148" ThreadID="2160" />
    <Channel>Microsoft-Windows-CAPI2/Operational</Channel>
    <Computer>DevVM</Computer>
    <Security UserID="S-1-5-19" />
  </System>
  <UserData>
    <CertGetCertificateChainStart>
      <EventAuxInfo ProcessName="svchost.exe" />
      <CorrelationAuxInfo TaskId="{EF36F761-16E4-432C-8D55-FE5EC19B632D}" SeqNumber="1" />
    </CertGetCertificateChainStart>
  </UserData>
</Event>

From EventReader:

PS C:\> $reader = New-Object System.Diagnostics.Eventing.Reader.EventLogReader("$home\Desktop\CAPI2.evtx", "FilePath")
PS C:\> $e = $reader.ReadEvent()
PS C:\> $e | fl *


Id                   : 10
Version              : 0
Qualifiers           :
Level                : 4
Task                 : 11
Opcode               : 1
Keywords             : 4611686018427387907
RecordId             : 1
ProviderName         : Microsoft-Windows-CAPI2
ProviderId           : 5bbca4a8-b209-48dc-a8c7-b23d3e5216fb
LogName              : Microsoft-Windows-CAPI2/Operational
ProcessId            : 5148
ThreadId             : 2160
MachineName          : DevVM
UserId               : S-1-5-19
TimeCreated          : 2/6/2024 10:31:05 AM
ActivityId           :
RelatedActivityId    :
ContainerLog         : C:\Users\bill\Desktop\CAPI2.evtx
MatchedQueryIds      : {}
Bookmark             : System.Diagnostics.Eventing.Reader.EventBookmark
LevelDisplayName     : Information
OpcodeDisplayName    : Start
TaskDisplayName      : Build Chain
KeywordsDisplayNames : {Path Validation, Path Discovery}
Properties           : {}

For most events, we get the XML members from that Properties collection, which is empty here. Those same properties are used to render the Description. But the UserData doesn't appear anywhere on this object. However, we can get it by calling ToXml() (formatted the XML for readability):

PS C:\> $e.ToXml()
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
    <System>
        <Provider Name='Microsoft-Windows-CAPI2' Guid='{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}'/>
        <EventID>10</EventID>
        <Version>0</Version>
        <Level>4</Level>
        <Task>11</Task>
        <Opcode>1</Opcode>
        <Keywords>0x4000000000000003</Keywords>
        <TimeCreated SystemTime='2024-02-06T18:31:05.2075654Z'/>
        <EventRecordID>1</EventRecordID>
        <Correlation/>
        <Execution ProcessID='5148' ThreadID='2160'/>
        <Channel>Microsoft-Windows-CAPI2/Operational</Channel>
        <Computer>DevVM</Computer>
        <Security UserID='S-1-5-19'/>
    </System>
    <UserData>
        <CertGetCertificateChainStart>
            <EventAuxInfo ProcessName='svchost.exe'/>
            <CorrelationAuxInfo TaskId='{EF36F761-16E4-432C-8D55-FE5EC19B632D}' SeqNumber='1'/>
        </CertGetCertificateChainStart>
    </UserData>
</Event>

So one fix for this is to simply call ToXml(). We would need to either do this for everything when we load the log, impacting load performance and memory usage (storing all this XML in memory instead of generating it on the fly), or we need to hold on to the EventLogRecord objects in memory so we can do this later on demand (similar how we generate our own Xml on demand now), impacting memory usage only, but then we also need to keep that log session open as well.

Note also that ToXml() returns unindented XML with no whitespace, so if we use that, we also need to format it before displaying it.

ToXml() at load is easy to implement, so I did that and tested on my dev VM. In this example we are calling ToXml() at load time, but we are not formatting it until the user decides to look at it:

Log	Xml Method	Load Time
1 GB Security Log	Generate from Properties On-Demand	51 seconds
1 GB Security Log	ToXml() at Load Time	72 seconds
760 MB ProbeResult Log	Generate from Properties On-Demand	23 seconds
760 MB ProbeResult Log	ToXml() at Load Time	34 seconds

Note this also makes the XML look different. For example, we resolve things like Task and Level to strings in our own XML generation, but ToXml() does not. EventLogExpert with our own XML generation:

Log Name: Microsoft-Windows-CAPI2/Operational
Source: Microsoft-Windows-CAPI2
Date: 2/6/2024 10:31:05 AM
Event ID: 10
Task Category: Build Chain
Level: Information
Keywords: Path Validation Path Discovery
User:
Computer: DevVM
Description:
For more details for this event, please refer to the "Details" section
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
        <Provider Name="Microsoft-Windows-CAPI2" />
        <EventID>10</EventID>
        <Level>Information</Level>
        <Task>Build Chain</Task>
        <Keywords>0x4000000000000003</Keywords>
        <TimeCreated SystemTime="2024-02-06T18:31:05.2075654Z" />
        <EventRecordID>1</EventRecordID>
        <Channel>Microsoft-Windows-CAPI2/Operational</Channel>
        <Computer>DevVM</Computer>
        <ProcessID>5148</ProcessID>
        <ThreadID>2160</ThreadID>
    </System>
    <EventData>
    </EventData>
</Event>

EventLogExpert with ToXml():

Log Name: Microsoft-Windows-CAPI2/Operational
Source: Microsoft-Windows-CAPI2
Date: 2/6/2024 10:31:05 AM
Event ID: 10
Task Category: Build Chain
Level: Information
Keywords: Path Validation Path Discovery
User:
Computer: DevVM
Description:
For more details for this event, please refer to the "Details" section
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CAPI2" Guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" />
    <EventID>10</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>11</Task>
    <Opcode>1</Opcode>
    <Keywords>0x4000000000000003</Keywords>
    <TimeCreated SystemTime="2024-02-06T18:31:05.2075654Z" />
    <EventRecordID>1</EventRecordID>
    <Correlation />
    <Execution ProcessID="5148" ThreadID="2160" />
    <Channel>Microsoft-Windows-CAPI2/Operational</Channel>
    <Computer>DevVM</Computer>
    <Security UserID="S-1-5-19" />
  </System>
  <UserData>
    <CertGetCertificateChainStart>
      <EventAuxInfo ProcessName="svchost.exe" />
      <CorrelationAuxInfo TaskId="{EF36F761-16E4-432C-8D55-FE5EC19B632D}" SeqNumber="1" />
    </CertGetCertificateChainStart>
  </UserData>
</Event>

I suppose we could implement ToXml() at load time and make it optional. I wonder how many users will care about something like a 30% longer load time in order to get full-fidelity XML.

from eventlogexpert.

maweeras-msft commented on June 9, 2024

Speaking for myself, I would be OK with a 30% load time increase if it was a setting I could toggle on/off that warned of the perf impact before enabling it.
Is it also possible to reduce the impact if we loaded a partial set of the log instead of all records? I used to use a different internal older event log tool a while back that loaded a percentage of records configurable via a slider. Although I almost always loaded it all before filtering to my preferences.

from eventlogexpert.

Issues parsing CAPI2 event logs about eventlogexpert HOT 5 CLOSED

Comments (5)

Related Issues (20)

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent