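<#
.SYNOPSIS
Tool to convert local .evtx files into XML files using wevtutil.
.DESCRIPTION
Evtx-to-Xml converts a local directory tree of .evtx files, strips out
characters that are not legal in XML 1.0, and saves each log as an .xml
file next to its source.
This script will only process files that do not already have an XML file.
To force an overwrite, either delete the XML file or use -Force.
Because control characters are stripped, the XML output is not a byte-faithful
copy of the event data; keep the original .evtx files as the primary evidence.
Author: Grant Sales
Date: 2019.05.13
.PARAMETER Output
Accepted for compatibility but not currently used; XML files are always
written beside their .evtx source.
.PARAMETER Debug
When this switch is provided, it will output to screen and not save xml to disk.
.PARAMETER Force
When this switch is provided, it will process all files and overwrite existing xml files.
.PARAMETER Help
When this switch is provided, it will run get-help $PSScriptRoot\Evtx-to-Xml.ps1 -Detailed; exit
.EXAMPLE
.\Evtx-to-Xml.ps1
.EXAMPLE
.\Evtx-to-Xml.ps1 -Debug
.EXAMPLE
.\Evtx-to-Xml.ps1 -Help
#>
param(
    [string]$Output,
    [switch]$Debug,
    [switch]$Force,
    [switch]$Help
)

## Check if -Help
if ($Help) { Get-Help $PSScriptRoot\Evtx-to-Xml.ps1 -Detailed; exit }

## Characters outside the XML 1.0 character range. Tab (0x09), LF (0x0A) and
## CR (0x0D) are legal and must be kept; any other byte below 0x20 makes the
## [xml] cast throw "hexadecimal value 0x.., is an invalid character".
## The previous version stripped only 0x01, 0x02 and 0x0F; this class covers
## those and the rest of the range, so event data cannot break the cast.
$invalid_xml_chars = '[\x00-\x08\x0B\x0C\x0E-\x1F]'

## Get input evtx files (recursively, from the current directory)
$evtx_files = Get-ChildItem -Path ./ -Filter "*.evtx" -Recurse

foreach ($evtx in $evtx_files) {
    $xml_file_path = Join-Path $evtx.Directory.FullName ($evtx.BaseName + ".xml")
    ## -LiteralPath: a log name containing [ or ] would otherwise be treated
    ## as a wildcard by Test-Path and the existence check would be wrong.
    if ($Force -or !(Test-Path -LiteralPath $xml_file_path)) {
        ## XML file doesn't exist or -Force is set: convert evtx to xml
        Write-Host "Converting $($evtx.FullName) to $xml_file_path"
        $evtx_file = $evtx.FullName
        $raw = wevtutil query-events "$evtx_file" /logfile /element:root
        ## wevtutil is a native command; an unreadable or corrupt log only
        ## shows up as its exit code (and empty output), so check it here
        ## instead of letting the [xml] cast fail with a confusing message.
        if ($LASTEXITCODE -ne 0 -or -not $raw) {
            Write-Warning "wevtutil failed for $evtx_file (exit code $LASTEXITCODE); skipping"
            continue
        }
        ## $raw is one string per output line; -replace runs per element and
        ## the [xml] cast joins the elements into a single document.
        $xml = [xml]($raw -replace $invalid_xml_chars, '')
        if ($Debug) {
            ## If -Debug pretty print to screen
            $xml.Save([Console]::Out)
        }
        else {
            $xml.Save($xml_file_path)
        }
    }
}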