Tuesday, 2 December 2008

Procedure For Recovering A Corrupted Event Log

On an active system, new events are written to the end of the log file. When a soft shutdown is performed, the log data is realigned to its proper location. If a hard shutdown or live acquisition is performed, this data may not have been properly flushed, leaving an unreadable log file. The result is a "log file is corrupt" error.

Steps to Recover:

1. Copy out the Windows event log you are interested in (e.g. SecEvent.Evt, SysEvent.Evt or AppEvent.Evt).

2. Before proceeding, try to open the file with your event viewer. If you get the message, “The event log is corrupted”, then continue with the following steps.

3. Open the Event Log with a HEX file editor (e.g. UltraEdit, HexEdit, WinHex, etc).

4. Search for the ASCII (TEXT) string: 3333DDDD.

5. This puts you right in the middle of the HEX string: 11 11 11 11 22 22 22 22 33 33 33 33 44 44 44 44

6. The “11 11 11 …” hex string is the start of the log file header. The four bytes immediately preceding the “11 11 11…” should be (hex) 28 00 00 00. This is the Record Length (40 bytes).

7. Immediately following the “… 44 44 44 44” you should see a 4-byte sequence: 30 00 00 00. This is the status flag.

30 00 00 00 is “dirty”, meaning the log file has not been flushed. 01 00 00 00 is “clean”.

If you see anything else, it is probably the offset of the location where the next record would be written to the log. You may still proceed; it can still work.

8. Make a note of the next 4-bytes. This is the ALLOCATED SIZE of the log file.

9. Make a note of the next 4-bytes. This is the NUMBER OF ACTIVE RECORDS in the log file.

10. Next, go back to the start of the log file. Now you will start manually filling in the log file header.

11. Check the first 4-bytes of the file; they should be: 30 00 00 00. If not, change them.

12. Next, go to offset 20 (byte offset count starts at ZERO).

13. Type in the ALLOCATED SIZE bytes.

14. This should put you at byte #24.

15. Type in the NUMBER OF ACTIVE RECORDS bytes.

16. Following this (at offset 28) should be: 01 00 00 00 (if not, change it).

17. Go to offset 36, change to: 08 00 00 00.

18. That’s it! You should now be able to open the log file with your event viewer.
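Steps 4 through 17 as an added Python script (not part of the original post): it finds the 11 11 … 44 44 marker, reads the status flag, ALLOCATED SIZE and NUMBER OF ACTIVE RECORDS that follow it, and writes them into the header at offsets 0, 20, 24, 28 and 36 exactly as the steps describe. The sample log it repairs is constructed in memory for the demonstration; the "LfLe" signature and version fields in it are assumed layout, not values from the post.

```python
import struct

# 11 11 11 11 22 22 22 22 33 33 33 33 44 44 44 44: the marker located in step 5
EOF_MARKER = bytes.fromhex("11111111222222223333333344444444")
HEADER_SIZE = 48

def find_eof_record(data: bytes) -> int:
    """Offset of the 28 00 00 00 record length that precedes the marker (step 6),
    searched from the end of the file; -1 if the marker or length is missing."""
    pos = data.rfind(EOF_MARKER)
    if pos < 4 or data[pos - 4:pos] != b"\x28\x00\x00\x00":
        return -1
    return pos - 4

def repair_header(data: bytes) -> bytes:
    """Steps 7-17: copy the values stored after the marker into the file header."""
    eof = find_eof_record(data)
    if eof < 0:
        raise ValueError("end-of-file marker not found; header cannot be rebuilt")
    # After "44 44 44 44": status flag, ALLOCATED SIZE, NUMBER OF ACTIVE RECORDS
    status, alloc_size, active_records = struct.unpack_from("<III", data, eof + 20)
    if status not in (0x30, 0x01):
        print(f"note: unexpected status 0x{status:08x}; proceeding anyway (step 7)")
    hdr = bytearray(data[:HEADER_SIZE])
    struct.pack_into("<I", hdr, 0, 0x30)             # step 11: 30 00 00 00
    struct.pack_into("<I", hdr, 20, alloc_size)      # steps 12-13
    struct.pack_into("<I", hdr, 24, active_records)  # steps 14-15
    struct.pack_into("<I", hdr, 28, 1)               # step 16: 01 00 00 00
    struct.pack_into("<I", hdr, 36, 8)               # step 17: 08 00 00 00
    return bytes(hdr) + data[HEADER_SIZE:]

def build_sample_corrupt_log() -> bytes:
    """Constructed sample, not a real log: an unflushed header (zeroed size
    fields, dirty flag set), one placeholder record, then the 40-byte EOF record."""
    hdr = bytearray(HEADER_SIZE)
    hdr[4:8] = b"LfLe"                       # assumed signature field
    struct.pack_into("<II", hdr, 8, 1, 1)    # assumed version fields
    struct.pack_into("<I", hdr, 36, 1)       # dirty flag still set
    record = struct.pack("<I", 56) + b"LfLe" + bytes(48)   # 56-byte placeholder record
    eof_offset = HEADER_SIZE + len(record)
    # status 30, ALLOCATED SIZE, NUMBER OF ACTIVE RECORDS (2), oldest record, length
    eof = (struct.pack("<I", 0x28) + EOF_MARKER
           + struct.pack("<IIIII", 0x30, eof_offset, 2, 1, 0x28))
    return bytes(hdr) + record + eof

if __name__ == "__main__":
    fixed = repair_header(build_sample_corrupt_log())
    print(fixed[:HEADER_SIZE].hex(" ", 4))   # the rebuilt 48-byte header
```

Run it against a copied-out .Evt file by reading the bytes, passing them to repair_header and writing the result to a new file; never overwrite the only copy of the evidence.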
