Description
I have been poking at the code, trying to parse various EVTX logs, using the latest GitHub releases.
Works very well for the 4 standard logs, compiles as static, GREAT!
The one thing that stumped me is using resource providers. I couldn't figure out a way to point evtxexport to the right path of the (DLL in this case) provider.
I am trying to parse "Microsoft-Windows-Application-Experience/Program-Telemetry.evtx" from a mounted image of Win2008(ja) server, mounted under mnt/host/C
/tmp/evtxexport -c windows-932 -r "mnt/host/C/Windows/System32/config" -p "mnt/host/C/Windows/System32" mnt/host/C/Windows/System32/winevt/Logs/Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx
The (head) of the result being:
evtxexport 20160107
Event number : 1
Written time : Aug 11, 2013 13:12:06.2323313900 UTC
Event level : Information (4)
User security identifier : S-1-5-18
Computer name : MASKED
Provider identifier : {EEF54E71-0661-422D-9A98-82FD4940B820}
Source name : Microsoft-Windows-Application-Experience
Event identifier : 0x000002bd (701)
Resource filename : %SystemRoot%\system32\aeevts.dll
Unable to export record: 0.
What can be a proper way to handle the %SystemRoot% and/or the whole path to the resource, in this case mnt/host/C/Windows/System32/aeevts.dll? Is this supposed to be working in Windows (sorry, no testing Windows environment)?
I guess one way is to add an option to replace envvars like %SystemRoot%, or just take the filename and append it to the -p resource_files_path provided path.
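As an added example (not code from libevtx or from this issue), the path mapping the report asks for in Python: expand %SystemRoot% from a supplied environment, strip the drive letter that the mount root stands in for, and resolve the remaining Windows path case-insensitively under the mount root (Linux mounts are case-sensitive, while the EVTX record says "system32" and the image has "System32"). The environment mapping and the sample directory tree are constructed here.

```python
import os
import re
import tempfile

# Matches %VAR% references in a Windows path.
_ENV_RE = re.compile(r"%([^%]+)%")


def expand_windows_env(path, env):
    """Expand %VAR% using the supplied (constructed) mapping, case-insensitively.
    Unknown variables are left untouched rather than silently dropped."""
    def repl(m):
        name = m.group(1).lower()
        for key, value in env.items():
            if key.lower() == name:
                return value
        return m.group(0)
    return _ENV_RE.sub(repl, path)


def resolve_resource_path(resource, mount_root, env, drive="C:"):
    r"""Map a Windows resource filename such as %SystemRoot%\system32\aeevts.dll
    onto a mounted image whose C: drive lives at mount_root.
    Returns the host path, or None when some component does not exist."""
    expanded = expand_windows_env(resource, env)
    if expanded[:2].lower() == drive.lower():   # C:\Windows\... -> \Windows\...
        expanded = expanded[2:]
    parts = [p for p in re.split(r"[\\/]+", expanded) if p]
    current = mount_root
    for part in parts:
        try:
            entries = os.listdir(current)
        except OSError:
            return None
        # Case-insensitive match, as NTFS would do on the original system.
        match = next((e for e in entries if e.lower() == part.lower()), None)
        if match is None:
            return None
        current = os.path.join(current, match)
    return current


def make_sample_tree():
    """Constructed stand-in for the mounted image: Windows/System32/aeevts.dll
    with the mixed-case names a real install has (empty placeholder, not a DLL)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "Windows", "System32"))
    open(os.path.join(root, "Windows", "System32", "aeevts.dll"), "wb").close()
    return root


if __name__ == "__main__":
    root = make_sample_tree()
    print(resolve_resource_path(r"%SystemRoot%\system32\aeevts.dll", root,
                                {"SystemRoot": r"C:\Windows"}))
```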