Sunday, May 6, 2007

First off, Harlan Carvey mentions that his new book has information about this on page 205; I still haven't made it out to buy the book yet, but the day isn't over. Harlan also mentions that the file is created when IE7 is installed.

Wow, there's been quite a response to the first post. . . A couple of things that Andreas Schuster requested. This is the contents of the HKLM\System\CurrentControlSet\Services\EventLog\Internet Explorer


and this is the HKLM\System\CurrentControlSet\Services\EventLog\Internet Explorer:



This is Internet.evt opened in a hex editor:



the remainder of the file appears to be empty. Using psloglist against the file appears to dump the contents of the file.

2 comments:

Andreas said...

Bill,

thanks a lot for your detailed description. The file seemingly consists of a header and the cursor (aka footer) records. While the header looks OK, the cursor does not. Assuming that only null bytes follow, the cursor points into empty space.

I found a similar file on my test system (the only one with IE7). The file is named Windows.evt. Again the header is OK and the cursor record seems to be garbled. The offsets and record numbers are different from yours, but mine certainly are from a different installer package (German locale).

Also the configuration in the registry is incomplete. There should be at least a "File" entry pointing to your Internet.evt. (It was missing on my system, too. I created one but I still can't get IE7 to log anything).

So obviously something went wrong during either during packaging or the installation of IE7.

Andreas said...

Frank Heyne, author of several tools to analyze Windows event log files, posted some interesting observations on Vista and NT style event logs: http://www.heysoft.de/Frames/Vista_Remarks1_en.htm