What is this?

GrokEVT is a collection of scripts for reading Windows® NT/2K/XP/2K3 event log files. GrokEVT is released under the GNU GPL and is implemented in Python. The scripts work together on one or more mounted Windows® partitions to extract everything needed to convert the logs to a human-readable form: the log files themselves, the registry entries that name each event source's message file, and the message templates those files contain.
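The following is an added example, not GrokEVT's own code, showing why the log file alone is not enough: a legacy .evt record carries only the event ID, source name and insertion strings, while the human-readable template lives in the message DLL that the source's EventMessageFile registry value points to. The record layout follows the documented EVENTLOGRECORD structure (56-byte fixed header, "LfLe" signature, null-terminated UTF-16LE strings, trailing copy of the record length). The two-record sample log, the source names and the template dictionary that stands in for the registry/DLL lookup are constructed here so the example runs offline.

```python
import re
import struct
from datetime import datetime, timezone

# Record signature: the bytes b"LfLe" read as a little-endian DWORD.
RECORD_SIGNATURE = 0x654C664C
# EVENTLOGRECORD fixed fields: Length, Reserved(signature), RecordNumber,
# TimeGenerated, TimeWritten, EventID, EventType, NumStrings, EventCategory,
# ReservedFlags, ClosingRecordNumber, StringOffset, UserSidLength,
# UserSidOffset, DataLength, DataOffset.
HEADER_FMT = "<IIIIIIHHHHIIIIII"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 56 bytes
EVENT_TYPES = {1: "Error", 2: "Warning", 4: "Information",
               8: "Audit Success", 16: "Audit Failure"}

# Constructed stand-in for the lookup GrokEVT performs on the mounted partition:
# HKLM\SYSTEM\CurrentControlSet\Services\EventLog\<Log>\<Source>\EventMessageFile
# names a DLL whose message table maps EventID -> template. Hypothetical values.
MESSAGE_TEMPLATES = {
    ("ExampleSvc", 0x80000401): "Service %1 failed to start: %2",
}


def _utf16z(text):
    """Null-terminated UTF-16LE, the string encoding used inside .evt files."""
    return text.encode("utf-16-le") + b"\x00\x00"


def _read_utf16z(rec, pos):
    """Read a null-terminated UTF-16LE string; return (text, offset after it)."""
    end = pos
    while end + 1 < len(rec) and rec[end:end + 2] != b"\x00\x00":
        end += 2
    return rec[pos:end].decode("utf-16-le"), end + 2


def build_record(record_number, event_id, event_type, source, computer,
                 strings, timestamp=1_200_000_000):
    """Build one constructed record (no SID, no binary data)."""
    body = _utf16z(source) + _utf16z(computer)
    string_offset = sid_offset = HEADER_LEN + len(body)
    body += b"".join(_utf16z(s) for s in strings)
    data_offset = HEADER_LEN + len(body)
    total = HEADER_LEN + len(body) + 4           # + trailing Length copy
    pad = (-total) % 4                           # records are DWORD-aligned
    total += pad
    header = struct.pack(HEADER_FMT, total, RECORD_SIGNATURE, record_number,
                         timestamp, timestamp, event_id, event_type,
                         len(strings), 0, 0, 0, string_offset, 0, sid_offset,
                         0, data_offset)
    return header + body + b"\x00" * pad + struct.pack("<I", total)


def parse_records(buf):
    """Walk records by their Length field; stop at a bad signature, a
    truncated record, or a trailing Length that disagrees with the header."""
    records, offset = [], 0
    while offset + HEADER_LEN <= len(buf):
        (length, sig, rec_no, t_gen, _t_wr, event_id, ev_type, num_strings,
         category, _flags, _closing, str_off, _sid_len, _sid_off, _data_len,
         _data_off) = struct.unpack_from(HEADER_FMT, buf, offset)
        rec = buf[offset:offset + length]
        if (sig != RECORD_SIGNATURE or length < HEADER_LEN + 4
                or len(rec) < length
                or struct.unpack_from("<I", rec, length - 4)[0] != length):
            break
        source, pos = _read_utf16z(rec, HEADER_LEN)
        computer, _ = _read_utf16z(rec, pos)
        strings, pos = [], str_off
        for _ in range(num_strings):
            s, pos = _read_utf16z(rec, pos)
            strings.append(s)
        records.append({
            "record_number": rec_no,
            "time_generated": datetime.fromtimestamp(t_gen, timezone.utc).isoformat(),
            "event_id": event_id,
            "event_code": event_id & 0xFFFF,    # the number Event Viewer shows
            "event_type": EVENT_TYPES.get(ev_type, str(ev_type)),
            "category": category,
            "source": source,
            "computer": computer,
            "strings": strings,
        })
        offset += length
    return records


def render(rec, templates=MESSAGE_TEMPLATES):
    """Substitute %1..%n insertion strings into the source's template. Without
    the template only the raw strings can be shown, which is why the registry
    and message DLLs must come from the same image as the log."""
    template = templates.get((rec["source"], rec["event_id"]))
    if template is None:
        return "[%s %d] %s" % (rec["source"], rec["event_code"],
                               " | ".join(rec["strings"]))

    def insert(match):
        n = int(match.group(1))
        if 1 <= n <= len(rec["strings"]):
            return rec["strings"][n - 1]
        return match.group(0)                    # leave unresolvable %n intact
    return re.sub(r"%(\d+)", insert, template)


# Constructed two-record log: one source with a known template, one without.
SAMPLE_LOG = (build_record(1, 0x80000401, 2, "ExampleSvc", "WORKSTATION1",
                           ["Spooler", "access denied"])
              + build_record(2, 0x00000007, 4, "OtherSvc", "WORKSTATION1",
                             ["started"]))

if __name__ == "__main__":
    for rec in parse_records(SAMPLE_LOG):
        print(rec["time_generated"], rec["event_type"], render(rec))
```

The second sample record has no template in the dictionary, so `render` falls back to the bare insertion strings; that is what a log looks like when the matching message DLL is missing from the mounted partition, and it is the gap GrokEVT's registry and message-template extraction is there to close.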

Where do I learn more?

See the main project site. You'll find official releases there and more documentation.

What if I have trouble?

Ask for help on the development mailing list or submit an issue here on GitHub.

Is this project maintained anymore?

GrokEVT is quickly becoming obsolete since it only supports the log format used in Windows 2003 and earlier. Newer versions of Windows use an even more complex (inane) file format for storing logs and I've never found the time/motivation to add support for the newer format. The newer format has been documented by other forensics researchers though, and I'd certainly help out if someone wanted to step in and add that support to GrokEVT.

How do I contribute?

We love contributions. However, for now this GitHub mirror is just that, a static mirror, so please don't submit pull requests. Just send us patches on the development mailing list.