Although the era of Windows XP is over, a great number of PCs still run this operating system or Windows 2003 Server. According to various surveys, in 2018 Windows XP still held more than 4% of the desktop operating system market, and Windows 2003 Server still accounted for more than 10% of server operating systems. Moreover, Microsoft still supports Windows Embedded POSReady 2009, which is based on Windows XP.
This means that millions of computers across the globe still run an XP-based OS and write their events to classic (evt) event logs.
When Windows Vista appeared in 2007, it introduced a new event log format along with a new Event Viewer. This Event Viewer passed through Windows 7 and 8 and reached Windows 10 practically unchanged. It was designed to open event log files in both formats: the new one (evtx) and the legacy one (evt).
Unfortunately, the Windows API no longer supports evt files: the API function OpenBackupEventLog returns error 1500 (Log file is corrupted) when opening an evt file. That is why many third-party event viewers cannot read evt files on modern Windows. Event Viewer itself parses evt files and displays them like native evtx files. However, Windows 10 Event Viewer stopped working correctly. First, we noticed that it doesn’t display the event date and time for evt log files exported by Event Log Explorer (our application can export events to the legacy format). Suspecting that this could be a bug in Event Log Explorer, we took several event log files from Windows XP: we saved several event logs to files using the Windows XP Event Viewer and also obtained a couple of “live” legacy event logs. In every case, Windows 10 Event Viewer failed to display the event date and time for these log files.
Since the event timestamp is a key field in any forensic examination, this makes it impossible to use Windows Event Viewer as a forensic tool for legacy log analysis.
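An examiner who needs the timestamps out of a legacy log without depending on Event Viewer or on OpenBackupEventLog can read the EVENTLOGRECORD structures of the .evt file directly. The following added example (not code from Event Log Explorer or the original post) does that: it walks the records from the file header's StartOffset and decodes TimeGenerated and TimeWritten, which the legacy format stores as seconds since the Unix epoch in UTC; the minimal .evt image it parses is constructed inline for the demo.

```python
import struct
from datetime import datetime, timezone

LFLE = 0x654C664C                            # record signature "LfLe" as a little-endian DWORD
HEADER = struct.Struct("<12I")               # ELF_LOGFILE_HEADER, 48 bytes
RECORD = struct.Struct("<IIIIIIHHHHIIIIII")  # fixed part of EVENTLOGRECORD, 56 bytes
TYPES = {1: "Error", 2: "Warning", 4: "Information", 8: "Audit Success", 16: "Audit Failure"}

def parse_evt(data):
    """Return one dict per record of an .evt image, timestamps decoded as UTC datetimes."""
    hdr = HEADER.unpack_from(data, 0)
    if hdr[0] != 0x30 or hdr[1] != LFLE:
        raise ValueError("not a legacy .evt file")
    off, events = hdr[4], []                 # hdr[4] = StartOffset of the first record
    while off + RECORD.size <= len(data):
        rec = RECORD.unpack_from(data, off)
        if rec[1] != LFLE or rec[0] < RECORD.size:
            break                            # EOF record (or junk) reached, stop here
        # SourceName and Computername follow the fixed part as NUL-terminated UTF-16LE,
        # ending where the SID (if UserSidLength > 0) or the insertion strings begin
        names_end = off + (rec[13] if rec[12] else rec[11])
        names = data[off + RECORD.size:names_end].decode("utf-16-le").split("\0")
        events.append({
            "record": rec[2],
            "time_generated": datetime.fromtimestamp(rec[3], tz=timezone.utc),
            "time_written": datetime.fromtimestamp(rec[4], tz=timezone.utc),
            "event_id": rec[5] & 0xFFFF,     # low word is the ID Event Viewer shows
            "type": TYPES.get(rec[6], str(rec[6])),
            "source": names[0], "computer": names[1],
        })
        off += rec[0]                        # Length covers the whole variable-size record
    return events

def build_record(num, t_gen, t_wri, event_id, etype, source, computer, strings=()):
    """Constructed sample record in EVENTLOGRECORD layout (demo data, not a real log)."""
    names = (source + "\0" + computer + "\0").encode("utf-16-le")
    strs = "".join(s + "\0" for s in strings).encode("utf-16-le")
    str_off = RECORD.size + len(names)       # no SID, so strings start right after the names
    length = RECORD.size + len(names) + len(strs) + 4   # +4 for the trailing copy of Length
    pad = (-length) % 4                      # records are DWORD-aligned
    length += pad
    fixed = RECORD.pack(length, LFLE, num, t_gen, t_wri, event_id, etype, len(strings),
                        0, 0, 0, str_off, 0, str_off, 0, str_off + len(strs))
    return fixed + names + strs + b"\0" * pad + struct.pack("<I", length)

def sample_evt():  # constructed minimal .evt image: file header, one record, EOF record
    rec = build_record(1, 1228089600, 1228089601, 6005, 4, "EventLog", "XPBOX", ("",))
    eof = struct.pack("<10I", 0x28, 0x11111111, 0x22222222, 0x33333333, 0x44444444,
                      0x30, 0x30 + len(rec), 2, 1, 0x28)
    hdr = HEADER.pack(0x30, LFLE, 1, 1, 0x30, 0x30 + len(rec), 2, 1, 0x80000, 0, 0, 0x30)
    return hdr + rec + eof
```

To run it against a real log, pass the bytes of the .evt file to parse_evt(); the loop stops at the EOF record, so a wrapped (circular) log with records before StartOffset needs a second pass from the file header, which this demo does not do.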
Event Log Explorer doesn’t have this problem and displays the event date and time correctly.