
Releases: BeanBagKing/EventFinder2

2.2.1 - Fixed Null Records

26 Feb 02:18

Bug fix for the issue identified in 2.2 where some records didn't have associated messages. These records turned out to be null values. When viewing these in the GUI you will get a message similar to the following:

The description for Event ID X from source Y cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

< ORIGINAL DATA HERE >

In other words, the program that created this event is not on the system. Since Windows dynamically generates messages (apparently for localization reasons), it cannot re-create the message event. I don't know how it does this in the GUI or why it doesn't do it programmatically, but it fills in a null value instead. Therefore, the best I can do at the moment is dump the entire XML so at least the data is there for searching.

In my case (in the event you want to know what to look for) the message will start with:

EventRecord.FormatDescription() returned a null value. This is usually because:
"Either the component that raises this event is not installed on your local computer
or the installation is corrupted. You can install or repair the component on the local computer."
The event likely originated on another system, below is the XML data associated with this event

< XML DUMP >

More information:
https://stackoverflow.com/questions/54853671/c-sharp-parsing-eventlog-from-another-host-formatdescription-is-null
https://www.reddit.com/r/csharp/comments/auayz5/parsing_eventlog_from_another_host/
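The fallback described above (render the message if Windows can, otherwise keep the raw event XML so nothing is lost) looks like this in code. This is an added illustration, not EventFinder's own source; the evidence path is a placeholder and only the standard System.Diagnostics.Eventing.Reader API is used.

```csharp
using System;
using System.Diagnostics.Eventing.Reader;

// Added illustration (not EventFinder's own source): read an offline EVTX file and
// fall back to the raw event XML whenever FormatDescription() returns null, which is
// what happens when the provider that raised the event is not registered on the
// machine doing the parsing (typical for logs exported from another host).
class OfflineEvtxDump
{
    // Returns the rendered message, or the event XML when no message can be rendered.
    static string DescribeOrDumpXml(EventRecord record)
    {
        string message = null;
        try
        {
            message = record.FormatDescription();
        }
        catch (EventLogException)
        {
            // Provider metadata missing or corrupt; treat it like a null description.
        }

        if (!string.IsNullOrEmpty(message))
            return message;

        // Keep the original data searchable instead of leaving the field blank.
        return "EventRecord.FormatDescription() returned a null value; raw event XML follows:"
             + Environment.NewLine + record.ToXml();
    }

    static void Main(string[] args)
    {
        // Placeholder path; point this at an exported log from the evidence folder.
        string evtxPath = args.Length > 0 ? args[0] : @"C:\evidence\Security.evtx";

        var query = new EventLogQuery(evtxPath, PathType.FilePath);
        using (var reader = new EventLogReader(query))
        {
            EventRecord record;
            while ((record = reader.ReadEvent()) != null)
            {
                using (record)
                {
                    Console.WriteLine($"[{record.TimeCreated}] {record.ProviderName} ID={record.Id}");
                    Console.WriteLine(DescribeOrDumpXml(record));
                }
            }
        }
    }
}
```

Events whose output begins with the fallback line are the ones to verify manually, since the XML carries the raw EventData but not the provider's message template.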

$ sha256sum EventFinder.exe
7460425d281455ef6f74e7262e09ee2d86ef8b0754cade399044fc67e5561854 EventFinder.exe

2.2 - Offline EVTX Parsing

24 Feb 02:42
  • Added buttons/functionality to parse EVTX files from a folder, allowing analysis on dead systems/evidence
    • New bug? Some of the offline event logs I'm working with don't parse messages for certain events. However, these same events on my machine (both live and offline) do parse. I'm not sure if this is a bug, or something corrupted in the offline logs. Watch for blank "message" fields in your export and manually verify these!
  • Fixed a bug where the CSV may not have been sorted correctly

2.1

29 Jan 20:49

Version 2.1

  • Fixed two errors (issues #2 and #3) that resulted in crashes.
  • Implemented somewhat more robust error handling. Other errors should no longer crash the program; instead an error log is written to the desktop. Please report these.
  • Added File/Help menu items, most notably so that I could implement an about window.

2.0

28 Jan 01:11

Version 2.0

  • Versions 1.0 to 1.2 were PowerShell based. Due to the large number of events that were written to PowerShell logs, I've re-written the entire script in C#. This is my first C# project, my first time using Visual Studio, and my first time integrating it with GitHub. I'm sure there are issues here, but it seems to work.

Found a bug within a few hours; not dropping a new release for it, just updating this one. Hopefully it's fixed.