Packages and Binaries:

grokevt

Scripts for reading Microsoft Windows event log files
GrokEVT is a collection of scripts built for reading Microsoft Windows NT/2000/XP/2003 event log files.

Currently the scripts work together on one or more mounted Microsoft Windows partitions to extract all information needed (registry entries, message templates, and log files) to convert the logs to a human-readable format.

This program is useful in forensics investigations.

Installed size: 122 KB
How to install: sudo apt install grokevt

Dependencies:

python3
python3-pyregfi
reglookup

grokevt-addlog

A tool for adding a raw event log to an existing GrokEVT database.

root@kali:~# grokevt-addlog -h
USAGE:
  /usr/bin/grokevt-addlog <DATABASE_DIR> <EVT_FILE> <NEW_TYPE> <BASE_TYPE>

This script takes a raw Windows event log and adds it to a
previously built database generated by grokevt-builddb.
See the man page for more details.

grokevt-builddb

Builds a database tree based on a single windows system for the purpose of event log conversion.

root@kali:~# grokevt-builddb -h
USAGE:
  grokevt-builddb [-v] [-c CSID] <CONFIG_PROFILE> <OUTPUT_DIR>

grokevt-builddb builds a database tree based on a
single windows system for the purpose of event log
conversion.  Please see the man page for more
information.
ERROR: Requires at least 2 arguments.

grokevt-dumpmsgs

A tool for dumping the contents of message databases built previously by grokevt-ripdll(1).

root@kali:~# man grokevt-dumpmsgs
grokevt-dumpmsgs(1)                                         grokevt-dumpmsgs(1)

NAME
     grokevt-dumpmsgs  -  A  tool for dumping the contents of message databases
     built previously by grokevt-ripdll(1).

SYNOPSIS
     grokevt-dumpmsgs message-db1 [message-db2 ...]

DESCRIPTION
     grokevt-dumpmsgs takes one or more message databases previously built with
     grokevt-ripdll(1) and prints out all entries to stdout. This is  mainly  a
     debugging tool, but may be useful for analyzing the message contents of PE
     files while developing other applications.

ARGUMENTS
     grokevt-dumpmsgs uses the following arguments:

     message-dbN
            If  multiple  message  databases are supplied, entries of all data-
            bases are printed to stdout in the order they are provided.

OUTOUT
     grokevt-dumpmsgs prints each database entry out on a single line,  in  two
     comma-separated  columns.  The first column is the message ID, which is in
     the format:

               XXXX-YYYYYYYY

     Here, XXXX represents the message's language code, and the YYYYYYYY repre-
     sents the message's relative virtual  address  (RVA)  within  the  message
     block of the PE file.  The second column contains the message itself. Mes-
     sages  containing  special characters (such as newlines or commas) are en-
     coded in the same manner  that  grokevt-parselog(1)  encodes  them  ("%XX"
     where XX is the hexadecimal value of the character).

BUGS
     Probably several. This particular script has not been extensively tested.

CREDITS
     Written by Timothy D. Morgan.

LICENSE
     Please see the file "LICENSE" included with this software distribution.

     This  program is distributed in the hope that it will be useful, but WITH-
     OUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY  or
     FITNESS  FOR A PARTICULAR PURPOSE. See the GNU General Public License ver-
     sion 3 for more details.

SEE ALSO
     grokevt(7)   grokevt-addlog(1)   grokevt-builddb(1)    grokevt-findlogs(1)
     grokevt-parselog(1) grokevt-ripdll(1)

File Conversion Utilities         20 June 2011              grokevt-dumpmsgs(1)

grokevt-findlogs

Attempts to find log file fragments in raw binary files, such as memory dumps and disk images.

root@kali:~# grokevt-findlogs --help
USAGE:
  grokevt-findlogs -?
  grokevt-findlogs [-v] [-h] [-H] [-o <OFFSET>] <RAW_FILE>

grokevt-findlogs attempts to find log file fragments in raw
binary files, such as memory dumps and disk images.
Please see the man page for more information.

grokevt-parselog

Parse a windows event log and generate human-readable output based on message resources stored in a database.

root@kali:~# grokevt-parselog -h
USAGE:
  grokevt-parselog -?|--help
  grokevt-parselog -l <DATABASE_DIR>
  grokevt-parselog -m <DATABASE_DIR> <LOG_TYPE>
  grokevt-parselog [-v] [-H] [-h] <DATABASE_DIR> <LOG_TYPE>

This program parses a windows event log and prints a
CSV version of the log to stdout.  Please see the man
page for more information.

grokevt-ripdll

A tool for extracting message resources from a PE-formatted file.

root@kali:~# grokevt-ripdll -h
USAGE:
  grokevt-ripdll <INPUT_DLL> <OUTPUT_DB>

grokevt-ripdll is a tool for extracting message resources from a PE-formatted file.
Please see the man page for more information.

Updated on: 2026-May-25

Edit this page

gr-osmosdr guymager