What are the differences between Windows EVT and EVTX log files?
Windows Event files were classified as .evt files up until Windows XP.
Windows Vista and newer started calling event log files .evtx.
You can convert between the two! :)
(this is a lot like .doc vs .docx in MS Word between the Office '03 and '07 releases)
EDIT TO FOLLOW YOUR EDIT:
ALSO I saw this link about compatibility of loading in evt files on older versions of Windows, etc... it seems you may not be the first to run into this problem!
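The two formats can be told apart, and their basic header state read, from the first bytes of the file; the following is an added example, not code from the original answer. It decodes the 48-byte EVT header (Microsoft's documented `ELF_LOGFILE_HEADER`, signature `LfLe`) and the 128-byte EVTX file header (signature `ElfFile\0`). Assumptions: the function names are illustrative, the EVTX offsets follow public format analyses rather than an official specification, and the sample headers are constructed.

```python
import struct
import zlib

# EVT flag bits as named in Microsoft's ELF_LOGFILE_HEADER documentation.
EVT_FLAGS = {0x1: "DIRTY", 0x2: "WRAP", 0x4: "LOGFULL_WRITTEN", 0x8: "ARCHIVE_SET"}
# EVTX layout and flag bits follow public format analyses (assumption: no official spec).
EVTX_FLAGS = {0x1: "DIRTY", 0x2: "FULL"}


def _names(flags, table):
    return [name for bit, name in table.items() if flags & bit]


def identify_event_log(data):
    """Classify an event log by its header bytes and decode the key fields."""
    # EVTX: signature "ElfFile\0" at offset 0, followed by a 128-byte header.
    if len(data) >= 128 and data[:8] == b"ElfFile\x00":
        minor, major = struct.unpack_from("<HH", data, 36)
        flags, checksum = struct.unpack_from("<II", data, 120)
        return {"format": "EVTX", "version": (major, minor),
                "flags": _names(flags, EVTX_FLAGS),
                # The stored checksum is a CRC32 over the first 120 header bytes.
                "checksum_ok": zlib.crc32(data[:120]) & 0xFFFFFFFF == checksum}
    # EVT: twelve little-endian DWORDs; the size 0x30 brackets the header and
    # the signature "LfLe" sits at offset 4.
    if len(data) >= 48 and data[4:8] == b"LfLe":
        f = struct.unpack_from("<12I", data, 0)
        if f[0] == 0x30 and f[11] == 0x30:
            return {"format": "EVT", "version": (f[2], f[3]),
                    "current_record": f[6], "oldest_record": f[7],
                    "flags": _names(f[9], EVT_FLAGS)}
    return {"format": "unknown"}


def sample_evt(flags=0):
    """Constructed 48-byte EVT header (not taken from a real log)."""
    return struct.pack("<I4s10I", 0x30, b"LfLe", 1, 1, 0x30, 0x30,
                       1, 0, 0x10000, flags, 0, 0x30)


def sample_evtx(flags=0):
    """Constructed 128-byte EVTX file header (not taken from a real log)."""
    head = struct.pack("<8sQQQIHHHH", b"ElfFile\x00", 0, 0, 1, 128, 1, 3, 4096, 1)
    head += bytes(76)
    return head + struct.pack("<II", flags, zlib.crc32(head) & 0xFFFFFFFF)


if __name__ == "__main__":
    for blob in (sample_evt(0x1), sample_evtx()):
        print(identify_event_log(blob))
```

Microsoft documents the EVT `DIRTY` flag as meaning records were written but the log file was not properly closed, so it is worth checking on any `.evt` file collected from a running system.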
Matt B
Updated on September 18, 2022
Comments
-
Matt B almost 2 years
Windows is moving to the *.EVTX format for their logging files, but we still have clients that have versions that write to the older *.EVT format. What are the differences in how those files are built, with a view to if they are parsed differently.
The problem I'm having is when I try to open a *.EVT file in Windows 7, I get a lot of invalid data errors, but when I turn around and open them in XP, it seems to work fine.
For full disclosure, I'm seeing the same behaviour when I save the log out of the viewer, and when I try copying the files directly from the windows32 folder path.
-
joeqwerty over 11 years
Replace "is moving" with "has moved".
-
fstolz over 11 years
Just edited my answer to include a freebie utility that may load your evt files in Windows 7 as apparently that's a built in behavior! Sigh...you learn something every day.
-
Matt B over 11 years
So following the office analogy, I'm guessing that there's a format change using XML to store the data in the EVTX format, but that it should be pretty transparent opening an EVT on 7 or 2008, but not so much opening an EVTX on XP or 2003?
-
fstolz over 11 years
Correct, you'd likely have to either open the evtx using an XML editor OR use wevtutil to convert it to an .evt file if you'd like to try and open it using the Windows Event Viewer.