During an investigation we encountered an evtx file of 8Gb that plaso (and libevtx) failed to fully extract all records from.
After further investigation it seems like the threshold is ~4Gb.
On my generated sample, Windows Event Viewer shows ~10 000 000 records (the screenshot was taken some time after the evtx export, but it is the same order of magnitude).
evtxexport identifies the number of records, but only 360 000 records are parsed and it fails once the data offset is above 4G.
I have generated a 6Gb Security.evtx for test purposes, available here: https://tf.orange.com/f/fb862d57f39241979b71/?dl=1.
The link expires on 2026-05-15; do not hesitate to reach me using this issue or by email: william.billaud [at] orange . com.
I can also share more regarding how the file was created (but tl;dr: enabling process logging + a dumb script to execute a lot of cmd).
Test using libevtx
- git clone, checked out tag 20251118 and compiled.
❯ ./evtxtools/evtxinfo Security_6g.evtx
evtxinfo 20251118
Windows Event Viewer Log (EVTX) information:
Version : 3.2
Number of records : 7243942
Number of recovered records : 2997068
❯ ./evtxtools/evtxexport -v -l log.txt Security_6g.evtx -f xml > security_6g.txt
❯ rg -F '<EventID>' security_6g.txt | wc -l
3633139
Nearly half of the records are missing.
Tests using plaso
- plaso 20260415 + libevtx-python 20251118, installed via git clone + pip install in a venv
- log2timeline --parsers winevtx --debug ~/Documents/tools/github/libevtx/Security_6g.evtx
- pinfo -vvv 20260430T110500-Security_6g.evtx.plaso returns the following:
************************** Plaso Storage Information ***************************
Filename : 20260430T110500-Security_6g.evtx.plaso
Format version : 20230327
Serialization format : json
--------------------------------------------------------------------------------
*********************************** Sessions ***********************************
808bc0d4-6ddf-4708-a1a8-2bb77d816cd8 : 2026-04-30T09:05:00.188607+00:00
--------------------------------------------------------------------------------
**************** Session: 808bc0d4-6ddf-4708-a1a8-2bb77d816cd8 *****************
Start time : 2026-04-30T09:05:00.188607+00:00
Completion time : 2026-04-30T09:34:30.684421+00:00
Product name : plaso
Product version : 20260415
Command line arguments :
/home/<USERNAME>/Documents/tools/github/plaso/.venv/bin/log2timeline
--parsers winevtx --debug
/home/<USERNAME>/Documents/tools/github/libevtx/Security_6g.evtx
Parser filter expression : winevtx
Enabled parser and plugins : winevtx
Preferred encoding : UTF-8
Preferred time zone : UTC
Debug mode : True
Artifact filters : N/A
Filter file : N/A
--------------------------------------------------------------------------------
******************************** Event sources *********************************
0 : type: OS, location:
/home/<USERNAME>/Documents/tools/github/libevtx/Security_6g.evtx
--------------------------------------------------------------------------------
************************* Events generated per parser **************************
Parser (plugin) name : Number of events
--------------------------------------------------------------------------------
winevtx : 13260164
Total : 13260164
--------------------------------------------------------------------------------
No events labels stored.
******************* Extraction warnings generated per parser *******************
Parser (plugin) name : Number of warnings
--------------------------------------------------------------------------------
winevtx : 3610803
--------------------------------------------------------------------------------
************** Path specifications with most extraction warnings ***************
Number of warnings : Pathspec
--------------------------------------------------------------------------------
3610803 : type: OS, location:
/home/<USERNAME>/Documents/tools/github/libevtx/Security_6g.evtx
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
**************************** Extraction warning: 0 *****************************
Message : unable to parse event record: 3633139 with error:
pyevtx_file_get_record_by_index: unable to retrieve
record: 3633139. libevtx_io_handle_read_chunk: invalid
chunk file offset value out of bounds.
libfdata_list_get_element_value: unable to read element
data at offset: 4294971904 (0x100001200).
libfdata_list_get_element_value_by_index: unable to
retrieve element value. libevtx_file_get_record_by_index:
unable to retrieve record values: 3633139.
Parser chain : winevtx
Path specification : type: OS, location:
/home/<USERNAME>/Documents/tools/github/libevtx/Security_6g.evtx
--------------------------------------------------------------------------------
<TRUNC>
From my "real" sample, the extraction warning was the following; the data offset is also around 4G:
**************************** Extraction warning: 7 *****************************
Message : unable to parse event record: 3801043 with error:
pyevtx_file_get_record_by_index: unable to retrieve
record: 3801043. libevtx_io_handle_read_chunk: invalid
chunk file offset value out of bounds.
libfdata_list_get_element_value: unable to read element
data at offset: 4294973840 (0x100001990).
libfdata_list_get_element_value_by_index: unable to
retrieve element value. libevtx_file_get_record_by_index:
unable to retrieve record values: 3801043.
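As an added triage helper (not part of this issue and not code from the libevtx or plaso projects), the script below maps the two failing offsets quoted above onto the EVTX chunk layout. It assumes the documented EVTX geometry: a 4096-byte file header block, 64 KiB chunks each starting with `ElfChnk\0`, a 512-byte chunk header before the first event record, and a 16-bit "number of chunks" field at offset 42 of the file header; those constants are this example's assumptions, not facts the issue states. Both offsets (0x100001200 and 0x100001990) land in chunk index 65536, the first chunk whose start no longer fits in an unsigned 32-bit value, which matches the ~4G threshold reported here. The `survey_chunks` function lets an analyst check a real file's header and chunk starts offline before trusting a record count from an extractor; the in-memory sample it is tested against is constructed and contains no real events.

```python
import struct

# EVTX layout constants, taken from the documented file format (an
# assumption of this example, not something the issue above states).
FILE_SIGNATURE = b"ElfFile\x00"
CHUNK_SIGNATURE = b"ElfChnk\x00"
HEADER_BLOCK_SIZE = 4096    # file header block; chunk 0 starts right after it
CHUNK_SIZE = 65536          # every chunk is 64 KiB
CHUNK_HEADER_SIZE = 512     # event records begin 0x200 bytes into a chunk
UINT32_MAX = 2**32 - 1


def chunk_offset(index: int) -> int:
    """Absolute file offset of chunk number `index` (0-based)."""
    return HEADER_BLOCK_SIZE + index * CHUNK_SIZE


def locate(offset: int) -> tuple[int, int]:
    """Map an absolute file offset to (chunk index, offset inside that chunk)."""
    if offset < HEADER_BLOCK_SIZE:
        raise ValueError("offset lies inside the file header block")
    return divmod(offset - HEADER_BLOCK_SIZE, CHUNK_SIZE)


def first_chunk_past_32bit() -> int:
    """Lowest chunk index whose first record offset exceeds UINT32_MAX."""
    last_fitting = (UINT32_MAX - HEADER_BLOCK_SIZE - CHUNK_HEADER_SIZE) // CHUNK_SIZE
    return last_fitting + 1


def parse_file_header(data: bytes) -> dict:
    """Decode the fields of the EVTX file header that matter for sizing."""
    if data[:8] != FILE_SIGNATURE:
        raise ValueError("not an EVTX file header")
    (first_chunk, last_chunk, next_record_id, header_size,
     minor, major, block_size, number_of_chunks) = struct.unpack_from("<QQQIHHHH", data, 8)
    return {
        "first_chunk_number": first_chunk,
        "last_chunk_number": last_chunk,
        "next_record_identifier": next_record_id,
        "header_size": header_size,
        "version": f"{major}.{minor}",
        "header_block_size": block_size,
        "number_of_chunks": number_of_chunks,   # 16-bit field in the header
    }


def survey_chunks(data: bytes) -> list[dict]:
    """Walk every chunk announced by the header and report where it starts.

    `fits_32bit` is False for any chunk whose record data would need a
    64-bit file offset, i.e. the region past ~4 GiB that the issue describes.
    """
    header = parse_file_header(data)
    report = []
    for index in range(header["number_of_chunks"]):
        start = chunk_offset(index)
        present = data[start:start + 8] == CHUNK_SIGNATURE
        report.append({
            "index": index,
            "offset": start,
            "signature_ok": present,
            "fits_32bit": start + CHUNK_HEADER_SIZE <= UINT32_MAX,
        })
    return report


def build_sample(number_of_chunks: int) -> bytes:
    """Constructed in-memory EVTX skeleton: header plus empty signed chunks.

    It carries no event records and no checksums, so it is only useful for
    exercising the header/chunk arithmetic above, never as a real log.
    """
    header = bytearray(HEADER_BLOCK_SIZE)
    header[:8] = FILE_SIGNATURE
    struct.pack_into("<QQQIHHHH", header, 8,
                     0, number_of_chunks - 1, 1, 128, 2, 3, HEADER_BLOCK_SIZE, number_of_chunks)
    chunks = b"".join(CHUNK_SIGNATURE.ljust(CHUNK_SIZE, b"\x00") for _ in range(number_of_chunks))
    return bytes(header) + chunks


if __name__ == "__main__":
    for off in (0x100001200, 0x100001990):   # the two offsets quoted in the issue
        idx, inner = locate(off)
        print(f"offset {off:#x} -> chunk {idx}, {inner} bytes into the chunk")
    print("first chunk needing a 64-bit offset:", first_chunk_past_32bit())
    for entry in survey_chunks(build_sample(3)):
        print(entry)
```

Run against a real file with `survey_chunks(open(path, "rb").read())`; for a multi-gigabyte log it is cheaper to read only the first 4096 bytes, call `parse_file_header`, and compare `number_of_chunks` with `first_chunk_past_32bit()` to see whether any chunk sits beyond the 32-bit boundary.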