:py:mod:`dissect.eventlog.wevt`
===============================

.. py:module:: dissect.eventlog.wevt


Module Contents
---------------

Classes
~~~~~~~

.. autoapisummary::

   dissect.eventlog.wevt.CRIM
   dissect.eventlog.wevt.WEVT
   dissect.eventlog.wevt.WEVT_TYPE
   dissect.eventlog.wevt.MAPS_WEVT_TYPE
   dissect.eventlog.wevt.TTBL_WEVT_TYPE


Functions
~~~~~~~~~

.. autoapisummary::
   :nosignatures:

   dissect.eventlog.wevt.validate_signature


Attributes
~~~~~~~~~~

.. autoapisummary::

   dissect.eventlog.wevt.header_dev
   dissect.eventlog.wevt.c_wevt_headers


.. py:data:: header_dev
   :value: Multiline-String

   .. code-block:: python

      """
      struct Event_Descriptor {
          char    ProviderId[16];
          uint32  offset;
      };

      struct CRIM_HEADER {
          char    signature[4];
          uint32  size;
          uint32  unknown;
          uint32  providers;
          Event_Descriptor event_providers[providers];
      };

      struct WEVT_TYPES {
          uint32  type;
          uint32  offset;
      }

      struct WEVT {
          char    signature[4];
          uint32  size;
          uint32  message_table_id;
          uint32  nr_of_types;
          WEVT_TYPES types[nr_of_types];
      };

      struct WEVT_TYPE {
          char    signature[4];
          uint32  size;
          uint32  nr_of_items;
      };
      """

.. py:data:: c_wevt_headers

.. py:function:: validate_signature(signature, expected_signature)

.. py:class:: CRIM(fh: io.BufferedReader)

   Start header of the WEVT_TEMPLATE. Holds the number of providers inside the template.

   .. py:property:: file_size

      Return the size of the whole file.

   .. py:method:: wevt_headers()

      Yield a WEVT object for each provider listed in the CRIM header.

.. py:class:: WEVT(provider, fh)

   Parse the WEVT header of one provider and read its data into memory.
   Iterating the object walks every WEVT_TYPE item inside it.

   .. py:property:: len_types

   .. py:property:: payload_types

   .. py:property:: provider_id

   .. py:property:: size

   .. py:method:: __iter__()

   .. py:method:: __repr__()

      Return repr(self).

.. py:class:: WEVT_TYPE(offset, data: memoryview)

   Wrapper around one WEVT_TYPE chunk. Assigns the object its offset within the
   template and carries the size of its data.

   .. py:property:: nr_of_items

   .. py:property:: size

   .. py:attribute:: valid_signatures
      :value: ['CHAN', 'TEMP', 'PRVA', 'TASK', 'KEYW', 'LEVL', 'OPCO', 'VMAP', 'BMAP', 'MAPS', 'TTBL', 'EVNT']

   .. py:method:: __iter__()

.. py:class:: MAPS_WEVT_TYPE(offset, data: memoryview)

   Bases: :py:obj:`WEVT_TYPE`

   The MAPS type, which behaves differently from a plain WEVT_TYPE: the MAPS
   header is followed directly by the offsets of its objects, in no particular order.

   .. py:method:: __iter__()

.. py:class:: TTBL_WEVT_TYPE(offset, data: memoryview)

   Bases: :py:obj:`WEVT_TYPE`

   A WEVT type that loads multiple TEMP items.

   .. py:method:: __iter__()
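The structs in ``header_dev`` describe a three-level layout: a CRIM header with a table of provider descriptors, a WEVT header per provider with a table of typed chunk offsets, and a tagged WEVT_TYPE chunk at each of those offsets. The following is an added example, not code from ``dissect.eventlog``: it walks that layout with the standard library only, applying the same signature check as ``validate_signature`` and adding the bounds checks a parser of untrusted resource data needs. It assumes little-endian integers, that every ``offset`` field is relative to the start of the resource blob, and that the sample blob is constructed here (placeholder GUID, type ids and ``message_table_id``). It does a flat walk only; the MAPS and TTBL payload layouts described above are not interpreted.

```python
"""Walk a WEVT_TEMPLATE resource using the header layouts from ``header_dev``.

Added example, not dissect.eventlog's own code. Assumptions: little-endian
integers, offsets relative to the start of the blob, constructed sample data.
"""
import struct
import uuid

# Fixed-size parts of the structs in ``header_dev``.
CRIM_HEADER = struct.Struct("<4sIII")      # signature, size, unknown, providers
EVENT_DESCRIPTOR = struct.Struct("<16sI")  # ProviderId, offset
WEVT_HEADER = struct.Struct("<4sIII")      # signature, size, message_table_id, nr_of_types
WEVT_TYPES = struct.Struct("<II")          # type, offset
WEVT_TYPE_HEADER = struct.Struct("<4sII")  # signature, size, nr_of_items

# Same list as WEVT_TYPE.valid_signatures on this page.
VALID_TYPE_SIGNATURES = {b"CHAN", b"TEMP", b"PRVA", b"TASK", b"KEYW", b"LEVL",
                         b"OPCO", b"VMAP", b"BMAP", b"MAPS", b"TTBL", b"EVNT"}


def validate_signature(signature: bytes, expected) -> None:
    """Reject a chunk whose 4-byte tag is not one of the expected signatures."""
    if signature not in expected:
        raise ValueError(f"unexpected signature {signature!r}, expected one of {sorted(expected)}")


def _check_bounds(data: bytes, offset: int, size: int, what: str) -> None:
    """Refuse to trust an offset/size pair that points outside the buffer."""
    if offset < 0 or size < 0 or offset + size > len(data):
        raise ValueError(f"{what} at {offset:#x} with size {size:#x} exceeds buffer of {len(data):#x}")


def parse_wevt_type(data: bytes, offset: int) -> dict:
    """Parse one tagged WEVT_TYPE chunk header (CHAN, LEVL, ...)."""
    _check_bounds(data, offset, WEVT_TYPE_HEADER.size, "WEVT_TYPE header")
    sig, size, nr_of_items = WEVT_TYPE_HEADER.unpack_from(data, offset)
    validate_signature(sig, VALID_TYPE_SIGNATURES)
    _check_bounds(data, offset, size, f"{sig.decode()} chunk")
    return {"signature": sig.decode(), "offset": offset, "size": size, "nr_of_items": nr_of_items}


def parse_wevt(data: bytes, provider_id: uuid.UUID, offset: int) -> dict:
    """Parse one provider's WEVT header and every chunk its WEVT_TYPES table points at."""
    _check_bounds(data, offset, WEVT_HEADER.size, "WEVT header")
    sig, size, message_table_id, nr_of_types = WEVT_HEADER.unpack_from(data, offset)
    validate_signature(sig, {b"WEVT"})
    _check_bounds(data, offset, size, "WEVT chunk")
    types = []
    for i in range(nr_of_types):
        entry = offset + WEVT_HEADER.size + i * WEVT_TYPES.size
        _check_bounds(data, entry, WEVT_TYPES.size, "WEVT_TYPES entry")
        type_id, type_offset = WEVT_TYPES.unpack_from(data, entry)
        types.append({"type": type_id, **parse_wevt_type(data, type_offset)})
    return {"provider_id": str(provider_id), "size": size,
            "message_table_id": message_table_id, "types": types}


def parse_wevt_template(data: bytes) -> dict:
    """Parse the CRIM header and follow each Event_Descriptor to its WEVT block."""
    _check_bounds(data, 0, CRIM_HEADER.size, "CRIM header")
    sig, size, unknown, providers = CRIM_HEADER.unpack_from(data, 0)
    validate_signature(sig, {b"CRIM"})
    _check_bounds(data, 0, size, "CRIM file")
    result = {"size": size, "unknown": unknown, "providers": []}
    for i in range(providers):
        entry = CRIM_HEADER.size + i * EVENT_DESCRIPTOR.size
        _check_bounds(data, entry, EVENT_DESCRIPTOR.size, "Event_Descriptor")
        guid_raw, offset = EVENT_DESCRIPTOR.unpack_from(data, entry)
        result["providers"].append(parse_wevt(data, uuid.UUID(bytes_le=guid_raw), offset))
    return result


def build_sample_template() -> bytes:
    """Constructed WEVT_TEMPLATE: one provider with a CHAN and a LEVL chunk (headers only)."""
    provider = uuid.UUID("12345678-1234-5678-1234-567812345678")  # made-up provider GUID
    chan = WEVT_TYPE_HEADER.pack(b"CHAN", WEVT_TYPE_HEADER.size, 2)
    levl = WEVT_TYPE_HEADER.pack(b"LEVL", WEVT_TYPE_HEADER.size, 5)
    wevt_off = CRIM_HEADER.size + EVENT_DESCRIPTOR.size  # 36
    wevt_len = WEVT_HEADER.size + 2 * WEVT_TYPES.size    # 32
    chan_off = wevt_off + wevt_len                       # 68
    levl_off = chan_off + len(chan)                      # 80
    total = levl_off + len(levl)                         # 92
    # Type ids and message_table_id are placeholders for this constructed sample.
    wevt = (WEVT_HEADER.pack(b"WEVT", wevt_len + len(chan) + len(levl), 0xFFFFFFFF, 2)
            + WEVT_TYPES.pack(0, chan_off) + WEVT_TYPES.pack(1, levl_off))
    crim = CRIM_HEADER.pack(b"CRIM", total, 3, 1) + EVENT_DESCRIPTOR.pack(provider.bytes_le, wevt_off)
    return crim + wevt + chan + levl


if __name__ == "__main__":
    parsed = parse_wevt_template(build_sample_template())
    for prov in parsed["providers"]:
        print(prov["provider_id"], [t["signature"] for t in prov["types"]])
```

Every ``size`` and ``offset`` is checked against the buffer before it is dereferenced, so a resource with a corrupt or hostile CRIM/WEVT table fails with a ``ValueError`` instead of an out-of-range read; the ``uuid.UUID(bytes_le=...)`` call matches the mixed-endian on-disk GUID encoding of ``ProviderId``.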