Skip to content

Sync with upstream/master (2025-08-12)#6

Merged
maximelb merged 5 commits intomasterfrom
sync-upstream-20250812-120637
Aug 12, 2025
Merged

Sync with upstream/master (2025-08-12)#6
maximelb merged 5 commits intomasterfrom
sync-upstream-20250812-120637

Conversation

@maximelb
Copy link
Copy Markdown

@maximelb maximelb commented Aug 12, 2025

Summary

  • Syncing fork with latest changes from upstream repository (Velocidex/evtx)
  • Brings in 4 latest bugfixes and improvements from upstream

Changes from upstream

Test plan

  • Verify existing tests pass
  • Confirm no conflicts with custom fork modifications
  • Review that custom fork features remain intact

🤖 Generated with Claude Code

scudette and others added 5 commits July 31, 2024 03:45
@scudette
Bugfix: When parsed within a template BinXMLElementStart is not same (V…
3e4ff3d 
…elocidex#30)

The struct layout is a bit different when parsed within a template or
not. Typically events forwarded from a different system do not have a
template interpolated so they will trigger this bug.

Dependency identifier is optional:
https://github.com/libyal/libevtx/blob/main/documentation/Windows%20XML%20Event%20Log%20(EVTX).asciidoc#414-element-start
@scudette
Bugfix: Support multiple messages for the same Event ID (Velocidex#31)
e5cd153 
Some event ID have multiple messages stored in the message lists - these
are generally designed for events which have different number of
properties. So for example the message file might contain two messages
for the same event id, one with 1 expansion and one with 2 expansions.
Then the application might emit an event to the log file with 2
properties or only 1 property of the same event id.

This pr stores both the messages and the number of expasions in the
message set and is able to select the most appropriate one for each
message - we aim to maximize the number of expasions available in the
message string.
@doracpphp
add chunk header LastEventRecOffset (Velocidex#32)
12e494a 
Added the 'Last event record data offset' field to the Chunk Header
because the data is present there.

Reference:
https://github.com/libyal/libevtx/blob/main/documentation/Windows%20XML%20Event%20Log%20(EVTX).asciidoc#31-chunk-header
@scudette
Bugfix: Substitution token should not parse XML in template context (V…
f4fa97e 
…elocidex#34)

Fixes: Velocidex#33
@maximelb
Merge remote-tracking branch 'upstream/master'
f8d00bf
@maximelb maximelb requested a review from lcbill August 12, 2025 19:08
@maximelb maximelb marked this pull request as ready for review August 12, 2025 19:08
@maximelb maximelb merged commit b0d21e8 into master Aug 12, 2025
1 check failed
@maximelb maximelb deleted the sync-upstream-20250812-120637 branch August 12, 2025 19:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lcbill lcbill lcbill approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@maximelb @lcbill @scudette @doracpphp