Parse and extract Windows Event Log (.evtx) files using Eric Zimmerman's EvtxECmd. Covers CLI flags, output formats (CSV/JSON/XML), event filtering, Volume Shadow Copy support, and the map system.
metadata:
  tool-name: EvtxECmd
  tool-vendor: Eric Zimmerman

EvtxECmd Skill
EvtxECmd is Eric Zimmerman's command-line parser for Windows Event Log (.evtx) files. It uses maps to extract and normalize many event types into structured output suitable for timeline analysis and forensic investigation. Forensic interpretation of event logs (Event ID meanings, investigation workflows, lateral movement analysis, and so on) belongs in a separate analysis skill.
Single-letter options use a single dash (-). Multi-character options use double dashes (--).
Input (exactly one required)

| Flag | Description |
| --- | --- |
| `-f` | Single .evtx file to process |
| `-d` | Directory containing .evtx files to process |
Output Formats

| Flag | Description |
| --- | --- |
| `--csv` | Directory to write CSV output |
| `--csvf` | Custom filename for CSV output (overrides the default) |
| `--json` | Directory to write JSON output |
| `--jsonf` | Custom filename for JSON output (overrides the default) |
| `--xml` | Directory to write XML output |
| `--xmlf` | Custom filename for XML output (overrides the default) |

Always specify at least one output format so results are written to files. Event-log output is often very large and, if it is only echoed to the console, will flood the context window. CSV is the most common choice because it loads directly into Timeline Explorer or Excel.
Filtering
`--sd` and `--ed` are interpreted as UTC. Convert any local-time bounds to UTC before passing them, and correlate on UTC throughout; mixing local-time assumptions with UTC filter values silently shifts the window by the local offset.

| Flag | Description |
| --- | --- |
| `--inc` | Include only these Event IDs (comma-separated) |
| `--exc` | Exclude these Event IDs (comma-separated) |
| `--sd` | Start date (UTC); events older than this are dropped |
| `--ed` | End date (UTC); events newer than this are dropped |
Options

| Flag | Description | Default |
| --- | --- | --- |
| `--dt` | Custom date/time format string | `yyyy-MM-dd HH:mm:ss.fffffff` |
| `--maps` | Path to event map files | Maps folder next to the executable |
| `--vss` | Process Volume Shadow Copies on the drive | false |
| `--dedupe` | Deduplicate across `-f`/`-d` and VSCs by SHA-1 | true |
| `--sync` | Download the latest maps from GitHub before processing | false |
| `--fj` | Include the full JSON payload in output | false |
| `--tdt` | Time discrepancy threshold in seconds | 1 |
| `--met` | Show processing metrics | true |
| `--debug` | Show debug information | false |
| `--trace` | Show trace information | false |
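A worked invocation assembled in Python, added here as an example (it is not EvtxECmd's own code and not part of the original skill): it enforces the one-input rule, refuses naive datetimes and converts timezone-aware bounds to UTC before they reach `--sd`/`--ed`, and joins the Event ID list for `--inc`. Assumptions: the `--sd`/`--ed` value format follows the default `--dt` format without fractional seconds, and `--dedupe false` is the form that disables that default-true switch. Paths, Event IDs and the UTC+8 window are constructed sample values.

```python
"""Compose and launch an EvtxECmd run for a scoped triage pass.

Added example, not part of EvtxECmd or this skill. Flag names come from the
tables above; the date string format for --sd/--ed is assumed to follow the
default --dt format (without fractional seconds), and "--dedupe false" is
assumed to be how the default-true switch is turned off."""
import subprocess
from datetime import datetime, timedelta, timezone

# Constructed sample bounds: an analyst's local window (UTC+8) that must be
# converted before it is handed to --sd/--ed, which the tool reads as UTC.
EXAMPLE_START = datetime(2024, 3, 1, 8, 0, tzinfo=timezone(timedelta(hours=8)))
EXAMPLE_END = datetime(2024, 3, 2, 8, 0, tzinfo=timezone(timedelta(hours=8)))
EXAMPLE_NAIVE = datetime(2024, 3, 1, 8, 0)  # no tzinfo: ambiguous, rejected below


def to_utc_string(dt: datetime) -> str:
    """Render a filter bound in UTC. Naive datetimes are refused instead of
    being silently treated as local time or as UTC."""
    if dt.tzinfo is None or dt.utcoffset() is None:
        raise ValueError("filter bounds must be timezone-aware")
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def build_args(exe="EvtxECmd.exe", *, file=None, directory=None, csv_dir=None,
               json_dir=None, include=(), exclude=(), start=None, end=None,
               vss=False, dedupe=True, sync=False, maps=None):
    """Return the argv list. Single-letter options take one dash, the rest two."""
    if (file is None) == (directory is None):
        raise ValueError("exactly one of file= or directory= is required")
    if csv_dir is None and json_dir is None:
        raise ValueError("choose csv_dir and/or json_dir so output lands in files")
    args = [exe]
    args += ["-f", str(file)] if file else ["-d", str(directory)]
    if csv_dir:
        args += ["--csv", str(csv_dir)]
    if json_dir:
        args += ["--json", str(json_dir)]
    if include:
        args += ["--inc", ",".join(str(i) for i in include)]
    if exclude:
        args += ["--exc", ",".join(str(i) for i in exclude)]
    if start:
        args += ["--sd", to_utc_string(start)]
    if end:
        args += ["--ed", to_utc_string(end)]
    if vss:
        args.append("--vss")
    if not dedupe:
        args += ["--dedupe", "false"]  # assumed form for disabling the switch
    if sync:
        args.append("--sync")
    if maps:
        args += ["--maps", str(maps)]
    return args


def triage_args():
    """Sample triage: logon/process-creation Event IDs from a mounted image,
    including shadow copies. Paths and IDs are constructed sample values."""
    return build_args(directory=r"E:\C\Windows\System32\winevt\Logs",
                      csv_dir=r"D:\case42\evtx", include=(4624, 4625, 4688),
                      start=EXAMPLE_START, end=EXAMPLE_END, vss=True)


def run(args):
    """Launch EvtxECmd and fail loudly; the CSV on disk, not stdout, is the product."""
    proc = subprocess.run(args, capture_output=True, text=True)
    if proc.returncode != 0:
        raise RuntimeError(f"EvtxECmd exited {proc.returncode}: {proc.stderr.strip()}")
    return proc.returncode


if __name__ == "__main__":
    print(" ".join(triage_args()))
```

Because both bounds are given as 08:00 at UTC+8, they reach the tool as `2024-03-01 00:00:00` and `2024-03-02 00:00:00`; passing the local strings unconverted would have shifted the window eight hours late.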
Common Output Fields (CSV)
When EvtxECmd processes logs through its maps, it normalizes event data into a fixed set of columns. A map can fail to match an event or extract only some of its fields, and map updates can change which columns are populated from one run to the next, which affects reproducibility. The exact columns present depend on the tool version; which of them are filled for a given row depends on whether a map matched.
Maps
Maps are the core feature that makes EvtxECmd powerful. They define how fields are pulled out of each event's raw XML and placed into the normalized output columns. Maps are YAML files stored in the Maps directory. Updating maps in the middle of an investigation can change field extraction between runs; sync once before processing and record which map set was used so later runs can be compared.
--sync downloads the latest community maps from GitHub before processing. It requires network access.
Custom maps can be added to the Maps directory for proprietary or uncommon event sources.
If an event has no matching map, its raw payload is still included in the output; only the map-derived columns are left empty.
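A post-processing check on EvtxECmd CSV output, added as an example (not the project's code): it reports how many rows had a map match, recovers fields from unmapped rows by reading the Payload column directly, parses the seven-digit fractional seconds of the default `--dt` format, and collapses duplicate records with a SHA-1 over identifying fields in the spirit of `--dedupe`. Column names follow EvtxECmd's CSV header; the rows, the provider `Contoso-Agent`, and the Payload JSON are constructed sample data, the JSON shape of the CSV Payload column is assumed, and the hash here imitates the intent of `--dedupe` rather than reproducing the tool's exact hashing.

```python
"""Sanity-check EvtxECmd CSV output before analysis: map coverage, field
recovery for unmapped rows, timestamp parsing and record dedupe.

Added example, not part of EvtxECmd. SAMPLE_CSV is constructed; column names
follow the tool's CSV header, values are invented."""
import csv
import hashlib
import io
import json
from datetime import datetime, timezone

# Constructed sample. Row 3 (provider Contoso-Agent) has no matching map, so
# MapDescription and PayloadData1 are empty but Payload still carries the event
# data. Row 4 repeats row 1, as the same record seen again in a VSC copy would.
SAMPLE_CSV = r"""
RecordNumber,EventRecordId,TimeCreated,EventId,Level,Provider,Channel,Computer,MapDescription,UserName,RemoteHost,PayloadData1,Payload
1,4410,2024-03-01 10:15:07.1234567,4624,Info,Microsoft-Windows-Security-Auditing,Security,WS01,Successful logon,CORP\alice,10.0.0.5,Target: CORP\alice,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""alice""},{""@Name"":""LogonType"",""#text"":""3""}]}}"
2,4411,2024-03-01 10:15:09.0000000,4688,Info,Microsoft-Windows-Security-Auditing,Security,WS01,Process creation,CORP\alice,,Proc: cmd.exe,"{""EventData"":{""Data"":[{""@Name"":""NewProcessName"",""#text"":""C:\\Windows\\System32\\cmd.exe""}]}}"
3,77,2024-03-01 10:16:00.5000000,9001,Info,Contoso-Agent,Application,WS01,,,,,"{""EventData"":{""Data"":[{""@Name"":""Action"",""#text"":""disable_av""}]}}"
4,4410,2024-03-01 10:15:07.1234567,4624,Info,Microsoft-Windows-Security-Auditing,Security,WS01,Successful logon,CORP\alice,10.0.0.5,Target: CORP\alice,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""alice""},{""@Name"":""LogonType"",""#text"":""3""}]}}"
""".lstrip("\n")


def parse_timecreated(value: str) -> datetime:
    """The default --dt format carries seven fractional digits; Python's %f
    accepts at most six, so trim before parsing. TimeCreated is UTC."""
    base, _, frac = value.partition(".")
    micro = (frac + "000000")[:6]
    return datetime.strptime(f"{base}.{micro}", "%Y-%m-%d %H:%M:%S.%f").replace(
        tzinfo=timezone.utc)


def payload_fields(payload: str) -> dict:
    """Flatten the Payload column's EventData/Data list into {Name: text}.
    Assumes the JSON shape shown in SAMPLE_CSV; a single Data element may be
    an object rather than a one-item list, which is handled."""
    try:
        data = json.loads(payload)
    except (json.JSONDecodeError, TypeError):
        return {}
    items = (data.get("EventData") or {}).get("Data", [])
    if isinstance(items, dict):
        items = [items]
    return {d.get("@Name", ""): d.get("#text", "") for d in items if isinstance(d, dict)}


def record_key(row: dict) -> str:
    """SHA-1 over fields that identify the record, not over the whole row, so
    the same record pulled from a live log and a VSC copy collapses to one."""
    h = hashlib.sha1()
    for col in ("Computer", "Channel", "EventRecordId", "TimeCreated", "EventId", "Payload"):
        h.update(row.get(col, "").encode("utf-8"))
        h.update(b"\x00")
    return h.hexdigest()


def load_rows(csv_text: str, dedupe: bool = True) -> list:
    seen, out = set(), []
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = record_key(row)
        if dedupe and key in seen:
            continue
        seen.add(key)
        row["_time"] = parse_timecreated(row["TimeCreated"])
        row["_mapped"] = bool(row.get("MapDescription"))
        # Unmapped rows still have a Payload; pull the fields out ourselves.
        row["_fields"] = payload_fields(row.get("Payload", ""))
        out.append(row)
    return out


def map_coverage(rows: list) -> dict:
    """How much of the output the maps actually normalized, and which
    providers need a custom map."""
    mapped = sum(1 for r in rows if r["_mapped"])
    return {"mapped": mapped, "unmapped": len(rows) - mapped,
            "unmapped_providers": sorted({r["Provider"] for r in rows if not r["_mapped"]})}


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    print(map_coverage(rows))
    for r in rows:
        print(r["_time"].isoformat(), r["EventId"], r["MapDescription"] or "(no map)", r["_fields"])
```

Run this against the real CSV from a case before trusting the map-derived columns: a high unmapped count for a provider means the PayloadData columns are empty for those events and a custom map (or a newer map set) is needed, and the coverage numbers recorded per run make map-version drift between runs visible.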