#include <windows.h>
#include <winevt.h>
#include <stdio.h>
#include <wchar.h>
#pragma comment(lib,"wevtapi.lib")
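// Export a filtered copy of one event log file to .\temp.evtx, omitting the
// single record whose EventRecordID equals lpEventRecordId.
//
// ReadPath         - file name of the .evtx under <system dir>\winevt\logs\
//                    (e.g. L"system.evtx"); the full path is built here.
// lpEventRecordId  - EventRecordID to exclude, as a decimal string. It is
//                    spliced verbatim into the XPath query, so the caller is
//                    responsible for it being a plain record number.
//
// Returns TRUE when EvtExportLog succeeds, FALSE on any failure (the Win32
// error code is printed). The source log is only read by this function; the
// result is a new file in the current working directory, and the usage text
// in main() suggests the export fails when temp.evtx already exists.
//
// Defender note: the filtered copy is a discrete file artifact (.\temp.evtx)
// and the export is performed through the Event Log service API
// (EvtExportLog), so this step is observable on the host.
BOOL DeleteRecord(LPWSTR ReadPath, LPWSTR lpEventRecordId)
{
    // Stack buffers instead of new[]: the original never freed its three
    // heap buffers and zeroed only MAX_PATH bytes of MAX_PATH wchar_t each.
    WCHAR lpPath[MAX_PATH] = { 0 };
    WCHAR lpQuery[MAX_PATH] = { 0 };
    const WCHAR *lpTargetLogFile = L".\\temp.evtx";

    // GetSystemDirectoryW returns 0 on failure, or the required size
    // (including the terminator) when the buffer is too small.
    UINT sysLen = GetSystemDirectoryW(lpPath, MAX_PATH);
    if (sysLen == 0 || sysLen >= MAX_PATH) {
        printf("[!]GetSystemDirectory error,%lu\n", GetLastError());
        return FALSE;
    }

    // Bounded formatting replaces the unchecked lstrcat chain, which could
    // write past lpPath for an over-long ReadPath. swprintf returns a
    // negative value when the output does not fit.
    if (swprintf(lpPath + sysLen, MAX_PATH - sysLen, L"\\winevt\\logs\\%s", ReadPath) < 0) {
        printf("[!]ReadPath too long\n");
        return FALSE;
    }
    printf("[+]ReadPath:%ws\n", lpPath);
    printf("[+]EventRecordID:%ws\n", lpEventRecordId);

    // XPath filter selecting every record except the requested one.
    if (swprintf(lpQuery, MAX_PATH, L"Event/System[EventRecordID!=%s]", lpEventRecordId) < 0) {
        printf("[!]EventRecordID too long\n");
        return FALSE;
    }

    // EvtExportLogFilePath: lpPath names a log file on disk, not a channel.
    if (!EvtExportLog(NULL, lpPath, lpQuery, lpTargetLogFile, EvtExportLogFilePath)) {
        printf("[!]EvtExportLog error,%lu\n", GetLastError());
        return FALSE;
    }
    return TRUE;
}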
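// Entry point: converts the two command-line arguments to wide strings,
// lower-cases them, and passes them to DeleteRecord.
//
// Exit status: 0 on the usage path and after DeleteRecord (success or
// failure, unchanged from the original); 1 when an argument does not fit
// its buffer.
int main(int argc, char *argv[])
{
    enum { ARG_BUF = 100 };   // wide characters per converted argument

    if (argc != 3)
    {
        printf("Use API EvtExportLog to delete Eventlog Record.\nThe new file will be saved as temp.evtx.\n\n");
        printf("Usage:\n");
        printf("%s <eventlog file path> <EventlogRecordID>\n", argv[0]);
        printf("eg:\n");
        printf(" %s system.evtx 1910\n", argv[0]);
        return 0;
    }

    // %hs converts the narrow argv string to wide. swprintf returns a
    // negative value when the argument does not fit, which the original
    // ignored and so passed a truncated or undefined buffer onward.
    wchar_t ReadPath[ARG_BUF];
    if (swprintf(ReadPath, ARG_BUF, L"%hs", argv[1]) < 0)
    {
        printf("[!]eventlog file path too long (max %d chars)\n", ARG_BUF - 1);
        return 1;
    }
    _wcslwr_s(ReadPath, wcslen(ReadPath) + 1);

    // Lower-casing a decimal record id is a no-op; kept to match the original.
    wchar_t lpEventRecordId[ARG_BUF];
    if (swprintf(lpEventRecordId, ARG_BUF, L"%hs", argv[2]) < 0)
    {
        printf("[!]EventlogRecordID too long (max %d chars)\n", ARG_BUF - 1);
        return 1;
    }
    _wcslwr_s(lpEventRecordId, wcslen(lpEventRecordId) + 1);

    if (DeleteRecord(ReadPath, lpEventRecordId))
    {
        printf("[+]Delete success\n");
        printf("[+]The new file is saved as temp.evtx\n");
    }
    else
    {
        printf("[!]Delete error\n");
        printf("[!]Maybe you should delete \"temp.evtx\" first,then run me\n");
    }
    return 0;
}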