This tool parses Windows EVTX logs to extract logon and logoff sessions from a security.evtx file. It uses a Tkinter GUI to let you select the EVTX file and specify a UTC time for correlating logon and logoff events.
- Extract logon events (Event ID 4624) and logoff events (Event ID 4634, 4647)
- Correlate sessions based on a specified UTC time
- Output the correlated sessions to a CSV file
- Parse RDP logs
- Parse User Profile Service logs
  - Event ID 5 ("Load of user-related registry hives")
  - Event ID 67
- Parse Group Policy logs
  - Event ID 5310
  - Event ID 4005
  - Event ID 4018
  - Event ID 5017
  - Event ID 4001
  - Event ID 8001 (the elapsed processing time reported in the event is subtracted from the event time to recover the start time)
  - Event ID 8005 (same adjustment: elapsed time subtracted from the event time)
  - Event ID 5018 (same adjustment: elapsed time subtracted from the event time)
- Parse Known Folders API logs
  - Event ID 1002, filtered on the username in the path
- Parse the SOFTWARE registry hive
  - Creation of the "CreateExplorerShellUnelevatedTask" task
- Parse multiple machines at once
- Provide a check box to show sessions with no logoff event (useful for identifying RDP activity when the Security event log has been cleared)
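As an added example (not the project's own code), the core correlation step in Python using only the standard library: it takes the per-record XML that python-evtx yields (`Evtx(path).records()` then `record.xml()`), pairs each 4624 with its 4634/4647 by `TargetLogonId`, applies a UTC cutoff, and can optionally keep sessions that never saw a logoff, which is what the "no logoff" check box above surfaces. The sample records, hostname, IP addresses and logon IDs below are constructed, not captured from a real machine.

```python
"""Correlate Security-log logon/logoff events into sessions.

Added example, not the project's own code. Works on per-record EVTX XML such
as python-evtx's record.xml() output; the SAMPLE_RECORDS below are constructed.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LOGON, LOGOFF = 4624, (4634, 4647)


def parse_system_time(value):
    """EVTX SystemTime such as '2024-01-15T09:12:03.1234567Z' -> aware UTC datetime.
    Tolerates a 'T' or ' ' separator, an optional trailing 'Z' and any fraction length."""
    value = value.strip().rstrip("Z").replace(" ", "T")
    m = re.fullmatch(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?", value)
    if not m:
        raise ValueError(f"unrecognised SystemTime: {value!r}")
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    micros = int((m.group(2) or "0")[:6].ljust(6, "0"))  # 100 ns ticks -> microseconds
    return base.replace(microsecond=micros, tzinfo=timezone.utc)


def parse_event(xml_text):
    """Flatten one record into a dict: event_id, time, computer, plus every EventData field."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    ev = {
        "event_id": int(system.findtext("e:EventID", namespaces=NS)),
        "time": parse_system_time(system.find("e:TimeCreated", NS).get("SystemTime")),
        "computer": system.findtext("e:Computer", default="", namespaces=NS),
    }
    for data in root.iterfind("e:EventData/e:Data", NS):
        ev[data.get("Name")] = (data.text or "").strip()
    return ev


def correlate_sessions(xml_records, since=None, keep_open=False):
    """Pair 4624 logons with their 4634/4647 logoff via TargetLogonId.

    since:     aware UTC datetime; logons before it are ignored.
    keep_open: also return sessions that never saw a logoff (log cleared, or still live).
    """
    events = sorted((parse_event(x) for x in xml_records), key=lambda e: e["time"])
    open_sessions, sessions = {}, []
    for ev in events:
        logon_id = ev.get("TargetLogonId", "").lower()  # normalise hex case before matching
        if ev["event_id"] == LOGON:
            if since and ev["time"] < since:
                continue
            open_sessions[logon_id] = {
                "user": f'{ev.get("TargetDomainName", "")}\\{ev.get("TargetUserName", "")}',
                "logon_id": logon_id,
                "logon_type": ev.get("LogonType", ""),
                "source_ip": ev.get("IpAddress", "-"),
                "computer": ev["computer"],
                "logon_time": ev["time"],
                "logoff_time": None,
                "logoff_event": None,
            }
        elif ev["event_id"] in LOGOFF and logon_id in open_sessions:
            s = open_sessions.pop(logon_id)
            s["logoff_time"], s["logoff_event"] = ev["time"], ev["event_id"]
            sessions.append(s)
    if keep_open:
        sessions.extend(open_sessions.values())
    return sorted(sessions, key=lambda s: s["logon_time"])


def _record(event_id, time, **data):
    """Build a constructed Security-channel record in EVTX XML shape (hostname is made up)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System>'
            f'<Provider Name="Microsoft-Windows-Security-Auditing"/>'
            f'<EventID>{event_id}</EventID><TimeCreated SystemTime="{time}"/>'
            f'<Channel>Security</Channel><Computer>WS01.corp.local</Computer>'
            f'</System><EventData>{fields}</EventData></Event>')


# Constructed sample: an RDP logon (type 10) closed by a user-initiated 4647, a console
# logon closed by a plain 4634, and a second RDP logon whose logoff never arrived.
SAMPLE_RECORDS = [
    _record(4624, "2024-01-15T09:12:03.1234567Z", TargetUserName="alice", TargetDomainName="CORP",
            TargetLogonId="0x3E7A12", LogonType="10", IpAddress="10.0.0.5"),
    _record(4624, "2024-01-15T09:30:00Z", TargetUserName="bob", TargetDomainName="CORP",
            TargetLogonId="0x41F0C3", LogonType="2", IpAddress="-"),
    _record(4647, "2024-01-15T11:45:10Z", TargetUserName="alice", TargetDomainName="CORP",
            TargetLogonId="0x3e7a12"),
    _record(4634, "2024-01-15T17:02:44Z", TargetUserName="bob", TargetDomainName="CORP",
            TargetLogonId="0x41F0C3", LogonType="2"),
    _record(4624, "2024-01-15T22:10:00Z", TargetUserName="mallory", TargetDomainName="CORP",
            TargetLogonId="0x5A0001", LogonType="10", IpAddress="203.0.113.9"),
]

if __name__ == "__main__":
    for s in correlate_sessions(SAMPLE_RECORDS, keep_open=True):
        end = s["logoff_time"].isoformat() if s["logoff_time"] else "NO LOGOFF"
        print(f'{s["user"]:<14} type {s["logon_type"]:>2} from {s["source_ip"]:<12} '
              f'{s["logon_time"].isoformat()} -> {end}')
```

Matching on `TargetLogonId` rather than on username is what keeps concurrent sessions of the same account apart; the ID is lower-cased first because the hex casing can differ between records. Sessions left in `open_sessions` at the end are exactly the "no logoff" rows, and the `since` cutoff is applied to the logon event only, so a session that started before the cutoff is dropped even if its logoff falls after it.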
Requirements:
- Python 3.7+
- tkcalendar
- evtx
- lxml
- Flask
Install the required packages using:
pip install -r requirements.txt
A web-based Flask app is available in the latest release.
Contributions are welcome! Feel free to fork the repository, make improvements, and submit a pull request.
This project is open-source and available under the MIT License.