Failed to read Windows EventLog resources database #4988

@kidrek

I encountered an error yesterday when I used the psteal/psort tools.
This error seems to be caused by the Windows EventLog resources Analyzer: winevt_rc.py.
Source: https://plaso.readthedocs.io/en/latest/_modules/plaso/output/winevt_rc.html

Have you encountered this error before?

Traceback (most recent call last):
  File "/usr/bin/psteal.py", line 33, in <module>
    sys.exit(load_entry_point('plaso==20250918', 'console_scripts', 'psteal')())
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/plaso/scripts/psteal.py", line 88, in Main
    tool.ProcessStorage()
  File "/usr/lib/python3/dist-packages/plaso/cli/psteal_tool.py", line 362, in ProcessStorage
    output_engine.ExportEvents(
  File "/usr/lib/python3/dist-packages/plaso/multi_process/output_engine.py", line 474, in ExportEvents
    self._ExportEvents(
  File "/usr/lib/python3/dist-packages/plaso/multi_process/output_engine.py", line 280, in _ExportEvents
    self._ExportEvent(
  File "/usr/lib/python3/dist-packages/plaso/multi_process/output_engine.py", line 175, in _ExportEvent
    self._FlushExportBuffer(
  File "/usr/lib/python3/dist-packages/plaso/multi_process/output_engine.py", line 356, in _FlushExportBuffer
    output_module.WriteFieldValuesOfMACBGroup(
  File "/usr/lib/python3/dist-packages/plaso/output/interface.py", line 99, in WriteFieldValuesOfMACBGroup
    field_values = self.GetFieldValues(
                   ^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/plaso/output/shared_json.py", line 189, in GetFieldValues
    field_values['message'] = self._field_formatting_helper.GetFormattedField(
                              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/plaso/output/shared_json.py", line 89, in GetFormattedField
    output_value = callback_function(
                   ^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/plaso/output/formatting_helper.py", line 318, in _FormatMessage
    message_formatter.FormatEventValues(output_mediator, event_values)
  File "/usr/lib/python3/dist-packages/plaso/formatters/interface.py", line 293, in FormatEventValues
    helper.FormatEventValues(output_mediator, event_values)
  File "/usr/lib/python3/dist-packages/plaso/formatters/winevt.py", line 52, in FormatEventValues
    self._winevt_resources_helper.GetParameterString(
  File "/usr/lib/python3/dist-packages/plaso/output/winevt_rc.py", line 1215, in GetParameterString
    message_string = self._ReadParameterMessageString(
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/plaso/output/winevt_rc.py", line 1085, in _ReadParameterMessageString
    self._ReadEnvironmentVariables(storage_reader)
  File "/usr/lib/python3/dist-packages/plaso/output/winevt_rc.py", line 1008, in _ReadEnvironmentVariables
    self._environment_variables = list(storage_reader.GetAttributeContainers(
                                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
AttributeError: 'NoneType' object has no attribute 'GetAttributeContainers'

Best regards
