EVTX parser — Windows Event Log viewer in your browser
Drop a Windows .evtx event log. Parsing runs entirely in your browser via WebAssembly — nothing is uploaded.
Featured guides
- Event ID 4624 explained: Windows successful logon & LogonType reference. What a 4624 record actually contains, why the LogonType field matters more than the event itself, and how to read them at scale.
- Event ID 4688 explained: Windows process creation auditing for DFIR. 4688 is the base-OS process create record — provided command-line auditing is on. Here's what's in it, how it differs from Sysmon 1, and the triage patterns that earn their keep.
- Event ID 4769 explained: Kerberos service tickets & kerberoasting. 4769 is the DC's record of every service-ticket request. Read it through the encryption type and you spot kerberoasting; read it with 4768 and you spot pass-the-ticket.
- EVTX file format explained: chunks, templates & BinXML internals. How a .evtx file is laid out at the byte level — file header, 64 KB chunks, the template table, and the BinXML record stream that references it.
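The container layout the format guide above describes (and that the "What is an EVTX file?" FAQ entry below summarises) is small enough to decode by hand. The following is an added example written for this page; it is not code from this site or from the omerbenamram/evtx project. It follows the publicly documented EVTX layout, stated here as an assumption: a 128-byte file header (CRC32 over its first 120 bytes) inside a 4096-byte header block, then 64 KB chunks, each with a 128-byte header (CRC32 over bytes 0..120 plus the string and template tables at 128..512) followed by records from offset 512, every record framed by magic, size, record id, FILETIME and a trailing copy of the size. BinXML is left opaque; only the framing and the checksums are decoded. A one-chunk, one-record file is constructed inline so the script runs offline.

```python
"""Parse the EVTX container: file header, 64 KB chunk headers, record framing.

Added example, not code from this site or the omerbenamram/evtx project.
Offsets follow the documented EVTX layout and are an assumption of this script.
"""
import struct
import zlib
from datetime import datetime, timedelta, timezone

CHUNK_SIZE = 64 * 1024
FIRST_CHUNK_OFFSET = 4096      # size of the file header block
RECORDS_START = 512            # 128-byte chunk header + 384 bytes of tables
FILE_MAGIC = b"ElfFile\x00"
CHUNK_MAGIC = b"ElfChnk\x00"
RECORD_MAGIC = b"**\x00\x00"   # 0x00002a2a, little-endian
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def parse_file_header(buf: bytes) -> dict:
    """128-byte file header; the CRC32 covers the first 120 bytes."""
    if buf[:8] != FILE_MAGIC:
        raise ValueError("not an EVTX file (bad magic)")
    first, last, next_id, _hdr_size, minor, major, _block, nchunks = struct.unpack_from("<QQQIHHHH", buf, 8)
    flags, checksum = struct.unpack_from("<II", buf, 120)
    return {"first_chunk": first, "last_chunk": last, "next_record_id": next_id,
            "version": (major, minor), "chunk_count": nchunks, "flags": flags,
            "checksum_ok": crc32(buf[:120]) == checksum}


def parse_chunk_header(chunk: bytes) -> dict:
    """128-byte chunk header; its CRC32 covers bytes 0..120 plus the tables at 128..512."""
    if chunk[:8] != CHUNK_MAGIC:
        raise ValueError("bad chunk magic")
    (_, _, first_id, last_id, _, last_off, free_off, rec_crc) = struct.unpack_from("<QQQQIIII", chunk, 8)
    _flags, checksum = struct.unpack_from("<II", chunk, 120)
    return {"first_record_id": first_id, "last_record_id": last_id,
            "last_record_offset": last_off, "free_space_offset": free_off,
            "header_checksum_ok": crc32(chunk[:120] + chunk[128:512]) == checksum,
            "records_checksum_ok": crc32(chunk[RECORDS_START:free_off]) == rec_crc}


def iter_records(chunk: bytes, free_off: int):
    """Walk record frames: magic, size, record id, FILETIME, BinXML, trailing size copy."""
    off = RECORDS_START
    while off + 28 <= free_off and chunk[off:off + 4] == RECORD_MAGIC:
        size, rec_id, ft = struct.unpack_from("<IQQ", chunk, off + 4)
        if size < 28 or off + size > free_off:
            raise ValueError(f"corrupt record size {size} at chunk offset {off}")
        trailer = struct.unpack_from("<I", chunk, off + size - 4)[0]
        yield {"id": rec_id, "size": size,
               "written": FILETIME_EPOCH + timedelta(microseconds=ft // 10),
               "binxml": chunk[off + 24:off + size - 4], "trailer_ok": trailer == size}
        off += size


def parse_evtx(buf: bytes) -> dict:
    header = parse_file_header(buf)
    chunks = []
    for i in range(header["chunk_count"]):
        start = FIRST_CHUNK_OFFSET + i * CHUNK_SIZE
        chunk = buf[start:start + CHUNK_SIZE]
        info = parse_chunk_header(chunk)
        info["records"] = list(iter_records(chunk, info["free_space_offset"]))
        chunks.append(info)
    return {"header": header, "chunks": chunks}


def build_sample_evtx() -> bytes:
    """Constructed one-chunk, one-record file (synthetic data, not a real log)."""
    written = datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc)
    delta = written - FILETIME_EPOCH
    filetime = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    binxml = b"\x0f\x01\x01\x00\x00"                      # fragment header + EOF token, placeholder payload
    binxml += b"\x00" * (-(24 + len(binxml) + 4) % 8)     # pad the frame to an 8-byte boundary
    size = 24 + len(binxml) + 4
    record = RECORD_MAGIC + struct.pack("<IQQ", size, 1, filetime) + binxml + struct.pack("<I", size)
    tables = b"\x00" * (RECORDS_START - 128)              # empty string-offset and template tables
    free_off = RECORDS_START + len(record)
    head = CHUNK_MAGIC + struct.pack("<QQQQIIII", 1, 1, 1, 1, 128, RECORDS_START, free_off, crc32(record)) + b"\x00" * 64
    chunk = head + struct.pack("<II", 0, crc32(head + tables)) + tables + record
    chunk = chunk.ljust(CHUNK_SIZE, b"\x00")
    fhead = FILE_MAGIC + struct.pack("<QQQIHHHH", 0, 0, 2, 128, 1, 3, FIRST_CHUNK_OFFSET, 1) + b"\x00" * 76
    fheader = (fhead + struct.pack("<II", 0, crc32(fhead))).ljust(FIRST_CHUNK_OFFSET, b"\x00")
    return fheader + chunk


if __name__ == "__main__":
    parsed = parse_evtx(build_sample_evtx())
    print(parsed["header"])
    for rec in parsed["chunks"][0]["records"]:
        print(rec["id"], rec["written"].isoformat(), rec["trailer_ok"])
```

Running it against a real file is a matter of replacing `build_sample_evtx()` with the bytes of a .evtx; a failing `records_checksum_ok` on a chunk is the quickest way to tell a truncated or tampered export from a clean one before any BinXML decoding starts.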
Event log FAQ
- What is an EVTX file?
- EVTX is the binary Windows Event Log format introduced with Windows Vista. Each .evtx file is a sequence of 64 KB chunks; every chunk holds an XML template table plus a stream of records that reference those templates. Parsing rebuilds the full XML for each event.
- Where do I find .evtx files on Windows?
- Live logs are stored under C:\Windows\System32\winevt\Logs. The big three for forensics are Security.evtx (logons, privilege use), System.evtx (drivers, services), and Application.evtx (app errors). Sysmon and PowerShell channels are typically the most valuable for incident response.
- Does this tool upload my .evtx anywhere?
- No. Parsing happens in a Web Worker using a Rust EVTX parser compiled to WebAssembly. The file is read into your browser's memory and never transmitted. Disconnect your network if you want to verify.
- What does the Level column mean?
- EVTX levels are numeric: 1 Critical, 2 Error, 3 Warning, 4 Information, 5 Verbose. Several well-known IDs are logged at Information level regardless of what they signify (e.g. Security 4625 = failed logon), so severity alone is not a triage signal.
- Can it parse very large .evtx files?
- Parsing runs in a Web Worker thread. Memory scales with file size; a few hundred MB is comfortable in modern browsers. Larger collections can be exported with evtx_dump first and re-imported in slices.
- How do I read .evtx files without Windows?
- On Linux or macOS you have three practical options: evtx_dump (the Rust CLI from omerbenamram/evtx, MIT-licensed), python-evtx (libyal), or this site — which is the same Rust parser compiled to WebAssembly. All three rebuild the event XML offline; no Microsoft tooling needed.
- What is the difference between .evt and .evtx?
- .evt is the legacy binary log format used by Windows 2000/XP/2003 — fixed-size, flat record layout. .evtx replaced it in Windows Vista / Server 2008 with a chunked structure, XML template compression, and per-record provider GUIDs. .evt files are not readable by this parser; convert them with wevtutil first.
- Can I open .evtx in Notepad?
- No — .evtx is a binary format with chunked records and BinXML-compressed templates. Notepad will show mostly garbled text. Use Event Viewer (built into Windows), wevtutil, evtx_dump, or this in-browser parser.
- How do I parse .evtx in PowerShell?
- Use Get-WinEvent -Path 'C:\path\to\Security.evtx' on Windows; it accepts -FilterHashtable for ID/level/time filtering and -MaxEvents for sampling. For one-off triage on non-Windows hosts, evtx_dump --json (CLI) or this site is faster — Get-WinEvent needs a Windows runtime and the matching provider manifest to fully render messages.
- Where are Windows event logs stored?
- Active logs live in C:\Windows\System32\winevt\Logs as .evtx files; default channels are Application, System, Security, Setup and ForwardedEvents, plus per-application channels under Microsoft-Windows-* (e.g. Sysmon, PowerShell/Operational, TaskScheduler). Archived logs can be anywhere — KAPE and FTK Imager both pull the live directory by default.
- Which Event IDs should I monitor for security?
- The MITRE-aligned shortlist: 4624 (logon) and 4625 (failed logon) in Security, 4688 (process creation, with command-line auditing on), 4768/4769 (Kerberos TGT/TGS — kerberoasting), 4672 (special privileges), 4720/4726 (account created/deleted), 1102 (audit log cleared), 7045/7036 (service installation/state), and Sysmon 1/3/7/11 for process, network, image-load and file-create.
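One way to put that shortlist to work on exported records, as an added example written for this page rather than code from this site or the evtx project: a small triage pass over records in the shape `evtx_dump --json` emits. It assumes that shape is `{"Event": {"System": {...}, "EventData": {...}}}` with `System.EventID` either a plain integer or `{"#text": id, "#attributes": {...}}`, and it pulls out the one field per event that the guides above say makes the record readable at scale (LogonType for 4624/4625, the command line for 4688, the ticket encryption type for 4769). The sample records are constructed, not captured from a real host.

```python
"""Triage evtx_dump --json records against a watchlist of event IDs.

Added example, not code from this site or the evtx project. The record shape
and the EventData field names are assumptions about evtx_dump --json output.
"""
SYSMON = "Microsoft-Windows-Sysmon/Operational"
WATCHLIST = {
    ("Security", 4624): "logon", ("Security", 4625): "failed logon",
    ("Security", 4688): "process creation",
    ("Security", 4768): "Kerberos TGT request", ("Security", 4769): "Kerberos service ticket request",
    ("Security", 4672): "special privileges assigned",
    ("Security", 4720): "account created", ("Security", 4726): "account deleted",
    ("Security", 1102): "audit log cleared",
    ("System", 7045): "service installed", ("System", 7036): "service state change",
    (SYSMON, 1): "Sysmon process create", (SYSMON, 3): "Sysmon network connection",
    (SYSMON, 7): "Sysmon image load", (SYSMON, 11): "Sysmon file create",
}
RC4_HMAC = 0x17   # TicketEncryptionType value for RC4-HMAC (etype 23)


def to_int(value, default=0) -> int:
    """EventData values arrive as strings ("3", "0x17") or numbers; normalise them."""
    try:
        return int(str(value), 0)
    except (TypeError, ValueError):
        return default


def event_id(system: dict) -> int:
    eid = system.get("EventID")
    return int(eid["#text"]) if isinstance(eid, dict) else int(eid)


def summarise(eid: int, data: dict) -> str:
    """Pull the one field that makes the record readable at scale."""
    if eid in (4624, 4625):
        return f"LogonType={to_int(data.get('LogonType'))} user={data.get('TargetUserName')}"
    if eid == 4688:
        cmd = data.get("CommandLine") or "(command line not audited)"
        return f"{data.get('NewProcessName')} {cmd}"
    if eid == 4769:
        etype = to_int(data.get("TicketEncryptionType"))
        note = " RC4 ticket: review for kerberoasting" if etype == RC4_HMAC else ""
        return f"service={data.get('ServiceName')} etype=0x{etype:x}{note}"
    if eid == 1102:
        return f"cleared by {data.get('SubjectUserName')}"
    if eid == 7045:
        return f"{data.get('ServiceName')} -> {data.get('ImagePath')}"
    return " ".join(f"{k}={v}" for k, v in list(data.items())[:3])


def triage(records) -> list:
    """Return one finding per record whose (channel, event id) is on the watchlist."""
    findings = []
    for rec in records:
        system = rec["Event"]["System"]
        key = (system.get("Channel"), event_id(system))
        if key not in WATCHLIST:
            continue
        data = rec["Event"].get("EventData") or {}
        findings.append({"channel": key[0], "event_id": key[1], "tag": WATCHLIST[key],
                         "detail": summarise(key[1], data)})
    return findings


def make(channel, eid, **data):
    """Build a constructed record in the assumed evtx_dump --json shape."""
    return {"Event": {"System": {"Channel": channel, "EventID": eid}, "EventData": data}}


# Constructed sample records, not captured from a real system.
SAMPLE_RECORDS = [
    make("Security", 4624, LogonType="10", TargetUserName="j.doe"),
    make("Security", 4769, ServiceName="svc_backup", TicketEncryptionType="0x17"),
    make("Security", {"#text": 4688, "#attributes": {}}, NewProcessName=r"C:\Windows\System32\cmd.exe"),
    make("Microsoft-Windows-PowerShell/Operational", 4103, Payload="constructed"),
    make(SYSMON, 1, Image=r"C:\Windows\System32\notepad.exe", CommandLine="notepad.exe", User="LAB\\j.doe"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"{f['channel']:>40} {f['event_id']:>5} {f['tag']:<32} {f['detail']}")
```

The watchlist is keyed on channel as well as ID on purpose: 1 in the Sysmon channel is a process create, while 1 in another channel is unrelated, and matching on the bare number is a common source of false positives when the same triage rule is pointed at a whole log directory.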