EVTX parser — Windows Event Log viewer in your browser
Drop a Windows .evtx event log. Parsing runs entirely in your browser via WebAssembly — nothing is uploaded.
Featured guides
- Windows Security Event ID cheat sheet for DFIRThe Windows event IDs that matter in an investigation, grouped by attack phase — with the log they live in, a one-line meaning, and a link to the deep-dive for each. A reference for incident response and threat hunting.
- Event ID 4624 explained: Windows successful logon and LogonType referenceWhat a 4624 record actually contains, why the LogonType field matters more than the event itself, and how to read them at scale.
- Event ID 4688 explained: Windows process creation auditing for DFIR4688 is the base-OS process create record, provided command-line auditing is on. Here is what is in it, how it differs from Sysmon 1, and the triage patterns that earn their keep.
- Event ID 4769 explained: Kerberos service tickets and kerberoasting4769 is the DC's record of every service-ticket request. Read it through the encryption type and you spot kerberoasting. Read it with 4768 and you spot pass-the-ticket.
A free online EVTX viewer that runs in your browser
EVTX parser is an online EVTX viewer and Windows Event Log parser. Open a .evtx file — Security.evtx, System.evtx, Application.evtx, Sysmon or PowerShell channels — and read every record without Event Viewer, without installing anything, and without a Windows host.
Parsing runs entirely client-side via a Rust parser compiled to WebAssembly, so your logs never leave the browser. Filter by Event ID, provider, channel or time, inspect the raw event XML, and export the results to CSV, JSON or XML in a couple of clicks. You can now open several .evtx files at once and triage them in one combined view.
Keep reading:Convert EVTX to XML, JSON or CSVOpen Security.evtxOpen System.evtxWindows Event ID referenceEVTX tools compared
Event log FAQ
- What is an EVTX file?
- EVTX is the binary Windows Event Log format introduced with Windows Vista. Each .evtx file is a sequence of 64 KB chunks; every chunk holds an XML template table plus a stream of records that reference those templates. Parsing rebuilds the full XML for each event.
- Where do I find .evtx files on Windows?
- Live logs live under C:\Windows\System32\winevt\Logs. The big three for forensics are Security.evtx (logons, privilege use), System.evtx (drivers, services), and Application.evtx (app errors). Sysmon and PowerShell channels are typically the most valuable for incident response.
- Does this tool upload my .evtx anywhere?
- No. Parsing happens in a Web Worker using a Rust EVTX parser compiled to WebAssembly. The file is read into your browser's memory and never transmitted. Disconnect your network if you want to verify.
- What does the Level column mean?
- EVTX levels are numeric: 1 Critical, 2 Error, 3 Warning, 4 Information, 5 Verbose. Microsoft maps a few well-known IDs (e.g. Security 4625 = failed logon at Information level) — severity alone is not a triage signal.
- Can it parse very large .evtx files?
- Parsing runs in a Web Worker thread. Memory scales with file size; a few hundred MB is comfortable in modern browsers. Larger collections can be exported with evtx_dump first and re-imported in slices.
- How do I read .evtx files without Windows?
- On Linux or macOS you have three practical options: evtx_dump (the Rust CLI from omerbenamram/evtx, MIT-licensed), python-evtx (libyal), or this site — which is the same Rust parser compiled to WebAssembly. All three rebuild the event XML offline; no Microsoft tooling needed.
- What is the difference between .evt and .evtx?
- .evt is the legacy binary log format used by Windows 2000/XP/2003 — fixed-size, flat record layout. .evtx replaced it in Windows Vista / Server 2008 with a chunked structure, XML template compression, and per-record provider GUIDs. .evt files are not readable by this parser; convert them with wevtutil first.
- Can I open .evtx in Notepad?
- No — .evtx is a binary format with chunked records and BinXML-compressed templates. Notepad will show mostly garbled text. Use Event Viewer (built into Windows), wevtutil, evtx_dump, or this in-browser parser.
- How do I parse .evtx in PowerShell?
- Use Get-WinEvent -Path 'C:\path\to\Security.evtx' on Windows; it accepts -FilterHashtable for ID/level/time filtering and -MaxEvents for sampling. For one-off triage on non-Windows hosts, evtx_dump --json (CLI) or this site is faster — Get-WinEvent needs a Windows runtime and the matching provider manifest to fully render messages.
- Where are Windows event logs stored?
- Active logs live in C:\Windows\System32\winevt\Logs as .evtx files; default channels are Application, System, Security, Setup and ForwardedEvents, plus per-application channels under Microsoft-Windows-* (e.g. Sysmon, PowerShell/Operational, TaskScheduler). Archived logs can be anywhere — KAPE and FTK Imager both pull the live directory by default.
- Which Event IDs should I monitor for security?
- The MITRE-aligned shortlist: 4624 (logon) and 4625 (failed logon) in Security, 4688 (process creation, with command-line auditing on), 4768/4769 (Kerberos TGT/TGS — kerberoasting), 4672 (special privileges), 4720/4726 (account created/deleted), 1102 (audit log cleared), 7045/7036 (service installation/state), and Sysmon 1/3/7/11 for process, network, image-load and file-create.