System.evtx — the Windows System event log

System.evtx records what the operating system, drivers and services do on a Windows host. It is where service-based persistence, driver loads and unexpected reboots show up, and you can open it here in your browser without Event Viewer or a Windows machine.

Open System.evtx in your browser

What is System.evtx?

System.evtx lives in C:\Windows\System32\winevt\Logs next to Security.evtx and Application.evtx. It holds the System channel: service installation and state changes (from the Service Control Manager), driver events, Event Log service start/stop, and time or power transitions.

For DFIR it is the companion to Security.evtx: a malicious service installed for persistence (7045) and started (7036) is recorded here, and the Event Log service start/stop pair (6005/6006), together with Event ID 104, helps you spot gaps where logging was off or cleared.
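The triage described above, as an added example that is not part of this page's parser: it walks System-channel records in time order and reports service installs, starts of those services, log clears and logging gaps. The record shape (`time`, `id`, `data`), the flattened field names and all sample values are assumptions constructed for illustration, not the tool's export schema.

```python
from datetime import datetime

# Constructed sample records; field names are assumed, not the parser's export schema.
SAMPLE = [
    {"time": "2024-03-01T08:00:05Z", "id": 6005, "data": {}},
    {"time": "2024-03-01T09:12:40Z", "id": 7045,
     "data": {"ServiceName": "UpdaterSvc", "ImagePath": r"C:\Users\Public\u.exe"}},
    {"time": "2024-03-01T09:12:41Z", "id": 7036,
     "data": {"param1": "UpdaterSvc", "param2": "running"}},
    {"time": "2024-03-01T09:30:00Z", "id": 104, "data": {"Channel": "Application"}},
    {"time": "2024-03-01T10:00:00Z", "id": 6006, "data": {}},
    {"time": "2024-03-01T13:45:00Z", "id": 6005, "data": {}},
    {"time": "2024-03-01T18:20:00Z", "id": 6005, "data": {}},  # no 6006 before it
]

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def triage(records):
    """Return (kind, time, detail) findings for the Event IDs discussed above."""
    findings = []
    installed = {}      # service name -> image path, taken from 7045
    last_stop = None    # time of the most recent 6006
    logging_up = False  # True between a 6005 and the following 6006
    for r in sorted(records, key=lambda r: _ts(r["time"])):
        eid, d, t = r["id"], r["data"], r["time"]
        if eid == 7045:
            installed[d.get("ServiceName")] = d.get("ImagePath")
            findings.append(("service_installed", t,
                             f'{d.get("ServiceName")} -> {d.get("ImagePath")}'))
        # Assumes 7036 param1 matches the 7045 name and an English state string.
        elif eid == 7036 and d.get("param1") in installed and d.get("param2") == "running":
            findings.append(("new_service_started", t, d["param1"]))
        elif eid == 104:
            findings.append(("log_cleared", t, d.get("Channel", "unknown channel")))
        elif eid == 6006:
            last_stop, logging_up = _ts(t), False
        elif eid == 6005:
            if logging_up:
                # Two starts with no stop between them: no clean shutdown was logged.
                findings.append(("start_without_stop", t, "no 6006 since previous 6005"))
            elif last_stop is not None:
                gap = (_ts(t) - last_stop).total_seconds()
                findings.append(("logging_gap", t, f"{gap:.0f}s without Event Log service"))
            logging_up = True
    return findings
```

Events written to other channels during a reported gap, or shortly before a `log_cleared` finding, are the ones to cross-check against Security.evtx.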

Key System.evtx Event IDs

How to open a System.evtx file

Drop System.evtx onto the parser above (or load it together with Security.evtx for a combined timeline). Parsing runs locally via a Rust/WebAssembly parser — the log never leaves your browser. Filter by Event ID, inspect each record's raw XML, and export to CSV, JSON or XML.