What is a .EVTX file?

EVTX is the Windows Event Log file format, which records system and security events. It is opened by Event Viewer.

Did you know
  • EVTX is the Windows Event Log read by Event Viewer, introduced with Windows Vista in 2006.
  • EVTX stores its entries in a proprietary binary XML known as BinXML, grouped into 64 KB chunks for efficiency.
  • Repeated event text is held once in a per-chunk template table and merely referenced by later records, saving space.
What Analyser reads
Inspect security and crypto files: PEM private/public keys (RSA/EC/Ed25519, PKCS#1 vs PKCS#8, encryption), OpenSSH .pub with SHA-256 fingerprint, PuTTY .ppk, PKCS#10 CSR, X.509 CRL, PKCS#7 bundles, OpenVPN/WireGuard configs, Java KeyStores, Apple .mobileconfig/.mobileprovision, Windows .reg (with autorun flagging), and pcap/pcapng captures - warning when a private key or secret is present.
Depth of analysis
.EVTX is an identification-grade format: Analyser recognises it from its bytes and decodes the header metadata it carries, rather than opening it in a full viewer. Formats that do get a full viewer are marked "Full" on the formats page.
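What identifying an EVTX file from its bytes and decoding its header can look like, as an added example (not Analyser's code). The field offsets follow the publicly documented EVTX file header rather than anything stated on this page, the function names are hypothetical, and the sample file is constructed.

```python
import struct
import zlib

FILE_MAGIC, CHUNK_MAGIC = b"ElfFile\x00", b"ElfChnk\x00"
HEADER_BLOCK = 4096        # the file header occupies the first 4 KB block
CHUNK_SIZE = 64 * 1024     # the 64 KB chunks that follow it

def parse_evtx_header(data):
    """Identify an EVTX file from its first bytes and decode the file header."""
    if len(data) < 128 or data[:8] != FILE_MAGIC:
        raise ValueError("not EVTX: bad signature or truncated header")
    (first, last, next_rec, _hdr_size, minor, major,
     _block_size, count) = struct.unpack_from("<QQQIHHHH", data, 8)
    flags, stored_crc = struct.unpack_from("<II", data, 120)
    return {
        "version": f"{major}.{minor}",
        "first_chunk": first, "last_chunk": last,
        "next_record_id": next_rec, "chunk_count": count,
        "dirty": bool(flags & 0x1),   # log was not closed cleanly
        "full": bool(flags & 0x2),
        # the stored CRC32 covers the first 120 header bytes
        "crc_ok": zlib.crc32(data[:120]) & 0xFFFFFFFF == stored_crc,
    }

def audit(data):
    """Compare the header's chunk count with the chunk slots actually present."""
    report = parse_evtx_header(data)
    offsets = range(HEADER_BLOCK, len(data), CHUNK_SIZE)
    bad = [off for off in offsets if data[off:off + 8] != CHUNK_MAGIC]
    report["bad_slots"] = bad
    report["chunks_found"] = len(offsets) - len(bad)
    report["count_matches"] = report["chunks_found"] == report["chunk_count"]
    return report

def build_sample(chunks=2, dirty=False):
    """Constructed input: a valid version 3.1 header plus empty chunk slots."""
    hdr = bytearray(HEADER_BLOCK)
    struct.pack_into("<8sQQQIHHHH", hdr, 0, FILE_MAGIC, 0, chunks - 1, 1,
                     128, 1, 3, HEADER_BLOCK, chunks)
    struct.pack_into("<I", hdr, 120, 1 if dirty else 0)
    struct.pack_into("<I", hdr, 124, zlib.crc32(bytes(hdr[:120])) & 0xFFFFFFFF)
    return bytes(hdr) + (CHUNK_MAGIC + bytes(CHUNK_SIZE - 8)) * chunks

if __name__ == "__main__":
    print(audit(build_sample()))
```

A failed header CRC, a set dirty flag, or a chunk count that disagrees with the slots found are the header-level signs that a log was truncated, copied while in use, or modified after it was written.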
Open a .EVTX file
Drag a .EVTX file onto the Analyser home page (or tap to pick one). It is identified entirely in your browser - nothing is uploaded, there is no account, and it works offline once installed.
Related formats
.KEY · .PUB · .P8 · .CSR · .CRL · .P7B · .P7C · .PPK · .OVPN · .WG · .JKS · .KEYSTORE · .JCEKS · .MOBILECONFIG · .MOBILEPROVISION · .REG · .PCAP · .PCAPNG and more.