Python development

Joachim Metz edited this page Jul 13, 2022 · 3 revisions

libevtx comes with Python bindings named pyevtx.

Below are examples of how to use pyevtx. They assume you have a working version of pyevtx on your system. To build pyevtx see Building.

Import

To be able to use pyevtx in your Python scripts add the following import:

import pyevtx

Get version

The get_version() module function can be used to retrieve the version of pyevtx.

pyevtx.get_version()

This will return a textual string (Unicode) that contains the libevtx version. Since pyevtx is a wrapper around libevtx it does not have a separate version.

Open file

Open a file by path

evtx_file = pyevtx.file()
evtx_file.open("Application.Evtx")
...
evtx_file.close()

The explicit call to evtx_file.close() is not required. close() must only be called once all operations on the file have been completed.

Open a file using a file-like object

file_object = open("Application.Evtx", "rb")
evtx_file = pyevtx.file()
evtx_file.open_file_object(file_object)
...
evtx_file.close()

The explicit call to evtx_file.close() is not required. close() must only be called once all operations on the file have been completed, and it will not close the file-like object itself.
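
The ownership rule above, as an added example that is not part of the libevtx wiki or project code: the caller owns the file-like object, the pyevtx handle is closed first, and the input is rejected before parsing if it lacks the EVTX header signature. The helper names has_evtx_signature and open_evtx are hypothetical; number_of_records is a pyevtx file attribute not shown on this page.

```python
import contextlib

# The first 8 bytes of an EVTX file header are the signature "ElfFile\0".
EVTX_SIGNATURE = b"ElfFile\x00"


def has_evtx_signature(file_object):
    """Return True if file_object starts with the EVTX signature.

    The read position is restored so the object can be parsed afterwards.
    """
    position = file_object.tell()
    try:
        file_object.seek(0)
        return file_object.read(len(EVTX_SIGNATURE)) == EVTX_SIGNATURE
    finally:
        file_object.seek(position)


@contextlib.contextmanager
def open_evtx(file_object):
    """Open file_object with pyevtx and always close the pyevtx handle.

    The caller keeps ownership of file_object: close() on the pyevtx file
    does not close the file-like object itself.
    """
    if not has_evtx_signature(file_object):
        raise ValueError("not an EVTX file: signature mismatch")
    import pyevtx  # imported late so the signature check works without pyevtx

    evtx_file = pyevtx.file()
    evtx_file.open_file_object(file_object)
    try:
        yield evtx_file
    finally:
        evtx_file.close()


def main(path):
    # "rb": the log is opened read-only and in binary mode.
    with open(path, "rb") as file_object:
        with open_evtx(file_object) as evtx_file:
            print(path, "records:", evtx_file.number_of_records)
        # The pyevtx handle is closed here; file_object is still open.
        assert not file_object.closed


if __name__ == "__main__":
    import sys
    main(sys.argv[1])
```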

Also see

import pyevtx

help(pyevtx)
help(pyevtx.file)