EVTX Viewer - VS Code Extension
A high-performance Windows Event Log (EVTX) viewer for Visual Studio Code that provides fast parsing, filtering, and visualization of Windows Event Logs with constitutional performance guarantees.
🚀 Features
- High-Performance Parsing: >10MB/s parsing throughput with constitutional performance guarantees
- Memory Efficient: <512MB memory usage limit with intelligent LRU caching
- Fast UI Response: <100ms UI response times for all interactions
- Cross-Platform: Works on Windows, macOS, and Linux
- Security-First: Comprehensive security validation for all file operations
- Accessibility: Full WCAG 2.1 AA compliance for inclusive user experience
- Real-Time Filtering: Advanced event filtering with multiple criteria
- Interactive Webview: Rich HTML/CSS/JS interface for event exploration
🎬 Demo
Watch the EVTX Viewer in action: opening event logs, filtering events, and exploring Windows Event Log data with real-time performance.
📋 Constitutional Requirements
This extension is built with strict performance guarantees:
| Requirement |
Target |
Status |
| Parsing Throughput |
>10MB/sec |
✅ Validated |
| Memory Usage |
<512MB total |
✅ Enforced |
| UI Response Time |
<100ms |
✅ Guaranteed |
| Platform Support |
Windows/macOS/Linux |
✅ Tested |
| Security Validation |
All file operations |
✅ Comprehensive |
| Accessibility |
WCAG 2.1 AA |
✅ Compliant |
🛠 Installation
From VS Code Marketplace
- Open VS Code
- Go to Extensions (Ctrl+Shift+X)
- Search for "EVTX Viewer"
- Click Install
From Source
git clone <repository-url>
cd evtx-viewer
npm install
npm run compile
Development Installation
# Install dependencies
npm install
# Compile TypeScript
npm run compile
# Run tests
npm test
# Package extension
vsce package
🚀 Quick Start
Opening EVTX Files
Command Palette:
- Press
Ctrl+Shift+P (Windows/Linux) or Cmd+Shift+P (macOS)
- Type "EVTX: Open Event Log File"
- Select your .evtx file
File Explorer:
- Right-click any
.evtx file in VS Code Explorer
- Select "Open with EVTX Viewer"
Keyboard Shortcut:
- Press
Ctrl+Alt+E to open file picker
Basic Usage Example
// The extension automatically handles EVTX files
// Simply open any .evtx file and the viewer will launch
// Example: Opening a Windows Security log
// File: C:\\Windows\\System32\\winevt\\Logs\\Security.evtx
� What's New
For detailed information about new features, improvements, and bug fixes in each version, see our Changelog.
Latest Updates:
- ✅ Complete webview UI overhaul with modern React interface
- ✅ Advanced T028 Filter Panel with real-time filtering
- ✅ Performance optimizations for large EVTX files
- ✅ Enhanced security and accessibility features
- ✅ Comprehensive test suite with 100% test coverage
�🔧 Advanced Usage
Filtering Events
The EVTX Viewer provides powerful filtering capabilities:
By Event Level
// Filter by severity level
const filters = {
level: ['Error', 'Critical', 'Warning']
};
By Event ID
// Filter by specific event IDs
const filters = {
eventId: [4624, 4625, 4648] // Logon events
};
By Source
// Filter by event source
const filters = {
source: ['Microsoft-Windows-Security-Auditing']
};
By Time Range
// Filter by time range
const filters = {
timeRange: {
start: new Date('2024-01-01'),
end: new Date('2024-01-31')
}
};
The extension includes several performance optimizations:
Large event logs are rendered using virtual scrolling to maintain <100ms UI response times.
Memory Management
// Constitutional memory limit enforcement
const memoryManager = new MemoryManager({
maxSize: 512 * 1024 * 1024, // 512MB limit
strategy: 'LRU' // Least Recently Used eviction
});
Streaming Parser
// High-throughput streaming parser
const parser = new EvtxParser({
targetThroughput: 10 * 1024 * 1024, // >10MB/s constitutional requirement
bufferSize: 64 * 1024, // 64KB chunks
concurrent: true // Multi-threaded parsing
});
🔒 Security
File Validation
All EVTX files undergo comprehensive security validation:
const securityService = SecurityValidationService.getInstance();
// Validate file before parsing
const validation = await securityService.validateFileAccess(filePath);
if (!validation.valid) {
throw new Error(`Security validation failed: ${validation.issues}`);
}
Supported Security Checks
- ✅ Path traversal prevention
- ✅ File type validation (.evtx only)
- ✅ File size limits (512MB constitutional limit)
- ✅ Permission validation
- ✅ Malicious content detection
- ✅ Symlink attack prevention
📖 API Reference
Core Classes
EvtxParser
High-performance EVTX file parser with constitutional guarantees.
class EvtxParser {
constructor(options?: EvtxParserOptions);
/**
* Parse EVTX buffer with >10MB/s throughput guarantee
* @param buffer - EVTX file buffer
* @returns Promise<EventRecord[]> - Parsed events
*/
async parseBuffer(buffer: Buffer): Promise<EventRecord[]>;
/**
* Parse EVTX file with streaming support
* @param filePath - Path to EVTX file
* @returns AsyncGenerator<EventRecord> - Streaming events
*/
async *parseFileStream(filePath: string): AsyncGenerator<EventRecord>;
dispose(): void;
}
MemoryManager
LRU cache with constitutional 512MB memory limit enforcement.
class MemoryManager<T> {
constructor(options: { maxSize: number });
/**
* Store item with automatic eviction when memory limit reached
* @param key - Cache key
* @param value - Value to cache
*/
set(key: string, value: T): void;
/**
* Retrieve cached item
* @param key - Cache key
* @returns T | undefined
*/
get(key: string): T | undefined;
/**
* Current memory usage in bytes
*/
readonly currentMemory: number;
/**
* Maximum memory limit (512MB constitutional requirement)
*/
readonly maxMemory: number;
}
SecurityValidationService
Comprehensive security validation for all file operations.
class SecurityValidationService {
static getInstance(): SecurityValidationService;
/**
* Validate file access with comprehensive security checks
* @param filePath - File to validate
* @param operation - 'read' | 'write'
* @param level - Security level
* @returns Promise<SecurityValidationResult>
*/
async validateFileAccess(
filePath: string,
operation?: 'read' | 'write',
level?: SecurityLevel
): Promise<SecurityValidationResult>;
}
Data Types
EventRecord
Represents a parsed Windows Event Log entry.
interface EventRecord {
/** Unique record identifier */
recordId: number;
/** Event timestamp */
timeCreated: Date;
/** Event severity level */
level: 'Information' | 'Warning' | 'Error' | 'Critical' | 'Verbose';
/** Event ID */
eventId: number;
/** Event source/provider */
source: string;
/** Human-readable event message */
message: string;
/** Additional event data */
data: Record<string, any>;
/** Computer name where event occurred */
computer?: string;
/** User context */
userId?: string;
/** Process ID */
processId?: number;
/** Thread ID */
threadId?: number;
}
FilterCriteria
Event filtering configuration.
interface FilterCriteria {
/** Filter type */
type: 'level' | 'eventId' | 'source' | 'timeRange' | 'text';
/** Filter operator */
operator: 'equals' | 'contains' | 'startsWith' | 'between' | 'in';
/** Filter value */
value: any;
/** Case sensitive (for text filters) */
caseSensitive?: boolean;
}
VS Code Commands
Available Commands
evtx.openFile - Open EVTX file pickerevtx.openFileFromExplorer - Open EVTX file from explorer contextevtx.closeViewer - Close active EVTX viewerevtx.exportEvents - Export filtered events to CSV/JSONevtx.refreshViewer - Refresh current viewerevtx.showPerformanceStats - Display performance statistics
Command Usage
// Open file programmatically
await vscode.commands.executeCommand('evtx.openFile');
// Open specific file
await vscode.commands.executeCommand('evtx.openFileFromExplorer', filePath);
Windows
- ✅ Native EVTX file support
- ✅ Windows Event Log integration
- ✅ Path handling with drive letters
- ✅ Windows-specific security validation
macOS
- ✅ Cross-platform EVTX parsing
- ✅ HFS+/APFS file system support
- ✅ Unix-style path handling
- ✅ Case sensitivity handling
Linux
- ✅ Complete EVTX parsing support
- ✅ ext4/btrfs/xfs file system support
- ✅ Case-sensitive path handling
- ✅ Unix permission model
🧪 Testing
Running Tests
# Run all tests
npm test
# Run specific test suites
npm run test:security
npm run test:performance
npm run test:accessibility
npm run test:cross-platform
# Run with coverage
npm run test:coverage
Test Coverage
- Security Tests: 24 comprehensive security validation tests
- Performance Tests: Constitutional requirement validation
- Accessibility Tests: WCAG 2.1 AA compliance (23 tests)
- Cross-Platform Tests: Windows/macOS/Linux compatibility (18 tests)
# Run performance benchmarks
npm run benchmark
# Expected results:
# ✅ Parsing throughput: >10MB/s
# ✅ Memory usage: <512MB
# ✅ UI response: <100ms
🏗 Architecture
Component Overview
src/
├── core/ # Core parsing engine
│ ├── evtx_parser.ts # Main EVTX parser
│ ├── lru_cache.ts # Memory management
│ └── models/ # Data models
├── extension/ # VS Code integration
│ ├── extension.ts # Main extension entry
│ ├── commands/ # Command handlers
│ ├── providers/ # Webview providers
│ └── services/ # Core services
└── webview/ # UI components
├── components/ # React components
├── hooks/ # Custom hooks
└── utils/ # Utility functions
Service Architecture
// Dependency injection pattern
const services = {
parser: new EvtxParser(),
memory: new MemoryManager({ maxSize: 512 * 1024 * 1024 }),
security: SecurityValidationService.getInstance(),
file: new FileService(),
progress: new ProgressService()
};
- Streaming Parser: Handles large files without loading entire file into memory
- LRU Caching: Intelligent memory management with constitutional limits
- Virtual Scrolling: Renders only visible events for fast UI
- Worker Threads: Multi-threaded parsing for maximum throughput
- Lazy Loading: On-demand data loading and rendering
🤝 Contributing
Development Setup
git clone <repository-url>
cd evtx-viewer
npm install
# Install VS Code Extension Development Host
code --install-extension ms-vscode.vscode-typescript-next
Building
# Development build
npm run compile
# Production build
npm run compile:production
# Watch mode for development
npm run watch
Code Standards
- TypeScript: Strict type checking enabled
- ESLint: Airbnb configuration with constitutional requirement comments
- Prettier: Consistent code formatting
- TSDoc: All public APIs must be documented
- Constitutional Comments: Performance requirements documented in code
Testing Requirements
All contributions must include:
- ✅ Unit tests with >80% coverage
- ✅ Security validation tests
- ✅ Performance benchmark tests
- ✅ Accessibility compliance tests
- ✅ Cross-platform compatibility tests
Constitutional Compliance
All code must meet constitutional requirements:
/**
* CONSTITUTIONAL REQUIREMENT: >10MB/s parsing throughput
* This function must maintain minimum throughput under all conditions
*/
Benchmarks (Latest)
Parsing Performance:
├─ 1MB file: ~2ms (500+ MB/s)
├─ 10MB file: ~12ms (833+ MB/s)
├─ 50MB file: ~81ms (617+ MB/s)
└─ 100MB file: ~132ms (757+ MB/s)
Memory Management:
├─ Cache operations: <10ms
├─ Memory limit enforcement: <5ms
└─ LRU eviction: <1ms per operation
UI Response Times:
├─ File open: <50ms
├─ Filter apply: <25ms
├─ Event selection: <10ms
└─ Virtual scroll: <5ms per frame
🚨 Troubleshooting
Common Issues
# Check memory usage
npm run debug:memory
# Performance profiling
npm run debug:performance
Security Validation Errors
// Check security validation details
const validation = await securityService.validateFileAccess(filePath);
console.log('Issues:', validation.issues);
console.log('Recommendations:', validation.recommendations);
File Access Issues
# Check file permissions
ls -la /path/to/file.evtx
# Windows: Check file ownership
icacls "C:\path\to\file.evtx"
Debug Mode
# Enable debug logging
export EVTX_DEBUG=true
code --extensionDevelopmentPath=/path/to/evtx-viewer
Support
📄 License
MIT License - see LICENSE file for details.
🔗 Links
Built with ❤️ and Constitutional Performance Guarantees
- ⚡ >10MB/s parsing throughput
- 🧠 <512MB memory usage
- 🚀 <100ms UI response times
- 🔒 Comprehensive security validation
- ♿ WCAG 2.1 AA accessibility compliance
- 🌍 Full cross-platform support
Contributing
Please read our Constitution for development principles and guidelines.
License
MIT License - see LICENSE file for details.
Specification
