python-evtx
raw JSON → 0.8.1 verified Fri May 01 auth: no python
A pure Python parser for Windows event log files (.evtx). Version 0.8.1 supports Python >=3.9, provides XML and JSON dump functionality, and extracts event records from EVTX files. Maintenance is active with occasional releases.
pip install python-evtx Common errors
error ModuleNotFoundError: No module named 'evtx' ↓
cause Installed package under a different name or not installed at all.
fix
Run: pip install python-evtx
error AttributeError: module 'evtx' has no attribute 'Evtx' ↓
cause Incorrect import pattern; tried 'import evtx' then 'evtx.Evtx(...)'.
fix
Use 'from evtx import Evtx' then 'Evtx("file.evtx")'.
error OSError: [Errno 22] Invalid argument ↓
cause File path contains non-ASCII characters on Windows or is malformed.
fix
Ensure the EVTX file path is properly encoded and exists. Use raw strings or os.path.normpath.
Warnings
breaking Python 2.7 support removed in v0.8.0; Python 3.8+ required. v0.7.x development had pinned dependencies due to Python 2 deprecation. Upgrade to v0.8.1. ↓
fix Upgrade python-evtx to v0.8.1 and use Python >=3.8.
gotcha The module name is 'evtx', not 'python_evtx' or 'PyEvtx'. Import with 'from evtx import Evtx'. ↓
fix Use correct import: from evtx import Evtx or from evtx import PyEvtxParser
gotcha Large EVTX files can consume significant memory if records are loaded all at once. Use the iterator interface (parser.records()) rather than converting to a list. ↓
fix Iterate over parser.records() instead of list(parser.records()) for large files.
deprecated The lxml library is optional but recommended for XML output. Without lxml, XML generation may fall back to a less robust implementation. ↓
fix Install lxml via pip to ensure full XML support.
Imports
- Evtx wrong
import Evtxcorrectfrom evtx import Evtx - PyEvtxParser
from evtx import PyEvtxParser
Quickstart
from evtx import PyEvtxParser
parser = PyEvtxParser('example.evtx')
for record in parser.records():
print(record['data'])