tl;dr I learned how to decrypt .manifest files and used them to document data fields in Windows Defender. (.manifest can be seen here)

tl; dr我学习了如何解密.manifest文件并将其用于记录Windows Defender中的数据字段。 (.manifest可以在这里看到)

About 6 months ago, I was tasked with writing a parser for Windows Defender, to correctly get syslogs from endpoints into our SIEM platform at work. Writing the Regex was trivial, as I had been writing parsers for a couple of months at the time, but when it came to classifying the different logs, I ran into some issues.

大约6个月前，我的任务是为Windows Defender编写一个解析器，以将来自端点的系统日志正确地导入到我们工作的SIEM平台中。 正像我当时写解析器几个月的时间一样，编写正则表达式很简单，但是在分类不同的日志时，我遇到了一些问题。

The problem was the documentation from Microsoft, or rather, the lack of it. I simply could not find any documentation from Microsoft on the fields in the syslog messages. Okay, that might not be entirely fair, as Microsoft has some documentation on the different Event ID’s in the logs (link), but some of the data fields in a regular log are not documented and appear as “%%” followed by 3 digits.

问题是微软提供的文档，或者说缺少它。 我只是在syslog消息的字段中找不到Microsoft提供的任何文档。 好的，这可能并不完全公平，因为Microsoft在日志(链接)中有一些有关不同事件ID的文档，但是常规日志中的某些数据字段未记录在案，而是显示为“ %%”，后跟3位数字。

As with any problem you don’t know the answer to, I started searching online. I found the usual Microsoft documentation (linked further up), but nothing else really caught my eye at first. I went all the way to page 3 (i know most of you don’t do this) on one of the google searches when I finally came across this site. It was a weird Japanese xmail server, that hosted a manifest file for Windows Defender, and at the bottom of the file were definitions for everything I needed. Every line looked a bit like the following, and every value corresponded to something different.

对于您不知道答案的任何问题，我开始在线搜索。 我找到了通常的Microsoft文档(进一步链接在一起)，但是起初没有其他东西引起我的注意。 当我最终访问该网站时，我一直走到Google搜索之一的第3页(我知道你们大多数人都不这样做)。 这是一个奇怪的日语xmail服务器，它托管Windows Defender的清单文件，并且在文件底部是我所需的所有内容的定义。 每行看起来都如下所示，并且每个值都对应不同的内容。

<message ... symbol="MP_EVENT_WGA_VISTA_PRODUCT_NAME" value="827" />

So looking at the example log above, you can see there is a Data field called “Product Name” with a value of %%827. Taking that 827 and checking the manifest file, gives the product name: “MP_EVENT_WGA_VISTA_PRODUCT_NAME”. As I said in the beginning, this was about 6 months ago, and back then I had everything I wanted from that .manifest file, so I quit searching and completed the task. But when I had to make new parsers earlier today, I realized i had a problem.

因此，在上面的示例日志中，您可以看到有一个名为“产品名称”的数据字段，其值为%% 827。 拿827并检查清单文件，得到产品名称：“ MP_EVENT_WGA_VISTA_PRODUCT_NAME”。 就像我在开始时所说的那样，大约是6个月前，那时我已经从该.manifest文件中获得了所有想要的东西，所以我退出搜索并完成了任务。 但是当我今天早些时候不得不制作新的解析器时，我意识到我遇到了问题。

The range of values provided in the original .manifest, was only from 800–842, but taking a look at the log above we have values as high as 870. So I had to go back to finding a solution. The reason for the lack of values is, that the .manifest file corresponds to the Defender version 6.1.7600.16385. Searching for this version online provides a Microsoft helpdesk question from the 15th of May 2013.

原始.manifest中提供的值范围仅在800-842之间，但是看看上面的日志，我们看到的值高达870。因此，我不得不回头寻找解决方案。 缺少值的原因是.manifest文件对应于Defender版本6.1.7600.16385。 从5月15日到13日，在线搜索此版本提出了Microsoft服务台问题。

I took another look at the Japanese site, and noticed the URL looked weird.

我再次查看了日语站点，发现URL看起来很奇怪。

xmail.dojo.jp/sample/xmailcfg/cgi/file_download.cgi?_files_+Windows/winsxs/Manifests+amd64_security-malware-windows-defender-events_31bf3856ad364e35_6.1.7600.16385_none_118cf1dcd54a3dea.manifest

It was a cgi file that showed files on the local Windows Machine online, so I guessed that the path (C:\Windows\WinSxS\Manifests\) might have a new and updated .manifest. It did, but since 2013 Microsoft had made some changes. The files are now compressed. This was not a huge issue I imagined so I went back to Google and DDG. I found an old post from someone on mydigitallife called “Aunty Mel’s Cheap And Nasty SxS File Expander” and tried to find a download link. As most of the filesharing services had gone down, only a single one still had the file, but after running the program and then trying to solve the following issue for a while, I went on searching.

这是一个cgi文件，该文件在线显示了本地Windows计算机上的文件，因此我猜测路径(C：\ Windows \ WinSxS \ Manifests \)可能具有新的和更新的.manifest。 确实如此，但是自2013年以来，Microsoft进行了一些更改。 现在，文件已压缩。 这不是我想象的大问题，所以我回到了Google和DDG。 我在mydigitallife上发现了某人的旧帖子，名为“ Aunty Mel's Cheap And Nasty SxS File Expander”，并试图找到下载链接。 由于大多数文件共享服务都已关闭，因此只有一个文件共享服务，但是在运行该程序并尝试解决以下问题一段时间后，我继续进行搜索。

I eventually found a GitHub repo from hfiref0x that had exactly what I needed. I am grateful that he provided binaries, as I had some trouble compiling the code myself. The program is simple to run, I copied one of the manifest files to a folder with the sxsexp64.exe program, and run with the syntax described in the README of the GitHub repo. The output should look something like this:

我最终从hfiref0x找到了一个GitHub存储库，该存储库正是我所需要的。 我感谢他提供了二进制文件，因为我自己编译代码时遇到了一些麻烦。 该程序易于运行，我使用sxsexp64.exe程序将清单文件之一复制到文件夹中，并使用Gi​​tHub存储库的README中描述的语法运行。 输出应如下所示：

The final result should then be a manifest in XML format that is humanly readable, in which the remaining ID’s are. So after a couple of hours of searching and trying to figure out what I needed, I ended up with an entire list of the ids from 800–902.

然后，最终结果应该是人类可读的XML格式的清单，其中包含其余的ID。 因此，经过几个小时的搜索并试图找出我需要的东西，我最终得到了800-902之间的ID的完整列表。

The Decompressed .manifest can be seen here

解压缩的.manifest可以在这里看到

To be fair, this does not make it 100% clear to read for me, as I am no windows expert, but I am still not sure why Microsoft doesn’t have this documented anywhere. For now, I will concentrate on something else, and just enjoy my win.

公平地说，由于我不是Windows专家，所以这并不能100％清晰地为我阅读，但是我仍然不确定为什么Microsoft不在任何地方对此进行记录。 现在，我将专注于其他事情，然后享受我的胜利。