
Built in Rust

Sherlock Forensics Universal Events Viewer

Stop reading event IDs. Start reading sentences.

Forensic-grade triage on Windows event logs in plain English. Click "Have I Been Hacked?" and get a five-phase incident summary. Click "USB Devices Connected" and see every drive that ever touched the box across three different Windows channels.

Free to view, filter and triage. Forensic Edition unlocks export and branded PDF reports.

Sherlock Forensics Universal Events Viewer is a forensic event-log triage tool that turns raw Windows event logs into plain-English narratives. One-click buttons answer the questions that actually matter. Did anyone log in? Was the audit log cleared? Did Defender get disabled? Free to use; Forensic Edition unlocks export and branded PDF reports.

EVTX viewer + parser

EVTX Viewer + Parser: Read Windows Event Logs Without Microsoft Tools

EVTX is the modern Windows event log format introduced with Windows Vista and Server 2008, replacing the older EVT format used in Windows XP and Server 2003. Sherlock Forensics Universal Events Viewer is a standalone EVTX viewer + EVTX parser that reads both formats without requiring Microsoft Event Viewer, the Windows SDK, the EvtxECmd CLI or any admin permissions. Open any .evtx file from any Windows source: a workstation under examination, an EVTX file copied from a compromised endpoint, an EVTX file extracted from a disk image, an EVTX file produced by a Sysmon installation.

Most "free EVTX viewers" require either importing the .evtx file into Microsoft's Event Viewer (which itself only loads the file if Windows trusts the source and you have UAC consent) or installing the EvtxECmd parser via the Eric Zimmerman tools bundle. Both paths take 10 to 30 minutes and require admin rights. Sherlock Universal Events Viewer opens the same .evtx file in one click with no admin permission requested, no SDK install, no command-line knowledge.

The Sherlock EVTX parser handles common edge cases that break other tools: corrupted .evtx headers, partial event records from interrupted writes, channel-specific schema differences between Application, Security, System and the Microsoft-Windows-* sub-channels. The same EVTX viewer surface handles modern Windows 10/11 event logs and legacy Server 2008 event logs identically.

For a single ad-hoc question ("what does this .evtx file contain?") the free Sherlock EVTX viewer gets you the answer in 30 seconds. For forensic-grade analysis with chain-of-custody output, the Forensic Edition adds court-ready PDF reports, SHA-256 hashing per event and structured forensic export below.

Free Forever

What You Get for Free

  • Load any .evtx file from disk or auto-discover every event log on the current system
  • 16 one-click triage buttons across 6 categories (logon activity, account changes, Defender events, USB, scheduled tasks, persistence)
  • Plain-English narrative for every event (Flesch 60 to 65 reading level)
  • Raw event JSON always visible. Never narrative-only
  • "Have I Been Hacked?" five-phase incident triage
  • "Ransomware Pre-Flight Check"
  • IOC scanner with surrounding-events blast-radius tab
  • PowerShell base64 auto-decoder
  • Scheduled task XML extractor
  • Ghost RDP detector (sessions with no matching logon)
  • Time-tampering detector (clock changes outside normal NTP drift)
  • Defender state classifier (tiers config changes High/Medium/Low by registry path)
  • Cross-channel USB correlation (Security 6416 + Partition/Diagnostic + WPD-MTP)
  • Service-install with suspicious image-path detection
  • Right-click hide with pattern grouping (collapses repetitive noise)
  • Keyboard navigation through 400k+ events
  • "All Other Events" browse for the long tail

Forensic-grade event log analysis

Event Log Forensics: Compromise Indicators, Lateral Movement and Credential Dumping

Event log forensics on a compromised Windows endpoint looks for specific high-value patterns. The Windows security log records the same event taxonomy Microsoft documents in the Security Auditing reference, but reading the raw EVTX without analytical structure misses the patterns that matter to an incident responder. Sherlock Forensics Universal Events Viewer applies forensic-IR detection rules across the event log timeline so the compromise indicators surface in the triage view, not the raw XML.

Logon Failures and Brute-Force Detection

Event ID 4625 is the failed logon record in the Windows security log. A single Event ID 4625 is unremarkable. A cluster of Event ID 4625 events with the same source workstation, different account names and minute-scale timestamps is a brute-force or password-spray attack signature. Sherlock UEV correlates Event ID 4625 events across the failed-logon timeline, surfaces the cluster patterns and flags the affected account names. The companion Event ID 4624 (successful logon) is correlated alongside Event ID 4625 so the responder sees when a brute force actually succeeded.
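The clustering described here (and repeated in the FAQ entry on logon failures) can be expressed as a small detection routine. The following is an added example written for this page, not Sherlock's own code: it groups constructed Event ID 4625 records by source workstation inside a five-minute window, labels a dense run as brute force (one account) or password spray (many accounts), and then looks for an Event ID 4624 from the same source for one of the attacked accounts shortly after the run. The record layout (ts, id, user, src), the window and the threshold are assumptions chosen for illustration.

```python
"""Brute-force / password-spray clustering over Event ID 4625, with 4624 follow-up.
Added example for this page, not Sherlock Forensics code. Records are constructed;
the field layout and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # failures must fall inside this span (assumed)
THRESHOLD = 5                   # failures from one source that make a cluster (assumed)

# Constructed sample Security-log records, reduced to the fields the rule needs.
EVENTS = [
    {"ts": "2026-06-10T03:41:02", "id": 4625, "user": "admin",         "src": "WKS-07"},
    {"ts": "2026-06-10T03:41:09", "id": 4625, "user": "administrator", "src": "WKS-07"},
    {"ts": "2026-06-10T03:41:31", "id": 4625, "user": "jdoe",          "src": "WKS-07"},
    {"ts": "2026-06-10T03:42:05", "id": 4625, "user": "svc_backup",    "src": "WKS-07"},
    {"ts": "2026-06-10T03:42:44", "id": 4625, "user": "helpdesk",      "src": "WKS-07"},
    {"ts": "2026-06-10T03:43:50", "id": 4625, "user": "jdoe",          "src": "WKS-07"},
    {"ts": "2026-06-10T03:44:10", "id": 4624, "user": "jdoe",          "src": "WKS-07"},   # spray succeeded
    {"ts": "2026-06-10T03:44:30", "id": 4624, "user": "jdoe",          "src": "LAPTOP-1"}, # unrelated source
    {"ts": "2026-06-10T08:15:00", "id": 4625, "user": "mlee",          "src": "WKS-02"},   # one typo, benign
    {"ts": "2026-06-10T08:15:12", "id": 4624, "user": "mlee",          "src": "WKS-02"},
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def find_failure_clusters(events, window=WINDOW, threshold=THRESHOLD):
    """Group 4625 records by source and return every dense run inside `window`."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            by_src[e["src"]].append(e)

    clusters = []
    for src, fails in by_src.items():
        fails.sort(key=lambda e: parse_ts(e["ts"]))
        i = 0
        while i < len(fails):
            # Extend j as far as the run starting at i stays inside the window.
            j = i
            while (j + 1 < len(fails)
                   and parse_ts(fails[j + 1]["ts"]) - parse_ts(fails[i]["ts"]) <= window):
                j += 1
            run = fails[i:j + 1]
            if len(run) >= threshold:
                accounts = sorted({e["user"] for e in run})
                clusters.append({
                    "src": src,
                    "start": run[0]["ts"],
                    "end": run[-1]["ts"],
                    "failures": len(run),
                    "accounts": accounts,
                    # Many distinct accounts from one source is a spray; one account is brute force.
                    "pattern": "password-spray" if len(accounts) > 1 else "brute-force",
                })
                i = j + 1          # continue after this run
            else:
                i += 1
    return clusters


def successes_after(cluster, events, grace=WINDOW):
    """4624 records from the cluster's source, for an attacked account, shortly after the run."""
    end = parse_ts(cluster["end"])
    return [
        e for e in events
        if e["id"] == 4624
        and e["src"] == cluster["src"]
        and e["user"] in cluster["accounts"]
        and end <= parse_ts(e["ts"]) <= end + grace
    ]


def triage(events):
    """Clusters with their follow-up successes: the answer a responder needs first."""
    report = []
    for cluster in find_failure_clusters(events):
        cluster["succeeded"] = [(e["ts"], e["user"]) for e in successes_after(cluster, events)]
        report.append(cluster)
    return report


if __name__ == "__main__":
    for c in triage(EVENTS):
        print(f"{c['pattern']} from {c['src']}: {c['failures']} failures, "
              f"{len(c['accounts'])} accounts, succeeded={c['succeeded']}")
```

The lone WKS-02 failure never reaches the threshold, and the jdoe logon from LAPTOP-1 is ignored because it does not come from the attacking source; only the WKS-07 run is reported, together with the 4624 that shows the spray landed.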

Credential Dumping Indicators

Credential dumping is the post-compromise step where an attacker extracts password hashes or Kerberos tickets from a compromised endpoint to enable lateral movement. The Windows security log records credential-dumping-adjacent activity in Event ID 4672 (special privileges assigned to new logon, common for SYSTEM and admin sessions) and Event ID 4648 (logon attempted with explicit credentials, common in lateral movement workflows). Sherlock UEV flags Event ID 4672 anomalies (SYSTEM logons from non-service accounts), unusual Event ID 4648 patterns (explicit credentials presented to non-domain-controller targets) and other credential dumping compromise indicators.

Lateral Movement and Kerberos Ticket Abuse

Lateral movement is the step where an attacker moves from the initial compromise point to other endpoints on the network. The Kerberos ticket events (Event ID 4768 Kerberos authentication ticket, Event ID 4769 Kerberos service ticket, Event ID 4770 Kerberos ticket renewal, Event ID 4771 Kerberos pre-authentication failure) carry the signal for golden ticket and silver ticket attacks. A golden ticket attack issues a Kerberos ticket-granting ticket with a 10-year lifetime from a stolen krbtgt account hash; the lateral movement that follows shows up as Event ID 4769 service ticket requests from anomalous source workstations. Sherlock UEV's forensic-IR rules detect the Kerberos ticket anomalies and flag the lateral movement patterns in the timeline view.

The combined logon-failure, credential-dumping and lateral-movement detection surface is what makes the Forensic Edition court-defensible for incident response work. This event log forensics methodology separates Sherlock Universal Events Viewer from a generic EVTX reader, and event log forensics is exactly the buyer intent the Forensic Edition is priced to serve. Each detected compromise indicator carries timestamp, source workstation, target system and Event ID metadata in the forensic PDF report below. For the parallel mobile-side incident response workflow (Android device forensics) see the Sherlock Forensics Android Acquirer. For the broader incident response timeline see the first 72 hours of a data breach and the ransomware recovery process.

Forensic Edition

Export and Report ($97)

  • Export starred events to CSV (spreadsheet-ready)
  • Export to JSON (SIEM / case-management ingestion)
  • Export to Markdown (converts cleanly to anything)
  • Export to branded PDF report with cover page, executive summary, per-event narrative + metadata grid + raw blob
  • Reveal-in-Explorer jump to exported file
  • Suite license unlocks every Sherlock Pro tool
Every export includes the narrative and the raw event blob. Together. Always. That is the forensic invariant. Explanation and evidence travel as a pair so the chain of custody from raw log to finished report is unbroken.

When you need each tool

When You Need Sherlock Forensics UEV vs Windows Event Viewer

Use case | Windows Event Viewer | Sherlock UEV
--- | --- | ---
Read one event log from your own machine | Yes (free, built in) | Overkill
Read .evtx file copied from another machine | Requires file rename + UAC + admin | Yes - open any .evtx file directly
Correlate failed logon events across timestamps for forensic timeline | Manual XPath query, hours of work | One-click Have I Been Hacked 5-phase analysis
Export filtered events to PDF / CSV for legal evidence | Manual export per query, no chain of custody | Forensic Edition: court-ready PDF with SHA-256 hashing
Detect credential dumping patterns across event timeline | Read manually, recognize Event IDs by memory | Automated detection rules for Event ID 4672 + 4648 anomalies
Detect lateral movement via Event ID 4624 / 4648 chain | Read manually, correlate by hand | Automated detection rules across the lateral movement signature set
Kerberos ticket abuse detection (golden / silver ticket) | Read manually, recognize Event ID 4768 / 4769 / 4770 / 4771 anomalies | Automated detection rules for Kerberos ticket anomalies

Windows Event Viewer is built into Windows and free. For an admin checking why one service crashed on their own workstation, Event Viewer is the right tool. For a forensic responder reading event logs from a compromised endpoint, looking for lateral movement signals, credential dumping indicators or Kerberos ticket abuse across thousands of events, the manual workflow in Event Viewer takes hours per investigation. Sherlock UEV applies forensic-IR detection rules to the same EVTX files and surfaces the patterns in the timeline view. The Forensic Edition exports the findings to a court-ready PDF with SHA-256 hashing per event.

Compare

Windows Event Viewer vs Sherlock

Capability | Windows Event Viewer | Sherlock UEV
--- | --- | ---
Plain-English explanations | No | Yes, every event
One-click triage buttons | No | 16 buttons, 6 categories
Cross-channel USB correlation | No | Security + Partition + WPD-MTP
Auto-decode base64 PowerShell | No | Yes, inline
Filters noise from logon events | No | Pattern grouping + hide
Defender severity classification | No | High/Medium/Low by registry path
Branded PDF report | No | Forensic Edition
CSV/JSON/Markdown export | No | Forensic Edition
Linux/macOS support | No | Sprint 2+
Cost | Included with Windows | Free (Forensic Edition $97)

Pricing

One-Time Payment. Yours Forever.

Forensic Edition

$97 USD
One-time payment. No subscription. Suite license unlocks every Sherlock Pro tool.
  • All free features included
  • Export starred events to CSV
  • Export to JSON for SIEM ingestion
  • Export to Markdown
  • Branded PDF report with cover page and executive summary
  • Reveal-in-Explorer jump to exported file
  • Suite license for all Sherlock Pro tools
  • Try the free version before you buy

5+ machines? Contact us for volume pricing.

Who It's For

Built for Every Skill Level

For IR Responders

The first 30 minutes of an incident matter more than the next 30 hours. Stop scrolling through 400,000 lines. Click Have-I-Been-Hacked, get the five-phase summary, then drill in.

For Sysadmins

You do not do forensics every day. When something weird happens, you should not need to. One click. "Your audit log was cleared at 3:47am" beats reading XML.

For Consultants

Branded PDF reports with your client's name on the cover. Narrative on the left, raw evidence on the right, every event. Defensible in court, parseable by Excel, ready to email.

For Curious Users

Worried your laptop got popped? Run Have-I-Been-Hacked. Free. No signup. Tells you in English.

Guide

How to Analyze Windows Event Logs

  1. Download Sherlock Forensics Universal Events Viewer. Download the free viewer from this page. No installation barriers. Launch and go.
  2. Load Your Event Logs. Open any .evtx file from disk or click Auto-Discover to load every event log on the current system automatically.
  3. Run One-Click Triage. Click "Have I Been Hacked?" for a five-phase incident summary. Use any of the 16 triage buttons across logon activity, USB devices, Defender events, scheduled tasks and persistence.
  4. Read Plain-English Narratives. Every event is translated into a readable sentence alongside the raw JSON. No more memorizing Event IDs.
  5. Export Your Findings. Forensic Edition users export starred events to CSV, JSON, Markdown or branded PDF reports with narrative and raw evidence paired on every page.

Release Notes

What Changed

v0.1.2 (2026-06-11)

SHA-256 source-file hashing added to every export. PDF, Markdown and JSON export headers now carry the source-bytes SHA-256 of the input event log. The hash is the load-bearing anchor for chain-of-custody verification across the export. EV code-signed binary (Sherlock Forensics Ltd, SSL.com EV intermediate). SHA-256: f8f2fbe6a01fd525670089b3359df065f6b22494ef02b18722a0923af76bcdc0. Commit reference 17c30f4.

  • SHA-256 source-file hashing in PDF export header
  • SHA-256 source-file hashing in Markdown export front-matter
  • SHA-256 source-file hashing in JSON export top-level field
  • Export-format consistency. The same SHA-256 string appears in all three export formats so cross-format verification is trivial

v0.1.1 (2026-06-06)

Detection-accuracy fix to the log-clear tamper rule. v0.1.0 treated any Event ID 104 as a genuine "System log cleared" event, matching on Event ID alone, which produced false positives from the WudfUsbccidDriver smartcard-reader driver, since it logs Event ID 104 on every system boot. The rule now also requires provider = Microsoft-Windows-Eventlog, which is the only provider that emits a real log-clear event. Security log clears (Event ID 1102) are gated the same way. Two regression tests were added covering the WudfUsbccidDriver case and a genuine Microsoft-Windows-Eventlog clear event. 114 tests passing in total.

SHA-256: eb4750ff0645829e637561d268ae685f6616a504d08cdee449182f10afa6991a
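To show why the provider gate matters, here is an added example (not the tool's own code) that implements the corrected rule beside the v0.1.0 behaviour and runs both over constructed records, including a WudfUsbccidDriver Event ID 104 at boot and a genuine Microsoft-Windows-Eventlog clear. The field names (Channel, Provider, EventID, TimeCreated, SubjectUserName), the sample values and the narrative wording are assumptions made for this example.

```python
"""Log-clear tamper rule with a provider gate.
Added example for this page illustrating the v0.1.1 fix; not the tool's own code.
Records and field names are constructed."""

# (Channel, Event ID) pairs that mean "this log was cleared", mapped to the only
# provider that legitimately emits them.
LOG_CLEAR_EVENTS = {
    ("System", 104): "Microsoft-Windows-Eventlog",
    ("Security", 1102): "Microsoft-Windows-Eventlog",
}


def is_log_clear_v010(record):
    """Pre-fix rule: Event ID alone. Kept only to show the false positive."""
    return record["EventID"] in {104, 1102}


def is_log_clear(record):
    """Corrected rule: channel, Event ID and provider must all match."""
    expected = LOG_CLEAR_EVENTS.get((record["Channel"], record["EventID"]))
    return expected is not None and record["Provider"] == expected


def narrate(record):
    """Plain-English sentence for a confirmed clear (wording is this example's own).
    SubjectUserName is an assumed field name for the clearing account."""
    who = record.get("SubjectUserName", "an unknown account")
    return f"The {record['Channel']} log was cleared at {record['TimeCreated']} by {who}."


def scan(records, rule=is_log_clear):
    """Apply a rule over a record list and return the matches."""
    return [r for r in records if rule(r)]


# Constructed sample records (not captured from a real system).
SAMPLE = [
    # Driver reusing Event ID 104 at boot: the v0.1.0 false positive.
    {"TimeCreated": "2026-06-10T07:02:11", "Channel": "System",
     "Provider": "WudfUsbccidDriver", "EventID": 104},
    # Genuine System log clear.
    {"TimeCreated": "2026-06-10T03:46:58", "Channel": "System",
     "Provider": "Microsoft-Windows-Eventlog", "EventID": 104, "SubjectUserName": "jdoe"},
    # Genuine Security audit log clear.
    {"TimeCreated": "2026-06-10T03:47:12", "Channel": "Security",
     "Provider": "Microsoft-Windows-Eventlog", "EventID": 1102, "SubjectUserName": "jdoe"},
    # Ordinary logon: should match neither rule.
    {"TimeCreated": "2026-06-10T03:50:00", "Channel": "Security",
     "Provider": "Microsoft-Windows-Security-Auditing", "EventID": 4624},
]


if __name__ == "__main__":
    print("v0.1.0 rule matched", len(scan(SAMPLE, rule=is_log_clear_v010)), "records")
    for hit in scan(SAMPLE):
        print(narrate(hit))
```

The Event ID-only rule fires three times on this sample; the gated rule fires twice, dropping the driver event while keeping both real clears.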

Questions

Events Viewer FAQ

What is the Sherlock Forensics Universal Events Viewer?
Sherlock Forensics Universal Events Viewer is a free Windows desktop tool that reads .evtx event log files and translates every event into a plain-English narrative. It provides 16 one-click triage buttons across logon activity, USB devices, Defender state, scheduled tasks and persistence mechanisms. The Forensic Edition at $97 USD adds export to PDF, CSV, JSON and Markdown.
How do I check if my Windows computer has been hacked?
Open Sherlock Forensics Universal Events Viewer and click the "Have I Been Hacked?" button. The tool runs a five-phase incident triage across your Windows event logs and presents a plain-English summary of logon anomalies, audit log clearing, Defender disablement, suspicious services and persistence mechanisms. Free to use, no signup required.
What does Event ID 4624 mean?
Event ID 4624 is a Windows Security log entry that records a successful logon. It includes the logon type (interactive, network, remote desktop, service), the account name and the source IP address. Sherlock Forensics Universal Events Viewer translates 4624 events into plain-English sentences so you do not need to memorize the raw fields.
Can I export Windows event logs to PDF?
Yes. The Forensic Edition ($97 USD) exports starred events to branded PDF reports with a cover page, executive summary, per-event narrative alongside the raw event metadata grid and full event blob. Each export includes both the plain-English explanation and the raw evidence.
What is forensic event log analysis?
Forensic event log analysis is the systematic examination of Windows event logs (.evtx files) to reconstruct what happened on a computer. Examiners look for logon patterns, privilege escalation, service installations, scheduled task creation, Defender configuration changes and audit log clearing. Sherlock Forensics Universal Events Viewer automates this process with one-click triage and plain-English narratives.
Is the $97 price a subscription?
No. The $97 USD Forensic Edition is a one-time payment. No subscriptions, no recurring charges. The suite license also unlocks every other Sherlock Pro tool.
Do you offer volume licensing?
Yes. For 5 or more machines, contact Sherlock Forensics at 888.883.4550 or info@sherlockforensics.com for volume pricing.
What is an EVTX viewer?
An EVTX viewer is a tool that reads Windows event log files in the EVTX format introduced with Windows Vista and Server 2008. The Sherlock EVTX viewer is standalone, reads .evtx files from any Windows source without requiring Microsoft Event Viewer, the Windows SDK or admin permissions. Free for ad-hoc reads; the Forensic Edition adds forensic-grade event log analysis with court-ready PDF export.
Can I open .evtx files without installing Windows Event Viewer?
Yes. Sherlock Forensics Universal Events Viewer is an EVTX parser that reads .evtx files without Microsoft Event Viewer, the Windows SDK or admin permissions. Open any .evtx file copied from another machine, extracted from a disk image or produced by Sysmon. The standalone EVTX viewer surface handles modern Windows 10/11 and legacy Server 2008 EVTX files identically.
How do I detect lateral movement in Windows event logs?
Lateral movement detection in Windows event logs centers on Event ID 4624 (successful logon) and Event ID 4648 (explicit credential use) chains across multiple workstations. The Kerberos ticket events (Event ID 4768 / 4769 / 4770 / 4771) carry signals for golden ticket and silver ticket abuse. Sherlock Forensics Universal Events Viewer automates the lateral movement detection rules and surfaces the patterns in the timeline view rather than requiring manual XPath queries.
What Event IDs indicate credential dumping?
Credential dumping indicators in the Windows security log include Event ID 4672 (special privileges assigned to new logon, common for SYSTEM-level credential dumping tooling like Mimikatz) and Event ID 4648 (logon attempted with explicit credentials, common when an attacker uses dumped credentials for lateral movement). Sherlock Forensics Universal Events Viewer flags Event ID 4672 anomalies on non-service accounts and Event ID 4648 anomalies as credential dumping compromise indicators.
How do I analyze logon failures in Windows security event logs?
Logon failures appear as Event ID 4625 in the Windows security log. A single Event ID 4625 is unremarkable. A cluster of Event ID 4625 events with the same source workstation, varied account names and minute-scale timestamps is a brute-force or password-spray signature. Sherlock Forensics Universal Events Viewer correlates Event ID 4625 events across the timeline, flags the cluster patterns and identifies the affected account names. The companion Event ID 4624 successful-logon record is correlated alongside so the responder sees when a brute force actually succeeded.
Can Sherlock Forensics UEV detect Kerberos golden ticket attacks?
Yes. Golden ticket attacks issue a forged Kerberos ticket-granting ticket from a stolen krbtgt account hash. The subsequent lateral movement shows up as Event ID 4769 service ticket requests from anomalous source workstations. Silver ticket attacks forge service-specific Kerberos tickets and show up as Event ID 4769 service ticket requests with anomalous service names. Sherlock Forensics UEV's forensic-IR detection rules surface the Kerberos ticket anomalies in the timeline view alongside the lateral movement signature set.
What is the difference between EVTX and EVT file formats?
EVT is the legacy Windows event log format used in Windows XP and Server 2003. EVTX is the modern format introduced with Windows Vista and Server 2008 that adds XML-structured event data, channel separation and better forensic metadata. Sherlock Forensics Universal Events Viewer reads both EVTX and EVT files. Most forensic-IR work is on EVTX since the target endpoints are typically Windows 7 or later; EVT support is for legacy investigations.
How do I export Windows event logs as a court-ready forensic report?
The Sherlock Forensics Universal Events Viewer Forensic Edition ($97) exports starred events to a branded forensic PDF with cover page, executive summary, per-event plain-English narrative, raw event metadata grid, full event blob and SHA-256 hashing per event. The forensic export preserves chain of custody from EVTX file to PDF report. Additional structured exports (CSV, JSON, Markdown) feed SIEM platforms and case-management tools. See the recover deleted emails PST guide for the parallel email-forensics workflow.

Get Started

Download Sherlock Forensics Universal Events Viewer

Free for viewing, filtering and triage. Forensic Edition at $97 USD for export and branded PDF reports. Built by CISSP, ISSAP and ISSMP certified examiners with 20 years of courtroom experience. See our full forensic tool suite and expert witness services.

Since 2006 | CISSP, ISSAP, ISSMP certified | 888.883.4550

SHA-256: bdf961cf95f2e4cae0d164e101c402e88c515a5f0f47c1b7e74fcc8d0820666b

How to verify:
1. Open PowerShell (right-click Start menu, click Terminal)
2. Run: Get-FileHash .\sherlock-universal-events-viewer.exe
3. Compare the output with the hash above. If they match, the file has not been tampered with.

Sherlock Forensics Universal Events Viewer is provided for lawful use. Terms of Service


Checkout - Events Viewer Forensic Edition

$97.00 USD. One-time payment. License key delivered to your email.
