Windows Internals
intermediateStart Here Step 6Open lab →

EVTX file format

64 KB chunks, binary XML, templates, and the durable storage layout behind Event Viewer.

Related labs

Hands-on exercises for this area — in the browser or on a Windows machine.

EVTX Lab

Load and explore Windows Event Log files in the browser with Rust WASM parsing.

Open lab
View all labs

Official Microsoft docs

Closest official references related to this topic on Microsoft Learn.

Microsoft Learn

Windows Event Log

learn.microsoft.com

Microsoft Learn

Defining channels

learn.microsoft.com

Microsoft Learn

Writing an instrumentation manifest

learn.microsoft.com

Why it matters

Understanding the file format explains why parsing is possible client-side and why the viewer can reconstruct structured events from a binary log file.

Mental model

An EVTX file is a sequence of chunks containing structured records encoded with reusable templates and binary XML data.

Windows building blocks

Names and paths you can look for in Task Manager, Explorer, or documentation.

  • File*.evtx

    %SystemRoot%\System32\winevt\Logs

    Binary event log files

Go one level deeper

Extra detail for readers who want more precision before opening a child topic.

  • Chunks contain string tables and event records; corrupted headers break sequential parsing.
  • Forwarded events and subscriptions copy records across machines.

How it works

  1. 1Each EVTX file starts with file metadata and then a set of chunks.
  2. 2Chunks carry event records and template information for efficient storage.
  3. 3Records are reconstructed into XML or JSON by combining binary data and templates.

Key terms

Chunk
A fixed-size EVTX storage unit that groups records and metadata.
BXML
Binary XML used to encode event structure compactly.
Template
A reusable event shape that helps render structured records.

Why EVTX files are fast to scan incrementally

Because the file is chunked, tools can load portions of the log instead of rendering the whole thing at once.

Common misconception

The final user-facing message is not fully stored inside the EVTX record itself; rendering often needs external message metadata.

Guided exercise

Use this topic to move from theory into practice.

Open lab
  • 1Load an EVTX file and inspect chunk counts and record counts.
  • 2Move between chunk pages to see that the file is explored incrementally.
  • 3Open a record and identify the System section, Event ID, channel, and provider.

You should read next

Ranked from your current topic, related links, branch depth, and any active guided path.

beginner

Providers & channels

Who emits events and where those records are routed inside Windows logging.

Related topic

intermediate

ETW tracing

Real-time sessions, controllers, and consumers for higher-volume tracing.

Related topic

beginner

Diagnostics & logging

Where Windows records what happened: Event Log, ETW, and crash-oriented clues.

Part of a guided learning path

Related topics

Providers & channels

Who emits events and where those records are routed inside Windows logging.

ETW tracing

Real-time sessions, controllers, and consumers for higher-volume tracing.

Previous

Windows Event Log

Providers publish structured events; the Event Log service stores them in durable channels.

Next

Security

Access tokens, privileges, integrity, and how Windows decides who can do what.