Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » Bug in EventSave

Bug in EventSave

by Nikola Strahija on November 2nd, 2002 Software: EventSave prior to version 5.3 EventSave+ prior to version 5.3


Vendor: Frank Heyne Software
http://www.heysoft.de/

Impact: Loss of events

Max Risk: Critical

HTML version: http://www.heysoft.de/nt/eventlog/hsb01e.htm

--------------------------------------------------------------------

Introduction:
=============
EventSave is a popular Freeware program. It moves all events from the
current Windows NT (all versions) event logs into backup files.
Independant of how often the software is run, it moves all events from
the same month and type from a machine into the same destination file.
Actually, moving the events is done by a copy, followed by cleaning
the current logs.

EventSave+ is part of the Shareware "Report Event", a suite of 9 tools
for managing Windows NT event logs. It works as EventSave, but does
allow to move only the events of certain types of logs.


The bug:
========
When the program is not run for the first time in a month, it appends
events to the (already existing) target file. But as long as the target
file is opened by Microsoft's Event Viewer, no other program can write
into this file. EventSave(+) did miss to check whether it successfully
could append the events or not. There was no error returned, and the
current log was cleaned. Events which should have been moved into the
evt file opened by Microsoft's Event Viewer got lost.


Mitigating Factors:
===================
Using a non blocking Event Viewer, like Elwiz from www.heysoft.de, for
viewing evt files does allow EventSave(+) to write to the file which
is currently opened by this viewer. (Actually, because we prefer Elwiz
over Event Viewer, we did not find this bug earlier.)


Patch Availability:
===================
Version 5.3 of the Freeware program EventSave is available from
http://www.heysoft.de/nt/eventlog/ep-es.htm
This version will give a hint if the target file is not writable,
and it will write the events to a spare file in such a case.
One could use MER, which is also part of the "Report Event" suite,
to merge the events from the spare file into the correct target file
later. Information about "Report Event" is available from
http://www.heysoft.de/nt/eventlog/ep-re.htm

Version 5.3 of EventSave+ is available for all registered users of
"Report Event". Customers with a valid Support Pack already received
an information where to download the new version. Customers without
a valid Support Pack should contact [email protected] and provide
their registration number to receive the update.


Acknowledgment:
===============
The person who reported the bug said:
"I am not looking for publicity..."
Anyway, you know who you are, thanks for bringing the problem to my
attention.


Final remark:
=============
I am sorry for the bug beeing there for so long. I don't know whether
there was a loss of events anywhere (except for the customer who
informed me about the bug). But because I am a firm believer in the
idea of full disclosure, I think it is necessary to make the bug public.
There seems to be a piece of truth in the saying that a software without
a bug will never exist. Now you know why the documentation of my
programs always tells you "Use this program on your own risk."

Frank Heyne


Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »