A fast, privacy-first Windows Event Log analyzer that runs entirely in your browser.
→ Try it now — no install, no upload.
EVTX Inspector lets incident responders and forensic analysts investigate Windows .evtx files and CSV event log exports without installing anything and without uploading data anywhere. All parsing, filtering, and flagging happens locally in Web Workers.
Eric Zimmerman's EvtxECmd + Timeline Explorer is the gold standard for Windows Event Log triage — but it's Windows-only. Analysts on macOS and Linux have no equivalent investigation UI. The options today are:
- Spin up a Windows VM just to open an EVTX file in a usable GUI.
- Pipe the file through CLI tools (Hayabusa, Chainsaw) — powerful, but headless: they produce output files, not interactive triage environments.
- Open CSV exports in Excel — no per-column filtering, no row flagging, no forensics-aware features.
- Use omerbenamram.github.io/evtx — excellent parsing, but no CSV support and no investigation workflow (flags, per-column filtering, multi-file).
EVTX Inspector closes that gap: a zero-install, browser-based investigation surface with the column filtering, row flagging, and CSV-export support analysts actually use during triage — running on any OS, with no data ever leaving the machine.
| Category | Capability |
|---|---|
| File support | Native .evtx files and CSV exports (EvtxECmd, Get-WinEvent, any header-row CSV) |
| Performance | Virtual scroll handles hundreds of thousands of events without pagination |
| Multi-file | Open multiple logs simultaneously; switch between them in the sidebar |
| Filtering | Per-column text filters with OR logic (4624, 4625), global search, time range picker |
| Context filter | Right-click any cell value → Add to filter (OR-appends to existing filter) |
| Column management | Show/hide columns, resize by dragging handles, reorder by dragging headers |
| Row detail pane | Single-click any row to open a slide-up detail pane; navigate rows with ↑ ↓ arrow keys |
| Detail search | Search box inside the detail pane filters and highlights fields in real time |
| Field pinning | Bookmark (pin) individual fields in the detail pane to keep them anchored at the top |
| Row flagging | Right-click or batch-select to mark rows Suspicious / Reviewed / Noteworthy |
| Scrollbar markers | Coloured tick marks on the scroll track show where flagged rows sit in the timeline |
| Batch operations | Checkbox-select multiple rows → bulk flag or clear in one action |
| Flag navigation | Toolbar chips jump between flagged rows of each type |
| Copy anywhere | Copy individual field values, or the full row as CSV or JSON, from the detail pane or right-click menu |
| Export | Download events as CSV — choose rows (all / filtered view / flagged only) and select which columns to include |
| Themes | Dark and light mode; respects system preference, persists to localStorage |
| Privacy | Zero telemetry, zero uploads, zero cookies — localStorage only (theme + flags + pinned fields) |
Requirements: Node.js 18+ · npm 9+
```bash
git clone https://github.com/Apurvashelar/EVTX-Inspector.git
cd EVTX-Inspector
npm install
npm run dev      # → http://localhost:5173
npm run build    # production build → dist/
npm run preview  # preview the production build locally
```

Drag-and-drop an .evtx or .csv file onto the app, or click the Browse Files button in the left sidebar (or in the drop-zone when no file is loaded). Multiple files can be loaded at once; click any file in the sidebar to switch.
The app starts with a sample dataset of realistic Windows Security and System events so you can explore the interface without loading a real file.
| Method | How to use |
|---|---|
| Global search | Search bar in the toolbar — matches any column |
| Column filter | Text input below each column header |
| OR values | Comma-separate terms in any column filter: 4624, 4625 |
| Right-click filter | Right-click a cell → Add "[value]" — appends to that column's filter with OR |
| Time range | Set From / To timestamps in the toolbar, then click OK |
| Clear all | "Clear all" button in toolbar removes every active filter at once |
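
The filter semantics in the table above, as an added JavaScript sketch that is not taken from the EVTX Inspector source: comma-separated terms OR together within a column, and a right-clicked value is OR-appended. Case-insensitive substring matching and AND-combination across column filters, global search and time range are assumptions, as are the function names and the constructed sample rows.

```javascript
// Added illustration; not EVTX Inspector source code.
// Assumptions: case-insensitive substring matching; AND across different filters.

// Constructed sample rows (not from a real log).
const SAMPLE_EVENTS = [
  { TimeCreated: "2024-05-01T09:58:12Z", EventID: "4624", Computer: "WS01", EventData: "TargetUserName=alice LogonType=2" },
  { TimeCreated: "2024-05-01T10:02:40Z", EventID: "4625", Computer: "WS01", EventData: "TargetUserName=admin LogonType=3" },
  { TimeCreated: "2024-05-01T10:02:41Z", EventID: "4625", Computer: "WS01", EventData: "TargetUserName=admin LogonType=3" },
  { TimeCreated: "2024-05-01T10:03:05Z", EventID: "4688", Computer: "WS01", EventData: "NewProcessName=C:\\Windows\\System32\\cmd.exe" },
  { TimeCreated: "2024-05-01T10:04:30Z", EventID: "4624", Computer: "DC01", EventData: "TargetUserName=admin LogonType=3" },
];

// "4624, 4625" -> ["4624", "4625"]; blank terms are dropped.
function parseTerms(filterText) {
  return filterText.split(",").map((t) => t.trim().toLowerCase()).filter(Boolean);
}

// Right-click "Add to filter": OR-append a value unless it is already present.
function appendOrTerm(filterText, value) {
  const current = filterText.trim();
  const added = value.trim();
  if (parseTerms(current).includes(added.toLowerCase())) return current;
  return current ? `${current}, ${added}` : added;
}

// OR within one column filter; every active filter must pass for a row to stay.
function applyFilters(rows, { columns = {}, search = "", from = null, to = null } = {}) {
  const needle = search.trim().toLowerCase();
  const fromMs = from ? Date.parse(from) : -Infinity;
  const toMs = to ? Date.parse(to) : Infinity;
  return rows.filter((row) => {
    const t = Date.parse(row.TimeCreated);
    // With a range set, rows whose timestamp cannot be parsed are excluded.
    if ((from || to) && !(t >= fromMs && t <= toMs)) return false;
    for (const [col, text] of Object.entries(columns)) {
      const terms = parseTerms(text);
      const cell = String(row[col] ?? "").toLowerCase();
      if (terms.length && !terms.some((term) => cell.includes(term))) return false;
    }
    if (!needle) return true;
    return Object.values(row).some((v) => String(v).toLowerCase().includes(needle));
  });
}
```
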
Single-click any row to open the slide-up detail pane at the bottom of the screen. While the pane is open:
| Action | How |
|---|---|
| Navigate rows | Press ↑ / ↓ to move to the previous / next row; the table auto-scrolls |
| Search fields | Type in the search box in the pane header to filter and highlight matching fields |
| Pin a field | Hover over a field row and click the bookmark icon to pin it to the top of the pane — persists across sessions |
| Copy a field | Hover over a field row and click Copy |
| Copy full row | CSV and JSON buttons in the pane header copy the entire row |
| Resize pane | Drag the handle at the top of the pane; drag to ~44 px to collapse it to just the header |
| Close pane | Click × in the pane header, or press Escape (first Escape clears the search if active) |
Pinned fields always appear at the top of the detail pane and are highlighted in blue. Pins are stored in localStorage and restored on next visit.
- Single-click a row to select it and open the detail pane.
- Right-click any row or cell to flag it as Suspicious, Reviewed, or Noteworthy, or to copy cell / row data.
- Checkbox rows (or use the header checkbox for "select all") then use the batch action bar to flag multiple rows at once.
- Toolbar chips (coloured counts) let you jump to the next flagged row of each type.
- Scrollbar markers — coloured tick marks appear on the vertical scrollbar track showing where flagged rows sit relative to the full log timeline.
- Toggle Flagged only in the toolbar to hide unflagged rows.
Flags are stored in localStorage keyed by a hash of the file (name + size + content sample), so reopening the same file in the same browser restores all previous flags.
Note on flag persistence: If you rename the file, modify its content, or clear your browser's localStorage, flags will be lost. There is currently no export/import path for flag data.
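
Why a rename or an edit orphans flags, as an added JavaScript sketch that is not the project's own code: the storage key is derived from name, size and a content sample, so changing any of those inputs yields a different key and the old flags are no longer found. The FNV-1a hash, the 4 KiB sample size, the JSON layout and all function names are assumptions; only the `evtx-inspector-flags` key name comes from this README.

```javascript
// Added illustration; not EVTX Inspector source code.
// Assumptions: FNV-1a as the hash, a 4 KiB head sample, and this JSON layout.
const FLAGS_KEY = "evtx-inspector-flags"; // localStorage key named in this README
const SAMPLE_BYTES = 4096;

// 32-bit FNV-1a over bytes: a lookup key, not an integrity hash.
function fnv1a(bytes, seed = 0x811c9dc5) {
  let h = seed;
  for (const b of bytes) {
    h ^= b;
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h >>> 0;
}

// Key derived from name + size + content sample, as the README describes.
function fileKey(name, bytes) {
  const meta = new TextEncoder().encode(`${name}\u0000${bytes.length}\u0000`);
  const h = fnv1a(bytes.subarray(0, SAMPLE_BYTES), fnv1a(meta));
  return h.toString(16).padStart(8, "0");
}

// `store` is anything with getItem/setItem, e.g. window.localStorage in a browser.
function saveFlags(store, key, flags) {
  const all = JSON.parse(store.getItem(FLAGS_KEY) || "{}");
  all[key] = flags;
  store.setItem(FLAGS_KEY, JSON.stringify(all));
}

function loadFlags(store, key) {
  const all = JSON.parse(store.getItem(FLAGS_KEY) || "{}");
  return all[key] || {};
}

// In-memory stand-in for localStorage so the example runs outside a browser.
function memoryStore() {
  const m = new Map();
  return { getItem: (k) => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, String(v)) };
}

// Constructed bytes standing in for an .evtx file ("ElfFile\0" signature + zero padding).
function sampleFile() {
  const bytes = new Uint8Array(8192);
  bytes.set(new TextEncoder().encode("ElfFile\u0000"));
  return bytes;
}
```

Because flags stay in one browser profile's localStorage, the Export dialog's "Flagged rows only" option with the FlagType column is the way to carry flagged events into case notes.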
Click Export… in the toolbar to open the export dialog. Options:
| Setting | Choices |
|---|---|
| Rows | All rows · Current filtered view · Flagged rows only |
| Columns | Tick any subset; All / None shortcuts; optionally append a FlagType column |
The downloaded file is named <original-filename>_<all|filtered|flagged>.csv.
| Action | How |
|---|---|
| Resize | Drag the right edge of any column header (min 40 px, max 1200 px) |
| Reorder | Drag a column header left or right; a blue indicator shows the drop position |
| Show / hide | Columns button in the toolbar → toggle individual columns |
| Reset layout | Columns → Reset restores default widths and visibility |
.evtx: native Windows Event Log binary format, parsed in a Web Worker using @ts-evtx/core. The parser extracts the System fields (EventID, TimeCreated, Level, Channel, Computer, Provider, UserID, Keywords, Task, Opcode) plus all <EventData> name/value pairs, which are concatenated into a single column.
CSV: any CSV with a header row. Column names from common tools are auto-recognized:
| Tool | Key columns detected |
|---|---|
| EvtxECmd | EventRecordID, TimeCreated, EventID, LevelName, Channel, Computer, Provider, MapDescription, PayloadData1–6 |
| Get-WinEvent | TimeCreated, Id, Message |
| Generic | Any column names; timestamp columns detected by name heuristic |
| Layer | Library | Version |
|---|---|---|
| Framework | React | 19 |
| Build | Vite | 8 |
| Styling | Tailwind CSS | 4 |
| Table engine | TanStack Table | v8 |
| Virtualization | TanStack Virtual | v3 |
| State | Zustand | 5 |
| EVTX parsing | @ts-evtx/core | 1.1 |
| CSV parsing | PapaParse | 5 |
| Language | TypeScript | 6 |
All processing runs in your browser. Nothing is transmitted to any server. The only data written to localStorage is:
- Your theme preference (evtx-theme)
- Row flags (evtx-inspector-flags) — keyed by file hash, not file content
- Pinned detail-pane fields (evtx-inspector-pinned-fields)
No analytics, no error reporting, no external requests of any kind.
Modern Chromium browsers (Chrome 90+, Edge 90+) and Firefox 90+. Safari is supported but less tested. Requires ES modules and Blob + URL.createObjectURL for CSV export.
MIT

