# Triage Windows event logs, locally

> EVTX Explorer parses Windows Event Log (.evtx) files entirely in your browser via a Rust-to-WebAssembly engine, then adds the DFIR layer the free viewers don't: a SIGMA-lite matcher plus curated detection heuristics that flag suspicious events, logon-session reconstruction (4624/4634/4647), a built-in Event ID knowledge base with MITRE ATT&CK mapping, and faceted filtering by level, provider, channel, and Event ID. Records show in a list up top with full detail below. Nothing is uploaded — the log, which often contains internal hostnames, usernames, and indicators, never leaves your device.

Live tool: https://lofttools.com/tools/security-tools/evtx-explorer

Category: Security & Privacy


## What it does

- Parse Windows .evtx logs in-browser via a Rust→WASM engine (the MIT omerbenamram/evtx core)
- Records list on top, full per-record detail (System + EventData + raw) below
- SIGMA-lite matcher + curated heuristics: bundled rules flag suspicious events; paste your own single-selection SIGMA YAML
- Logon-session reconstruction from 4624/4634/4647 with logon type + account
- Built-in Event ID knowledge base (4624/4625/4672/4688/7045/1102 and more) with MITRE ATT&CK mapping
- Faceted filtering by level, provider, channel and Event ID, plus full-text search
- Export all events, filtered events, or detections to JSON
- Runs 100% in your browser — the event log never leaves your device
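As an added illustration of the logon-session reconstruction listed above (this is example code, not the tool's own Rust/WASM implementation), the function below pairs each 4624 with its 4634/4647 on the `TargetLogonId` field, keeps sessions that never log off open, and separates logoffs whose logon is missing from the export. The records are constructed samples carrying only the EventData fields the pairing needs.

```python
from datetime import datetime, timezone

# Constructed sample records (not from any real log): only the System/EventData
# fields that session reconstruction needs. Times are UTC.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Time": "2024-05-01T08:00:00Z", "TargetLogonId": "0x3e7a1",
     "TargetUserName": "alice", "LogonType": 10, "IpAddress": "10.0.0.5"},
    {"EventID": 4624, "Time": "2024-05-01T08:05:00Z", "TargetLogonId": "0x41b22",
     "TargetUserName": "svc_backup", "LogonType": 3, "IpAddress": "10.0.0.9"},
    {"EventID": 4647, "Time": "2024-05-01T08:06:00Z", "TargetLogonId": "0x41b22",
     "TargetUserName": "svc_backup"},
    # The 4634 that normally follows a 4647 for the same LogonId.
    {"EventID": 4634, "Time": "2024-05-01T08:06:01Z", "TargetLogonId": "0x41b22",
     "TargetUserName": "svc_backup", "LogonType": 3},
    {"EventID": 4634, "Time": "2024-05-01T09:30:00Z", "TargetLogonId": "0x3e7a1",
     "TargetUserName": "alice", "LogonType": 10},
    # A logoff whose 4624 fell outside the exported window (log rollover).
    {"EventID": 4634, "Time": "2024-05-01T09:31:00Z", "TargetLogonId": "0xc0ffee",
     "TargetUserName": "mallory", "LogonType": 2},
    {"EventID": 4624, "Time": "2024-05-01T10:00:00Z", "TargetLogonId": "0x7a9d3",
     "TargetUserName": "bob", "LogonType": 2, "IpAddress": "-"},
]
LOGOFF_REASON = {4634: "logoff", 4647: "user-initiated logoff"}

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def reconstruct_sessions(events):
    """Pair each 4624 with its 4634/4647 by TargetLogonId.
    Returns (sessions, orphans): a session still open at the end of the export has
    end=None; orphans are logoffs with no matching logon (truncated/rolled-over log).
    """
    sessions, orphans = {}, []
    for ev in sorted(events, key=lambda e: _ts(e["Time"])):
        lid = ev["TargetLogonId"].lower()
        if ev["EventID"] == 4624:
            sessions[lid] = {"user": ev["TargetUserName"], "logon_type": ev["LogonType"],
                             "source_ip": ev.get("IpAddress", "-"), "start": _ts(ev["Time"]),
                             "end": None, "end_reason": None, "duration_s": None}
        elif ev["EventID"] in LOGOFF_REASON:
            s = sessions.get(lid)
            if s is None:
                orphans.append(lid)
            elif s["end"] is None:  # keep the first logoff; a 4647 then 4634 pair is normal
                s["end"] = _ts(ev["Time"])
                s["end_reason"] = LOGOFF_REASON[ev["EventID"]]
                s["duration_s"] = int((s["end"] - s["start"]).total_seconds())
    return sessions, orphans
```

Open sessions (no logoff by the end of the export) and orphan logoffs are worth a second look during triage, since both mean the log window does not cover the whole session.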

## Tips

- **Start with Security.evtx** — Logon activity (4624/4625), privilege use (4672), and process creation (4688) live in the Security log — the richest source for triage.
- **Let SIGMA surface the noise** — Run the bundled detections first to jump straight to log clears, suspicious service installs, and failed-logon bursts, then pivot from there.
- **Everything stays local** — The Rust→WASM parser runs on your device. Open DevTools → Network and watch your event log never upload.

## EVTX Explorer vs. the alternatives

|  | Loft EVTX Explorer | Event Viewer | SIEM (Splunk/Sentinel) | Free EVTX viewers |
| --- | --- | --- | --- | --- |
| Runs locally (no upload) | Yes | Yes (Windows only) | No — ingests to cloud | Yes |
| SIGMA detections | Yes | No | Yes | No |
| Logon-session + Event ID KB | Yes | Partial | Build-it-yourself | No |
| Cross-platform (any browser) | Yes | Windows only | Web | Varies |
| Cost | Free | Built-in | Per-GB | Free |

_Triage, not an EDR: SIGMA over an exported log finds known patterns; it is not real-time detection or response. A browser tab parses a log you already have — pair it with a SIEM/EDR for live monitoring. Built on the MIT omerbenamram/evtx parser; credit + thanks to that project._

## Privacy — what we do not do

This tool runs entirely in the browser via WebAssembly. Your file never reaches a Loft Tools server. Specifically:

- **No upload.** The file bytes load into the browser tab's memory and are processed on your own CPU. Open DevTools → Network and observe zero outbound requests carrying file data while EVTX Explorer runs.
- **No AI training on your file.** Loft does not train models. We could not train on a file we cannot see.
- **No content scanning.** No virus, copyright, or content-moderation pass against your file. The bytes are not accessible to us.
- **No server-side log of file contents, filenames, or EXIF metadata.** Cloudflare edge captures URL and truncated IP for abuse defense (standard CDN behaviour). Cloudflare Web Analytics records anonymous page hits, no cookies, no PII. Nothing about your file content reaches any log.
- **No retention.** Close the tab and the file leaves browser memory. No backups exist on our side because no copy ever existed on our side.
- **No account.** No email, no signup, no auth, no telemetry tied to you.
- **Offline-capable after first visit** (PWA). Once you've loaded a tool, it caches; later sessions work without internet. For high-sensitivity files, run the tool once online to warm the cache, then disconnect before processing.

Compare with upload-based services: each transmits your file to a processing server. Even over HTTPS, each has logs, retention windows, and subpoena exposure. Loft has none of these because the server architecture does not include your file.

## More

- All tools: https://lofttools.com/tools
- Category: https://lofttools.com/tools/security-tools
- LLM index: https://lofttools.com/llms.txt
