Decode manifest value maps and unbox event-record properties

[jschick04]

Summary

Two resolver changes that improve description accuracy and cut per-event allocation, with byte-identical output verified against a golden corpus.

1. Decode manifest value maps and bit maps

Event descriptions now decode valueMap / bitMap parameters from the provider manifest, matching what Windows (Get-WinEvent / EvtFormatMessage) shows. Windows exposes no API for the map definitions and strips the map= attribute from rendered templates, so the maps are parsed directly from the provider's WEVT_TEMPLATE PE resource (new WevtTemplateReader). Raw values like Bus Type: 10 now resolve to Bus Type: SAS; bitmap flag sets and GUID braces are handled too.

2. Unbox event-record properties

EventRecord.Properties becomes an IReadOnlyList<EventProperty>, where EventProperty is a 16-byte readonly struct that eliminates the per-property boxing the previous IList<object> forced. Numeric, boolean and DateTime values pack into the struct behind a shared per-kind sentinel; reference values stay in the object slot. This cuts per-event resolution allocation by roughly 776 B/event on numeric-heavy logs (for example Ntfs/Operational), with no measurable change on string-heavy logs.

Resolution output is byte-for-byte identical before and after both changes, verified by a golden diff over 86,353 real events across four event logs.

Known limitation

Value-map decoding applies on the live-provider resolution path only. Providers resolved from a cached provider database (.db) fall back to raw values, because the database does not persist map definitions. This matches the existing DB-path behavior (it showed raw values before this change too). Adding database support is planned as a follow-up.

Testing

• Unit suites green: EventLogExpert.Eventing 300, EventLogExpert.Provider 58, EventLogExpert.Provider.Database 42.
• Release build: 0 warnings, 0 errors.
• Golden parity: byte-identical resolved descriptions over 86,353 events.

[Copilot]

Pull request overview

This PR improves event description rendering accuracy and reduces per-event allocations by (1) decoding provider manifest valueMap/bitMap definitions from the provider’s WEVT_TEMPLATE resource and applying them during formatting, and (2) replacing boxed object event properties with an unboxed EventProperty struct.

Changes:

• Parse WEVT_TEMPLATE to recover value/bit maps, resolve their entry strings via EvtFormatMessage, and inject map= attributes back into templates for analysis/formatting.
• Unbox event record properties into IReadOnlyList<EventProperty> and update formatting logic to use kind-tagged packed values.
• Add unit tests covering map extraction/decoding, template analysis, property packing, and resolver formatting output.

Reviewed changes

Copilot reviewed 20 out of 20 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
tests/Unit/EventLogExpert.Provider.Tests/Resolution/ValueMapDefinitionTests.cs	Adds coverage for valueMap/bitMap decoding behavior.
tests/Unit/EventLogExpert.Eventing.Tests/Resolvers/TemplateAnalyzerTests.cs	Tests extraction of map= attributes and visible/all alignment.
tests/Unit/EventLogExpert.Eventing.Tests/Resolvers/EventResolverBaseTests.cs	Adds resolver regression tests for map decoding and unboxed property formatting.
tests/Unit/EventLogExpert.Eventing.Tests/Readers/EventPropertyTests.cs	Validates EventProperty kind tagging, equality, and unsigned-bit extraction.
tests/Unit/EventLogExpert.Eventing.Tests/PublisherMetadata/WevtTemplateReaderTests.cs	Tests parsing WEVT_TEMPLATE binaries and map recovery.
tests/Unit/EventLogExpert.Eventing.Tests/PublisherMetadata/EventMessageProviderTests.cs	Tests map= injection behavior into templates.
tests/Shared/EventLogExpert.Eventing.TestUtils/EventUtils.cs	Updates test helper to accept EventProperty lists.
src/EventLogExpert.Provider/Resolution/ValueMapDefinition.cs	Introduces map definition/entry types and decoding logic.
src/EventLogExpert.Provider/Resolution/ProviderDetails.cs	Adds Maps to provider details for runtime decoding.
src/EventLogExpert.Provider.Database/Context/ProviderDbContext.cs	Excludes Maps from EF persistence (runtime-only).
src/EventLogExpert.Eventing/Resolvers/TemplateMetadata.cs	Extends template metadata to include per-<data> map names.
src/EventLogExpert.Eventing/Resolvers/TemplateAnalyzer.cs	Extracts map= attributes alongside outType= and tracks visible/all arrays.
src/EventLogExpert.Eventing/Resolvers/DescriptionFormatter.cs	Uses EventProperty + template maps to format/decode values and bit flags.
src/EventLogExpert.Eventing/Readers/EventRecord.cs	Switches Properties to IReadOnlyList<EventProperty>.
src/EventLogExpert.Eventing/Readers/EventProperty.cs	Adds 16-byte readonly struct for unboxed event properties.
src/EventLogExpert.Eventing/PublisherMetadata/WevtTemplateReader.cs	Implements WEVT_TEMPLATE parsing and runtime map extraction.
src/EventLogExpert.Eventing/PublisherMetadata/ProviderMetadata.cs	Exposes publisher GUID/resource path and message-by-id formatting helper.
src/EventLogExpert.Eventing/PublisherMetadata/EventMessageProvider.cs	Populates maps from WEVT_TEMPLATE and injects map= attributes into templates.
src/EventLogExpert.Eventing/Interop/NativeMethods.Evt.cs	Adds ConvertVariantToProperty and updates property rendering to unboxed list.
src/EventLogExpert.Eventing/Interop/NativeMethods.cs	Adds FindResourceW interop for string-typed resource lookup.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 20 out of 20 changed files in this pull request and generated 1 comment.

[Copilot]

Pull request overview

Copilot reviewed 20 out of 20 changed files in this pull request and generated 1 comment.

[Copilot]

Pull request overview

Copilot reviewed 22 out of 22 changed files in this pull request and generated no new comments.