
Extract event providers from offline Windows images#621

Merged
jschick04 merged 15 commits into jschick/offline-provider-extraction from jschick/offline-image-extraction on Jun 29, 2026

Conversation

@jschick04

Collaborator

Summary

Adds fully-offline event-provider extraction from a foreign Windows image to eventdbtool. Given a mounted volume, an extracted image folder, or a .wim/.esd file, eventdbtool create <db> --offline-image <path> [--image-kind wim --wim-index N] reads the image's own SOFTWARE/SYSTEM registry hives and builds a provider database without touching the host registry or host files. Stacked on #619.

How it works

  • OfflineImageProviderSource / OfflineImageRoot: resolve the image layout from the image root or its Windows directory and validate both hives are present.
  • OfflineRegistryHive: stage SOFTWARE/SYSTEM to a writable temp and load via RegLoadAppKey, with a RegLoadKey fallback that recovers dirty hives.
  • OfflineWimImage / WimNativeApi: list the images in a .wim/.esd and apply the selected index via WIMGAPI.
  • OfflineImagePathMapper / OfflineRootGuard: re-root every registry message-file path under the image, mapping %SystemRoot% / %SystemDrive% / %ProgramFiles%-family tokens against the image (never the host) and rejecting any path that escapes the root (reparse-resolved, fail-closed).
  • OfflinePublisherCatalog / OfflineLegacyMessageFileResolver: enumerate modern (WEVT_TEMPLATE) and legacy providers, reading every value with DoNotExpandEnvironmentNames.

Testing

  • Unit and integration coverage across containment, hive load and dirty-hive recovery, the WIM state machine, the publisher catalog, and legacy resolution.
  • Validated end-to-end against a real Windows Server 2019 install.wim: lists all images, extracts a full provider database, and resolves %ProgramFiles%-based providers (e.g. Windows Defender) to match the live path.
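The map-then-guard containment seam described under "How it works" (the OfflineImagePathMapper / OfflineRootGuard pair), as an added example that is not the project's code: it re-roots registry-stored message-file paths under a constructed image root, resolves %SystemRoot% / %SystemDrive% / %ProgramFiles%-family tokens against the image only, and fails closed on unknown tokens, UNC paths, `..` sequences that climb above the root, and a symlink (standing in for a junction/reparse point) that points outside it. The token table, the rule that any drive-letter prefix denotes the image's own system drive, the helper names (`map_to_image`, `guard`, `resolve`, `run_demo`) and all sample values are assumptions of this example, not the PR's implementation.

```python
"""Added example (not EventLogExpert's code): map registry message-file
paths onto an offline image root and reject anything that escapes it."""
from __future__ import annotations

import os
import re
import tempfile

# Assumed image-relative targets for the tokens the PR mentions. They are
# resolved against the IMAGE root only; the host environment is never consulted.
TOKEN_TARGETS = {
    "systemroot": "Windows",
    "windir": "Windows",
    "systemdrive": "",
    "programfiles": "Program Files",
    "programfiles(x86)": "Program Files (x86)",
    "programw6432": "Program Files",
}
_TOKEN_RE = re.compile(r"%([^%\\/]+)%")
_DRIVE_RE = re.compile(r"^[A-Za-z]:")


def map_to_image(raw_value: str, image_root: str) -> str | None:
    """Re-root one unexpanded registry path (a REG_EXPAND_SZ read without
    expansion) under image_root. Returns None (fail closed) for empty values,
    UNC paths, unknown tokens, or '..' sequences that climb past the root."""
    value = raw_value.strip().strip('"')
    if not value or value.startswith(("\\\\", "//")):
        return None
    unknown = False

    def _expand(match: re.Match) -> str:
        nonlocal unknown
        target = TOKEN_TARGETS.get(match.group(1).lower())
        if target is None:
            unknown = True  # would need host expansion: refuse
            return ""
        return target

    value = _TOKEN_RE.sub(_expand, value)
    if unknown:
        return None
    # Assumption of this example: a drive-letter prefix means the image's own system drive.
    value = _DRIVE_RE.sub("", value)
    parts: list[str] = []
    for segment in re.split(r"[\\/]+", value):
        if segment in ("", "."):
            continue
        if segment == "..":
            if not parts:
                return None  # climbing above the image root
            parts.pop()
            continue
        parts.append(segment)
    return os.path.join(image_root, *parts) if parts else None


def guard(image_root: str, candidate: str) -> str | None:
    """Resolve links (the POSIX stand-in for junctions/reparse points) and
    keep the path only if the real target is still inside the real root."""
    root = os.path.realpath(image_root)
    target = os.path.realpath(candidate)
    try:
        inside = os.path.commonpath([root, target]) == root
    except ValueError:  # different drives on Windows: cannot be inside
        inside = False
    return target if inside else None


def resolve(raw_value: str, image_root: str) -> str | None:
    """Map, then guard: both steps must succeed or the path is dropped."""
    mapped = map_to_image(raw_value, image_root)
    return None if mapped is None else guard(image_root, mapped)


def run_demo() -> dict[str, str | None]:
    """Build a constructed image tree (with a link escaping the root), resolve
    constructed registry values against it, and return root-relative results
    with '/' separators so they are stable across platforms."""
    with tempfile.TemporaryDirectory(prefix="offline-image-demo-") as base:
        root = os.path.join(base, "image")
        host = os.path.join(base, "host")  # plays the host filesystem
        os.makedirs(os.path.join(root, "Windows", "System32"))
        os.makedirs(host)
        os.symlink(host, os.path.join(root, "Windows", "Links"))  # escaping "junction"
        samples = {  # constructed values, as they would sit unexpanded in the hive
            "system32": r"%SystemRoot%\System32\example.dll",
            "programfiles": r"%ProgramFiles%\Windows Defender\example.dll",
            "drive": r"C:\Windows\System32\example.dll",
            "dotdot": r"%SystemRoot%\..\..\example.dll",
            "unc": r"\\fileserver\share\example.dll",
            "unknown_token": r"%UserProfile%\example.dll",
            "junction": r"%SystemRoot%\Links\example.dll",
        }
        real_root = os.path.realpath(root)
        out: dict[str, str | None] = {}
        for name, value in samples.items():
            resolved = resolve(value, root)
            out[name] = (None if resolved is None
                         else os.path.relpath(resolved, real_root).replace(os.sep, "/"))
        return out


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:14} -> {result if result else 'DROPPED (fail closed)'}")
```

The two-step split matters: the mapper works on the raw string and never calls the host's environment expansion, so a token only ever lands inside the image; the guard then re-checks the mapped path after link resolution, which is what catches a junction planted inside the image that points at the host. Anything either step cannot vouch for is dropped rather than guessed.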

Copilot AI left a comment

Contributor


Pull request overview

Adds a fully-offline provider-extraction mode to eventdbtool create so a provider DB can be built from a foreign Windows image (mounted/extracted directory or .wim/.esd) using the image’s own SOFTWARE/SYSTEM hives and re-rooted message-file paths, without consulting host registry/files.

Changes:

  • Introduces offline image provider extraction pipeline (hive staging + load/recovery, catalog + legacy enumeration, containment/path re-rooting, and per-row source OS provenance).
  • Adds WIM/ESD support via WIMGAPI (index listing + extract-to-temp lifecycle) and wires offline-image options into CLI and create-db operation validation/selection.
  • Adds broad unit/integration coverage for offline image handling, WIM orchestration, containment, dirty-hive recovery, and IPC round-tripping of offline-image request fields.

Reviewed changes

Copilot reviewed 54 out of 54 changed files in this pull request and generated 1 comment.

File Description
tests/Unit/EventLogExpert.Runtime.Tests/DatabaseTools/Elevation/IpcRequestRoundTripTests.cs Adds round-trip test to ensure offline-image fields survive IPC serialization.
tests/Unit/EventLogExpert.Eventing.Tests/PublisherMetadata/OfflineImageProviderSourceTests.cs Unit tests for offline provider enumeration semantics (dedupe/filter/provenance).
tests/Unit/EventLogExpert.Eventing.Tests/PublisherMetadata/Offline/OfflineWimImageTests.cs Tests WIM index-list and extract state machine via a fake native API.
tests/Unit/EventLogExpert.Eventing.Tests/PublisherMetadata/Offline/OfflineTestImage.cs Test fixture that scaffolds synthetic offline image layout + hives.
tests/Unit/EventLogExpert.Eventing.Tests/PublisherMetadata/Offline/OfflineRegistryHiveTests.cs Tests basic offline hive load and value reads from a standalone hive.
tests/Unit/EventLogExpert.Eventing.Tests/PublisherMetadata/Offline/OfflineRegistryHiveFallbackTests.cs Tests dirty-hive recovery branches via a fake hive native API.
tests/Unit/EventLogExpert.Eventing.Tests/PublisherMetadata/Offline/OfflinePublisherCatalogTests.cs Tests offline WINEVT publisher catalog reading and path re-rooting behavior.
tests/Unit/EventLogExpert.Eventing.Tests/PublisherMetadata/Offline/OfflineLegacyMessageFileResolverTests.cs Tests offline legacy message/parameter file resolution from SYSTEM hive.
tests/Unit/EventLogExpert.Eventing.Tests/PublisherMetadata/Offline/OfflineImageProviderExtractorTests.cs Tests extractor wiring (provenance, catalog, legacy enumeration/build).
tests/Unit/EventLogExpert.Eventing.Tests/PublisherMetadata/Offline/Containment/OfflineRootGuardTests.cs Tests root-escape prevention (host path + junction escape).
tests/Unit/EventLogExpert.Eventing.Tests/PublisherMetadata/Offline/Containment/OfflineImageRootTests.cs Tests image-root layout resolution and containment checks.
tests/Unit/EventLogExpert.Eventing.Tests/PublisherMetadata/Offline/Containment/OfflineImagePathResolverTests.cs Tests map+guard seam drops hostile reparse-point escapes.
tests/Unit/EventLogExpert.Eventing.Tests/PublisherMetadata/Offline/Containment/OfflineImagePathMapperTests.cs Tests offline path mapping, token handling, and fail-closed dropping rules.
tests/Unit/EventLogExpert.Eventing.Tests/PublisherMetadata/Offline/BackupRestorePrivilegeScopeTests.cs Tests privilege enabling/marshalling behavior used by recovery path.
tests/Unit/EventLogExpert.DatabaseTools.Tests/CreateDatabase/CreateDatabaseWimValidationTests.cs Tests kind-aware CLI request validation for offline images and WIMs.
tests/Unit/EventLogExpert.DatabaseTools.Tests/CreateDatabase/CreateDatabaseSelectModeTests.cs Tests request mode selection logic (local vs source vs offline image).
tests/Integration/EventLogExpert.Eventing.IntegrationTests/PublisherMetadata/Wevt/OfflineWevtProviderParityTests.cs Updates integration parity tests for new legacy-resolver parameter.
tests/Integration/EventLogExpert.Eventing.IntegrationTests/PublisherMetadata/SourceOsProvenanceTests.cs Renames and updates provenance tests to new SourceOsProvenance.
tests/Integration/EventLogExpert.DatabaseTools.IntegrationTests/Operations/CreateDatabaseOperationTests.cs Adds integration coverage for offline-image validation failure cases.
src/EventLogExpert.Eventing/PublisherMetadata/Wevt/OfflineWevtProviderReader.cs Injects legacy-message lookup via ILegacyMessageFileResolver (host-free offline builds).
src/EventLogExpert.Eventing/PublisherMetadata/SourceOsProvenance.cs New shared provenance record for host or offline-image OS stamping.
src/EventLogExpert.Eventing/PublisherMetadata/RegistryProvider.cs Implements ILegacyMessageFileResolver for live (host) legacy lookups.
src/EventLogExpert.Eventing/PublisherMetadata/OfflineImageProviderSource.cs Public facade to load providers from an offline Windows image.
src/EventLogExpert.Eventing/PublisherMetadata/Offline/WimNativeApi.cs Production WIMGAPI wrapper (index list + apply/extract, elevation check).
src/EventLogExpert.Eventing/PublisherMetadata/Offline/WimImageList.cs Defines WIM image list model/status used for listing indices.
src/EventLogExpert.Eventing/PublisherMetadata/Offline/OfflineWimImage.cs Orchestrates extract-to-temp WIM handling and robust cleanup semantics.
src/EventLogExpert.Eventing/PublisherMetadata/Offline/OfflineWimExtractStatus.cs Extraction outcome enum for WIM extraction orchestration.
src/EventLogExpert.Eventing/PublisherMetadata/Offline/OfflineRegistryHive.cs Stages and loads offline hives, including dirty-hive recovery via RegLoadKey.
src/EventLogExpert.Eventing/PublisherMetadata/Offline/OfflinePublisherCatalog.cs Reads modern publisher registrations from offline SOFTWARE hive.
src/EventLogExpert.Eventing/PublisherMetadata/Offline/OfflineLegacyProviderBuilder.cs Builds pure-legacy providers from offline legacy message sources.
src/EventLogExpert.Eventing/PublisherMetadata/Offline/OfflineLegacyMessageFileResolver.cs Resolves legacy message/category/parameter files from offline SYSTEM hive.
src/EventLogExpert.Eventing/PublisherMetadata/Offline/OfflineImageProviderExtractor.cs Wires together hive load + catalog + legacy + wevt readers for offline extraction.
src/EventLogExpert.Eventing/PublisherMetadata/Offline/OfflineHiveNativeApi.cs Production native-registry seam implementation for offline hive loading/recovery.
src/EventLogExpert.Eventing/PublisherMetadata/Offline/OfflineHiveLoadStatus.cs Status enum for offline hive load outcomes.
src/EventLogExpert.Eventing/PublisherMetadata/Offline/IWimNativeApi.cs Test seam interface for WIM native operations.
src/EventLogExpert.Eventing/PublisherMetadata/Offline/IOfflineImageProviderExtractor.cs Test seam interface for offline provider extractor orchestration.
src/EventLogExpert.Eventing/PublisherMetadata/Offline/IOfflineHiveNativeApi.cs Test seam interface for registry hive native operations.
src/EventLogExpert.Eventing/PublisherMetadata/Offline/Containment/OfflineRootGuard.cs Guard to prevent any resolved file path from escaping the image root.
src/EventLogExpert.Eventing/PublisherMetadata/Offline/Containment/OfflineImageRoot.cs Resolves offline image layout and provides containment + reparse canonicalization.
src/EventLogExpert.Eventing/PublisherMetadata/Offline/Containment/OfflineImagePathResolver.cs Central map-then-guard seam for safe path resolution from offline hives.
src/EventLogExpert.Eventing/PublisherMetadata/Offline/Containment/OfflineImagePathMapper.cs Maps registry-stored paths/tokens onto the image root without host expansion.
src/EventLogExpert.Eventing/PublisherMetadata/Offline/BackupRestorePrivilegeScope.cs Enables/reverts SeBackup/SeRestore privileges around recovery load/unload.
src/EventLogExpert.Eventing/PublisherMetadata/ILegacyMessageFileResolver.cs Introduces abstraction for legacy message-file resolution (host vs offline).
src/EventLogExpert.Eventing/PublisherMetadata/HostOsProvenance.cs Removes old host-only provenance type in favor of unified SourceOsProvenance.
src/EventLogExpert.Eventing/Interop/Win32ErrorCodes.cs Expands Win32 error constants used by new offline/WIM flows.
src/EventLogExpert.Eventing/Interop/WimImageSafeHandle.cs SafeHandle wrapper for loaded WIM image handles.
src/EventLogExpert.Eventing/Interop/WimFileSafeHandle.cs SafeHandle wrapper for WIM file handles.
src/EventLogExpert.Eventing/Interop/NativeMethods.Wim.cs Adds WIMGAPI P/Invokes and constants.
src/EventLogExpert.Eventing/Interop/NativeMethods.Registry.cs Adds registry + token privilege P/Invokes and structs for recovery.
src/EventLogExpert.EventDbTool/Commands/CreateDatabaseCommand.cs Adds --offline-image, --image-kind, --wim-index CLI options and parsing.
src/EventLogExpert.DatabaseTools/CreateDatabase/OfflineImageKind.cs Adds offline-image kind enum (directory/wim/iso placeholder).
src/EventLogExpert.DatabaseTools/CreateDatabase/CreateDatabaseRequest.cs Extends request record with offline-image fields.
src/EventLogExpert.DatabaseTools/CreateDatabase/CreateDatabaseOperation.cs Wires offline mode selection/validation + WIM extraction into create operation.
src/EventLogExpert.DatabaseTools/Common/Operations/OperationBase.cs Adds async iterator wrapper for offline image provider streaming.


Comment thread src/EventLogExpert.DatabaseTools/CreateDatabase/CreateDatabaseOperation.cs Outdated

Copilot AI left a comment

Contributor


Pull request overview

Copilot reviewed 54 out of 54 changed files in this pull request and generated 2 comments.

Comment thread src/EventLogExpert.EventDbTool/Commands/CreateDatabaseCommand.cs

Copilot AI left a comment

Contributor


Pull request overview

Copilot reviewed 54 out of 54 changed files in this pull request and generated 2 comments.

Comment thread src/EventLogExpert.Eventing/PublisherMetadata/Offline/OfflineWimImage.cs Outdated

Copilot AI left a comment

Contributor


Pull request overview

Copilot reviewed 54 out of 54 changed files in this pull request and generated 1 comment.

Copilot AI left a comment

Contributor


Pull request overview

Copilot reviewed 54 out of 54 changed files in this pull request and generated 1 comment.

Comment thread src/EventLogExpert.Eventing/PublisherMetadata/Offline/OfflineRegistryHive.cs Outdated

Copilot AI left a comment

Contributor


Pull request overview

Copilot reviewed 54 out of 54 changed files in this pull request and generated 1 comment.

Copilot AI left a comment

Contributor


Pull request overview

Copilot reviewed 54 out of 54 changed files in this pull request and generated 1 comment.

Copilot AI left a comment

Contributor


Pull request overview

Copilot reviewed 54 out of 54 changed files in this pull request and generated no new comments.

@jschick04 jschick04 marked this pull request as ready for review June 29, 2026 03:50
@jschick04 jschick04 requested a review from a team as a code owner June 29, 2026 03:50
@jschick04 jschick04 merged commit fa49437 into jschick/offline-provider-extraction Jun 29, 2026
2 checks passed
@jschick04 jschick04 deleted the jschick/offline-image-extraction branch June 29, 2026 03:51