~3× faster JSON/XML rendering compared to 0.9.0, powered by the new IR + streaming renderers.
On samples/security.evtx (single-threaded): JSONL 45.4ms → 16.5ms (~2.76×), XML 33.2ms → 11.3ms (~2.95×).
WEVT_TEMPLATE support (optional wevt_templates feature): extract templates from provider binaries and use an offline cache as a fallback when EVTX embedded templates are missing/corrupt.
EVTX Web: a WebAssembly-powered viewer (see PR #252).
Breaking changes (API + behavior)
Removed the token-tree output API:
BinXmlOutput, XmlOutput, JsonOutput, and EvtxRecord::into_output(..) were removed.
Use EvtxRecord::into_xml(), EvtxRecord::into_json(), or EvtxRecord::into_json_value() instead.
If you need structured access, use the new IR types under evtx::model::ir.
EvtxRecord is now IR-based:
EvtxRecord::tokens (and evtx::model::{deserialized, raw, xml}) were removed/replaced.
Records now carry tree: evtx::model::ir::IrTree (plus binxml_offset/binxml_size).
EvtxRecordHeader::record_data_size() now returns Result<u32> and can error on corrupted data_size values.
EvtxChunk no longer exposes the old TemplateCache (template_table); chunk parsing/rendering is now driven by the IR + template instantiation cache.
Timestamps switched from chrono::DateTime<Utc> to jiff::Timestamp in EvtxRecord, EvtxRecordHeader, and SerializedEvtxRecord.
Error type changes (affects match statements):
EvtxError::FailedToParseChunk now carries Box<ChunkError>.
DeserializationError IO variants were renamed (UnexpectedIoError → IoWithContext, RemoveMe → Io) and new WEVT/IO truncation errors were added.
ChunkError::FailedToBuildTemplateCache was removed.
JSON indentation behavior changed:
ParserSettings::indent(..) is still used for XML, but JSON output is now always compact in the streaming renderer. If you need pretty JSON, reformat the returned value/string yourself.
Added
Streaming JSON renderer + new parsing architecture (PR #267).
New intermediate representation (IR) for BinXML (PR #278).