Frank Block

Results 11 comments of Frank Block

Hi, just changed the files accordingly but recognized afterwards that, at least for me with `es-dsl`, escaping the `New Value` whitespace in `New_Value: winlog.event_data.New\ Value` doesn't work. So I would...

Or maybe putting the value in quotes (if in some cases the white space is a problem for some yaml parsers): `New_Value: 'winlog.event_data.New Value'` ?

hm, so is there a quick fix for the `es-dsl` backend, or is the solution to start with a `winlogbeat-esl.yml` with a higher order number?

Hi, DSL had no problems with unescaped spaces. So using any of the following mappings produces the expected results for the rule `windows/builtin/windefend/win_defender_exclusions.yml` with the `es-dsl` backend, and the mappings...

Hi, yes you are right, with this fix you would do the test for the valid bit twice, and no, your suggested change won't work, because you are checking the...

I think [here](https://github.com/volatilityfoundation/volatility3/blob/44d8c0d93139f37f0b0725d72942f0703a7e4dc8/volatility3/framework/layers/intel.py#L343) a line is missing, similar to [this one](https://github.com/volatilityfoundation/volatility3/blob/44d8c0d93139f37f0b0725d72942f0703a7e4dc8/volatility3/framework/layers/intel.py#L172)

The `unknown_bit` should probably be removed. It is part of the protection field, so checking for it means you only handle pages with a certain protection: https://github.com/volatilityfoundation/volatility3/blob/44d8c0d93139f37f0b0725d72942f0703a7e4dc8/volatility3/framework/layers/intel.py#L324 https://github.com/volatilityfoundation/volatility3/blob/44d8c0d93139f37f0b0725d72942f0703a7e4dc8/volatility3/framework/layers/intel.py#L347

Furthermore, I think there is a bug in the translation process. With a previous version of vol3 I get this for a swapped page:

```
proc_layer.translate(0x26eb0dde000)
(48635904, 'swap_layers0')
```

using...

Forgot to add this: I recognized that Windows changed the `_MMPTE_SOFTWARE` struct (amongst others) during the last Windows versions, leading at least to an incorrect parsing of the pagefile index...

Hi, thanks for the efforts @paulkermann, but it doesn't quite solve the problems. To reproduce the following commands, you can use this dump: https://fx.ernw.de/portal-seefx/~public/YzMxMzkxZDAtY2I0My00M2Q5LWIzZjMtNGIwYTcyNjIwMTgz?download When trying e.g., to resolve a...