File.hash.sha256 encoded as UTF‑16LE

dynamicint · September 24, 2025, 10:47am

The following field:
file.hash.sha256

Which is (now) the same as:
winlog.user_data.FileHash

Has an encoding problem in Elastic 9.1.4. It's encoded with UTF‑16LE, which means that the first bytes with the proper sha256 length is the correct 32 characters, but some metadata is also encoded:

file.hash.sha256:
E2D3CCE4F637F53F0267D049E3B3246AF53B043B1F9517B2DD53F8B85FF0693F4F003D004D004F005A0049004C004C004100200043004F00520050004F0052004100540049004F004E002C0020004C003D004D004F0055004E005400410049004E00200056004900450057002C00200053003D00430041004C00490046004F0052004E00490041002C00200043003D00550053005C005C005C0030002E0030002E0030002E003000300000005200500043003A005C00570049004E0044004F00570053005C00540065006D0070005C006E007300640042003000340043002E0074006D0070005C00530079007300740065006D002E0064006C006C0000002A00

Decoded from UTF‑16LE we get:
E2D3CCE4F637F53F0267D049E3B3246AF53B043B1F9517B2DD53F8B85FF0693F4F = M O Z I L L A CORRPORTATION, L=MOUNT AIN VIEW, S=CALIFORNIA, C=US\0.0.0.00 R:PC:\WINDOWS\Temp\nsdB04C.tmp\System.dll*

Why is this the case, is it intended, or a bug?

Topic		Replies	Views
Content encoding issues Elasticsearch	4	1311	July 6, 2017
Issues with encoding Beats	29	3706	July 5, 2017
What kind of encoding does the ES support? Elasticsearch	4	20577	July 6, 2017
Data sent by Filebeat looks garbled Beats filebeat	10	5504	July 5, 2017
"Incompatible encoding" when using Logstash to ship JSON files to Elasticsearch Elasticsearch	6	1004	July 6, 2017

File.hash.sha256 encoded as UTF‑16LE

Related topics