From e719501f6bbc47db91412deb8b5c48b42c822db4 Mon Sep 17 00:00:00 2001
From: Ohad Ravid
Date: Wed, 1 Mar 2017 19:38:21 +0200
Subject: [PATCH 1/3] Fix handling of empty strings in UTF16BytesToString.
---
 winlogbeat/sys/strings.go | 2 +-
 winlogbeat/sys/strings_test.go | 19 +++++++++++++++++++
 2 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/winlogbeat/sys/strings.go b/winlogbeat/sys/strings.go
index ce9d4db99f4..01009f00d7a 100644
--- a/winlogbeat/sys/strings.go
+++ b/winlogbeat/sys/strings.go
@@ -76,7 +76,7 @@ func UTF16BytesToString(b []byte) (string, int, error) {
 offset := -1
 // Find the null terminator if it exists and re-slice the b.
- if nullIndex := indexNullTerminator(b); nullIndex > 0 {
+ if nullIndex := indexNullTerminator(b); nullIndex > -1 {
 if len(b) > nullIndex+2 {
 offset = nullIndex + 2
 }
diff --git a/winlogbeat/sys/strings_test.go b/winlogbeat/sys/strings_test.go
index f7e3443e49d..969d91ba03c 100644
--- a/winlogbeat/sys/strings_test.go
+++ b/winlogbeat/sys/strings_test.go
@@ -54,6 +54,25 @@ func TestUTF16BytesToStringOffset(t *testing.T) {
 assert.Equal(t, -1, offset)
 }
+func TestUTF16BytesToStringOffsetWithEmptyString(t *testing.T) {
+ in := bytes.Join([][]byte{toUTF16Bytes(""), toUTF16Bytes("two"), }, []byte{0, 0})
+
+ output, offset, err := UTF16BytesToString(in)
+ if err != nil {
+ t.Fatal(err)
+ }
+ assert.Equal(t, "", output)
+ assert.Equal(t, 2, offset)
+
+ in = in[offset:]
+ output, offset, err = UTF16BytesToString(in)
+ if err != nil {
+ t.Fatal(err)
+ }
+ assert.Equal(t, "two", output)
+ assert.Equal(t, -1, offset)
+}
+
 func BenchmarkUTF16BytesToString(b *testing.B) {
 utf16Bytes := toUTF16Bytes("A logon was attempted using explicit credentials.")
From 98d202bd3905f06088e1b297c9c31c8c345b0ae9 Mon Sep 17 00:00:00 2001
From: Ohad Ravid
Date: Wed, 1 Mar 2017 21:10:12 +0200
Subject: [PATCH 2/3] Added CHANGELOG entry.
---
 CHANGELOG.asciidoc | 1 +
 1 file changed, 1 insertion(+)
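Review bot: The new guard `nullIndex > -1` depends on a "not found" sentinel that is defined outside this hunk, so it would read more plainly as `if nullIndex := indexNullTerminator(b); nullIndex >= 0 {`, with the comment above it extended to explain why 0 is accepted, e.g. `// Index 0 is valid: the buffer starts with an empty string.` With the old `> 0` test a buffer that began with a terminator skipped the re-slice entirely, so offset stayed -1 and the caller could not step to the string that follows; that affects how consecutive values are separated when event records are decoded. Both indexNullTerminator and the rest of UTF16BytesToString are outside the hunk, so the -1 contract is inferred from the comparison and is worth stating in the helper's doc comment.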
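Review bot: The added test only covers an empty string that is followed by more data; the boundary where the buffer ends right after the terminator is not exercised, and that is the case where `len(b) > nullIndex+2` is false and offset has to stay -1. A short extra case such as `out, off, err := UTF16BytesToString([]byte{0, 0})` followed by `assert.Equal(t, "", out)` and `assert.Equal(t, -1, off)` would pin it; the expected values are inferred from the guard in strings.go, since the rest of that function is outside this patch. Two consecutive empty strings (`[]byte{0, 0, 0, 0}`, expecting offset 2 on the first call and -1 on the second) would be a useful second case for the same reason.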
diff --git a/CHANGELOG.asciidoc b/CHANGELOG.asciidoc
index 8442d80c01d..cb056a98e67 100644
--- a/CHANGELOG.asciidoc
+++ b/CHANGELOG.asciidoc
@@ -60,6 +60,7 @@ https://github.com/elastic/beats/compare/v5.1.1...master[Check the HEAD diff]
 *Winlogbeat*
+- Fix handling of empty strings in event_data. {pull}3705[3705]
 ==== Added
From 27ae6bad7084bced1de3f430781120e81c857819 Mon Sep 17 00:00:00 2001
From: Ohad Ravid
Date: Thu, 2 Mar 2017 09:18:22 +0200
Subject: [PATCH 3/3] Run go fmt on tests
---
 winlogbeat/sys/strings_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/winlogbeat/sys/strings_test.go b/winlogbeat/sys/strings_test.go
index 969d91ba03c..145c0e6660e 100644
--- a/winlogbeat/sys/strings_test.go
+++ b/winlogbeat/sys/strings_test.go
@@ -55,7 +55,7 @@ func TestUTF16BytesToStringOffset(t *testing.T) {
 }
 func TestUTF16BytesToStringOffsetWithEmptyString(t *testing.T) {
- in := bytes.Join([][]byte{toUTF16Bytes(""), toUTF16Bytes("two"), }, []byte{0, 0})
+ in := bytes.Join([][]byte{toUTF16Bytes(""), toUTF16Bytes("two")}, []byte{0, 0})
 output, offset, err := UTF16BytesToString(in)
 if err != nil {