# officehours

verntx

11/26/2019, 7:04 PM
The windows_events table 'data' column should represent the unmodified source XML, but it is coerced to JSON (with some loss) to conform w/ the output format. I am wondering if it would make sense to have a config flag that relates to the preferred format of any blob type returned by a table -- json/base64/... base64 being the lossless choice. This would lend itself to a design where these conversions can be standardized and pulled out into a reusable utility where the flag controls how blobs are encoded. Not sure of Nicholas' username to tag here.

seph

11/26/2019, 7:44 PM