0

Im trying to get process id from my Get-Eventlog. I can not parse the process id from the message. How ı can get it from there ? I tried With Select string -Pattern but it did not worked. My powershell code :

$directory = E:\BpLnfgDsc2.txt
$message = Get-EventLog -log Security -InstanceId 4663 -Newest 1 | Where {$_.message -match "Object Name:\s*$directory"}  | foreach {$_.Message}

And here is my output:

PS C:\WINDOWS\system32> $message
An attempt was made to access an object.

Subject:
        Security ID:            Some-id
        Account Name:           tester
        Account Domain:         DESKTOP
        Logon ID:               Some-Id

Object:
        Object Server:          Security
        Object Type:            File
        Object Name:            E:\BpLnfgDsc2.txt
        Handle ID:              Some-Id
        Resource Attributes:    S:AI

Process Information:
        Process ID:             0xd34
        Process Name:           C:\Windows\explorer.exe

Access Request Information:
        Accesses:               %%4423

        Access Mask:            0x80

My expected output:

0xd34

Improve this question

1 Answer 1

Reset to default
1

You can extend your regex matching pattern a bit more to also capture the process ID and output it with the automatically populated variable $matches.

I've chosen a capture group name for clarity, you could also just use number captured groups. I also added (?s) at the beginning of the pattern to treat the multiline message string as a single line

$message = Get-EventLog -log Security -InstanceId 4663 -Newest 1 |
    Where-Object {$_.message -match "(?s)Object Name:\s*$directory.+Process ID:\s+(?<ProcessID>\S+)"}  |
        ForEach-Object {$matches.ProcessID}
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.