如何在事件日志中打印进程 ıd?
[英]How to print process ıd in event log?
问题描述
Im trying to get process id from my Get-Eventlog.
我试图从我的 Get-Eventlog 中获取进程 ID。 I can not parse the process id from the message.我无法从消息中解析进程 ID。 How ı can get it from there?我怎么能从那里得到它? I tried With Select string -Pattern but it did not worked.我尝试使用 Select string -Pattern 但没有奏效。 My powershell code:我的 powershell 代码:
$directory = E:\BpLnfgDsc2.txt
$message = Get-EventLog -log Security -InstanceId 4663 -Newest 1 | Where {$_.message -match "Object Name:\s*$directory"} | foreach {$_.Message}
And here is my output:这是我的 output:
PS C:\WINDOWS\system32> $message
An attempt was made to access an object.
Subject:
Security ID: Some-id
Account Name: tester
Account Domain: DESKTOP
Logon ID: Some-Id
Object:
Object Server: Security
Object Type: File
Object Name: E:\BpLnfgDsc2.txt
Handle ID: Some-Id
Resource Attributes: S:AI
Process Information:
Process ID: 0xd34
Process Name: C:\Windows\explorer.exe
Access Request Information:
Accesses: %%4423
Access Mask: 0x80
My expected output:我预期的 output:
0xd34 0xd34
1 个解决方案
解决方案1
0 2022-08-06 14:36:49
You can extend your regex matching pattern a bit more to also capture the process ID and output it with the automatically populated variable $matches .您可以进一步扩展您的正则表达式匹配模式,以使用自动填充的变量$matches捕获进程 ID 和 output 它。
I've chosen a capture group name for clarity, you could also just use number captured groups.为了清楚起见,我选择了一个捕获组名称,您也可以只使用数字捕获组。 I also added (?s) at the beginning of the pattern to treat the multiline message string as a single line我还在模式的开头添加了(?s)以将多行消息字符串视为单行
$message = Get-EventLog -log Security -InstanceId 4663 -Newest 1 |
Where-Object {$_.message -match "(?s)Object Name:\s*$directory.+Process ID:\s+(?<ProcessID>\S+)"} |
ForEach-Object {$matches.ProcessID}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.