Clean up Process Created windows events

Windows event log messages span several lines, which makes them awkward to grep. I was interested in process creation events (Security event ID 4688), so I wrote a short PowerShell script to clean up the mess and put each event on a single, greppable line. Two prerequisites: reading the Security log needs an elevated shell, and 4688 only carries the command line when the "Include command line in process creation events" audit policy (Administrative Templates > System > Audit Process Creation) is enabled; it is off by default, and without it the Process Command Line field is empty.

# Ask the log for 4688 only; filtering in Get-WinEvent is much faster than
# streaming the whole Security log through Where-Object
$x = Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688} | ConvertTo-Csv -NoTypeInformation
# Swap real CRLFs for a placeholder so '.' in the regexes below can span what used to be line breaks
$x = $x.Replace("`r`n", '\r\n')
# Drop the boilerplate ahead of the command line and the Token Elevation Type explanation
$x = $x -replace 'A new process has been created.*?Process Command Line', 'Process Command Line'
$x = $x -replace 'Token Elevation Type.*?choose to start the program using Run as administrator\.', ''
# Put the CRLFs back and write the file (UTF-8 rather than ASCII, so non-ASCII characters in command lines are not turned into '?')
$x = $x.Replace('\r\n', "`r`n")
$x | Out-File -Encoding utf8 outfile.csv

I use non-greedy matching here (the .*?), and because `.` in a .NET regular expression does not match a newline by default, I replace the CRLFs with a placeholder before matching and put them back when I am done. Not the most elegant solution, but it works well enough. The same effect can be had without the round-trip by prefixing each pattern with the singleline modifier `(?s)`, which makes `.` match newlines too. Two caveats: the patterns match the English message text, so they need adjusting on a system with a different UI language, and the script only scrubs the rendered message rather than reading the event's named fields.
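The more robust way to get one line per event is to skip the rendered message entirely and read the named fields from the event XML, which are the same in every UI language and never contain the boilerplate. The function below is an added example, not code from the original post. It assumes the standard EventData field names for Security event 4688 (SubjectUserName, NewProcessName, CommandLine, ParentProcessName, TokenElevationType); the sample event, host name, user and command line are constructed for the demo and are not a real capture.

```powershell
# Added example: one tab-separated, greppable line per 4688 event, built from
# the event's XML fields rather than by regex-scrubbing the rendered message.

function ConvertTo-ProcessCreationLine {
    <#
    .SYNOPSIS
      Turn one 4688 event (as the XML string returned by $event.ToXml()) into a single line.
    #>
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$EventXml
    )
    process {
        $doc = [xml]$EventXml

        # EventID is a plain element for manifest-based providers, but an element
        # with attributes (and therefore an XmlElement) for some classic ones.
        $id = $doc.Event.System.EventID
        if ($id -is [System.Xml.XmlElement]) { $id = $id.'#text' }
        if ([int]$id -ne 4688) { return }

        # EventData is a list of <Data Name="..."> elements; index them by Name.
        $fields = @{}
        foreach ($d in $doc.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }

        # %%1936/%%1937/%%1938 are the message-file parameters the Security log
        # renders as Token Elevation Type 1, 2 and 3 (default, full/admin, limited).
        $elev = @{ '%%1936' = 'Type1-Default'; '%%1937' = 'Type2-Full'; '%%1938' = 'Type3-Limited' }
        $rawElev = [string]$fields['TokenElevationType']
        $tokenType = if ($elev.ContainsKey($rawElev)) { $elev[$rawElev] } else { $rawElev }

        # A command line can itself contain CR/LF; flatten it so the line stays greppable.
        $cmd = [string]$fields['CommandLine'] -replace '[\r\n]+', ' '

        @(
            $doc.Event.System.TimeCreated.SystemTime,
            $doc.Event.System.Computer,
            "$($fields['SubjectDomainName'])\$($fields['SubjectUserName'])",
            $fields['ParentProcessName'],
            $fields['NewProcessName'],
            $tokenType,
            $cmd
        ) -join "`t"
    }
}

# Constructed sample event shaped like the output of $event.ToXml(); not a real capture.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4688</EventID>
    <TimeCreated SystemTime="2024-03-01T10:15:30.123456700Z" />
    <Computer>WS01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1-2-3-1001</Data>
    <Data Name="SubjectUserName">alice</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="NewProcessId">0x1a2c</Data>
    <Data Name="NewProcessName">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name="TokenElevationType">%%1937</Data>
    <Data Name="ProcessId">0x0f10</Data>
    <Data Name="CommandLine">powershell.exe -nop -w hidden -enc SQBFAFgA</Data>
    <Data Name="ParentProcessName">C:\Windows\System32\cmd.exe</Data>
  </EventData>
</Event>
'@

# Offline demo on the constructed event
ConvertTo-ProcessCreationLine -EventXml $sample

# Live use (elevated shell required to read the Security log):
# Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688} |
#     ForEach-Object { $_.ToXml() } | ConvertTo-ProcessCreationLine |
#     Out-File -Encoding utf8 outfile.tsv
```

Because the output is built from fields rather than from the message, it does not depend on the English strings "A new process has been created" or "Token Elevation Type", and the parent process and elevation type survive as their own columns, which is exactly what you want when grepping for, say, every elevated process spawned by cmd.exe.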

This entry was posted in Powershell.