Clean up Process Created windows events

Windows event log events carry their message text with embedded newlines, which makes them difficult to parse. I was interested in process creation events (event ID 4688), so I wrote a short PowerShell script to clean up the mess and let me view each event on a single, greppable line:

# Pull the Security log, keep only 4688 (A new process has been created), one CSV record per event
$x = Get-WinEvent -LogName Security | Where-Object { $_.Id -eq 4688 } | ConvertTo-Csv
# Stand in for the CRLFs so the non-greedy .*? below can span what were separate lines
$x = $x -replace "`r`n", "<CRLF>"
$x = $x -replace "A new process has been created.*?Process Command Line", "Process Command Line"
$x = $x -replace "Token Elevation Type.*?choose to start the program using Run as administrator\.", ""
# Put the CRLFs back and write the result out
$x = $x -replace "<CRLF>", "`r`n"
$x | Out-File -Encoding ascii outfile.csv

I use some non-greedy regex matching here (the .*?), and for that to work across carriage returns and line feeds I replace the CRLFs with a placeholder and then put them back when I am done. Not the most elegant solution, but it seems to work well enough. Ideally I could just match across lines directly, but that does not seem to work.
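A structured alternative to regex-cleaning the rendered Message text, added here as an example and not part of the original post: read the EventData fields from each event's XML and emit one flat record per event, so nothing depends on the wording or line breaks of the message template. The field names are those of the 4688 EventData schema; the function name and its parameters are assumptions of this example.

```powershell
# Added example, not the original post's script: one flat, greppable line per 4688 event,
# built from the event's structured EventData fields rather than its rendered Message text.
function Get-ProcessCreationRecords {
    param(
        [string]$LogName = 'Security',
        [int]$MaxEvents = 500
    )
    # Filter on the event ID inside Get-WinEvent instead of Where-Object over the whole log
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 4688 } -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            # Map each <Data Name="..."> element of EventData to a name/value pair
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                TimeCreated       = $_.TimeCreated.ToString('o')
                SubjectUser       = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                NewProcessName    = $data['NewProcessName']
                # ParentProcessName is only present on Windows 10 / Server 2016 and later
                ParentProcessName = $data['ParentProcessName']
                TokenElevation    = $data['TokenElevationType']
                # CommandLine is empty unless "Include command line in process creation events" is enabled;
                # flatten any line breaks or tabs so the record stays on one line
                CommandLine       = ($data['CommandLine'] -replace '[\r\n\t]+', ' ')
            }
        }
}

# One CSV row per event; no #TYPE header line, ASCII for grep-friendliness
Get-ProcessCreationRecords | Export-Csv -NoTypeInformation -Encoding ascii outfile.csv
```

Because the values come from EventData rather than the localized Message string, the same script works regardless of the system language or any future rewording of the 4688 template.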

This entry was posted in Powershell.
