I'm trying to get the process ID from my Get-EventLog output. I cannot parse the process ID from the message. How can I get it from there? I tried with Select-String -Pattern but it did not work. My PowerShell code:
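# Quote the path and regex-escape it: it is interpolated into a -match pattern below
$directory = [regex]::Escape('E:\BpLnfgDsc2.txt')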
$message = Get-EventLog -log Security -InstanceId 4663 -Newest 1 | Where {$_.message -match "Object Name:\s*$directory"} | foreach {$_.Message}
And here is my output:
PS C:\WINDOWS\system32> $message
An attempt was made to access an object.
Subject:
Security ID: Some-id
Account Name: tester
Account Domain: DESKTOP
Logon ID: Some-Id
Object:
Object Server: Security
Object Type: File
Object Name: E:\BpLnfgDsc2.txt
Handle ID: Some-Id
Resource Attributes: S:AI
Process Information:
Process ID: 0xd34
Process Name: C:\Windows\explorer.exe
Access Request Information:
Accesses: %%4423
Access Mask: 0x80
My expected output:
0xd34
You can extend your regex matching pattern a bit more to also capture the process ID and output it with the automatically populated variable $matches.
I've chosen a capture group name for clarity; you could also just use numbered capture groups. I also added (?s) at the beginning of the pattern to treat the multiline message string as a single line:
$message = Get-EventLog -log Security -InstanceId 4663 -Newest 1 |
Where-Object {$_.message -match "(?s)Object Name:\s*$directory.+Process ID:\s+(?<ProcessID>\S+)"} |
ForEach-Object {$matches.ProcessID}
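An alternative that avoids parsing the localized message text, as an added example that is not part of the original answer: event 4663 carries the same values as named fields in its XML EventData, so they can be read by name and the hex process ID converted to decimal. The XML below is a constructed sample built from the values shown in the question, and the function names are hypothetical.

```powershell
# Constructed sample of a 4663 event's XML, using the values from the question.
# On a live system the same XML comes from:
#   (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4663} -MaxEvents 1).ToXml()
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4663</EventID></System>
  <EventData>
    <Data Name="SubjectUserName">tester</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="ObjectName">E:\BpLnfgDsc2.txt</Data>
    <Data Name="ProcessId">0xd34</Data>
    <Data Name="ProcessName">C:\Windows\explorer.exe</Data>
    <Data Name="AccessMask">0x80</Data>
  </EventData>
</Event>
'@

# Hypothetical helper: turn the <Data Name="..."> elements into a hashtable.
function ConvertFrom-EventDataXml {
    param([Parameter(Mandatory)][string]$EventXml)
    $fields = @{}
    foreach ($node in ([xml]$EventXml).Event.EventData.Data) {
        $fields[$node.GetAttribute('Name')] = $node.InnerText
    }
    $fields
}

# Hypothetical helper: report which process touched a given file.
function Get-FileAccessProcess {
    param([Parameter(Mandatory)][string[]]$EventXml,
          [Parameter(Mandatory)][string]$Path)
    foreach ($xml in $EventXml) {
        $f = ConvertFrom-EventDataXml -EventXml $xml
        # Plain string comparison (case-insensitive), so the path needs no regex escaping
        if ($f.ObjectName -ne $Path) { continue }
        [pscustomobject]@{
            ObjectName   = $f.ObjectName
            Account      = $f.SubjectUserName
            ProcessName  = $f.ProcessName
            ProcessIdHex = $f.ProcessId
            # Event 4663 logs the PID in hex; convert it to match Get-Process / Task Manager
            ProcessId    = [Convert]::ToInt32($f.ProcessId, 16)
        }
    }
}

Get-FileAccessProcess -EventXml $sampleXml -Path 'E:\BpLnfgDsc2.txt'
```

The decimal ProcessId can be compared directly with Get-Process output or with process-creation events when tracing which process opened the audited file.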