How to print the process ID from the event log

I am trying to get the process ID from Get-EventLog. I cannot parse the process ID out of the message. How do I get it from there? I tried "Select-String pattern" but it did not work. My PowerShell code:

```powershell
$directory = 'E:\BpLnfgDsc2.txt'
# Escape the path so its backslashes are not treated as regex escapes
$message = Get-EventLog -LogName Security -InstanceId 4663 -Newest 1 |
    Where-Object { $_.Message -match "Object Name:\s*$([regex]::Escape($directory))" } |
    ForEach-Object { $_.Message }
```

This is my output:

```text
PS C:\WINDOWS\system32> $message
An attempt was made to access an object.
Subject:
Security ID:            Some-id
Account Name:           tester
Account Domain:         DESKTOP
Logon ID:               Some-Id
Object:
Object Server:          Security
Object Type:            File
Object Name:            E:\BpLnfgDsc2.txt
Handle ID:              Some-Id
Resource Attributes:    S:AI
Process Information:
Process ID:             0xd34
Process Name:           C:\Windows\explorer.exe
Access Request Information:
Accesses:               %%4423
Access Mask:            0x80
```

My expected output:

```text
0xd34
```

You can extend the regex match pattern further to capture the process ID and output it using the automatic variable $matches.

For clarity I chose a named capture group; you could also just use the capture group's number. I also added (?s) at the start of the pattern so that the multi-line message string is treated as a single line.

```powershell
$message = Get-EventLog -LogName Security -InstanceId 4663 -Newest 1 |
    Where-Object { $_.Message -match "(?s)Object Name:\s*$([regex]::Escape($directory)).+Process ID:\s+(?<ProcessID>\S+)" } |
    ForEach-Object { $matches.ProcessID }
```
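The same idea carried a step further, as an added example that is not part of the question or the answer: a function that pulls several "Label: value" fields out of a 4663 message in one pass (instead of one pattern for one field) and converts the hex Process ID to the decimal form that Get-Process expects. The function name and the sample message are constructed for this example.

```powershell
# Added example (not from the original question or answer): parse the
# fields of a Security event 4663 message with one regex and return them
# as an object. The sample message below is constructed.
function ConvertFrom-Event4663Message {
    param([Parameter(Mandatory)][string]$Message)

    # Each field sits on its own "Label: value" line; (?m) makes ^ and $
    # match per line, so one pattern collects every field of interest.
    $pattern = '(?m)^\s*(?<Label>Account Name|Object Name|Process ID|Process Name|Access Mask):\s*(?<Value>.+?)\s*$'
    $fields = @{}
    foreach ($m in [regex]::Matches($Message, $pattern)) {
        $fields[$m.Groups['Label'].Value] = $m.Groups['Value'].Value
    }

    [pscustomobject]@{
        AccountName  = $fields['Account Name']
        ObjectName   = $fields['Object Name']
        ProcessIdHex = $fields['Process ID']
        # The message shows the PID in hex (0xd34); Convert.ToInt32 with
        # base 16 accepts the 0x prefix and yields 3380 for this sample.
        ProcessId    = if ($fields['Process ID']) { [Convert]::ToInt32($fields['Process ID'], 16) } else { $null }
        ProcessName  = $fields['Process Name']
        AccessMask   = $fields['Access Mask']
    }
}

# Constructed sample modelled on the message shown in the question.
$sample = @"
An attempt was made to access an object.
Subject:
Security ID:            S-1-5-21-0-0-0-1001
Account Name:           tester
Object:
Object Name:            E:\BpLnfgDsc2.txt
Process Information:
Process ID:             0xd34
Process Name:           C:\Windows\explorer.exe
Access Request Information:
Access Mask:            0x80
"@

$parsed = ConvertFrom-Event4663Message -Message $sample
$parsed   # ProcessIdHex 0xd34, ProcessId 3380, ProcessName C:\Windows\explorer.exe

# Against the live Security log (elevated prompt), narrowed to one path:
# Get-EventLog -LogName Security -InstanceId 4663 -Newest 50 |
#     ForEach-Object { ConvertFrom-Event4663Message $_.Message } |
#     Where-Object ObjectName -eq 'E:\BpLnfgDsc2.txt' |
#     Select-Object ObjectName, ProcessId, ProcessName
```

Windows reuses process IDs, so when you look the decimal PID up with Get-Process, check that the process start time precedes the event's TimeGenerated before trusting the match.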
