Im trying to get process id from my Get-Eventlog. I can not parse the process id from the message. How ı can get it from there ? I tried With Select string -Pattern but it did not worked. My powershell code :

$directory = E:\BpLnfgDsc2.txt
$message = Get-EventLog -log Security -InstanceId 4663 -Newest 1 | Where {$_.message -match "Object Name:\s*$directory"}  | foreach {$_.Message}

And here is my output:

PS C:\WINDOWS\system32> $message
An attempt was made to access an object.

Subject:
        Security ID:            Some-id
        Account Name:           tester
        Account Domain:         DESKTOP
        Logon ID:               Some-Id

Object:
        Object Server:          Security
        Object Type:            File
        Object Name:            E:\BpLnfgDsc2.txt
        Handle ID:              Some-Id
        Resource Attributes:    S:AI

Process Information:
        Process ID:             0xd34
        Process Name:           C:\Windows\explorer.exe

Access Request Information:
        Accesses:               %D23

        Access Mask:            0x80

My expected output:

0xd34

CodePudding user response：

You can extend your regex matching pattern a bit more to also capture the process ID and output it with the automatically populated variable $matches.

I've chosen a capture group name for clarity, you could also just use number captured groups. I also added (?s) at the beginning of the pattern to treat the multiline message string as a single line

$message = Get-EventLog -log Security -InstanceId 4663 -Newest 1 |
    Where-Object {$_.message -match "(?s)Object Name:\s*$directory. Process ID:\s (?<ProcessID>\S )"}  |
        ForEach-Object {$matches.ProcessID}