Event Log XML Query with Special Characters

  • Question

  • I'm looking for help on searching Windows PowerShell logs (PowerShell:800) with specific filter-out conditions. I'm having issues because this event code doesn't contain field names for the EventData section, along with single and double quotes in the strings that I'm searching for.

    Here are a few known sample commands: 

    echo hi
    icm {echo 'hello single'}
    icm {echo "hello double"}
    $CustomDate = Get-Date -format "yyyyMMdd"


    I'm able to find all samples with the following query: 

    <QueryList>
      <Query Id="0" Path="Windows PowerShell">
        <Select Path="Windows PowerShell">(*[System[(EventID=800)]]) and (*[EventData[(Data = 'echo hi')]])</Select>
        <Select Path="Windows PowerShell">(*[System[(EventID=800)]]) and (*[EventData[(Data = "icm {echo 'hi'}")]])</Select>
        <Select Path="Windows PowerShell">(*[System[(EventID=800)]]) and (*[EventData[(Data = 'icm {echo "hi"}')]])</Select>
        <Select Path="Windows PowerShell">(*[System[(EventID=800)]]) and (*[EventData[(Data = '$CustomDate = Get-Date -format "yyyyMMdd"')]])</Select>
      </Query>
    </QueryList>

    The issue I'm having is that the last sample, when run in a script file, tends to have padding in the front and a new line at the end of the command when viewed in the event logs. I converted these characters to hex but still can't seem to find results when the log contains a new line in one of the data fields. Sample search with trailing new line:

    <Select Path="Windows PowerShell">(*[System[(EventID=800)]]) and (*[EventData[(Data = '    $CustomDate = Get-Date -Format "yyyyMMdd"&#10;')]])</Select>

    I've found a few articles about this new line issue, but none of my tests have been able to find the data so far, so I thought I'd reach out and see if anyone would be able to help. I'm unsure if this event code PowerShell:800 has some specific issues where searching data is near impossible.

    Thanks,

    • Moved by Bill_Stewart Friday, January 26, 2018 3:13 PM Unanswerable drive-by question
    Tuesday, December 5, 2017 4:04 PM
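As an added example (not part of the original question or any reply), the following PowerShell script shows one way to handle both problems the question raises: quote characters inside the search string, and the leading padding and trailing line break the logged Data field may carry. The function names (New-XPathStringLiteral, New-Event800FilterXml, Find-PowerShell800Command) are assumptions for this example, not built-in cmdlets. The script first tries an exact XPath match through Get-WinEvent -FilterXml, picking whichever quote character the command text does not contain as the XPath delimiter and XML-escaping the result; because an XPath equality comparison is exact, a bare `&#10;` in the query will only match a stored value that ends in a lone LF, so when the exact query finds nothing the script falls back to pulling event 800 records and comparing whitespace-normalized text in PowerShell, which tolerates indentation, CR and LF alike. The event-log XPath subset is limited, so the example deliberately does not rely on XPath string functions.

```powershell
# Added example: exact XPath match for PowerShell event 800, with a client-side fallback
# that tolerates the leading padding and trailing newline the stored Data field may carry.
# Function names are assumptions for this example, not Windows or PowerShell built-ins.

function New-XPathStringLiteral {
    # Wrap $Text as an XPath string literal using whichever quote it does not contain.
    # Returns $null when both quote kinds are present; the event-log XPath subset offers
    # no reliable escape for that case, so the caller must match client-side instead.
    param([Parameter(Mandatory)][string]$Text)
    if ($Text -notmatch "'") { return "'" + $Text + "'" }
    if ($Text -notmatch '"') { return '"' + $Text + '"' }
    return $null
}

function New-Event800FilterXml {
    # Build the <QueryList> document for Get-WinEvent -FilterXml. The XPath lives inside an
    # XML element, so XML metacharacters (&, <, >) in the command text must be escaped.
    param([Parameter(Mandatory)][string]$CommandText)
    $literal = New-XPathStringLiteral -Text $CommandText
    if ($null -eq $literal) { return $null }
    $xpath   = "*[System[(EventID=800)]] and *[EventData[(Data = $literal)]]"
    $escaped = [System.Security.SecurityElement]::Escape($xpath)
    return @"
<QueryList>
  <Query Id="0" Path="Windows PowerShell">
    <Select Path="Windows PowerShell">$escaped</Select>
  </Query>
</QueryList>
"@
}

function Find-PowerShell800Command {
    # Return event 800 records whose logged command equals $CommandText.
    param(
        [Parameter(Mandatory)][string]$CommandText,
        [int]$MaxEvents = 1000
    )

    # Step 1: exact match evaluated by the event log service (cheap when it works).
    $filterXml = New-Event800FilterXml -CommandText $CommandText
    if ($filterXml) {
        $hits = Get-WinEvent -FilterXml ([xml]$filterXml) -ErrorAction SilentlyContinue
        if ($hits) { return $hits }
    }

    # Step 2: fall back to a normalized comparison in PowerShell. The pattern matches the
    # command on its own line, ignoring surrounding whitespace (indentation, CR, LF).
    $pattern = '(?m)^\s*' + [regex]::Escape($CommandText.Trim()) + '\s*$'
    Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 800 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object {
            $matching = @($_.Properties | Where-Object { ($_.Value -as [string]) -match $pattern })
            $matching.Count -gt 0
        }
}

# Usage: the last sample from the question, which carries padding and a newline in the log.
Find-PowerShell800Command -CommandText '$CustomDate = Get-Date -format "yyyyMMdd"' |
    Select-Object TimeCreated, Id, Message
```

Get-WinEvent raises a non-terminating error rather than returning nothing when no events match, which is why both calls use -ErrorAction SilentlyContinue. The fallback reads at most -MaxEvents records; raise it, or narrow the log with a StartTime entry in the hashtable, when hunting through a long retention window.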
