psobject format output

micha_anto · November 14, 2017, 6:28am

Hello all,
I’m writing a function to retrieve from a series of events (eventID 153) binary data in XML view.
My issue is with the output, which seems to be stored in hashtable.

Function Get-StorPortXMLEvents {
    #Local path to evtx file.
    $GenEvtPath = 'C:\tmp\diskErrors.evtx'

    #Setting to xml
    $EventData = ([xml[]](Get-WinEvent -FilterHashtable @{Path = $GenEvtPath} -MaxEvents 5).toxml())

    #Enumerating objects with foreach
    foreach ($diskEvt in $EventData) {
    
	#Which info I want to pull
        $EvtProperties = @{
            Data        = $EventData.event.eventdata.data
            Binary      = $EventData.event.eventdata.binary
            TimeCreated = $EventData.event.system.timecreated.systemtime
        }
        #Creating my object
	$MyObj = New-Object -TypeName psobject -Property $EvtProperties
        Write-Output $MyObj
        
    }
}

The output:

[13:19 PM C:\]>  Get-StorPortXMLEvents | fl


TimeCreated : {2017-11-02T13:30:54.386394300Z, 2017-11-02T13:30:51.872859400Z, 2017-11-02T13:30:51.575979800Z,
              2017-10-27T05:49:39.077479800Z...}
Data        : {\Device\Harddisk3\DR3, 0x890f1a8, 3, \Device\MPIODisk0...}
Binary      : {0F01040004002C00000000009900048000000000000000000000000000000000000000000000000000000928,
              0F01040004002C0000000000990004800000000000000000000000000000000000000000000000000000092A,
              0F01040004002C00000000009900048000000000000000000000000000000000000000000000000000000988,
              0F01040004002C00000000009900048000000000000000000000000000000000000000000000000000000928...}

TimeCreated : {2017-11-02T13:30:54.386394300Z, 2017-11-02T13:30:51.872859400Z, 2017-11-02T13:30:51.575979800Z,
              2017-10-27T05:49:39.077479800Z...}
Data        : {\Device\Harddisk3\DR3, 0x890f1a8, 3, \Device\MPIODisk0...}
Binary      : {0F01040004002C00000000009900048000000000000000000000000000000000000000000000000000000928,
              0F01040004002C0000000000990004800000000000000000000000000000000000000000000000000000092A,
              0F01040004002C00000000009900048000000000000000000000000000000000000000000000000000000988,
              0F01040004002C00000000009900048000000000000000000000000000000000000000000000000000000928...}

TimeCreated : {2017-11-02T13:30:54.386394300Z, 2017-11-02T13:30:51.872859400Z, 2017-11-02T13:30:51.575979800Z,
              2017-10-27T05:49:39.077479800Z...}
Data        : {\Device\Harddisk3\DR3, 0x890f1a8, 3, \Device\MPIODisk0...}
Binary      : {0F01040004002C00000000009900048000000000000000000000000000000000000000000000000000000928,
              0F01040004002C0000000000990004800000000000000000000000000000000000000000000000000000092A,
              0F01040004002C00000000009900048000000000000000000000000000000000000000000000000000000988,
              0F01040004002C00000000009900048000000000000000000000000000000000000000000000000000000928...}

TimeCreated : {2017-11-02T13:30:54.386394300Z, 2017-11-02T13:30:51.872859400Z, 2017-11-02T13:30:51.575979800Z,
              2017-10-27T05:49:39.077479800Z...}
Data        : {\Device\Harddisk3\DR3, 0x890f1a8, 3, \Device\MPIODisk0...}
Binary      : {0F01040004002C00000000009900048000000000000000000000000000000000000000000000000000000928,
              0F01040004002C0000000000990004800000000000000000000000000000000000000000000000000000092A,
              0F01040004002C00000000009900048000000000000000000000000000000000000000000000000000000988,
              0F01040004002C00000000009900048000000000000000000000000000000000000000000000000000000928...}

TimeCreated : {2017-11-02T13:30:54.386394300Z, 2017-11-02T13:30:51.872859400Z, 2017-11-02T13:30:51.575979800Z,
              2017-10-27T05:49:39.077479800Z...}
Data        : {\Device\Harddisk3\DR3, 0x890f1a8, 3, \Device\MPIODisk0...}
Binary      : {0F01040004002C00000000009900048000000000000000000000000000000000000000000000000000000928,
              0F01040004002C0000000000990004800000000000000000000000000000000000000000000000000000092A,
              0F01040004002C00000000009900048000000000000000000000000000000000000000000000000000000988,
              0F01040004002C00000000009900048000000000000000000000000000000000000000000000000000000928...}

My goal is to match each event (data) with each time (timecreated) and its binary code.
I would appreciate your input folks.

richard-siddaway · November 14, 2017, 10:34am

I think you have an error in your code

   $EvtProperties = @{
        Data        = $EventData.event.eventdata.data
        Binary      = $EventData.event.eventdata.binary
        TimeCreated = $EventData.event.system.timecreated.systemtime
    }

should be

   $EvtProperties = @{
        Data        = $$diskEvt.event.eventdata.data
        Binary      = $$diskEvt.event.eventdata.binary
        TimeCreated = $$diskEvt.event.system.timecreated.systemtime
    }

or something similar. You’re currently creating the output using the collection of events rather than each individual event which is what I presume you’re after

micha_anto · November 14, 2017, 2:30pm

Thanks a lot Richard! Yes I was looking for each individual event.

Topic		Replies	Views
PsObject in a String PowerShell Help	3	103	July 19, 2014
Unable to get the Output of Hashtable in Table format PowerShell Help	1	195	December 19, 2022
Custom PSobject HTML output PowerShell Help	1	127	September 17, 2018
PSCustomObject - Cycle through hashtable? PowerShell Help	7	143	August 7, 2018
Parse output of console (file) put in a hash table and convert JSON PowerShell Help	3	156	June 21, 2017

psobject format output

Related Topics