I need to parse Windows Defender event log. With this command
Get-WinEvent -LogName "Microsoft-Windows-Windows Defender/Operational" | Where-Object { $_.LevelDisplayName -ne "Information" } | Select-Object -ExpandProperty Message
I get this output:
Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/TFTPD32&threatid=12892&enterprise=0
Name: Trojan:Win32/TFTPD32
ID: 12892
Severity: Severe
Category: Trojan
Path: file:_\\server\share\path\file1.exe::$DATA; file:_\\server\share\path\file2.exe::$DATA; file:_\\server\share\path\file3.exe::$DATA;
Detection Origin: Network share
Detection Type: Concrete
Detection Source: Real-Time Protection
User: DOMAIN\user
Process Name: C:\Windows\SMSProxy\Microsoft.StorageMigration.Proxy.Service.exe
Signature Version: AV: 1.335.1263.0, AS: 1.335.1263.0, NIS: 1.335.1263.0
Engine Version: AM: 1.1.18000.5, NIS: 1.1.18000.5
When there are multiple files and the line starting with Path: is very long, it is truncated. Not the message property, but only the line.
When I see the record using Event Log viewer, the line is complete.
Is there a way to get the full length of the line?
I need to get lines with Name: and Path: from the Message property (multi-line string) only.
How can I get it using e.g. RegEx ^\s+(Name|Path): ?
Update:
I mismatched event log records; even in Event Log the Path line is truncated.
The second part of the question remains: How to get only some lines from multiline property?
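An added example (not from the question or any answer) for the second part of the question: it keeps only the Name: and Path: lines of the multi-line Message and splits the Path list into one entry per file. The sample message is constructed from the one shown in the question.

```powershell
# Added example: extract Name: and Path: from a Defender detection Message.
function ConvertFrom-DefenderMessage {
    param([Parameter(Mandatory, ValueFromPipeline)][string] $Message)
    process {
        $fields = @{}
        foreach ($line in ($Message -split '\r?\n')) {
            # Keep only the Name: and Path: lines; '^\s*' also tolerates indented lines.
            if ($line -match '^\s*(Name|Path):\s*(.*)$') { $fields[$matches[1]] = $matches[2].Trim() }
        }
        # Path: is a '; '-separated list of "file:_<path>::$DATA" items.
        $paths = @([string]$fields['Path'] -split ';' |
            ForEach-Object { $_.Trim() -replace '^file:_', '' -replace '::\$DATA$', '' } |
            Where-Object { $_ })
        [pscustomobject]@{
            Name        = $fields['Name']
            Paths       = $paths
            PathCount   = $paths.Count
            RawPathLine = $fields['Path']   # kept so a truncated list stays visible
        }
    }
}

# Constructed sample, shaped like the Message in the question (single-quoted so $DATA is literal).
$sample = @'
Windows Defender Antivirus has detected malware or other potentially unwanted software.
Name: Trojan:Win32/TFTPD32
ID: 12892
Severity: Severe
Path: file:_\\server\share\path\file1.exe::$DATA; file:_\\server\share\path\file2.exe::$DATA;
Detection Origin: Network share
'@
ConvertFrom-DefenderMessage $sample | Format-List

# Live use: the same filter as the question, restricted to events that carry a Path: line.
Get-WinEvent -LogName 'Microsoft-Windows-Windows Defender/Operational' |
    Where-Object { $_.LevelDisplayName -ne 'Information' -and $_.Message -match '(?m)^\s*Path:' } |
    ForEach-Object { ConvertFrom-DefenderMessage $_.Message }
```

Because the Path line itself is truncated in the event (see the update), the last entry of Paths may be incomplete; compare it against RawPathLine before acting on it.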
I want to use Powershell to create a Db2 System DSN. This code does create the data source
Add-OdbcDsn -Name "FromPowershell" -DriverName "IBM DB2 ODBC DRIVER - DB2COPY1" -DsnType "System" -Platform "32-bit" -SetPropertyValue @("DateTimeStringFormat=EUR","DbAlias=SYST")
But only the DbAlias is set as a property, not the DateTimeStringFormat. It is valid for the Db2 driver, as seen below.
I did also believe that if I could create it manually and then use Powershell to extract the parameters afterwards I could solve it by "reverse engineering", but no - I have not been able to find how to use get-odbcdsn to show all parameters either.
Version info
Windows
Major Minor Build Revision
----- ----- ----- --------
10 0 14393 0
Powershell
Major Minor Build Revision
----- ----- ----- --------
5 1 14393 3383
Db2
IBM Db2 Server Data Client 11.5
Product name: "DB2 Connect Unlimited Edition for zSeries"
Version information: "11.5"
Where properties are kept
While deleting the datasource you will be prompted with "Will you delete properties as well in db2cli.ini and db2dsdriver.cfg"
C:\ProgramData\IBM\DB2\DB2COPY1\cfg\db2cli.ini
there I found
[FromPowershell]
DBALIAS=SYST
DateTimeStringFormat=EUR
which does not answer my question, but at least I did learn that it is not stored in registry.
I am trying to retrieve information for a Music Video. For instance let's take:
$ youtube-dl -f 'bestvideo[ext=mp4]+bestaudio[ext=m4a]/bestvideo+bestaudio' --merge-output-format mp4 https://youtu.be/GhNuAXnhADI
If I start kodi, and try to search based on the filename I get no result, so I tried to simplify and enter in the text box, simply: "Come on home":
I still get no result:
21:43:38.887 T:140736808257280 DEBUG: Thread VideoInfoDownloader start, auto delete: false
21:43:38.888 T:140736808257280 DEBUG: FindMovie: Searching for 'Come on Home' using TheAudioDb.com for Music Videos scraper (path: '/home/mathieu/.kodi/addons/metadata.musicvideos.theaudiodb.com', content: 'musicvideos', version: '1.3.3')
21:43:38.888 T:140736808257280 DEBUG: scraper: CreateSearchUrl returned <url>http://www.theaudiodb.com/api/v1/json/18626d636d76696473706d/searchtrack.php?s=Come%20on%20Home&t=</url>
21:43:38.888 T:140736808257280 DEBUG: CurlFile::Open(0x55555c3ba0f0) http://www.theaudiodb.com/api/v1/json/18626d636d76696473706d/searchtrack.php?s=Come%20on%20Home&t=
21:43:39.009 T:140736808257280 DEBUG: Get: Using content of "http://www.theaudiodb.com/api/v1/json/18626d636d76696473706d/searchtrack.php?s=Come%20on%20Home&t=" as binary or text with "UTF-8" charset
21:43:39.009 T:140736808257280 DEBUG: scraper: GetSearchResults returned <results sorted="yes"></results>
21:43:39.010 T:140736808257280 DEBUG: FindMovie: Searching for 'Come on Home' using TheAudioDb.com for Music Videos scraper (path: '/home/mathieu/.kodi/addons/metadata.musicvideos.theaudiodb.com', content: 'musicvideos', version: '1.3.3')
21:43:39.011 T:140736808257280 DEBUG: scraper: CreateSearchUrl returned <url>http://www.theaudiodb.com/api/v1/json/18626d636d76696473706d/searchtrack.php?s=Come%20on%20Home&t=</url>
21:43:39.011 T:140736808257280 DEBUG: CurlFile::Open(0x55555c3ba0f0) http://www.theaudiodb.com/api/v1/json/18626d636d76696473706d/searchtrack.php?s=Come%20on%20Home&t=
21:43:39.073 T:140736808257280 DEBUG: Get: Using content of "http://www.theaudiodb.com/api/v1/json/18626d636d76696473706d/searchtrack.php?s=Come%20on%20Home&t=" as binary or text with "UTF-8" charset
21:43:39.073 T:140736808257280 DEBUG: scraper: GetSearchResults returned <results sorted="yes"></results>
Which seems to be consistent with a command line GET query:
$ curl "http://www.theaudiodb.com/api/v1/json/18626d636d76696473706d/searchtrack.php?s=Come%20on%20Home&t="
{"track":null}%
However if I now go online, I can find a hit:
http://www.theaudiodb.com/track/32777980
What did I do wrong?
Reading the API query URL, I figured I needed to tweak the title + artist line a bit.
Note that the spaces before/after the dash are important.
So eventually I get something to work:
21:52:33.568 T:140736062281472 DEBUG: CurlFile::Open(0x55555c3c9130) http://www.theaudiodb.com/api/v1/json/18626d636d76696473706d/searchtrack.php?s=Franz%20Ferdinand&t=Come%20on%20home
21:52:33.568 T:140736062281472 INFO: easy_acquire - Created session to http://www.theaudiodb.com
21:52:33.829 T:140736062281472 DEBUG: Get: Using content of "http://www.theaudiodb.com/api/v1/json/18626d636d76696473706d/searchtrack.php?s=Franz%20Ferdinand&t=Come%20on%20home" as binary or text with "UTF-8" charset
21:52:33.830 T:140736062281472 DEBUG: scraper: GetSearchResults returned <results sorted="yes"><entity><title>Franz Ferdinand - Come On Home [Franz Ferdinand]</title><url cache="tadb-32777980.json">http://www.theaudiodb.com/api/v1/json/18626d636d76696473706d/track.php?h=32777980</url></entity></results>
21:52:33.830 T:140736062281472 DEBUG: Thread VideoInfoDownloader 140736062281472 terminating
So I need to use ${ARTIST NAME} - ${SONG NAME} to get eventually something.
Is there a way I could make msiexec return the error/success message instead of the default exit code? for instance:
msiexec /i "D:/path/installer.msi"
might return 1603, and referencing the lookup table explains that
A fatal error occurred during installation.
I would like the message, or even the error code ERROR_INSTALL_FAILURE to be returned instead of the exit code 1603.
Note: Not sure if the effort poured into this answer serves a real-world purpose, but it may be of interest for demonstrating various advanced PowerShell techniques: Advanced regex matching using the automatic $matches variable, scraping a web page via Invoke-WebRequest, and calling the Windows API via Add-Type.
Find the function friendlyMsiExec below, which:
scrapes the MSDN page to get the official table of defined MSI error codes (exit codes);
if that fails - scraping is not the most robust technique (page structures and URLs change) - the function issues a warning and uses a hard-coded table instead;
invokes msiexec synchronously, looks up the exit code in the scraped/built-in table and outputs the error message corresponding to the exit code.
Once defined, you can invoke it as follows:
> friendlyMsiExec /i "D:/path/installer.msi" # assume the exit code is 1603
A fatal error occurred during installation. (1603)
Note:
The exit code will be available as $LASTEXITCODE after the function returns.
Scraping is not only not the most robust approach, but the page download and parsing also takes a few seconds, although in the context of an MSI installation that probably won't matter much.
An exit code may also be a regular Windows API error code ("any error in Winerror.h"), so, as a fallback, the FormatMessage Windows API function is consulted, courtesy of an adaptation of this helpful C# answer.
function friendlyMsiExec {
# Try to scrape the MSDN page for the complete list of error codes (exit codes).
# Note: This is not the most robust approach as web pages aren't designed for
# programmatic data extraction, and the format of the page may change over time.
$htErrors = @{}
# Table is in a <table> element with attribute 'summary="table"'.
$tbl = (Invoke-WebRequest 'https://msdn.microsoft.com/en-us/library/windows/desktop/aa376931(v=vs.85).aspx').ParsedHtml.getElementsByTagName('table') | ? { $_.getAttribute('summary') -eq 'table' }
# Parse the text representation (.InnerText) using regular expressions.
$tbl.InnerText -split '\r?\n' | % { if ($_ -match "^(ERROR_.+?)(\d+)(.+)$") { $htErrors.Add([int] $matches[2], @( $matches[1], $matches[3] )) } }
if ($htErrors.Count -eq 0) { # Scraping failed, use hard-coded table (current as of 2 Nov 2016).
Write-Warning "Scraping the MSDN page for error codes failed, falling back to hard-coded table."
$htErrors = @{
0 = 'ERROR_SUCCESS', 'The action completed successfully.'
13 = 'ERROR_INVALID_DATA', 'The data is invalid.'
87 = 'ERROR_INVALID_PARAMETER', 'One of the parameters was invalid.'
120 = 'ERROR_CALL_NOT_IMPLEMENTED', 'This value is returned when a custom action attempts to call a function that cannot be called from custom actions. The function returns the value ERROR_CALL_NOT_IMPLEMENTED. Available beginning with Windows Installer version 3.0.'
1259 = 'ERROR_APPHELP_BLOCK', 'If Windows Installer determines a product may be incompatible with the current operating system, it displays a dialog box informing the user and asking whether to try to install anyway. This error code is returned if the user chooses not to try the installation.'
1601 = 'ERROR_INSTALL_SERVICE_FAILURE', 'The Windows Installer service could not be accessed. Contact your support personnel to verify that the Windows Installer service is properly registered.'
1602 = 'ERROR_INSTALL_USEREXIT', 'The user cancels installation.'
1603 = 'ERROR_INSTALL_FAILURE', 'A fatal error occurred during installation.'
1604 = 'ERROR_INSTALL_SUSPEND', 'Installation suspended, incomplete.'
1605 = 'ERROR_UNKNOWN_PRODUCT', 'This action is only valid for products that are currently installed.'
1606 = 'ERROR_UNKNOWN_FEATURE', 'The feature identifier is not registered.'
1607 = 'ERROR_UNKNOWN_COMPONENT', 'The component identifier is not registered.'
1608 = 'ERROR_UNKNOWN_PROPERTY', 'This is an unknown property.'
1609 = 'ERROR_INVALID_HANDLE_STATE', 'The handle is in an invalid state.'
1610 = 'ERROR_BAD_CONFIGURATION', 'The configuration data for this product is corrupt. Contact your support personnel.'
1611 = 'ERROR_INDEX_ABSENT', 'The component qualifier not present.'
1612 = 'ERROR_INSTALL_SOURCE_ABSENT', 'The installation source for this product is not available. Verify that the source exists and that you can access it.'
1613 = 'ERROR_INSTALL_PACKAGE_VERSION', 'This installation package cannot be installed by the Windows Installer service. You must install a Windows service pack that contains a newer version of the Windows Installer service.'
1614 = 'ERROR_PRODUCT_UNINSTALLED', 'The product is uninstalled.'
1615 = 'ERROR_BAD_QUERY_SYNTAX', 'The SQL query syntax is invalid or unsupported.'
1616 = 'ERROR_INVALID_FIELD', 'The record field does not exist.'
1618 = 'ERROR_INSTALL_ALREADY_RUNNING', 'Another installation is already in progress. Complete that installation before proceeding with this install.'
1619 = 'ERROR_INSTALL_PACKAGE_OPEN_FAILED', 'This installation package could not be opened. Verify that the package exists and is accessible, or contact the application vendor to verify that this is a valid Windows Installer package.'
1620 = 'ERROR_INSTALL_PACKAGE_INVALID', 'This installation package could not be opened. Contact the application vendor to verify that this is a valid Windows Installer package.'
1621 = 'ERROR_INSTALL_UI_FAILURE', 'There was an error starting the Windows Installer service user interface. Contact your support personnel.'
1622 = 'ERROR_INSTALL_LOG_FAILURE', 'There was an error opening installation log file. Verify that the specified log file location exists and is writable.'
1623 = 'ERROR_INSTALL_LANGUAGE_UNSUPPORTED', 'This language of this installation package is not supported by your system.'
1624 = 'ERROR_INSTALL_TRANSFORM_FAILURE', 'There was an error applying transforms. Verify that the specified transform paths are valid.'
1625 = 'ERROR_INSTALL_PACKAGE_REJECTED', 'This installation is forbidden by system policy. Contact your system administrator.'
1626 = 'ERROR_FUNCTION_NOT_CALLED', 'The function could not be executed.'
1627 = 'ERROR_FUNCTION_FAILED', 'The function failed during execution.'
1628 = 'ERROR_INVALID_TABLE', 'An invalid or unknown table was specified.'
1629 = 'ERROR_DATATYPE_MISMATCH', 'The data supplied is the wrong type.'
1630 = 'ERROR_UNSUPPORTED_TYPE', 'Data of this type is not supported.'
1631 = 'ERROR_CREATE_FAILED', 'The Windows Installer service failed to start. Contact your support personnel.'
1632 = 'ERROR_INSTALL_TEMP_UNWRITABLE', 'The Temp folder is either full or inaccessible. Verify that the Temp folder exists and that you can write to it.'
1633 = 'ERROR_INSTALL_PLATFORM_UNSUPPORTED', 'This installation package is not supported on this platform. Contact your application vendor.'
1634 = 'ERROR_INSTALL_NOTUSED', 'Component is not used on this machine.'
1635 = 'ERROR_PATCH_PACKAGE_OPEN_FAILED', 'This patch package could not be opened. Verify that the patch package exists and is accessible, or contact the application vendor to verify that this is a valid Windows Installer patch package.'
1636 = 'ERROR_PATCH_PACKAGE_INVALID', 'This patch package could not be opened. Contact the application vendor to verify that this is a valid Windows Installer patch package.'
1637 = 'ERROR_PATCH_PACKAGE_UNSUPPORTED', 'This patch package cannot be processed by the Windows Installer service. You must install a Windows service pack that contains a newer version of the Windows Installer service.'
1638 = 'ERROR_PRODUCT_VERSION', 'Another version of this product is already installed. Installation of this version cannot continue. To configure or remove the existing version of this product, use Add/Remove Programs in Control Panel.'
1639 = 'ERROR_INVALID_COMMAND_LINE', 'Invalid command line argument. Consult the Windows Installer SDK for detailed command-line help.'
1640 = 'ERROR_INSTALL_REMOTE_DISALLOWED', 'The current user is not permitted to perform installations from a client session of a server running the Terminal Server role service.'
1641 = 'ERROR_SUCCESS_REBOOT_INITIATED', 'The installer has initiated a restart. This message is indicative of a success.'
1642 = 'ERROR_PATCH_TARGET_NOT_FOUND', 'The installer cannot install the upgrade patch because the program being upgraded may be missing or the upgrade patch updates a different version of the program. Verify that the program to be upgraded exists on your computer and that you have the correct upgrade patch.'
1643 = 'ERROR_PATCH_PACKAGE_REJECTED', 'The patch package is not permitted by system policy.'
1644 = 'ERROR_INSTALL_TRANSFORM_REJECTED', 'One or more customizations are not permitted by system policy.'
1645 = 'ERROR_INSTALL_REMOTE_PROHIBITED', 'Windows Installer does not permit installation from a Remote Desktop Connection.'
1646 = 'ERROR_PATCH_REMOVAL_UNSUPPORTED', 'The patch package is not a removable patch package. Available beginning with Windows Installer version 3.0.'
1647 = 'ERROR_UNKNOWN_PATCH', 'The patch is not applied to this product. Available beginning with Windows Installer version 3.0.'
1648 = 'ERROR_PATCH_NO_SEQUENCE', 'No valid sequence could be found for the set of patches. Available beginning with Windows Installer version 3.0.'
1649 = 'ERROR_PATCH_REMOVAL_DISALLOWED', 'Patch removal was disallowed by policy. Available beginning with Windows Installer version 3.0.'
1650 = 'ERROR_INVALID_PATCH_XML', 'The XML patch data is invalid. Available beginning with Windows Installer version 3.0.'
1651 = 'ERROR_PATCH_MANAGED_ADVERTISED_PRODUCT', 'Administrative user failed to apply patch for a per-user managed or a per-machine application that is in advertise state. Available beginning with Windows Installer version 3.0.'
1652 = 'ERROR_INSTALL_SERVICE_SAFEBOOT', 'Windows Installer is not accessible when the computer is in Safe Mode. Exit Safe Mode and try again or try using System Restore to return your computer to a previous state. Available beginning with Windows Installer version 4.0.'
1653 = 'ERROR_ROLLBACK_DISABLED', 'Could not perform a multiple-package transaction because rollback has been disabled. Multiple-Package Installations cannot run if rollback is disabled. Available beginning with Windows Installer version 4.5.'
1654 = 'ERROR_INSTALL_REJECTED', 'The app that you are trying to run is not supported on this version of Windows. A Windows Installer package, patch, or transform that has not been signed by Microsoft cannot be installed on an ARM computer.'
3010 = 'ERROR_SUCCESS_REBOOT_REQUIRED', 'A restart is required to complete the install. This message is indicative of a success. This does not include installs where the ForceReboot action is run. '
}
}
# Execute msiexec synchronously.
$psInfo = Start-Process -PassThru -NoNewWindow -Wait msiexec -ArgumentList $Args
# Get the exit code.
$ec = $psInfo.ExitCode
# Look up the exit code returned in the hashtable and extract the error *message*.
if ($htErrors[$ec]) {
# Use subscript [0] to extract the *symbolic name* instead.
$errMsg = $htErrors[$ec][1] # -replace '\r'
} else { # not found in table
# See if it's a Windows (system) error code.
# Helper type for getting Windows (system) error messages by error code.
# Returns $null if no message is found.
# Example:
# [net.same2u.pshelper.WinErrMsg]::Get(2) # -> "The system cannot find the file specified."
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
using System.Text;
namespace net.same2u.pshelper {
public static class WinErrMsg {
[DllImport("kernel32.dll")]
static extern int FormatMessage(int dwFlags, IntPtr lpSource, int dwMessageId, int dwLanguageId, System.Text.StringBuilder lpBuffer, int nSize, IntPtr Arguments);
public static string Get(int errCode) {
const int CAPACITY = 512;
const int FORMAT_MESSAGE_FROM_SYSTEM = 0x00001000;
StringBuilder sb = new StringBuilder(CAPACITY);
FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM, IntPtr.Zero, errCode, 0, sb, sb.Capacity, IntPtr.Zero);
// Remove trailing CRLF
int i = sb.Length;
if (i>0 && sb[i - 1] == 10) i--;
if (i>0 && sb[i - 1] == 13) i--;
sb.Length = i;
return sb.Length > 0 ? sb.ToString() : null;
}
}
}
'@
$errMsg = [net.same2u.pshelper.WinErrMsg]::Get($ec)
# Determine fallback message, if no match was found.
if (-not $errMsg) { $errMsg = "An unknown exit code was reported."}
}
# Set $LASTEXITCODE, so that the caller can inspect the exit code later.
Set-Variable -Scope 1 LASTEXITCODE $ec
# Output the message, suffixed with the exit code.
"$errMsg ($ec)"
}
No, the msi can't replace the Error Code with the message itself.
As Ansgar Wiechers said, the MSI is meant to create a log file on each machine you execute it on, in the same folder (e.g. C:\Windows\Temp). With the /l parameters you can modify the output in that file. If you need a comprehensive log you should start with voicewarmupx.
Well an MSI install doesn't always return 1603. The primary reason for a 1603 is a failing custom action where Windows Installer doesn't know why the custom action code failed, and that custom action code was not robust enough to handle its own errors and provide a message before causing the install to fail (and probably roll back). The verbose log should tell you why it failed.
So if it's your MSI you have the opportunity to correct it, otherwise you are at the mercy of the quality of development of the MSI.
Also, your question contains a contradiction: you say you would like the error code ERROR_INSTALL_FAILURE to be returned instead of the exit code, but the 1603 exit code is ERROR_INSTALL_FAILURE.
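An added example, not from any of the answers above, that applies what they say: it runs msiexec with a verbose log, treats only 0, 1641 and 3010 as success (the two reboot codes from the table in the first answer), and on a 1603 pulls the first failing action out of the log, where Windows Installer marks it with "Return value 3". The function name, the log location and the log-flag choice are this example's assumptions.

```powershell
# Added example: msiexec wrapper that returns a structured result instead of a bare exit code.
function Invoke-MsiInstall {
    param(
        [Parameter(Mandatory)][string] $MsiPath,
        # Assumed default log location; any writable path works.
        [string] $LogPath = (Join-Path $env:TEMP ('msi-{0:yyyyMMdd-HHmmss}.log' -f (Get-Date)))
    )
    # /qn = no UI, /l*vx = verbose log including extra debugging output.
    $p = Start-Process msiexec.exe -Wait -PassThru -NoNewWindow `
        -ArgumentList @('/i', "`"$MsiPath`"", '/qn', '/l*vx', "`"$LogPath`"")
    $code = $p.ExitCode

    $result = [pscustomobject]@{
        ExitCode     = $code
        Success      = $code -in 0, 1641, 3010   # 1641/3010 are successes that need a reboot
        RebootNeeded = $code -in 1641, 3010
        FailedAction = $null
        LogPath      = $LogPath
    }
    if ($code -eq 1603 -and (Test-Path $LogPath)) {
        # 1603 is usually a failing (custom) action; the verbose log marks it with "Return value 3".
        $hit = Select-String -Path $LogPath -Pattern 'Return value 3' | Select-Object -First 1
        if ($hit) { $result.FailedAction = $hit.Line.Trim() }
    }
    $result
}

# Usage (path from the question):
# Invoke-MsiInstall -MsiPath 'D:\path\installer.msi' | Format-List
```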
I need to edit one line in /etc/mongodb.conf
auth = true
Augeas has a mongo lens, however it only works on augeas > 1.0
I am completely stuck on augeas 0.9 because it is the latest version in the epel repo, and I can not compile augeas from github.
As a work around, I'm trying to write my own augeas lens that will work on augeas 0.9
What I have so far is this
module Spencer =
autoload xfm
let entry = key /[a-z]+/ . del /[ \t]*=[ \t]*/ "=" . store /[a-z]+/
let lns = [ entry . del "\n" "\n" ] *
test lns get "auth = false\nfoo = bar\n" = ?
let filter = incl "/etc/mongodb.conf"
let xfm = transform lns filter
When I try and use the puppet type to apply the lens to /etc/mongodb.conf, I get an error "Iterated lens matched less than it should".
puppet apply augmongo.pp --debug --verbose --summarize
Info: Applying configuration version '1385024927'
Debug: Augeas[auth-mongo](provider=augeas): Opening augeas with root /, lens path , flags 64
Debug: Augeas[auth-mongo](provider=augeas): Augeas version 0.9.0 is installed
Test result: /usr/share/augeas/lenses/dist/spencer.aug:8.0-.44:
{ "auth" = "false" }
{ "foo" = "bar" }
Debug: Augeas[auth-mongo](provider=augeas): Will attempt to save and only run if files changed
Debug: Augeas[auth-mongo](provider=augeas): sending command 'set' with params ["/files/etc/mongodb.conf/auth", "true"]
Debug: Augeas[auth-mongo](provider=augeas): Put failed on one or more files, output from /augeas//error:
Debug: Augeas[auth-mongo](provider=augeas): /augeas/files/etc/mongodb.conf/error = put_failed
Debug: Augeas[auth-mongo](provider=augeas): /augeas/files/etc/mongodb.conf/error/pos = 1
Debug: Augeas[auth-mongo](provider=augeas): /augeas/files/etc/mongodb.conf/error/lens = /usr/share/augeas/lenses/dist/spencer.aug:6.10-.37:
Debug: Augeas[auth-mongo](provider=augeas): /augeas/files/etc/mongodb.conf/error/message = Iterated lens matched less than it should
Debug: Augeas[auth-mongo](provider=augeas): Closed the augeas connection
Error: /Stage[main]/Augmongo/Augeas[auth-mongo]: Could not evaluate: Save failed with return code false, see debug
Debug: Finishing transaction 69857417180740
Debug: Storing state
Debug: Stored state in 0.13 seconds
What is wrong with the lens?
How can I test a lens from the command line and take puppet out of the equation?
RHEL 6.4 just upgraded to Augeas 1.0. See https://rhn.redhat.com/errata/RHSA-2013-1537.html.
You should be able to rebuild the packages, or wait for CentOS to do that for you.
I have had similar issues with augeas & puppet. Applying changes seemed to end with the error Could not evaluate: Save failed with return code false every time. This turned out to be a syntax issue. I had:
set spec[user = '%somegroup']/host_group/command/tag  NOPASSWD
(notice the two spaces between tag and NOPASSWD).
When I tried the same command with one empty space, the issue was solved.
Looking into the template/lens (spencer.aug, line 6.10-.37) might offer some clue at what went wrong.