janhoedt


Powershell: hashtable in hashtable?

Hi,

I have some registry event messages in a Powershell Object named $regevents.
The regevents.message contains what I actually need to have in a powershell object.

$regmatches[0].message has output below (string):
---
Registry value set:
RuleName: Suspicious,ImageBeginWithBackslash
EventType: SetValue
UtcTime: 2021-11-22 19:41:20.113
ProcessGuid: {8a7d3eea-e785-619b-0904-000000009301}
ProcessId: 11124
Image: C:\WINDOWS\regedit.exe
TargetObject: HKLM\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-2684371750-4012540082-1282350125-1002\\Device\HarddiskVolume4\Windows\regedit.exe
Details: Binary Data
User: LOC\John
Registry value set:
RuleName: Suspicious,ImageBeginWithBackslash
---

I can get the string into a hashtable (splitting the text by line) with
$Reglines = $($item.message -split "`n"), but I can't get that hashtable into another hashtable for the full overview.

$FullRegOverview = @{}
foreach ($item in $regmatches){

    $Reglines = $($item.message -split "`n")
    $RegOverview = @{}
    foreach ($regline in $reglines){
        $pos = $Regline.IndexOf(":") #splitting on : to have the values
        $VariableName = $($Regline.Substring(0, $pos)).trim()
        $VariableValue = $($Regline.Substring($pos+1)).trim()
        $RegOverview.add($VariableName,$VariableValue)
    }

    #This is fine, but how do I get the $RegOverview into $FullRegOverview?

    #This code generates error "Exception calling "Add" with "2" argument(s)"

    #And only 1 item is shown, whereas there should be multiple (which is logical, because it is overwritten instead of added)
    #$FullRegOverview.add($RegOverview)

}


Qlemo

For a hashtable in a hashtable, you need to add the $RegOverview as a new property/hash value:
$FullRegOverview.add('Overview', $RegOverview)


But I'm certain that is not what you are after. You want to create an array of hashtables (simplified):
$FullRegOverview = @()
foreach ($item in $regmatches){
  $RegOverview = @{}
  foreach ($regline in $item.message -split "`n"){
    $actVal = $regline -split ':'
    $RegOverview.add($actVal[0].Trim(),$actVal[1].Trim())
  }
  $FullRegOverview += $RegOverview
}



Export it to clixml and import it so that we can fully evaluate what you want.
janhoedt

ASKER

Thanks Qlemo, I'll check right away.
Michael, please clarify. No clue what I should do with this info. Export eventviewer to clixml? Then how, and then evaluate how/using what syntax?
Qlemo, the $RegOverview.add($actVal[0].Trim(),$actVal[1].Trim())
does not work fully. I had that approach too, but sometimes in a log there is c:\program files or other and then it's messed up.

That's why I had the other approach:
    $pos = $Regline.IndexOf(":") #splitting on : to have the values
    $VariableName = $($Regline.Substring(0, $pos)).trim()
    $VariableValue = $($Regline.Substring($pos+1)).trim()
Qlemo, looks great, thanks! One more thing: I'd like to select only some properties and that seems not to work. Missing something. Please see screenshot for clarification.
ASKER CERTIFIED SOLUTION
Qlemo
I suggested exporting the specific $item you were looking at so that we can see the exact properties on the object.

But it looks like qlemo got you sorted.
@Qlemo, not sure if I get it right. I do indeed want to make a custom object so I can search for e.g. notepadplusplus in image or path in targetfileobject etc.

$RegOverview | % { [PsCustomObject] $_ } makes it indeed into a custom object, great :-)
So I changed the code to see if I could make that work, but the $FullRegOverviewSetValuePSCustomObject is empty :-(

$FullRegOverviewSetValue = @()
$FullRegOverviewSetValuePSCustomObject = @()

foreach ($item in $RegEventsSetValue){
    $Reglines = $($item.message -split "`n")
    $RegOverview = @{}
    foreach ($regline in $reglines){
        $pos = $Regline.IndexOf(":") #splitting on : to have the values
        $VariableName = $($Regline.Substring(0, $pos)).trim()
        $VariableValue = $($Regline.Substring($pos+1)).trim()
        $RegOverview.add($VariableName,$VariableValue)
        $FullRegOverviewSetValuePSCustomObject += $RegOverview | % { [PsCustomObject] $_ }
        $FullRegOverviewSetValue += $RegOverview
    }
}
You have to build the individual RegOverview hashtable first (in the inner loop), then make the result a custom object to add to an array:
$FullRegOverviewSetValue = @()
$FullRegOverviewSetValuePSCustomObject = @()

foreach ($item in $RegEventsSetValue){
  $Reglines = $item.message -split "`n"
  $RegOverview = @{}
  foreach ($regline in $reglines){
    $pos = $Regline.IndexOf(":") #splitting on the first : to have the values
    if ($pos -lt 0) { continue }   # skip lines without a "name: value" separator (Substring would throw)
    $VariableName  = $Regline.Substring(0, $pos).trim()
    $VariableValue = $Regline.Substring($pos+1 ).trim()
    $RegOverview.add($VariableName,$VariableValue)
  }
  $FullRegOverviewSetValuePSCustomObject += [PsCustomObject] $RegOverview
  $FullRegOverviewSetValue += $RegOverview
}
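As an added example (not code from Qlemo or the asker), the parse-then-select flow from the thread pulled into one function: split each line on the first colon only (so values like C:\Program Files keep their colon, the problem raised above), skip header lines, build a PSCustomObject per event, then select and filter properties. The two sample messages are constructed here; the first mirrors the message in the question, the second is invented to show a path with a colon and a notepad++ image.

```powershell
# Added example, not from the thread. $sampleMessages is constructed:
# event 1 mirrors the question's output, event 2 is invented for the colon-in-value case.
$sampleMessages = @(
@"
Registry value set:
RuleName: Suspicious,ImageBeginWithBackslash
EventType: SetValue
UtcTime: 2021-11-22 19:41:20.113
ProcessId: 11124
Image: C:\WINDOWS\regedit.exe
TargetObject: HKLM\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-2684371750-4012540082-1282350125-1002\\Device\HarddiskVolume4\Windows\regedit.exe
Details: Binary Data
User: LOC\John
"@,
@"
Registry value set:
RuleName: -
EventType: SetValue
UtcTime: 2021-11-22 19:42:05.001
ProcessId: 4242
Image: C:\Program Files\Notepad++\notepad++.exe
TargetObject: HKCU\Software\Notepad++\LastOpened
Details: C:\Users\John\notes.txt
User: LOC\John
"@
)
function ConvertFrom-RegEventMessage {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Message)
    process {
        $fields = [ordered]@{}
        foreach ($line in ($Message -split "`r?`n")) {
            # Split on the FIRST colon only, so "C:\Program Files\..." stays intact.
            $pos = $line.IndexOf(':')
            if ($pos -lt 0) { continue }              # no "name: value" on this line
            $name  = $line.Substring(0, $pos).Trim()
            $value = $line.Substring($pos + 1).Trim()
            if ($value -eq '') { continue }           # e.g. the "Registry value set:" header
            $fields[$name] = $value                   # indexer: no duplicate-key exception
        }
        [PSCustomObject]$fields
    }
}
$events = $sampleMessages | ConvertFrom-RegEventMessage
# Select only some properties, then search Image / TargetObject.
$events | Select-Object UtcTime, Image, TargetObject | Format-Table -AutoSize
$events | Where-Object { $_.Image -like '*notepad++*' -or $_.TargetObject -like '*Notepad++*' }
```

With real data, replace $sampleMessages with $RegEventsSetValue.message; the function accepts the strings from the pipeline.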