use regex to clean log.txt Topic is solved

[joekingcool]

hello all, i have a regex question, if possible. i attached a portion of the log below. when this log finds a driver thats outdated it lists additional info like subject, issuer, date, thumbprint. i was wondering if regex could search for the word [Subject], then save the line above it to a text file, for each time it shows up.

Code: Select all

Driver Module
C:\Windows\system32\drivers\usbccgp.sys
Driver: 
Processing module: 
Module: 
Driver Module
C:\Windows\system32\drivers\RtsUer.sys
[Subject]
  CN=Microsoft Windows Hardware Compatibility Publisher, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

[Issuer]
  CN=Microsoft Windows Third Party Component CA 2012, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

[Serial Number]
  330000006D9DA53E87009D334900000000006D

[Not Before]
  9/20/2018 3:45:06 PM

[Not After]
  9/20/2019 3:45:06 PM

[Thumbprint]
  5FB840AB811BC4BAB5C3B996FB2CC426CCC99449

6
Result: 
Driver: 
Processing module: 
Module: 
6
Result: 
Driver: 
Processing module: 
Module: 
Driver Module
C:\Windows\system32\drivers\BTHUSB.SYS
Driver: 
Processing module: 
Module: 
Driver Module
C:\Windows\system32\drivers\bthport.sys
Driver: 
Processing module:

many thanks!

[boiler]

Code: Select all

RegExMatch(log, "\v+\K\V+(?=\v+\[Subject])", match)

Demo:

Code: Select all

log =
(
Driver Module
C:\Windows\system32\drivers\usbccgp.sys
Driver: 
Processing module: 
Module: 
Driver Module
C:\Windows\system32\drivers\RtsUer.sys
[Subject]
  CN=Microsoft Windows Hardware Compatibility Publisher, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

[Issuer]
  CN=Microsoft Windows Third Party Component CA 2012, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

[Serial Number]
  330000006D9DA53E87009D334900000000006D

[Not Before]
  9/20/2018 3:45:06 PM

[Not After]
  9/20/2019 3:45:06 PM

[Thumbprint]
  5FB840AB811BC4BAB5C3B996FB2CC426CCC99449

6
Result: 
Driver: 
Processing module: 
Module: 
6
Result: 
Driver: 
Processing module: 
Module: 
Driver Module
C:\Windows\system32\drivers\BTHUSB.SYS
Driver: 
Processing module: 
Module: 
Driver Module
C:\Windows\system32\drivers\bthport.sys
Driver: 
Processing module:
)

RegExMatch(log, "\v+\K\V+(?=\v+\[Subject])", match)
MsgBox, % Match

You have a different issue if you’re reading the log file in real time in that you need to capture an appropriate amount of text. You wouldn’t just read the lines one by one or something. If you red the lines individually, then you don’t even need RegEx. You would just assign the contents of the previous line to a different variable, and when the current line contains [Subject], then you would capture the contents of the other variable as the desired text.

[mikeyww]

Code: Select all

str =
(
Driver Module
C:\Windows\system32\drivers\usbccgp.sys
Driver: 
Processing module: 
Module: 
Driver Module
C:\Windows\system32\drivers\RtsUer.sys
[Subject]
CN=Microsoft Windows Hardware Compatibility Publisher, O=Microsoft Corporation
)
RegExMatch(str, "(\V+)\R\[Subject\]", previous), out := A_ScriptDir "\line.txt"
FileRecycle, %out%
FileAppend, %previous1%, %out%
Run, %out%

(Edit: I had not seen boiler's post.)

[joekingcool]

Thanks mike, great work as always! although it only finds 1 on the drivers, is there a way to loop it threw?

[flyingDman]

I would do it this way:

Code: Select all

var = 
(
Driver Module
C:\Windows\system32\drivers\usbccgp.sys
Driver: 
Processing module: 
Module: 
Driver Module
C:\Windows\system32\drivers\RtsUer.sys
[Subject]
  CN=Microsoft Windows Hardware Compatibility Publisher, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

[Issuer]
  CN=Microsoft Windows Third Party Component CA 2012, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

[Serial Number]
  330000006D9DA53E87009D334900000000006D

[Not Before]
  9/20/2018 3:45:06 PM

[Not After]
  9/20/2019 3:45:06 PM

[Thumbprint]
  5FB840AB811BC4BAB5C3B996FB2CC426CCC99449

6
Result: 
Driver: 
Processing module: 
Module: 
6
Result: 
Driver: 
Processing module: 
Module: 
Driver Module
C:\Windows\system32\drivers\BTHUSB.SYS
Driver: 
Processing module: 
Module: 
Driver Module
C:\Windows\system32\drivers\bthport.sys
Driver: 
Processing module:
C:\Windows\system32\drivers\xyz.sys
[Subject]
)

for x,y in z := strsplit(var,"`n","`r")
	lst .= y = "[Subject]" ? z[x-1] "`n" : ""
msgbox % lst

[joekingcool]

Thank you boiler, have same issue were it only gives me 1 result. the reason i dont change the orig script or code is because im make a tool to better visually see the stats of a powershell script that was already made. and the script is more than time deciphering time than i want to put into it just trying to make a tool for folks to visually see there security on windows pcs, what services are enables what protocols, and enable if possible. hopefully make windows core easier to troubleshoot.

[mikeyww]

Here is the regex, but it's slower than the array technique. Nonetheless, it provides the answer to, "i was wondering if regex could search for the word [Subject], then save the line above it to a text file, for each time it shows up."

Code: Select all

FileRead, str, d:\temp2\DeviceGuardCheckLog.txt
FileRecycle, % out := A_ScriptDir "\line.txt"
While pos := RegExMatch(str, "(\V+)\R\[Subject\]", previous, pos ? pos + StrLen(previous) : 1)
 FileAppend, %previous1%`n, %out%
Run, %out%

[joekingcool]

Bingo!!!!!!!!! Perfect!!!!!!! thanks!!!!!!!!!