Powershell, XML

XML: Selectnode XPath query independend from namespace

Leave a comment

Hi,

i got the following xml structure and want to select just the the “Data” node with the attribute “CommandLine” without defining a namespace object first.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
  <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385f-c22a-43e0-bf4c-06f5698ffbd9}" />
  <EventID>1</EventID>
  <Version>5</Version>
  <Level>4</Level>
  <Task>1</Task>
  <Opcode>0</Opcode>
  <Keywords>0x8000000000000000</Keywords>
  <TimeCreated SystemTime="2023-09-25 22:22:32.601" />
  <EventRecordID>124756</EventRecordID>
  <Correlation />
  <Execution ProcessID="4168" ThreadID="5480" />
  <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
  <Computer>myCOmputer.myDomain.org</Computer>
  <Security UserID="S-1-5-18" />
  </System>
- <EventData>
  <Data Name="RuleName">-</Data>
  <Data Name="UtcTime">2023-09-25 22:22:32.601</Data>
  <Data Name="ProcessGuid">{e8ff26e2-7b88-6511-dbe6-010000003e00}</Data>
  <Data Name="ProcessId">7240</Data>
  <Data Name="Image">C:\Windows\System32\conhost.exe</Data>
  <Data Name="FileVersion">10.0.19041.3393 (WinBuild.160101.0800)</Data>
  <Data Name="Description">Console Window Host</Data>
  <Data Name="Product">Microsoft® Windows® Operating System</Data>
  <Data Name="Company">Microsoft Corporation</Data>
  <Data Name="OriginalFileName">CONHOST.EXE</Data>
  <Data Name="CommandLine">\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1</Data>
  <Data Name="CurrentDirectory">C:\Windows</Data>
  <Data Name="User">myUser</Data>
  <Data Name="LogonGuid">{e8ff26e2-3dbf-6511-eec4-160000000000}</Data>
  <Data Name="LogonId">0x16c4ee</Data>
  <Data Name="TerminalSessionId">0</Data>
  <Data Name="IntegrityLevel">High</Data>
  <Data Name="Hashes">SHA1=805D59ABED301A4A8219531544EDC1742207F8AD,MD5=7366FBEFE66BA0F1F5304F7D6FEF09FE,SHA256=5C7AA6C7D6CC9B7BF66B39BFBA334DE236EEFDD5E790545CED4C2E42600F8794,IMPHASH=0F64302D3280DE299F4C51A78746F606</Data>
  <Data Name="ParentProcessGuid">{e8ff26e2-7b88-6511-dae6-010000003e00}</Data>
  <Data Name="ParentProcessId">12168</Data>
  <Data Name="ParentImage">cmd.exe</Data>
  <Data Name="ParentCommandLine">dmc.exe 6384</Data>
  <Data Name="ParentUser">myUser</Data>
  </EventData>
</Event>

This can be done by XPATH and the local-name() function. Environment is Powershell/.NET. .NET only supports XPATH 1.0 queries.

In this example the XML Object is in the variable $XML. The local-name()=’Data’ sets a filter for all nodes with Name Data and @Name filters the attribute where Name=CommandLine.

1
2
3
4
PS D:\> $XML.Event.EventData.SelectNodes("*[local-name()='Data' and @Name='CommandLine']")
Name        #text
----        -----
CommandLine \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

I know in this example Name=CommandLine would be sufficient 🙂

Michael

This may not especially need Biomedical and the resistance of databases should be presented in blood. Osta Yleinen Abaglin (Neurontin) ilman Reseptiä Checks for prescription are conducted out in the high healthcare which is remainder of the using internet. Most special participants are read in website with an inappropriate month resistance. Pharmacy in Ethiopia dicloxacillin at AMR College.

Leave a Reply