XML: SelectNodes XPath query independent of the namespace

Hi,

I have the following XML structure and want to select only the "Data" node with the attribute Name="CommandLine", without defining a namespace object first.

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385f-c22a-43e0-bf4c-06f5698ffbd9}" />
    <EventID>1</EventID>
    <Version>5</Version>
    <Level>4</Level>
    <Task>1</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2023-09-25 22:22:32.601" />
    <EventRecordID>124756</EventRecordID>
    <Correlation />
    <Execution ProcessID="4168" ThreadID="5480" />
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>myCOmputer.myDomain.org</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="RuleName">-</Data>
    <Data Name="UtcTime">2023-09-25 22:22:32.601</Data>
    <Data Name="ProcessGuid">{e8ff26e2-7b88-6511-dbe6-010000003e00}</Data>
    <Data Name="ProcessId">7240</Data>
    <Data Name="Image">C:\Windows\System32\conhost.exe</Data>
    <Data Name="FileVersion">10.0.19041.3393 (WinBuild.160101.0800)</Data>
    <Data Name="Description">Console Window Host</Data>
    <Data Name="Product">Microsoft® Windows® Operating System</Data>
    <Data Name="Company">Microsoft Corporation</Data>
    <Data Name="OriginalFileName">CONHOST.EXE</Data>
    <Data Name="CommandLine">\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1</Data>
    <Data Name="CurrentDirectory">C:\Windows</Data>
    <Data Name="User">myUser</Data>
    <Data Name="LogonGuid">{e8ff26e2-3dbf-6511-eec4-160000000000}</Data>
    <Data Name="LogonId">0x16c4ee</Data>
    <Data Name="TerminalSessionId">0</Data>
    <Data Name="IntegrityLevel">High</Data>
    <Data Name="Hashes">SHA1=805D59ABED301A4A8219531544EDC1742207F8AD,MD5=7366FBEFE66BA0F1F5304F7D6FEF09FE,SHA256=5C7AA6C7D6CC9B7BF66B39BFBA334DE236EEFDD5E790545CED4C2E42600F8794,IMPHASH=0F64302D3280DE299F4C51A78746F606</Data>
    <Data Name="ParentProcessGuid">{e8ff26e2-7b88-6511-dae6-010000003e00}</Data>
    <Data Name="ParentProcessId">12168</Data>
    <Data Name="ParentImage">cmd.exe</Data>
    <Data Name="ParentCommandLine">dmc.exe 6384</Data>
    <Data Name="ParentUser">myUser</Data>
  </EventData>
</Event>

This can be done with XPath and the local-name() function. The environment is PowerShell/.NET, and .NET only supports XPath 1.0 queries. The Event element declares a default namespace, so every element in the document belongs to that namespace and an unprefixed element name in an XPath expression would not match anything; local-name() compares only the element's name without its namespace, which avoids having to register the namespace first.

In this example the XML object is in the variable $XML. The predicate local-name()='Data' selects all elements whose local name is Data, and @Name='CommandLine' restricts them to those whose Name attribute equals CommandLine.

PS D:\> $XML.Event.EventData.SelectNodes("*[local-name()='Data' and @Name='CommandLine']")
Name        #text
----        -----
CommandLine \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

I know in this example Name=CommandLine would be sufficient 🙂
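The following is an added example, not code from the original post. It shows the three ways of addressing a namespaced Sysmon event from PowerShell: the plain element path that finds nothing because of the default namespace, the local-name() query from the post generalized to run from the document root, and the equivalent query with an XmlNamespaceManager for comparison. The event XML is a constructed sample modelled on the record above, and the function name Get-SysmonEventData is a hypothetical helper that collects all Data fields of an event into a hashtable, namespace-agnostically, so the fields a detection needs (Image, CommandLine, ParentImage, Hashes) can be read by name.

```powershell
# Added example (not from the original post). The event below is a constructed
# sample modelled on the Sysmon Event ID 1 record in the post.
$eventXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385f-c22a-43e0-bf4c-06f5698ffbd9}" />
    <EventID>1</EventID>
    <Computer>myCOmputer.myDomain.org</Computer>
  </System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\conhost.exe</Data>
    <Data Name="CommandLine">\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1</Data>
    <Data Name="ParentImage">cmd.exe</Data>
    <Data Name="Hashes">SHA1=805D59ABED301A4A8219531544EDC1742207F8AD,MD5=7366FBEFE66BA0F1F5304F7D6FEF09FE</Data>
  </EventData>
</Event>
'@

[xml]$XML = $eventXml

# 1. Plain element names do not match: the default namespace puts every element
#    into http://schemas.microsoft.com/win/2004/08/events/event, and an unprefixed
#    name in XPath 1.0 always means "element in no namespace".
$none = $XML.SelectNodes("/Event/EventData/Data[@Name='CommandLine']")
"Without namespace handling: $($none.Count) node(s)"      # 0 nodes

# 2. local-name() ignores the namespace, so this works from the document root
#    without any XmlNamespaceManager.
$cmd = $XML.SelectSingleNode("//*[local-name()='Data' and @Name='CommandLine']")
"local-name():               $($cmd.InnerText)"

# 3. The equivalent with a registered prefix, for comparison.
$ns = New-Object System.Xml.XmlNamespaceManager($XML.NameTable)
$ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
$cmd2 = $XML.SelectSingleNode("/e:Event/e:EventData/e:Data[@Name='CommandLine']", $ns)
"XmlNamespaceManager:        $($cmd2.InnerText)"

# Hypothetical helper: collect every EventData/Data element into a hashtable
# keyed by its Name attribute, regardless of the document's namespace.
function Get-SysmonEventData {
    param([Parameter(Mandatory)][xml]$Event)
    $fields = @{}
    $query  = "//*[local-name()='EventData']/*[local-name()='Data']"
    foreach ($node in $Event.SelectNodes($query)) {
        $fields[$node.GetAttribute('Name')] = $node.InnerText
    }
    return $fields
}

$data = Get-SysmonEventData -Event $XML
"Image:        $($data['Image'])"
"ParentImage:  $($data['ParentImage'])"

# The Hashes field is a comma-separated list of ALG=VALUE pairs; split it so a
# single algorithm can be compared against a hash blocklist.
$hashes = @{}
foreach ($pair in $data['Hashes'] -split ',') {
    $alg, $value = $pair -split '=', 2
    $hashes[$alg] = $value
}
"SHA1:         $($hashes['SHA1'])"
```

The first query returning zero nodes is the behaviour that usually sends people looking for a namespace manager; the local-name() form trades namespace precision for convenience, which is acceptable here because Windows event XML only ever uses the one namespace.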

Michael
