locked
Require help with my script RRS feed

  • Question

  • Hi Expert,

    I encounter some issue with my script statement with the filtering. As per below my variable hash_f statement for line 4 will capture both SHA1 and PESHA1 value. example CEHF3543636AFSG  PESHA!:  CSGIBJKEAGASK42514. I tried to take away the wild card Where-Object {$_ -like '*SHA1:'}, only end out getting an error because the SHA1RAW.txt is empty.

    if($result -eq 0){$md5raw = Get-Content -Path c:\temp\result.txt |  Where-Object {$_ -like '*MD5:*'} | out-file c:\temp\MD5RAW.txt
    $Hash_f = (Get-Content -Path c:\temp\MD5RAW.txt).Trim().TrimStart("MD5: ").Trim()}
    elseif ($result -eq 1){$sha1raw = Get-Content -Path c:\temp\result.txt |  Where-Object {$_ -like '*SHA1:*'} | out-file c:\temp\SHA1RAW.txt
    $Hash_f = (Get-Content -Path c:\temp\SHA1RAW.txt).Trim().TrimStart("SHA1: ").Trim()} 
    elseif ($result -eq 2){$pesha1raw = Get-Content -Path c:\temp\result.txt |  Where-Object {$_ -like '*PESHA1:*'} | out-file c:\temp\PESHA1RAW.txt
    $Hash_f = (Get-Content -Path c:\temp\PESHA1RAW.txt).Trim().TrimStart("PESHA1: ").Trim()}
    elseif ($result -eq 3){$PESha256raw = Get-Content -Path c:\temp\result.txt |  Where-Object {$_ -like '*PESHA256:*'} | out-file c:\temp\SHA256RAW.txt
    $Hash_f = (Get-Content -Path c:\temp\SHA256RAW.txt).Trim().TrimStart("SHA256: ").Trim()}
    elseif ($result -eq 4){$Sha256raw = Get-Content -Path c:\temp\result.txt |  Where-Object {$_ -like '*SHA256:*'} | out-file c:\temp\SHA256RAW.txt
    $Hash_f = (Get-Content -Path c:\temp\SHA256RAW.txt).Trim().TrimStart("SHA256: ").Trim()}
    elseif ($result -eq 5){$impraw = Get-Content -Path c:\temp\result.txt |  Where-Object {$_ -like '*IMP:*'} | out-file c:\temp\IMPRAW.txt
    $Hash_f = (Get-Content -Path c:\temp\IMPRAW.txt).Trim().TrimStart("IMP: ").Trim()}

    Please advise how to restrict/filter the get-content with only SHA: ZXZXGXSYDUU3265GV.

    The result.txt contain the above hash function with  something like this

    C:\windows\system32\monster.exe:
     Verified: Signed
     Signing date: 1:38 PM 11/4/2016
     Publisher: Microsoft Corporation
     Company: Sysinternals - www.sysinternals.com
     Description: File version and signature viewer
     Product: Sysinternals Sigcheck
     Prod version: 2.51
     File version: 2.51
     MachineType: 32-bit
     MD5: 1ED14BA81029B42A7DDA9E2717692245
     SHA1: 1FF88F7B01F4F9F47760452AA712E7A07135C1EE
     PESHA1: 7074658E2451126B428413FC0875D79791A806FA
     PE256: CAB2DBBB2FE7EB2CC46148F6ECCB7DC1EF207D402DDB9ED559D60E3AA2CB0975
     SHA256: 745BE4CEC4365A403D4C05357DAC6EE77C297B1FF391EB125076414FBAC2017C
     IMP: 51228FBF98F4A7152E39C8E83A17099C

    Wednesday, June 1, 2016 6:40 AM

Answers

  • Very easy:

    PS D:\scripts> cat results.txt|?{$_ -match '\sSHA1:'}
      SHA1: 1FF88F7B01F4F9F47760452AA712E7A07135C1EE
    PS D:\scripts>

    You need to specify that there is a space character before the "SHA1:" string using "\s"


    \_(ツ)_/

    • Marked as answer by Noobpie Thursday, June 2, 2016 1:43 AM
    Thursday, June 2, 2016 12:31 AM

All replies

  • Get-Content does not work like that.  It only returns the contents of a file.

    What are you trying to do?


    \_(ツ)_/

    Wednesday, June 1, 2016 8:34 AM
  • Your post is hard to follow. Can you please elaborate what is to be done ?

    Do you want only the value for SHA1 and SHA256 ? 

    (Get-Content -Path c:\temp\result.txt |  Where-Object {($_ -match '^ SHA1:.*') -OR ($_ -match '^ SHA256:.*')}).TrimStart()|
    Out-File c:\temp\SHA1RAW.txt

    Wednesday, June 1, 2016 8:43 AM
  • Yes i want it to return the specific content of a file.
    Thursday, June 2, 2016 12:19 AM
  • Nope just SHA1, ignore the SHA256. Currently the SHA1 is picking up SHA1 value and PESHA1 value too.
    Thursday, June 2, 2016 12:20 AM
  • Very easy:

    PS D:\scripts> cat results.txt|?{$_ -match '\sSHA1:'}
      SHA1: 1FF88F7B01F4F9F47760452AA712E7A07135C1EE
    PS D:\scripts>

    You need to specify that there is a space character before the "SHA1:" string using "\s"


    \_(ツ)_/

    • Marked as answer by Noobpie Thursday, June 2, 2016 1:43 AM
    Thursday, June 2, 2016 12:31 AM
  • It works as intended now. 

    \s means space? 

    Thanks

    Thursday, June 2, 2016 1:45 AM
  • Sort of.  Non=printing character is closer.  It also matches a tab and other separator symbols.

    \_(ツ)_/

    Thursday, June 2, 2016 1:57 AM
  • Nope just SHA1, ignore the SHA256. Currently the SHA1 is picking up SHA1 value and PESHA1 value too.

    This would also work. Just removed the OR from my previous post.

    Get-Content -Path c:\temp\result.txt |  Where-Object {($_ -match '^ SHA1:.*')}

    Thursday, June 2, 2016 2:31 AM
  • Only if SHA is the beginning of the line which is not guaranteed. "\s| works in all cases.


    \_(ツ)_/

    Thursday, June 2, 2016 3:33 AM