Help with trimming resulting text

  • Question

  • Hello to all,

    I need help with the following task. I interact with an application server named BigFix. In my environment this server is used for patch management tasks. This server creates these custom tasks or baselines to deploy patches. From these baselines I was able to extract the partial code below by using PowerShell Select-String and a regex expression targeting the sha1 name. The regex for the sha1 is as follows: "sha1:\b[0-9a-f]{5,40}\b", and the Select-String I am using is the following: "Select-String -Path .\Customtaskfilename.txt -Pattern "sha1:\b[0-9a-f]{5,40}\b" -allmatches". As a result I get hundreds of lines of code similar to the sample below. I am interested in only two items, the sha1 value and the Windows KB file name, but I cannot find a way to prune the code to obtain only those two items. I tried targeting multiple patterns by using array regex expressions but no luck. I always land on code similar to the sample below. My ultimate goal is to match the Microsoft KB filename with its respective sha1 value. Can that be done using PowerShell?

    Any help is much appreciated, please feel free to ask for more information if my description of the problem is not as accurate as I think it is.

    Very Respectfully,

    Alex 

    Sample Code --------------------------------------------------------------------------------------------------------------------------

    ActionScript MIMEType="application/x-Fixlet-Windows-Shell"><![CDATA[prefetch Windows6.1-KB2978742-x86.msu sha1:ad7b31025c839af6b6cc2da26cca3478e069bfc2 size:424414 http://download.microsoft.com/download/C/F/8/CF82AF63-21D4-4F6D-A5D5-A41720FF1B53/Windows6.1-KB2978742-x86.msu sha256:10e9726f2d39b442406714fcf3d2854693f554e0b124cab110829b2a2027feb0
    -------------------------------------------------------------------------------------------------------------------------------------------


    Alex Alas

    Monday, January 11, 2016 10:46 PM

Answers

  • Slight update to the regex.


    Select-String 'prefetch\s+(.+)\s+sha1:([a-z\d]+)\s' .\Customtaskfilename.txt | ForEach-Object {
      New-Object PSObject -Property @{
        "KB"   = $_.Matches[0].Groups[1].Value
        "SHA1" = $_.Matches[0].Groups[2].Value
      } | Select-Object KB,SHA1
    }
    


    -- Bill Stewart [Bill_Stewart]

    • Proposed as answer by Bill_StewartModerator Wednesday, January 13, 2016 4:54 PM
    • Marked as answer by Alex_Alas Wednesday, January 13, 2016 6:05 PM
    • Unmarked as answer by Alex_Alas Wednesday, January 13, 2016 6:05 PM
    • Marked as answer by Alex_Alas Wednesday, January 13, 2016 6:10 PM
    Tuesday, January 12, 2016 8:17 PM
    Moderator
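
An added example, not code from the thread or from BigFix: it generalizes the accepted answer by anchoring on the whole `prefetch <file> sha1:… size:… <url> sha256:…` shape seen in the posted excerpts, so both the CDATA and plain forms match, malformed lines are reported instead of silently skipped, duplicate rows are collapsed, and a file name listed with two different hashes is flagged. `Get-PrefetchEntry` and `Test-PrefetchFile` are hypothetical names, and the assumption is that every prefetch line carries all five fields as in those excerpts.

```powershell
# Added example. The first three sample lines are copied from the baseline excerpts
# posted in this thread (the second one twice, to show de-duplication); the last
# line is constructed to show how a malformed entry is reported.
$sample = @'
<ActionScript MIMEType="application/x-Fixlet-Windows-Shell">prefetch usp102010-kb2881071-fullfile-x86-glb.exe sha1:0cb5acbf836a09bca5ac2dd4278e45bd37c94322 size:1634088 http://download.microsoft.com/download/9/0/C/90C4B6BE-DCDE-4808-A9FC-E85C12A40DD7/usp102010-kb2881071-fullfile-x86-glb.exe sha256:aeaa358fc1dd0382533f6b3e4648180164edbf6709e466c4038697fd4aa4aa70
<ActionScript MIMEType="application/x-Fixlet-Windows-Shell"><![CDATA[prefetch Windows6.1-KB2978742-x86.msu sha1:ad7b31025c839af6b6cc2da26cca3478e069bfc2 size:424414 http://download.microsoft.com/download/C/F/8/CF82AF63-21D4-4F6D-A5D5-A41720FF1B53/Windows6.1-KB2978742-x86.msu sha256:10e9726f2d39b442406714fcf3d2854693f554e0b124cab110829b2a2027feb0
<ActionScript MIMEType="application/x-Fixlet-Windows-Shell"><![CDATA[prefetch Windows6.1-KB2978742-x86.msu sha1:ad7b31025c839af6b6cc2da26cca3478e069bfc2 size:424414 http://download.microsoft.com/download/C/F/8/CF82AF63-21D4-4F6D-A5D5-A41720FF1B53/Windows6.1-KB2978742-x86.msu sha256:10e9726f2d39b442406714fcf3d2854693f554e0b124cab110829b2a2027feb0
prefetch example-kb0000000-x86.exe sha1:deadbeef size:1 http://example.invalid/example-kb0000000-x86.exe
'@ -split '\r?\n'

function Get-PrefetchEntry {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()]
        [string]$Line
    )
    begin {
        # Fixed-length hex groups reject truncated digests; \b before "prefetch"
        # matches after ">" as well as after "<![CDATA[".
        $rx = [regex]('(?i)\bprefetch\s+(?<File>\S+)' +
                      '\s+sha1:(?<SHA1>[0-9a-f]{40})' +
                      '\s+size:(?<Size>\d+)\s+(?<Url>\S+)' +
                      '\s+sha256:(?<SHA256>[0-9a-f]{64})\b')
    }
    process {
        $found = $rx.Matches($Line)
        if ($found.Count -eq 0 -and $Line -match '\bprefetch\s') {
            # A prefetch line that does not fit the expected shape needs a human look.
            Write-Warning "Unparsed prefetch line: $($Line.Trim())"
        }
        foreach ($m in $found) {
            $file = $m.Groups['File'].Value
            [pscustomobject]@{
                KB     = if ($file -match 'KB\d+') { $Matches[0].ToUpper() }
                File   = $file
                SHA1   = $m.Groups['SHA1'].Value.ToLower()
                SHA256 = $m.Groups['SHA256'].Value.ToLower()
                Size   = [long]$m.Groups['Size'].Value
                Url    = $m.Groups['Url'].Value
            }
        }
    }
}

function Test-PrefetchFile {
    # Compares a locally stored copy of each file with the size and SHA-256 from
    # the baseline. SHA-256 is used because SHA-1 is no longer collision resistant.
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$Entry,
        [Parameter(Mandatory)][string]$Folder
    )
    process {
        # Keep only the leaf name so a crafted entry cannot point outside $Folder.
        $path = Join-Path $Folder (Split-Path $Entry.File -Leaf)
        $status =
            if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { 'Missing' }
            elseif ((Get-Item -LiteralPath $path).Length -ne $Entry.Size) { 'SizeMismatch' }
            elseif ((Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash -ne $Entry.SHA256) { 'HashMismatch' }
            else { 'OK' }
        [pscustomobject]@{ File = $Entry.File; KB = $Entry.KB; Status = $status }
    }
}

# One row per distinct (file, hash) pair.
$entries = $sample | Get-PrefetchEntry | Sort-Object File, SHA1 -Unique

# After de-duplication, a file name that still appears twice has conflicting hashes.
$conflicts = $entries | Group-Object File | Where-Object { $_.Count -gt 1 }
if ($conflicts) { Write-Warning "Conflicting hashes for: $($conflicts.Name -join ', ')" }

$entries | Format-Table KB, File, SHA1 -AutoSize

# The temp folder stands in for a real patch repository, so both rows report 'Missing'.
$entries | Test-PrefetchFile -Folder ([IO.Path]::GetTempPath()) | Format-Table -AutoSize
```

For the real baseline export, replace `$sample` with `Get-Content .\Customtaskfilename.txt`; `Get-FileHash` needs PowerShell 4.0 or later.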

All replies

  • Please post a sample of the content of the .\Customtaskfilename.txt file.

    -- Bill Stewart [Bill_Stewart]

    Monday, January 11, 2016 11:06 PM
    Moderator
  • Bill,

    Thanks for your fast response. I work for a Government Agency and any information coming out of any server has to be sanitized before release. I also have to request permission from my boss to release the file before starting any sanitization tasks. 

    Thanks again for your help,

    V/R,

    Alex Alas 


    Alex Alas

    Tuesday, January 12, 2016 5:50 AM
  • If we can't see the input text, we can't help you write a regular expression then; sorry.

    -- Bill Stewart [Bill_Stewart]

    Tuesday, January 12, 2016 3:09 PM
    Moderator
  • Hi Alex,

    assuming you store a single resulting line in the variable $s ...

    # Get KB:
    $s | Select-String 'KB[0-9]+' | select -expand Matches | select -expand Value
    
    # Get sha1
    ($s | Select-String 'sha1:[0-9a-f]+' | select -expand Matches | select -expand Value) -replace 'sha1:',''

    Cheers,
    Fred


    There's no place like 127.0.0.1

    Tuesday, January 12, 2016 3:26 PM
  • Bill, 

    I had to request authorization to upload the file and I just did. After my supervisor's review, I was authorized to upload the file. The file's coding is big and I would like to upload it but I cannot find the option. I only see the option to insert code. Below, you can see a sample of it per your request, hopefully it is enough!

    Thanks again for your help,

    V/R,

    Alex 

    <XXX xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="XXX.xsd">
    	<Baseline>
    		<Title>MS_Updates_4_Aug_2014</Title>
    		<Description><![CDATA[&lt;enter a description of the baseline here&gt; ]]></Description>
    		<Grouppropproglang JoinByIntersection="false">
    			<SearchComponentPropertyReference PropertyName="OS" Comparison="Contains">
    				<SearchText>Win7</SearchText>
    				<propproglang>exists (operating system) whose (it as string as lowercase contains "Win7" as lowercase)</propproglang>
    			</SearchComponentPropertyReference>
    			<SearchComponentPropertyReference PropertyName="OS" Comparison="Contains">
    				<SearchText>Win2008R2</SearchText>
    				<propproglang>exists (operating system) whose (it as string as lowercase contains "Win2008R2" as lowercase)</propproglang>
    			</SearchComponentPropertyReference>
    		</Grouppropproglang>
    		<Category></Category>
    		<Source></Source>
    		<SourceID></SourceID>
    		<SourceSeverity></SourceSeverity>
    		<CVENames></CVENames>
    		<SANSID></SANSID>
    		<MIMEField>
    			<Name>x-fixlet-modification-time</Name>
    			<Value>Tue, 15 Dec 2015 22:38:21 +0000</Value>
    		</MIMEField>
    		<Domain>PTCH</Domain>
    		<BaselineComponentCollection>
    			<BaselineComponentGroup>
    				<BaselineComponent Name="MS14-036: Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution - Office 2010 SP1 / SP2 - KB2881071" IncludeInpropproglang="true" SourceSiteURL="http://sync.SubDir3.com/cgi-bin/bfgather/XXXsecurity" SourceID="1403679" ActionName="Action1">
    					<ActionScript MIMEType="application/x-Fixlet-Windows-Shell">prefetch usp102010-kb2881071-fullfile-x86-glb.exe sha1:0cb5acbf836a09bca5ac2dd4278e45bd37c94322 size:1634088 http://download.microsoft.com/download/9/0/C/90C4B6BE-DCDE-4808-A9FC-E85C12A40DD7/usp102010-kb2881071-fullfile-x86-glb.exe sha256:aeaa358fc1dd0382533f6b3e4648180164edbf6709e466c4038697fd4aa4aa70
    
    waithidden __Download\usp102010-kb2881071-fullfile-x86-glb.exe /quiet /norestart
    
    action may require restart "0cb5acbf836a09bca5ac2dd4278e45bd37c94322"
    </ActionScript>
    					<SuccessCriteria Option="Originalpropproglang"></SuccessCriteria>
    					<propproglang>((((if( name of operating system starts with "Win" ) then platform id of operating system != 3 else false) AND (if exists property "in proxy agent context" then ( not in proxy agent context ) else true )) AND ((language of version block of file "kernel32.dll" of system folder contains "English") OR (exists key "HKLM\System\CurrentControlSet\Control\Nls\MUILanguages" whose (exists value of it) of registry))) AND (not ia64 of operating system)) AND (((exists key whose ((name of it equals "00004109C10000000000000000F01FEC" OR name of it equals "00004119510000000000000000F01FEC" OR name of it equals "00004109510000000000000000F01FEC" OR name of it equals "00004109660000000000000000F01FEC" OR name of it equals "00004119310000000000000000F01FEC" OR name of it equals "00004119610000000000000000F01FEC" OR name of it equals "00004109610000000000000000F01FEC" OR name of it equals "00004119AB0000000000000000F01FEC" OR name of it equals "00004109AB0000000000000000F01FEC" OR name of it equals "00004119440000000000000000F01FEC" OR name of it equals "00004109440000000000000000F01FEC" OR name of it equals "000041191A0000000000000000F01FEC" OR name of it equals "000041091A0000000000000000F01FEC" OR name of it equals "00004119A10000000000000000F01FEC" OR name of it equals "00004109A10000000000000000F01FEC" OR name of it equals "00004119330000000000000000F01FEC" OR name of it equals "00004119810000000000000000F01FEC" OR name of it equals "00004109810000000000000000F01FEC" OR name of it equals "00004119B30000000000000000F01FEC" OR name of it equals "00004109B30000000000000000F01FEC" OR name of it equals "00004119A30000000000000000F01FEC" OR name of it equals "00004109A30000000000000000F01FEC" OR name of it equals "00004119110000000000000000F01FEC" OR name of it equals "00004119D11000000000000000F01FEC" OR name of it equals "00004109110000000000000000F01FEC" OR name of it equals "00004119410000000000000000F01FEC" OR name of it equals 
"00004119910000000000000000F01FEC" OR name of it equals "00004109910000000000000000F01FEC" OR name of it equals "00004109710000000000000000F01FEC" OR name of it equals "00004109D30000000000000000F01FEC" OR name of it equals "00004119B80000000000000000F01FEC" OR name of it equals "00004109B80000000000000000F01FEC" OR name of it equals "00004119210000000000000000F01FEC" OR name of it equals "00004109210000000000000000F01FEC" OR name of it equals "00004119750000000000000000F01FEC" OR name of it equals "00004109750000000000000000F01FEC" OR name of it equals "00004119B10000000000000000F01FEC" OR name of it equals "00004109B10000000000000000F01FEC" OR name of it equals "00004109260000000000000000F01FEC" OR name of it equals "00004109160000000000000000F01FEC" OR name of it equals "00004159FA0010400000000000F01FEC" OR name of it equals "00004159FA0020400000000000F01FEC" OR name of it equals "00004159FA0050400000000000F01FEC" OR name of it equals "00004159FA0060400000000000F01FEC" OR name of it equals "00004159FA0070400000000000F01FEC" OR name of it equals "00004159FA0080400000000000F01FEC" OR name of it equals "00004159FA0090400000000000F01FEC" OR name of it equals "00004159FA00A0C00000000000F01FEC" OR name of it equals "00004159FA0052400000000000F01FEC" OR name of it equals "00004159FA00B0400000000000F01FEC" OR name of it equals "00004159FA00C0400000000000F01FEC" OR name of it equals "00004159FA00D0400000000000F01FEC" OR name of it equals "00004159FA0093400000000000F01FEC" OR name of it equals "00004159FA00A1400000000000F01FEC" OR name of it equals "00004159FA00E0400000000000F01FEC" OR name of it equals "00004159FA0001400000000000F01FEC" OR name of it equals "00004159FA0011400000000000F01FEC" OR name of it equals "00004159FA00F3400000000000F01FEC" OR name of it equals "00004159FA0021400000000000F01FEC" OR name of it equals "00004159FA0072400000000000F01FEC" OR name of it equals "00004159FA0062400000000000F01FEC" OR name of it equals "00004159FA0041400000000000F01FEC" OR 
name of it equals "00004159FA0031400000000000F01FEC" OR name of it equals "00004159FA0051400000000000F01FEC" OR name of it equals "00004159FA0061400000000000F01FEC" OR name of it equals "00004159FA0061800000000000F01FEC" OR name of it equals "00004159FA0081400000000000F01FEC" OR name of it equals "00004159FA0091400000000000F01FEC" OR name of it equals "00004159FA00B1400000000000F01FEC" OR name of it equals "00004159FA0042400000000000F01FEC" OR name of it equals "00004159FA00A1800000000000F01FEC" OR name of it equals "00004159FA00D1400000000000F01FEC" OR name of it equals "00004159FA00E1400000000000F01FEC" OR name of it equals "00004159FA00F1400000000000F01FEC" OR name of it equals "00004159FA0022400000000000F01FEC" OR name of it equals "00004159FA0040800000000000F01FEC" OR name of it equals "00004159FA0040400000000000F01FEC") AND (exists key whose (name of it equals "InstallProperties" AND value "DisplayVersion" of it as string as version = "14.0.6029.1000") of it) AND (not exists key whose (name of it equals "0F075CB02537A3A42B2AAC65DA7A73F5") of key "Patches" of it)) of it) OR (exists key whose ((name of it equals "00004109C10000000000000000F01FEC" OR name of it equals "00004119510000000000000000F01FEC" OR name of it equals "00004109510000000000000000F01FEC" OR name of it equals "00004109660000000000000000F01FEC" OR name of it equals "00004119310000000000000000F01FEC" OR name of it equals "00004119610000000000000000F01FEC" OR name of it equals "00004109610000000000000000F01FEC" OR name of it equals "00004119AB0000000000000000F01FEC" OR name of it equals "00004109AB0000000000000000F01FEC" OR name of it equals "00004119440000000000000000F01FEC" OR name of it equals "00004109440000000000000000F01FEC" OR name of it equals "000041191A0000000000000000F01FEC" OR name of it equals "000041091A0000000000000000F01FEC" OR name of it equals "00004119A10000000000000000F01FEC" OR name of it equals "00004109A10000000000000000F01FEC" OR name of it equals 
"00004119330000000000000000F01FEC" OR name of it equals "00004119810000000000000000F01FEC" OR name of it equals "00004109810000000000000000F01FEC" OR name of it equals "00004119B30000000000000000F01FEC" OR name of it equals "00004109B30000000000000000F01FEC" OR name of it equals "00004119A30000000000000000F01FEC" OR name of it equals "00004109A30000000000000000F01FEC" OR name of it equals "00004119110000000000000000F01FEC" OR name of it equals "00004119D11000000000000000F01FEC" OR name of it equals "00004109110000000000000000F01FEC" OR name of it equals "00004119410000000000000000F01FEC" OR name of it equals "00004119910000000000000000F01FEC" OR name of it equals "00004109910000000000000000F01FEC" OR name of it equals "00004109710000000000000000F01FEC" OR name of it equals "00004109D30000000000000000F01FEC" OR name of it equals "00004119B80000000000000000F01FEC" OR name of it equals "00004109B80000000000000000F01FEC" OR name of it equals "00004119210000000000000000F01FEC" OR name of it equals "00004109210000000000000000F01FEC" OR name of it equals "00004119750000000000000000F01FEC" OR name of it equals "00004109750000000000000000F01FEC" OR name of it equals "00004119B10000000000000000F01FEC" OR name of it equals "00004109B10000000000000000F01FEC" OR name of it equals "00004109260000000000000000F01FEC" OR name of it equals "00004109160000000000000000F01FEC" OR name of it equals "00004159FA0010400000000000F01FEC" OR name of it equals "00004159FA0020400000000000F01FEC" OR name of it equals "00004159FA0050400000000000F01FEC" OR name of it equals "00004159FA0060400000000000F01FEC" OR name of it equals "00004159FA0070400000000000F01FEC" OR name of it equals "00004159FA0080400000000000F01FEC" OR name of it equals "00004159FA0090400000000000F01FEC" OR name of it equals "00004159FA00A0C00000000000F01FEC" OR name of it equals "00004159FA0052400000000000F01FEC" OR name of it equals "00004159FA00B0400000000000F01FEC" OR name of it equals "00004159FA00C0400000000000F01FEC" OR 
name of it equals "00004159FA00D0400000000000F01FEC" OR name of it equals "00004159FA0093400000000000F01FEC" OR name of it equals "00004159FA00A1400000000000F01FEC" OR name of it equals "00004159FA00E0400000000000F01FEC" OR name of it equals "00004159FA0001400000000000F01FEC" OR name of it equals "00004159FA0011400000000000F01FEC" OR name of it equals "00004159FA00F3400000000000F01FEC" OR name of it equals "00004159FA0021400000000000F01FEC" OR name of it equals "00004159FA0072400000000000F01FEC" OR name of it equals "00004159FA0062400000000000F01FEC" OR name of it equals "00004159FA0041400000000000F01FEC" OR name of it equals "00004159FA0031400000000000F01FEC" OR name of it equals "00004159FA0051400000000000F01FEC" OR name of it equals "00004159FA0061400000000000F01FEC" OR name of it equals "00004159FA0061800000000000F01FEC" OR name of it equals "00004159FA0081400000000000F01FEC" OR name of it equals "00004159FA0091400000000000F01FEC" OR name of it equals "00004159FA00B1400000000000F01FEC" OR name of it equals "00004159FA0042400000000000F01FEC" OR name of it equals "00004159FA00A1800000000000F01FEC" OR name of it equals "00004159FA00D1400000000000F01FEC" OR name of it equals "00004159FA00E1400000000000F01FEC" OR name of it equals "00004159FA00F1400000000000F01FEC" OR name of it equals "00004159FA0022400000000000F01FEC" OR name of it equals "00004159FA0040800000000000F01FEC" OR name of it equals "00004159FA0040400000000000F01FEC") AND (exists key whose (name of it equals "InstallProperties" AND value "DisplayVersion" of it as string as version = "14.0.7015.1000") of it) AND (not exists key whose (name of it equals "0F075CB02537A3A42B2AAC65DA7A73F5") of key "Patches" of it)) of it) OR (exists key whose ((name of it equals "00004119D11000000000000000F01FEC") AND (exists key whose (name of it equals "InstallProperties" AND value "DisplayVersion" of it as string as version = "14.0.4763.1000") of it) AND (not exists key whose (name of it equals 
"0F075CB02537A3A42B2AAC65DA7A73F5") of key "Patches" of it)) of it)) of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\" of native registry)</propproglang>
    				</BaselineComponent>
    				<BaselineComponent Name="MS14-043: Vulnerability in Windows Media Center Could Allow Remote Code Execution - Windows 7 SP1 - KB2978742" IncludeInpropproglang="true" SourceSiteURL="http://sync.SubDir3.com/cgi-bin/bfgather/XXXsecurity" SourceID="1404315" ActionName="Action1">
    					<ActionScript MIMEType="application/x-Fixlet-Windows-Shell"><![CDATA[prefetch Windows6.1-KB2978742-x86.msu sha1:ad7b31025c839af6b6cc2da26cca3478e069bfc2 size:424414 http://download.microsoft.com/download/C/F/8/CF82AF63-21D4-4F6D-A5D5-A41720FF1B53/Windows6.1-KB2978742-x86.msu sha256:10e9726f2d39b442406714fcf3d2854693f554e0b124cab110829b2a2027feb0
    
    // Is Windows Update service running?
    continue if {exists running service "wuauserv" OR NOT exists service "wuauserv" whose (start type of it = "disabled")}
    
    waithidden "{pathname of system folder & "\wusa.exe"}" "{pathname of client folder of current site & "\__Download\Windows6.1-KB2978742-x86.msu"}" /quiet /norestart
    
    action requires restart "ad7b31025c839af6b6cc2da26cca3478e069bfc2"  
    ]]></ActionScript>
    					<SuccessCriteria Option="Originalpropproglang"></SuccessCriteria>
    					<propproglang><![CDATA[((((((if( name of operating system starts with "Win" ) then platform id of operating system != 3 else false) AND (if exists property "in proxy agent context" then ( not in proxy agent context ) else true )) AND ((language of version block of file "kernel32.dll" of system folder contains "English") OR (exists value of key "HKLM\System\CurrentControlSet\Control\Nls\MUILanguages" of registry))) AND (not (x64 of it OR ia64 of it) of operating system)) AND (((name of it = "Win7") AND service pack major version of it = 1) of operating system)) AND ((((exists key "Microsoft-Windows-MediaCenter-Package~31bf3856ad364e35~x86~~6.1.7601.17514" of it) of item 0 of it AND (exists key "x86_microsoft-windows-ehome-mcplayer_31bf3856ad364e35_none_5f9fa2851edcb198" whose (exists key (if (exists default value of it) then default value of it as string else "6.1") whose ((it >= "6.1.7601.20000" AND it < "6.1.7601.22733" OR it >= "6.1.7601.10000" AND it < "6.1.7601.18523") of (default value of it as string as version)) of it) of it) of item 1 of it) OR ((exists key "WinEmb-MediaCenter~31bf3856ad364e35~x86~~6.1.7601.17514" of it) of item 0 of it AND (exists key "x86_microsoft-windows-ehome-mcplayer_31bf3856ad364e35_none_5f9fa2851edcb198" whose (exists key (if (exists default value of it) then default value of it as string else "6.1") whose ((it >= "6.1.7601.20000" AND it < "6.1.7601.22733" OR it >= "6.1.7601.10000" AND it < "6.1.7601.18523") of (default value of it as string as version)) of it) of it) of item 1 of it)) of (key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\" of it, key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\" of it) of native registry)) AND (not pending restart "ad7b31025c839af6b6cc2da26cca3478e069bfc2")]]></propproglang>
    				</BaselineComponent>
    				<BaselineComponent Name="MS14-044: Vulnerabilities in SQL Server Could Allow Elevation of Privilege - SQL Server 2008 SP3 - GDR Branch - KB2977321 (Superseded)" IncludeInpropproglang="true" SourceSiteURL="http://sync.SubDir3.com/cgi-bin/bfgather/XXXsecurity" SourceID="1404409" ActionName="Action1">
    					<ActionScript MIMEType="application/x-Fixlet-Windows-Shell">prefetch SQLServer2008-KB2977321-x86.exe sha1:7ab5d45dbb3ceaf9971e450bb184a4c93a6ee2c0 size:54186144 http://download.microsoft.com/download/0/9/9/0999D674-E345-4253-BD5B-8AA780D93461/SQLServer2008-KB2977321-x86.exe sha256:e923ff44d9bf0dd00fbf69a05edafec21c92ffbb3ad6f8b2fa7024f6103774ac
    
    waithidden __Download\SQLServer2008-KB2977321-x86.exe /quiet /allinstances
    
    action may require restart "7ab5d45dbb3ceaf9971e450bb184a4c93a6ee2c0"
    </ActionScript>
    					<SuccessCriteria Option="Originalpropproglang"></SuccessCriteria>
    					<propproglang><![CDATA[(((((if( name of operating system starts with "Win" ) then platform id of operating system != 3 else false) AND (if exists property "in proxy agent context" then ( not in proxy agent context ) else true )) AND (FALSE)) AND (FALSE)) AND ((exists keys whose (exists value "CurrentVersion" whose ((it = "10.00" AND it >= "10.00.5500.00") of (it as string as version)) of key "MSSQLServer\CurrentVersion" of it AND exists value "PatchLevel" whose ((it >= "10.3.5500" AND it < "10.3.5750") of (it as string as version)) of key "Setup" of it) of (keys "HKLM\SOFTWARE\Microsoft\Microsoft SQL Server" of it) of (x32 registry) AND exists ((((if exists match (regex "\((.*)\)") of it then parenthesized part 1 of first match (regex "\((.*)\)") of it else it) of (if it contains "$" then following text of first "$" of it else it)) of display name of it) of services whose (exists file (first match (case insensitive regex "[^%22]*sqlservr.exe") of (image path of it)) whose ((it = "10.00" AND it >= "10.00.5500.00") of product version of it)) , names of values of keys "HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL" of (x32 registry)) whose (item 0 of it = item 1 of it)))) AND (((exists keys ((if (exists key "CB0A4B1FD09164E4F8AFF92D2B6016A1" of it) then (names of values of key "CB0A4B1FD09164E4F8AFF92D2B6016A1" of it) else ("NOT EXISTS UPGRADE CODE")) of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes" of native registry) whose((exists key whose (name of it equals "InstallProperties" AND value "DisplayVersion" of it as string as version = "10.3.5500.0") of it) AND (not exists key whose (name of it equals "2F55EDF4AF0CB5A4A87D6D1EEE5E1307") of key "Patches" of it)) of it) OR (exists keys ((if (exists key "E7847B7DBF1CD9F4582A5A2687465E5A" of it) then (names of values of key "E7847B7DBF1CD9F4582A5A2687465E5A" of it) else ("NOT EXISTS UPGRADE CODE")) of key 
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes" of native registry) whose((exists key whose (name of it equals "InstallProperties" AND value "DisplayVersion" of it as string as version = "10.3.5500.0") of it) AND (not exists key whose (name of it equals "FE9915D216F6AC446AD0BCBA0881081F") of key "Patches" of it)) of it) OR (exists keys ((if (exists key "EDB1B27BD143E544798F7EDE86A27775" of it) then (names of values of key "EDB1B27BD143E544798F7EDE86A27775" of it) else ("NOT EXISTS UPGRADE CODE")) of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes" of native registry) whose((exists key whose (name of it equals "InstallProperties" AND value "DisplayVersion" of it as string as version = "10.3.5500.0") of it) AND (not exists key whose (name of it equals "A0CBBA38AC2C44D4F8DC383A2CB64E3A") of key "Patches" of it)) of it) OR (exists keys ((if (exists key "B93AA99BB7DD2E846BF811B2D4CE5612" of it) then (names of values of key "B93AA99BB7DD2E846BF811B2D4CE5612" of it) else ("NOT EXISTS UPGRADE CODE")) of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes" of native registry) whose((exists key whose (name of it equals "InstallProperties" AND value "DisplayVersion" of it as string as version = "10.3.5500.0") of it) AND (not exists key whose (name of it equals "AA0129F9E70E4294EB079433CDF3DBEF") of key "Patches" of it)) of it) OR (exists keys ((if (exists key "3DB169F1061974943848504B95590099" of it) then (names of values of key "3DB169F1061974943848504B95590099" of it) else ("NOT EXISTS UPGRADE CODE")) of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes" of native registry) whose((exists key whose (name of it equals "InstallProperties" AND value "DisplayVersion" of it as string as version = "10.3.5500.0") of it) AND (not exists key whose (name of it equals "178FA9416741C3E4B931E4B9D79055A6") of key "Patches" of it)) of 
it) OR (exists keys ((if (exists key "6A544821D420A3543B3F0CE975896BAB" of it) then (names of values of key "6A544821D420A3543B3F0CE975896BAB" of it) else ("NOT EXISTS UPGRADE CODE")) of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes" of native registry) whose((exists key whose (name of it equals "InstallProperties" AND value "DisplayVersion" of it as string as version = "10.3.5500.0") of it) AND (not exists key whose (name of it equals "3468AF59185FA8F44A02D40AA23EE871") of key "Patches" of it)) of it)) of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\" of native registry)]]></propproglang>
    				</BaselineComponent>
    				<BaselineComponent Name="MS14-045: Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation of Privilege - Windows 7 SP1 - KB2976897" IncludeInpropproglang="true" SourceSiteURL="http://sync.SubDir3.com/cgi-bin/bfgather/XXXsecurity" SourceID="1404517" ActionName="Action1">
    					<ActionScript MIMEType="application/x-Fixlet-Windows-Shell"><![CDATA[prefetch Windows6.1-KB2976897-x86.msu sha1:37eeb8238999cc31e715a0c9f46db3ca14136cbc size:664591 http://download.microsoft.com/download/5/9/4/594B9DD1-17F5-4D66-A708-B47E9BEB5D17/Windows6.1-KB2976897-x86.msu sha256:742c06b6371448f90171a4a8e66a8f75f6581700b2dbfc4359b3828ae9ab000b
    
    // Is Windows Update service running?
    continue if {exists running service "wuauserv" OR NOT exists service "wuauserv" whose (start type of it = "disabled")}
    
    waithidden "{pathname of system folder & "\wusa.exe"}" "{pathname of client folder of current site & "\__Download\Windows6.1-KB2976897-x86.msu"}" /quiet /norestart
    
    action requires restart "37eeb8238999cc31e715a0c9f46db3ca14136cbc"  


    Alex Alas


    • Edited by Alex_Alas Tuesday, January 12, 2016 5:20 PM
    Tuesday, January 12, 2016 5:18 PM
  • Each segment is delimited by ().  The KB - not a fixed pattern as KBs go.

    -match '(KB.*-.*)\S'

    -match 'sha1:(.*)\s'


    \_(ツ)_/

    Tuesday, January 12, 2016 5:26 PM
  • Fred,

    Thanks for your response, your suggestion worked great for the sha1 value but the kb is incomplete. It only retrieves the kb[number] and I need the whole name like "Windows6.1-KB2993651-x86.msu". I need a regular expression that can target not only the previous format "Windows6.1..." but also Office updates which have a different format name "usp102010-kb2881071-fullfille-x86-glb.exe". I did a Google search and a posting in "http://stackoverflow.com/questions/19516447/regex-to-match-kb-file-names" came back with this expression "(?!)^.+-kb[0-9]{6,}-(?:v[0-9]+-)?x[0-9]+\.exe", I tried to improve it by adding (e|m)(x|s)(e|u) at the end to cover both types of kb but it didn't work. I've always been intimidated by regular expressions and here I am... struggling!!!

    Thanks again for your response,

    V/R,

    Alex 


    Alex Alas

    Tuesday, January 12, 2016 5:41 PM
  • Extend and conquer:

    -match 'prefetch (.*KB.*-.*)\S'


    \_(ツ)_/

    Tuesday, January 12, 2016 5:56 PM
  • Hello Jrv,

    Thanks for your response. Unfortunately, and I apologize for asking, I don't quite understand your response. Are you suggesting using -match with Select-String?

    Thanks again,

    Alex 


    Alex Alas

    Tuesday, January 12, 2016 6:24 PM
  • Something like this?


    Get-Content .\Customtaskfilename.txt | Select-String '\[prefetch\s+(.+)\s+sha1:([a-z\d]+)\s' | ForEach-Object {
      New-Object PSObject -Property @{
        "KB"   = $_.Matches[0].Groups[1].Value
        "SHA1" = $_.Matches[0].Groups[2].Value
      } | Select-Object KB,SHA1
    }
    


    -- Bill Stewart [Bill_Stewart]



    Tuesday, January 12, 2016 6:26 PM
    Moderator
  • Bill,

    Thanks for your response. I ran your statement and it works great but it only picks *.msu files, it doesn't find the other kind of Microsoft KBs, like the Office KB filenames (usp102010-kb2881071-fullfille-x86-glb.exe) as I mentioned in a previous posting. I also have a question and this is for informative purposes because I want to learn. When you are doing the Select-String, I can see you have "[" but I don't see where it gets closed "]". If I try to run only the first part of your statement (Get-Content .\Customtaskfilename.txt | Select-String '\[prefetch\s+(.+)\s+sha1:([a-z\d]+)\s'), I get an error message, see below, but if I run the whole thing, it doesn't error out. I am puzzled. Thanks again!

    Alex 

    At line:1 char:xx

    +Get-Content .\customtaskfilename.txt | Select-String '\[pref ...

    +

    An empty pipe element is not allow!!!


    Alex Alas







    • Edited by Alex_Alas Tuesday, January 12, 2016 7:33 PM
    Tuesday, January 12, 2016 7:22 PM
  • Try the updated copy of my post.

    Also, \[ means "literal [ character."


    -- Bill Stewart [Bill_Stewart]

    Tuesday, January 12, 2016 7:24 PM
    Moderator
  • To simplify the command:


    Select-String '\[prefetch\s+(.+)\s+sha1:([a-z\d]+)\s' .\Customtaskfilename.txt | ForEach-Object {
      New-Object PSObject -Property @{
        "KB"   = $_.Matches[0].Groups[1].Value
        "SHA1" = $_.Matches[0].Groups[2].Value
      } | Select-Object KB,SHA1
    }
    


    -- Bill Stewart [Bill_Stewart]

    Tuesday, January 12, 2016 7:29 PM
    Moderator
  • Bill,

    Thanks for the clarifications. I ran your updated command but got the same issue. The statement only picks *.msu files, the other kinds of KB files are not selected. Maybe I need to upload more lines of code where the other kind of files are more frequent. Please let me know if that would help. Below is the output of the search query.

    
    KB                                                          SHA1
    --                                                          ----
    Windows6.1-KB2978742-x86.msu                                ad7b31025c839af6b6cc2da26cca3478e069bfc2
    Windows6.1-KB2976897-x86.msu                                37eeb8238999cc31e715a0c9f46db3ca14136cbc
    Windows6.1-KB2993651-x86.msu                                a3d4402e414cd9ee28244c8ffbed52bf8d10f40d
    Windows6.1-KB2937610-x86.msu                                d90a5d24f180953737b45d7883b16347b00874d0
    Windows6.1-KB2943357-x86.msu                                b4b1831a98ce4bf16dda9e2432cf2eb1fe598cb7
    Windows6.1-KB2978668-x86.msu                                48ea83e2df8ae6a25d75703a1f76db75c0617444
    Windows6.1-KB2918614-x86.msu                                1a06de2eb02190cc04be92c84be3f48a588fe6b1
    IE9-Windows6.1-KB2991509-x86.msu                            288d4c6d8aa411350755a323278a4577857480eb
    Windows6.1-KB2976897-x64.msu                                e73561cff97025c928b17b03aec67c2563e96c1b
    Windows6.1-KB2976897-x64.msu                                e73561cff97025c928b17b03aec67c2563e96c1b
    Windows6.1-KB2993651-x64.msu                                90920bd453d94aeccc958e709474c4d8c8d3b788
    Windows6.1-KB2993651-x64.msu                                90920bd453d94aeccc958e709474c4d8c8d3b788
    Windows6.1-KB2937610-x64.msu                                4eadbbde029e5d21eb46aaada7b2bd012f211f6f
    Windows6.1-KB2937610-x64.msu                                4eadbbde029e5d21eb46aaada7b2bd012f211f6f
    Windows6.1-KB2943357-x64.msu                                035199134a0e40f5eb6bf83b2781850db5c84d81
    Windows6.1-KB2978668-x64.msu                                2018ca655d4e8930a1b73b7d2bfd492228c58170
    Windows6.1-KB2978668-x64.msu                                2018ca655d4e8930a1b73b7d2bfd492228c58170
    Windows6.1-KB2918614-x64.msu                                8a78582d33bcd8e6776096b2685d779cc6363b34
    Windows6.1-KB2918614-x64.msu                                8a78582d33bcd8e6776096b2685d779cc6363b34
    IE11-Windows6.1-KB2991509-x86.msu                           83b338f6c348dc0f3d7625551daa263ca75bed77
    Windows6.1-KB2967567-x86.msu                                365bd9e537100bfc4fef509ca56fa2cd3737ca21
    Windows6.1-KB2967567-x64.msu                                c6e941c5195185d8aa20818bd85a19123b760e6f
    Windows6.1-KB2966583-x86.msu                                96a855f7ec1bbc6884b185f56578f4a2f0836cfe
    Windows6.1-KB2965351-x86.msu                                793b8979895c04e4bf1dd8b842e5b4cd831ffdaa
    Windows6.1-KB2965351-x64.msu                                876fadbbfd1dba8685dd2e893b11c00dd5d739ee


    Alex Alas




    • Edited by Alex_Alas Tuesday, January 12, 2016 8:01 PM
    Tuesday, January 12, 2016 7:55 PM
  • Bill 

    <ActionScript MIMEType="application/x-Fixlet-Windows-Shell">prefetch gfonts2010-kb2589386-fullfile-x86-glb.exe sha1:72070109cc2724035612c1a857684e889467483c size:1684272 http://download.microsoft.com/download/8/B/0/8B04E37D-B53E-4936-9C29-6F92F8EBC162/gfonts2010-kb2589386-fullfile-x86-glb.exe sha256:85514e7a91d8bd509978b454d5deb2b6b0e4f11da8ddea68ab97eaebb017392e
    
    waithidden __Download\gfonts2010-kb2589386-fullfile-x86-glb.exe /quiet /norestart
    
    action may require restart "72070109cc2724035612c1a857684e889467483c"
    </ActionScript>
    					<SuccessCriteria Option="OriginalRelevance"></SuccessCriteria>
    					<Relevance>((((if( name of operating system starts with "Win" ) then platform id of operating system != 3 else false) AND (if exists property "in proxy agent context" then ( not in proxy agent context ) else true )) AND ((language of version block of file "kernel32.dll" of system folder contains "English") OR (exists key "HKLM\System\CurrentControlSet\Control\Nls\MUILanguages" whose (exists value of it) of registry))) AND (not ia64 of operating system)) AND (((exists key whose ((name of it equals "00004109660000000000000000F01FEC" OR name of it equals "00004119310000000000000000F01FEC" OR name of it equals "00004119330000000000000000F01FEC" OR name of it equals "00004119810000000000000000F01FEC" OR name of it equals "00004109810000000000000000F01FEC" OR name of it equals "00004119110000000000000000F01FEC" OR name of it equals "00004119D11000000000000000F01FEC" OR name of it equals "00004109110000000000000000F01FEC" OR name of it equals "00004119410000000000000000F01FEC" OR name of it equals "00004119910000000000000000F01FEC" OR name of it equals "00004109910000000000000000F01FEC" OR name of it equals "00004109D30000000000000000F01FEC" OR name of it equals "00004119B80000000000000000F01FEC" OR name of it equals "00004109B80000000000000000F01FEC" OR name of it equals "00004119210000000000000000F01FEC" OR name of it equals "00004109210000000000000000F01FEC" OR name of it equals "00004119B10000000000000000F01FEC" OR name of it equals "00004109B10000000000000000F01FEC" OR name of it equals "00004109260000000000000000F01FEC" OR name of it equals "00004109160000000000000000F01FEC") AND (exists key whose (name of it equals "InstallProperties" AND value "DisplayVersion" of it as string as version = "14.0.7015.1000") of it) AND (not exists key whose (name of it equals "06D19F4AC4562984FB3DD014DA6A946B") of key "Patches" of it)) of it)) of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\" of native 
registry)</Relevance>
    				</BaselineComponent>
    				<BaselineComponent Name="2687275: Update for Office 2010 - KB2687275 - Office 2010" IncludeInRelevance="true" SourceSiteURL="http://sync.bigfix.com/cgi-bin/bfgather/bessecurity" SourceID="268727501" ActionName="Action1">
    					<ActionScript MIMEType="application/x-Fixlet-Windows-Shell">prefetch graph2010-kb2687275-fullfile-x86-glb.exe sha1:02d7a777efde631fddc46b12737a462acb729f16 size:3087432 http://download.microsoft.com/download/2/1/D/21DD717E-51AD-45B1-8ACC-4D171AC32A4A/graph2010-kb2687275-fullfile-x86-glb.exe sha256:a274d6a2e8f2eba2ba4ba6cd36dfd2fe688898948630afb861218feb0d4f4f7e
    
    waithidden __Download\graph2010-kb2687275-fullfile-x86-glb.exe /quiet /norestart
    
    action may require restart "02d7a777efde631fddc46b12737a462acb729f16"
    </ActionScript>
    					<SuccessCriteria Option="OriginalRelevance"></SuccessCriteria>
    					<Relevance><![CDATA[(((((if( name of operating system starts with "Win" ) then platform id of operating system != 3 else false) AND (if exists property "in proxy agent context" then ( not in proxy agent context ) else true )) AND ((language of version block of file "kernel32.dll" of system folder contains "English") OR (exists key "HKLM\System\CurrentControlSet\Control\Nls\MUILanguages" whose (exists value of it) of registry))) AND (not ia64 of operating system)) AND ((exists file "GRAPH.EXE" whose ((version of it < "14.0.7135.5000")) of it) of (folder (value "ProgramFilesDir" of key "HKLM\Software\Microsoft\Windows\CurrentVersion" of registry as string & "\Microsoft Office\Office14")))) AND (((exists key whose ((name of it equals "00004109C10000000000000000F01FEC" OR name of it equals "00004119510000000000000000F01FEC" OR name of it equals "00004109510000000000000000F01FEC" OR name of it equals "00004109660000000000000000F01FEC" OR name of it equals "00004119310000000000000000F01FEC" OR name of it equals "00004119610000000000000000F01FEC" OR name of it equals "00004109610000000000000000F01FEC" OR name of it equals "00004119330000000000000000F01FEC" OR name of it equals "00004119810000000000000000F01FEC" OR name of it equals "00004109810000000000000000F01FEC" OR name of it equals "00004119110000000000000000F01FEC" OR name of it equals "00004119D11000000000000000F01FEC" OR name of it equals "00004109110000000000000000F01FEC" OR name of it equals "00004119410000000000000000F01FEC" OR name of it equals "00004109D30000000000000000F01FEC" OR name of it equals "00004119B80000000000000000F01FEC" OR name of it equals "00004109B80000000000000000F01FEC" OR name of it equals "00004119210000000000000000F01FEC" OR name of it equals "00004109210000000000000000F01FEC" OR name of it equals "00004119B10000000000000000F01FEC" OR name of it equals "00004109B10000000000000000F01FEC" OR name of it equals "00004109260000000000000000F01FEC" OR name of it equals 
"00004109160000000000000000F01FEC") AND (exists key whose (name of it equals "InstallProperties" AND value "DisplayVersion" of it as string as version = "14.0.7015.1000") of it) AND (not exists key whose (name of it equals "2D4477B0DDF134849978C71EB1973F07") of key "Patches" of it)) of it)) of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\" of native registry)]]></Relevance>
    				</BaselineComponent>
    				<BaselineComponent Name="2553140: Update for Office 2010 - KB2553140 - Office 2010" IncludeInRelevance="true" SourceSiteURL="http://sync.bigfix.com/cgi-bin/bfgather/bessecurity" SourceID="255314001" ActionName="Action1">
    					<ActionScript MIMEType="application/x-Fixlet-Windows-Shell">prefetch mstore2010-kb2553140-fullfile-x86-glb.exe sha1:9ec14de3af7224297dd398b33bfd70a28fa7ceee size:3036432 http://download.microsoft.com/download/A/F/1/AF1033B5-1643-46BB-815A-67292A28A016/mstore2010-kb2553140-fullfile-x86-glb.exe sha256:3370560d43e6241b042882db32de6439c82b5c13c6176e16a950318823f96bdb
    
    waithidden __Download\mstore2010-kb2553140-fullfile-x86-glb.exe /quiet /norestart
    
    action may require restart "9ec14de3af7224297dd398b33bfd70a28fa7ceee"

    Another sample of the source text is shown below


    Alex Alas

    Tuesday, January 12, 2016 8:04 PM
  • Slight update to the regex.


    # Group 1 captures the prefetch file name, group 2 the SHA-1 value that follows it.
    Select-String 'prefetch\s+(.+)\s+sha1:([a-z\d]+)\s' .\Customtaskfilename.txt | ForEach-Object {
      New-Object PSObject -Property @{
        "KB"   = $_.Matches[0].Groups[1].Value
        "SHA1" = $_.Matches[0].Groups[2].Value
      } | Select-Object KB,SHA1
    }
    


    -- Bill Stewart [Bill_Stewart]

    • Proposed as answer by Bill_Stewart (Moderator) Wednesday, January 13, 2016 4:54 PM
    • Marked as answer by Alex_Alas Wednesday, January 13, 2016 6:05 PM
    • Unmarked as answer by Alex_Alas Wednesday, January 13, 2016 6:05 PM
    • Marked as answer by Alex_Alas Wednesday, January 13, 2016 6:10 PM
    Tuesday, January 12, 2016 8:17 PM
    Moderator

  • Thanks to all of you for the contributions and help, especially Bill. This is exactly what I needed. Now my boss is asking me if there is a way to do a rename task from sha1 to KB filename. I'll try it on my own, but if I struggle, I'll be back.

    Thanks again!

    V/R,

    Alex 


    Alex Alas


    • Edited by Alex_Alas Wednesday, January 13, 2016 6:12 PM
    Wednesday, January 13, 2016 6:10 PM
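
The extraction and the rename task discussed in this thread, as an added example that is not code from any participant: it parses the prefetch lines (both .msu and .exe names) and renames a downloaded file only after its hash and size match what the line declares. The function names, the `C:\Temp\sha1cache` folder and the layout in which each file is stored under its SHA-1 value are assumptions; `Get-FileHash` requires PowerShell 4.0 or later.

```powershell
# Added example; $CacheDir and files named by their SHA-1 value are assumptions.
function Get-PrefetchEntry {
    param([Parameter(Mandatory)][string[]]$Line)
    # \S+ holds each field to one token, so .msu and .exe names both match.
    $rx = 'prefetch\s+(?<kb>\S+)\s+sha1:(?<sha1>[0-9a-f]{40})\s+size:(?<size>\d+)' +
          '\s+\S+(?:\s+sha256:(?<sha256>[0-9a-f]{64}))?'
    foreach ($l in $Line) {
        $m = [regex]::Match($l, $rx, 'IgnoreCase')
        if (-not $m.Success) { continue }
        [pscustomobject]@{
            KB     = $m.Groups['kb'].Value
            SHA1   = $m.Groups['sha1'].Value.ToLower()
            Size   = [int64]$m.Groups['size'].Value
            SHA256 = $m.Groups['sha256'].Value.ToLower()
        }
    }
}

function Rename-CachedDownload {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][object[]]$Entry,
          [Parameter(Mandatory)][string]$CacheDir)
    # The same prefetch line can appear in several components; keep one per hash.
    foreach ($e in ($Entry | Sort-Object SHA1 -Unique)) {
        $src = Join-Path $CacheDir $e.SHA1
        if (-not (Test-Path -LiteralPath $src -PathType Leaf)) { continue }
        # The target name comes from parsed text: refuse anything with a path part.
        if ($e.KB -ne [IO.Path]::GetFileName($e.KB)) {
            Write-Warning "Skipping unsafe name: $($e.KB)"; continue
        }
        # Prefer SHA-256 when the line carries it; SHA-1 alone is a weak check.
        $alg  = if ($e.SHA256) { 'SHA256' } else { 'SHA1' }
        $want = if ($e.SHA256) { $e.SHA256 } else { $e.SHA1 }
        $got  = (Get-FileHash -LiteralPath $src -Algorithm $alg).Hash
        if ($got -ne $want -or (Get-Item -LiteralPath $src).Length -ne $e.Size) {
            Write-Warning "Hash or size mismatch, left as is: $src"; continue
        }
        if ($PSCmdlet.ShouldProcess($src, "Rename to $($e.KB)")) {
            Rename-Item -LiteralPath $src -NewName $e.KB
        }
    }
}

# Two prefetch lines copied from this thread (one .msu, one .exe).
$lines = @(
    'prefetch Windows6.1-KB2978742-x86.msu sha1:ad7b31025c839af6b6cc2da26cca3478e069bfc2 size:424414 http://download.microsoft.com/download/C/F/8/CF82AF63-21D4-4F6D-A5D5-A41720FF1B53/Windows6.1-KB2978742-x86.msu sha256:10e9726f2d39b442406714fcf3d2854693f554e0b124cab110829b2a2027feb0',
    '<ActionScript MIMEType="application/x-Fixlet-Windows-Shell">prefetch gfonts2010-kb2589386-fullfile-x86-glb.exe sha1:72070109cc2724035612c1a857684e889467483c size:1684272 http://download.microsoft.com/download/8/B/0/8B04E37D-B53E-4936-9C29-6F92F8EBC162/gfonts2010-kb2589386-fullfile-x86-glb.exe sha256:85514e7a91d8bd509978b454d5deb2b6b0e4f11da8ddea68ab97eaebb017392e'
)
$entries = Get-PrefetchEntry -Line $lines
$entries | Format-Table KB, SHA1
Rename-CachedDownload -Entry $entries -CacheDir 'C:\Temp\sha1cache' -WhatIf
```

With `-WhatIf` the function only reports the renames it would perform; drop the switch once the reported pairs look right.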