I am looking for someone who can do PowerShell scripting.
I need a script created that analyses the Windows Security Event Log for Event ID 4688 (Process Creation). From that event I need to extract the "New Process Name" field, which could be, for example, C:\Windows\System32\mmc.exe.
I then need just the process name, e.g. [url removed, login to view], filtered out, and then a list of all the processes from the Event ID 4688 events exported into a semicolon-separated list, e.g. [url removed, login to view];[url removed, login to view];[url removed, login to view];[url removed, login to view];msiexec.exe.
An example Event ID 4688 is shown below:
A new process has been created.
Security ID: AD\administrator
Account Name: administrator
Account Domain: AD
Logon ID: 0x34DE81
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
New Process ID: 0xbac
New Process Name: C:\Windows\System32\[url removed, login to view]
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\High Mandatory Level
Creator Process ID: 0x118c
Creator Process Name: C:\Windows\[url removed, login to view]
Process Command Line:
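The following is an added PowerShell example of the script described above; it is not the poster's code. It assumes an elevated session with Process Creation auditing enabled for the live path, treats the list as de-duplicated (the request does not say either way), and the three 4688 message bodies at the bottom are constructed so the parsing can be checked offline.

```powershell
# Added example, not the poster's script. Assumptions: elevated session, 4688
# auditing enabled, output de-duplicated; sample messages below are constructed.

function Get-ProcessNameFromMessage {
    param([Parameter(Mandatory)][string]$Message)
    # Pull the full path out of the "New Process Name:" line of a 4688 message body
    if ($Message -match 'New Process Name:\s*(?<path>.+?)\s*(\r?\n|$)') {
        # Keep only the leaf, e.g. C:\Windows\System32\mmc.exe -> mmc.exe
        return [System.IO.Path]::GetFileName($Matches['path'].Trim())
    }
    return $null
}

function ConvertTo-SemicolonList {
    param([string[]]$Names)
    # Drop blanks, de-duplicate case-insensitively, keep first-seen order
    $seen = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    $out = foreach ($n in $Names) { if ($n -and $seen.Add($n)) { $n } }
    return ($out -join ';')
}

# Live path: read 4688 events from the Security log (needs an elevated prompt)
function Get-CreatedProcessList {
    param([int]$MaxEvents = 5000)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents -ErrorAction Stop
    $names = foreach ($e in $events) {
        # Read NewProcessName from the event XML rather than the localized message text
        $data = ([xml]$e.ToXml()).Event.EventData.Data
        $path = ($data | Where-Object { $_.Name -eq 'NewProcessName' }).'#text'
        if ($path) { [System.IO.Path]::GetFileName($path) }
    }
    ConvertTo-SemicolonList -Names $names
}

# Offline demonstration on constructed 4688 message bodies
$sampleMessages = @(
    "A new process has been created.`r`nNew Process Name: C:\Windows\System32\mmc.exe`r`nToken Elevation Type: %%1936",
    "A new process has been created.`r`nNew Process Name: C:\Windows\System32\msiexec.exe`r`nToken Elevation Type: %%1938",
    "A new process has been created.`r`nNew Process Name: C:\Windows\System32\MMC.EXE`r`nToken Elevation Type: %%1936"
)
$leafNames = $sampleMessages | ForEach-Object { Get-ProcessNameFromMessage -Message $_ }
ConvertTo-SemicolonList -Names $leafNames
```

To write the live result to a file, pipe `Get-CreatedProcessList` into `Set-Content -Path processes.txt`.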