When I run the following PowerShell query:
get-eventlog -logname application | select EventID, TimeGenerated, Message | where {$_.EventID -eq 5051} | ConvertTo-Html | out-file C:\McAfee.html
I get the following output. BUT! I would like to take this a step further and, rather than see the message in full, I would just like to see all text after 'HarddiskVolume' but not after ' by'. Basically, extracting the path and filename of the object being scanned.
EventID TimeGenerated Message
5051 16/02/2014 23:26:36 A thread in process C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\mcshield.exe took longer than 30000 ms to complete a request. The process will be terminated. Thread id : 8552 (0x2168) Thread address : 0x0000000077EF0D1A Thread message : Build VSCORE.14.1.0.524 / 5400.1158 Object being scanned = \Device\HarddiskVolume1\WINDOWS\system32\PSAPI.DLLby C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\mfeann.exe 17018(110)(0) 17017(0)(1) 7007(0)(0) 5006(0)(0) 5004(0)(0) 5003(0)(0) 5002(0)(1) 15002(0)(0)
5051 02/02/2014 19:18:08 A thread in process C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\mcshield.exe took longer than 30000 ms to complete a request. The process will be terminated. Thread id : 7936 (0x1f00) Thread address : 0x0000000077EF0A2A Thread message : Build VSCORE.14.1.0.524 / 5400.1158 Object being scanned = \Device\HarddiskVolume1\Documents and Settings\All Users\Application Data\McAfee\Common Framework\AgentEvents\2014020219173893600000918.txmlby C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe 4(0)(0) 4(0)(0) 7200(0)(0) 7595(0)(0) 7005(0)(0) 7004(0)(0) 5006(0)(0) 5004(0)(0)
So in this example I would just see the following output:
\WINDOWS\system32\PSAPI.DLL
\Documents and Settings\All Users\Application Data\McAfee\Common Framework\AgentEvents\2014020219173893600000918.txml
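One way to pull just the scanned path out of each event 5051 message, as an added example that is not part of the original post. It assumes the message layout shown above (the path follows "HarddiskVolumeN" and is terminated by "by <drive>:\", with or without a space before "by"); the function name Get-ScannedObjectPath and the sample messages are constructed for this example.

```powershell
# Extract the scanned-object path from a McAfee VirusScan event 5051 message.
# Example code added here; not taken from the original post.
function Get-ScannedObjectPath {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Message
    )
    process {
        # Lazy match up to the "by <drive>:\" that introduces the scanning
        # process, so a folder literally named "by" inside the path does not
        # cut the match short. \s* allows "PSAPI.DLLby" (no space) as in the log.
        $pattern = 'HarddiskVolume\d+(?<Path>.*?)\s*by\s+[A-Za-z]:\\'
        $m = [regex]::Match($Message, $pattern)
        if ($m.Success) {
            $m.Groups['Path'].Value
        }
        # Messages without the expected layout produce no output rather than
        # a mangled string.
    }
}

# Constructed sample messages mirroring the two events in the question.
$sampleMessages = @(
    'Object being scanned = \Device\HarddiskVolume1\WINDOWS\system32\PSAPI.DLLby C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\mfeann.exe 17018(110)(0)',
    'Object being scanned = \Device\HarddiskVolume1\Documents and Settings\All Users\Application Data\McAfee\Common Framework\AgentEvents\2014020219173893600000918.txmlby C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe 4(0)(0)'
)
$sampleMessages | Get-ScannedObjectPath

# Live use against the Application log (Get-EventLog exists in Windows
# PowerShell 5.1; it was removed from PowerShell 6+, where Get-WinEvent is
# the replacement). Same filter as in the question, emitting only the path.
Get-EventLog -LogName Application |
    Where-Object { $_.EventID -eq 5051 } |
    ForEach-Object {
        [pscustomobject]@{
            TimeGenerated = $_.TimeGenerated
            ScannedObject = Get-ScannedObjectPath -Message $_.Message
        }
    } |
    ConvertTo-Html |
    Out-File C:\McAfee.html
```

Run on the two sample messages, the function yields exactly the two paths listed in the question, one per line.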