I cannot find a way to pull out the "faulting process ID" from the application log using PowerShell or WMI. The following returns the error, but for some further code, I need the actual PID, not the application name. Can this be done?
Get-EventLog application 1000 -entrytype error -newest 5 | Select-Object timegenerated,message,@{name='Executable';expression={$_.ReplacementStrings[0]}}
This should give you a start with RegEx (named capture group):
# Same query as in the question, kept in $log for further processing
$log = Get-EventLog application 1000 -entrytype error -newest 5 |
    Select-Object timegenerated,message,@{name='Executable';expression={$_.ReplacementStrings[0]}}
$log | %{
    # The named group PID captures the hex value that follows "Faulting process id:"
    if ($_.message -match '(?smi)Faulting process id: (?<PID>0x[0-9a-f]+)'){
        $_.Executable,$matches.PID
    }
}
I'd put that into a table / noteproperty; for me it's too late today.
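The table output the answer leaves open, as an added example that is not part of either post: the function name `Get-FaultingProcessInfo` and the `PidHex`/`PidDecimal` properties are hypothetical, and the sample record is constructed so the block runs without access to an event log. It assumes English message text.

```powershell
function Get-FaultingProcessInfo {
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string]$Message,

        [Parameter(ValueFromPipelineByPropertyName)]
        [Alias('TimeCreated')]   # lets Get-WinEvent records bind as well
        [datetime]$TimeGenerated
    )
    process {
        # Assumption: English message text (event descriptions are localized).
        if ($Message -match '(?im)^Faulting process id:\s*(?<ProcId>0x[0-9a-f]+)') {
            $hexPid = $Matches.ProcId
            $app = if ($Message -match '(?im)^Faulting application name:\s*(?<App>[^,\r\n]+)') {
                $Matches.App.Trim()
            }
            # One object per event, with the PID both as logged and as a number
            [pscustomobject]@{
                TimeGenerated = $TimeGenerated
                Executable    = $app
                PidHex        = $hexPid
                PidDecimal    = [Convert]::ToInt32($hexPid, 16)
            }
        }
    }
}

# Constructed sample record shaped like an event 1000 entry (not real data)
$sample = [pscustomobject]@{
    TimeGenerated = [datetime]'2024-01-15T10:32:07'
    Message       = @'
Faulting application name: example.exe, version: 1.0.0.0, time stamp: 0x5f000000
Faulting module name: example.dll, version: 1.0.0.0, time stamp: 0x5f000001
Exception code: 0xc0000005
Fault offset: 0x0000000000001234
Faulting process id: 0x1a2c
Faulting application start time: 0x01da000000000000
Faulting application path: C:\Example\example.exe
'@
}
$sample | Get-FaultingProcessInfo | Format-Table -AutoSize

# Against the live log, using the query from the thread:
# Get-EventLog application 1000 -EntryType Error -Newest 5 | Get-FaultingProcessInfo
```

The PID belongs to a process that has already crashed, and Windows reuses PIDs, so use it to correlate with other logs around `TimeGenerated` rather than to look up a running process.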