RomanWuert
Copper Contributor
May 25, 2023

New-WinEvent eventPayload String parameters must not exceed 8

Hi

So I want to create some custom ETW events with PowerShell for testing purposes.

I am using the cmdlet New-WinEvent and it's working fine, except when I want to create events that have more than 8 string values. When I try, I get the following error:


New-WinEvent : The number of String parameters must not exceed 8.
Parameter name: eventPayload

Is there a reason to limit the number of string parameters?

If I replace some of the parameters with numbers, it works, except the numbers are parsed as empty fields, and I want to simulate a complete event.


Error:

$Payload = @('Test1 RuleName', 'Test2 UtcTime', [System.Guid]'e0a70393-abfc-493d-baf8-495ccdd3a138', [UInt32]69420, 'Test3 Image', 'Test4 FileVersion', 'Test5 Description', 'Test6 Product', 'Test7 Company', 'Test8 OriginalFileName', 'Test9 CommandLine', 'Test10 CurrentDirectory', 'Test11 User', [System.Guid]'e0a70393-abfc-493d-baf8-495ccdd3a138', [int64]'0x0123', [UInt32]1, 'Test12 IntegrityLevel', 'Test13 Hashes', [System.Guid]'e0a70393-abfc-493d-baf8-495ccdd3a138', [UInt32]69420, 'Test14 ParentImage', 'Test15 ParentCommandLine', 'Test16 ParentUser')


Working partly:

$Payload = @('Test1 RuleName', 'Test2 UtcTime', [System.Guid]'e0a70393-abfc-493d-baf8-495ccdd3a138', [UInt32]69420, 'Test3 Image', 'Test4 FileVersion', 'Test5 Description', 'Test6 Product', 'Test7 Company', 'Test8 OriginalFileName', 8, 7, 6, [System.Guid]'e0a70393-abfc-493d-baf8-495ccdd3a138', [int64]'0x0123', [UInt32]1, 5, 4, [System.Guid]'e0a70393-abfc-493d-baf8-495ccdd3a138', [UInt32]69420, 3, 2, 1)


cmdlet:

New-WinEvent -ProviderName Microsoft-Windows-Sysmon -Id 1 -Payload $Payload


Does someone know if I can get this to work?

If not, I have to think of something else (::
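The following is an added example, not code from the original post or from Microsoft. When synthetic Sysmon events are generated to exercise detection rules, it helps to know before calling New-WinEvent whether a payload will trip the limit quoted in the error above, and which positions are responsible. The functions below (Get-PayloadStringPositions, Test-WinEventPayload and Invoke-CheckedWinEvent are names invented for this example) count the [string] entries in a payload, report their zero-based positions, and only hand the payload to New-WinEvent when it stays within the 8-string limit the error message reports. The assumption is that the limit applies per call to the cmdlet, exactly as the message states; the sample payload is the 23-field event ID 1 layout from the post.

```powershell
# Added example (not from the original post). Assumes the per-call limit of
# 8 string entries reported by New-WinEvent's error message.

function Get-PayloadStringPositions {
    param([Parameter(Mandatory)][object[]]$Payload)
    # Zero-based positions of payload entries whose runtime type is [string].
    $positions = @()
    for ($i = 0; $i -lt $Payload.Count; $i++) {
        if ($Payload[$i] -is [string]) { $positions += $i }
    }
    return ,$positions
}

function Test-WinEventPayload {
    param(
        [Parameter(Mandatory)][object[]]$Payload,
        [int]$MaxStrings = 8   # limit quoted in the cmdlet's error message
    )
    $strings = Get-PayloadStringPositions -Payload $Payload
    [pscustomobject]@{
        TotalFields     = $Payload.Count
        StringFields    = $strings.Count
        StringPositions = $strings
        WithinLimit     = ($strings.Count -le $MaxStrings)
        Excess          = [Math]::Max(0, $strings.Count - $MaxStrings)
    }
}

function Invoke-CheckedWinEvent {
    param(
        [Parameter(Mandatory)][string]$ProviderName,
        [Parameter(Mandatory)][int]$Id,
        [Parameter(Mandatory)][object[]]$Payload
    )
    # Fail early with a precise message instead of letting New-WinEvent throw.
    $check = Test-WinEventPayload -Payload $Payload
    if (-not $check.WithinLimit) {
        $msg = 'Payload has {0} string fields at positions {1}; New-WinEvent accepts at most 8. Replace at least {2} of them before writing the event.' -f `
            $check.StringFields, ($check.StringPositions -join ','), $check.Excess
        throw $msg
    }
    New-WinEvent -ProviderName $ProviderName -Id $Id -Payload $Payload
}

# Constructed sample: the failing 23-field payload from the post (16 strings).
$Payload = @('Test1 RuleName', 'Test2 UtcTime', [System.Guid]'e0a70393-abfc-493d-baf8-495ccdd3a138', [UInt32]69420,
             'Test3 Image', 'Test4 FileVersion', 'Test5 Description', 'Test6 Product', 'Test7 Company',
             'Test8 OriginalFileName', 'Test9 CommandLine', 'Test10 CurrentDirectory', 'Test11 User',
             [System.Guid]'e0a70393-abfc-493d-baf8-495ccdd3a138', [int64]'0x0123', [UInt32]1,
             'Test12 IntegrityLevel', 'Test13 Hashes', [System.Guid]'e0a70393-abfc-493d-baf8-495ccdd3a138',
             [UInt32]69420, 'Test14 ParentImage', 'Test15 ParentCommandLine', 'Test16 ParentUser')

# Report only; nothing is written to the event log by this call.
Test-WinEventPayload -Payload $Payload | Format-List

# Writes the event only if the check passes (it will not for this payload):
# Invoke-CheckedWinEvent -ProviderName Microsoft-Windows-Sysmon -Id 1 -Payload $Payload
```

Run against the failing payload from the post, the report shows 23 fields, 16 of them strings, WithinLimit False and an excess of 8, together with the positions that would have to be changed. Running it against the "working partly" payload gives 8 strings and WithinLimit True, which matches the behaviour described above.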
