Forum Discussion
RomanWuert
May 25, 2023 · Copper Contributor
New-WinEvent eventPayload String parameters must not exceed 8
Hi,
So I want to create some custom ETW events with PowerShell for testing purposes.
I am using the cmdlet New-WinEvent and it's working fine, except when I want to create events that have more than 8 string values. When I try, I get the following error:
New-WinEvent : The number of String parameters must not exceed 8.
Parameter name: eventPayload
Is there a reason to limit the amount of string parameters?
If I replace some of the parameters with numbers it's working, except the numbers are parsed as empty fields, and I want to simulate a complete event.
Error:
$Payload = @('Test1 RuleName', 'Test2 UtcTime', [System.Guid]'e0a70393-abfc-493d-baf8-495ccdd3a138', [UInt32]69420, 'Test3 Image', 'Test4 FileVersion', 'Test5 Description', 'Test6 Product', 'Test7 Company', 'Test8 OriginalFileName', 'Test9 CommandLine', 'Test10 CurrentDirectory', 'Test11 User', [System.Guid]'e0a70393-abfc-493d-baf8-495ccdd3a138', [int64]'0x0123', [UInt32]1, 'Test12 IntegrityLevel', 'Test13 Hashes', [System.Guid]'e0a70393-abfc-493d-baf8-495ccdd3a138', [UInt32]69420, 'Test14 ParentImage', 'Test15 ParentCommandLine', 'Test16 ParentUser')
Working partly:
$Payload = @('Test1 RuleName', 'Test2 UtcTime', [System.Guid]'e0a70393-abfc-493d-baf8-495ccdd3a138', [UInt32]69420, 'Test3 Image', 'Test4 FileVersion', 'Test5 Description', 'Test6 Product', 'Test7 Company', 'Test8 OriginalFileName', 8, 7, 6, [System.Guid]'e0a70393-abfc-493d-baf8-495ccdd3a138', [int64]'0x0123', [UInt32]1, 5, 4, [System.Guid]'e0a70393-abfc-493d-baf8-495ccdd3a138', [UInt32]69420, 3, 2, 1)
Cmdlet:
New-WinEvent -ProviderName Microsoft-Windows-Sysmon -Id 1 -Payload $Payload
Does someone know if I can get this to work?
If not, I have to think of something else (::
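The following is an added example, not code from the post above and not from Microsoft: a pre-flight check that compares a New-WinEvent payload with the target event's manifest template before the cmdlet is called. The "must not exceed 8" message is raised by the .NET System.Diagnostics.Eventing.EventProvider.WriteEvent method that New-WinEvent wraps, so the cmdlet itself cannot be pushed past it; what the check adds is a readable report of how many strings the payload carries and which positions hold a value of a type the template does not expect (the situation that produced the empty fields in the "working partly" variant). The helper function Test-WinEventPayload is hypothetical; the template XML is constructed here from the field order of the post's own payload, and the names given to the non-string slots (ProcessGuid, ProcessId, LogonGuid, LogonId, TerminalSessionId, ParentProcessGuid, ParentProcessId) are assumptions. On a host with Sysmon installed, the real template should be read from Get-WinEvent -ListProvider instead.

```powershell
# Added example (not from the original post): validate a New-WinEvent payload against a
# provider event template so the 8-string cap and type mismatches are reported up front.

function Test-WinEventPayload {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $TemplateXml,  # <template> XML of the target event
        [Parameter(Mandatory)] [object[]] $Payload
    )
    # Cap enforced by System.Diagnostics.Eventing.EventProvider.WriteEvent, the .NET API
    # behind New-WinEvent; it is the source of the "must not exceed 8" error.
    $maxStrings = 8

    # Manifest inType -> .NET type New-WinEvent expects at that payload position.
    $typeMap = @{
        'win:UnicodeString' = [string];  'win:AnsiString' = [string]
        'win:GUID'          = [guid];    'win:Boolean'    = [bool]
        'win:UInt32'        = [uint32];  'win:Int32'      = [int32];  'win:HexInt32' = [int32]
        'win:UInt64'        = [uint64];  'win:Int64'      = [int64];  'win:HexInt64' = [int64]
        'win:UInt16'        = [uint16];  'win:Int16'      = [int16];  'win:UInt8'    = [byte]
    }

    [xml]$doc = $TemplateXml
    $fields = @($doc.template.data)          # one <data name=".." inType=".."/> per field
    $issues = New-Object System.Collections.Generic.List[string]

    if ($fields.Count -ne $Payload.Count) {
        $issues.Add("Template has $($fields.Count) fields, payload has $($Payload.Count) values")
    }

    $stringCount = @($Payload | Where-Object { $_ -is [string] }).Count
    if ($stringCount -gt $maxStrings) {
        $issues.Add("Payload carries $stringCount strings; New-WinEvent rejects more than $maxStrings")
    }

    $n = [Math]::Min($fields.Count, $Payload.Count)
    for ($i = 0; $i -lt $n; $i++) {
        $name     = $fields[$i].name
        $inType   = $fields[$i].inType
        $expected = $typeMap[$inType]
        $got      = if ($null -eq $Payload[$i]) { 'null' } else { $Payload[$i].GetType().Name }
        if ($null -eq $expected) {
            $issues.Add("Field $i ($name): no mapping for inType $inType")
        } elseif (-not ($Payload[$i] -is $expected)) {
            # A value of the wrong type is the likely reason a number placed in a
            # string slot shows up as an empty field in the logged event.
            $issues.Add("Field $i ($name): expected $($expected.Name) for $inType, got $got")
        }
    }

    [pscustomobject]@{
        StringCount = $stringCount
        Issues      = $issues.ToArray()
        IsValid     = ($issues.Count -eq 0)
    }
}

# Constructed sample template (not pulled from a live provider). Field order and types
# follow the payload quoted in the post; names of the non-string slots are assumptions.
# With Sysmon installed, take the real one instead:
#   $tpl = ((Get-WinEvent -ListProvider Microsoft-Windows-Sysmon).Events |
#           Where-Object Id -eq 1).Template
$fieldSpec = @(
    'RuleName=win:UnicodeString',   'UtcTime=win:UnicodeString',     'ProcessGuid=win:GUID',
    'ProcessId=win:UInt32',         'Image=win:UnicodeString',       'FileVersion=win:UnicodeString',
    'Description=win:UnicodeString','Product=win:UnicodeString',     'Company=win:UnicodeString',
    'OriginalFileName=win:UnicodeString', 'CommandLine=win:UnicodeString',
    'CurrentDirectory=win:UnicodeString', 'User=win:UnicodeString',  'LogonGuid=win:GUID',
    'LogonId=win:HexInt64',         'TerminalSessionId=win:UInt32',  'IntegrityLevel=win:UnicodeString',
    'Hashes=win:UnicodeString',     'ParentProcessGuid=win:GUID',    'ParentProcessId=win:UInt32',
    'ParentImage=win:UnicodeString','ParentCommandLine=win:UnicodeString','ParentUser=win:UnicodeString'
)
$dataNodes = foreach ($spec in $fieldSpec) {
    $name, $inType = $spec -split '='
    "<data name=`"$name`" inType=`"$inType`"/>"
}
$tpl = "<template xmlns=`"http://schemas.microsoft.com/win/2004/08/events`">$($dataNodes -join '')</template>"

# The post's full payload (GUID and values reused from the post).
$g = [guid]'e0a70393-abfc-493d-baf8-495ccdd3a138'
$full = @('Test1 RuleName', 'Test2 UtcTime', $g, [uint32]69420, 'Test3 Image',
    'Test4 FileVersion', 'Test5 Description', 'Test6 Product', 'Test7 Company',
    'Test8 OriginalFileName', 'Test9 CommandLine', 'Test10 CurrentDirectory', 'Test11 User',
    $g, [int64]'0x0123', [uint32]1, 'Test12 IntegrityLevel', 'Test13 Hashes', $g, [uint32]69420,
    'Test14 ParentImage', 'Test15 ParentCommandLine', 'Test16 ParentUser')

$check = Test-WinEventPayload -TemplateXml $tpl -Payload $full
$check.Issues      # one issue: 16 strings against the cap of 8

# The post's "working partly" variant: every string past the eighth replaced by an integer.
$strings = 0
$partial = @(foreach ($v in $full) {
    if ($v -is [string]) { $strings++; if ($strings -gt 8) { 0 } else { $v } } else { $v }
})
(Test-WinEventPayload -TemplateXml $tpl -Payload $partial).Issues   # eight type mismatches

# Only fire the event once the payload passes (same cmdlet call as in the post).
if ($check.IsValid) { New-WinEvent -ProviderName Microsoft-Windows-Sysmon -Id 1 -Payload $full }
```

The check keeps the type table deliberately small; any inType it does not know is reported rather than silently accepted, so a template with, say, a win:FILETIME field fails loudly until the mapping is extended.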