
I'm trying to match a pattern out of text which repeats within the text. When I try to match the pattern, it matches whatever is in between. Though I achieved the desired result, I would like any optimization of my regex pattern if possible. Please suggest.

This is the text content:

$text = @"

Microsoft (R) Windows Debugger Version 6.3.9600.17336 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Windows\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available


************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       srv*DownstreamStore*https://msdl.microsoft.com/download/symbols

************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       srv*DownstreamStore*https://msdl.microsoft.com/download/symbols
Symbol search path is: srv*DownstreamStore*https://msdl.microsoft.com/download/symbols
Executable search path is: 
Windows 7 Kernel Version 7600 UP Free x64
Product: LanManNt, suite: SmallBusiness TerminalServer SmallBusinessRestricted SingleUserTS
Built by: 7600.16385.amd64fre.win7_rtm.090713-1255
Machine Name:
Kernel base = 0xfffff800`01658000 PsLoadedModuleList = 0xfffff800`01895e50
Debug session time: Tue Apr 16 04:27:05.412 2019 (UTC - 7:00)
System Uptime: 7 days 1:02:26.286
Loading Kernel Symbols
...............................................................
..............................................Page eb21d not present in the dump file. Type ".hh dbgerr004" for details
..................
.........
Loading User Symbols
PEB is paged out (Peb.Ldr = 000007ff`fffdb018).  Type ".hh dbgerr001" for details
Loading unloaded module list
....
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck D1, {fffff8a0032dd010, 2, 0, fffff8800567d530}

*** ERROR: Module load completed but symbols could not be loaded for myfault.sys
Page eb21d not present in the dump file. Type ".hh dbgerr004" for details
Probably caused by : myfault.sys ( myfault+1530 )

Followup: MachineOwner
---------

----- 64 bit Kernel Summary Dump Analysis

DUMP_HEADER64:
MajorVersion        0000000f
MinorVersion        00001db0
KdSecondaryVersion  00000000
DirectoryTableBase  00000000`cadb0000
PfnDataBase         fffffa80`00000000
PsLoadedModuleList  fffff800`01895e50
PsActiveProcessHead fffff800`01877b30
MachineImageType    00008664
NumberProcessors    00000001
BugCheckCode        000000d1
BugCheckParameter1  fffff8a0`032dd010
BugCheckParameter2  00000000`00000002
BugCheckParameter3  00000000`00000000
BugCheckParameter4  fffff880`0567d530
KdDebuggerDataBlock fffff800`01841070
SecondaryDataState  00000000
ProductType         00000002
SuiteMask           00000131

SUMMARY_DUMP64:
DumpOptions         504d4453
HeaderSize          00024000
BitmapSize          00108000
Pages               00013cb0
Bitmap.SizeOfBitMap 00108000

KiProcessorBlock at fffff800`01900900
  1 KiProcessorBlock entries:
  fffff800`01842e80


Windows 7 Kernel Version 7600 UP Free x64
Product: LanManNt, suite: SmallBusiness TerminalServer SmallBusinessRestricted SingleUserTS
Built by: 7600.16385.amd64fre.win7_rtm.090713-1255
Machine Name:
Kernel base = 0xfffff800`01658000 PsLoadedModuleList = 0xfffff800`01895e50
Debug session time: Tue Apr 16 04:27:05.412 2019 (UTC - 7:00)
System Uptime: 7 days 1:02:26.286
start             end                 module name
fffff800`0142c000 fffff800`01436000   kdcom     Mon Jul 13 18:31:07 2009 (4A5BDFDB)
fffff800`0160f000 fffff800`01658000   hal       Mon Jul 13 18:27:36 2009 (4A5BDF08)
fffff800`01658000 fffff800`01c35000   nt        Mon Jul 13 16:40:48 2009 (4A5BC600)
fffff880`00c00000 fffff880`00c3c000   vmbus     Mon Jul 13 16:42:54 2009 (4A5BC67E)
###

some similar text just to save characters

###
fffff960`00050000 fffff960`0035f000   win32k    Mon Jul 13 16:40:16 2009 (4A5BC5E0)
Page eb21d not present in the dump file. Type ".hh dbgerr004" for details
fffff960`004c0000 fffff960`004de000   dxg       Mon Jul 13 16:38:28 2009 (4A5BC574)
fffff960`00620000 fffff960`0062a000   TSDDD     Mon Jul 13 17:16:34 2009 (4A5BCE62)
fffff960`008c0000 fffff960`008cb000   VMBusVideoD  Mon Jul 13 16:43:00 2009 (4A5BC684)
fffff960`00af0000 fffff960`00b26000   RDPDD     Mon Jul 13 17:16:54 2009 (4A5BCE76)

Unloaded modules:
fffff880`018e5000 fffff880`018f3000   crashdmp.sys
    Timestamp: unavailable (00000000)
    Checksum:  00000000
    ImageSize:  0000E000
fffff880`018f3000 fffff880`018ff000   dump_ataport.sys
    Timestamp: unavailable (00000000)
    Checksum:  00000000
    ImageSize:  0000C000
fffff880`018ff000 fffff880`01908000   dump_atapi.sys
    Timestamp: unavailable (00000000)
    Checksum:  00000000
    ImageSize:  00009000
fffff880`00de5000 fffff880`00e00000   sacdrv.sys
    Timestamp: unavailable (00000000)
    Checksum:  00000000
    ImageSize:  0001B000
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck D1, {fffff8a0032dd010, 2, 0, fffff8800567d530}

Page eb21d not present in the dump file. Type ".hh dbgerr004" for details
Probably caused by : myfault.sys ( myfault+1530 )

Followup: MachineOwner
---------

Finished dump check
"@

This should return 2 possible matches:

([regex]"(?ms)\*{20,}.+-{8,}").Matches($text)

but gives this:

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck D1, {fffff8a0032dd010, 2, 0, fffff8800567d530}

*** ERROR: Module load completed but symbols could not be loaded for myfault.sys
Page eb21d not present in the dump file. Type ".hh dbgerr004" for details
Probably caused by : myfault.sys ( myfault+1530 )

Followup: MachineOwner
---------

----- 64 bit Kernel Summary Dump Analysis

DUMP_HEADER64:
MajorVersion        0000000f
MinorVersion        00001db0
KdSecondaryVersion  00000000
DirectoryTableBase  00000000`cadb0000
PfnDataBase         fffffa80`00000000
PsLoadedModuleList  fffff800`01895e50
PsActiveProcessHead fffff800`01877b30
MachineImageType    00008664
NumberProcessors    00000001
BugCheckCode        000000d1
BugCheckParameter1  fffff8a0`032dd010
BugCheckParameter2  00000000`00000002
BugCheckParameter3  00000000`00000000
BugCheckParameter4  fffff880`0567d530
KdDebuggerDataBlock fffff800`01841070
SecondaryDataState  00000000
ProductType         00000002
SuiteMask           00000131

SUMMARY_DUMP64:
DumpOptions         504d4453
HeaderSize          00024000
BitmapSize          00108000
Pages               00013cb0
Bitmap.SizeOfBitMap 00108000

KiProcessorBlock at fffff800`01900900
  1 KiProcessorBlock entries:
  fffff800`01842e80


Windows 7 Kernel Version 7600 UP Free x64
Product: LanManNt, suite: SmallBusiness TerminalServer SmallBusinessRestricted SingleUserTS
Built by: 7600.16385.amd64fre.win7_rtm.090713-1255
Machine Name:
Kernel base = 0xfffff800`01658000 PsLoadedModuleList = 0xfffff800`01895e50
Debug session time: Tue Apr 16 04:27:05.412 2019 (UTC - 7:00)
System Uptime: 7 days 1:02:26.286
start             end                 module name
fffff800`0142c000 fffff800`01436000   kdcom     Mon Jul 13 18:31:07 2009 (4A5BDFDB)
fffff800`0160f000 fffff800`01658000   hal       Mon Jul 13 18:27:36 2009 (4A5BDF08)
fffff800`01658000 fffff800`01c35000   nt        Mon Jul 13 16:40:48 2009 (4A5BC600)
fffff880`00c00000 fffff880`00c3c000   vmbus     Mon Jul 13 16:42:54 2009 (4A5BC67E)
fffff880`00c3c000 fffff880`00c66000   ataport   Mon Jul 13 16:19:52 2009 (4A5BC118)
####

Some similar text just to save characters

####
Page eb21d not present in the dump file. Type ".hh dbgerr004" for details
fffff960`004c0000 fffff960`004de000   dxg       Mon Jul 13 16:38:28 2009 (4A5BC574)
fffff960`00620000 fffff960`0062a000   TSDDD     Mon Jul 13 17:16:34 2009 (4A5BCE62)
fffff960`008c0000 fffff960`008cb000   VMBusVideoD  Mon Jul 13 16:43:00 2009 (4A5BC684)
fffff960`00af0000 fffff960`00b26000   RDPDD     Mon Jul 13 17:16:54 2009 (4A5BCE76)

Unloaded modules:
fffff880`018e5000 fffff880`018f3000   crashdmp.sys
    Timestamp: unavailable (00000000)
    Checksum:  00000000
    ImageSize:  0000E000
fffff880`018f3000 fffff880`018ff000   dump_ataport.sys
    Timestamp: unavailable (00000000)
    Checksum:  00000000
    ImageSize:  0000C000
fffff880`018ff000 fffff880`01908000   dump_atapi.sys
    Timestamp: unavailable (00000000)
    Checksum:  00000000
    ImageSize:  00009000
fffff880`00de5000 fffff880`00e00000   sacdrv.sys
    Timestamp: unavailable (00000000)
    Checksum:  00000000
    ImageSize:  0001B000
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck D1, {fffff8a0032dd010, 2, 0, fffff8800567d530}

Page eb21d not present in the dump file. Type ".hh dbgerr004" for details
Probably caused by : myfault.sys ( myfault+1530 )

Followup: MachineOwner
---------

But I ended up doing this to get the second part, which is successful:

$text -match [regex]"(?ms)\*{20,}.+-{8,}\s+\n+-.+\n(^\*{20,}.+\*\s+[bB].+\*{20,}.+-{8,})" 
$Matches[1]

The desired result is only the second part:

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck D1, {fffff8a0032dd010, 2, 0, fffff8800567d530}

Page eb21d not present in the dump file. Type ".hh dbgerr004" for details
Probably caused by : myfault.sys ( myfault+1530 )

Followup: MachineOwner
---------

P V Ajay Thota

1 Answer


You can do this with your first regex, slightly altered to use a lazy quantifier `.*?`. Then select the second indexed value `[1]` of your two matches.

([regex]"(?ms)\*{20,}.*?-{8,}").matches($text).value[1]

If you want both matches, then just leave off the index:

([regex]"(?ms)\*{20,}.*?-{8,}").matches($text).value
AdminOfThings
  • Thank you very much, and that worked. What went wrong? Can you explain? – P V Ajay Thota Apr 18 '19 at 16:47
  • He already did (+1). The `.*` is by default greedy - it takes the largest match it can get. Here it spans your intended two matches, the question mark `.*?` changes that behaviour. –  Apr 18 '19 at 16:50
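To show why the greedy pattern yields one match and the lazy one two, here is an added PowerShell example (not code from the question or the answer) run over a constructed, shortened stand-in for the dump text. The line-start anchors and the `[-1]` index are additions beyond the accepted pattern and are my own assumptions about what makes the extract more robust.

```powershell
# Constructed, shortened stand-in for the WinDbg output in the question:
# two "Bugcheck Analysis" banners, each closed by a '---------' line.
$sample = @"
Loading Dump File [C:\Windows\MEMORY.DMP]
*******************************************************************************
*                        Bugcheck Analysis                                    *
*******************************************************************************
BugCheck D1, {fffff8a0032dd010, 2, 0, fffff8800567d530}
*** ERROR: Module load completed but symbols could not be loaded for myfault.sys
Followup: MachineOwner
---------
----- 64 bit Kernel Summary Dump Analysis
BugCheckCode        000000d1
*******************************************************************************
*                        Bugcheck Analysis                                    *
*******************************************************************************
BugCheck D1, {fffff8a0032dd010, 2, 0, fffff8800567d530}
Followup: MachineOwner
---------
Finished dump check
"@

# Greedy: with (?s), '.+' runs to the LAST '---------', so one match swallows both sections.
$greedy = [regex]::Matches($sample, '(?ms)\*{20,}.+-{8,}')
"greedy match count: $($greedy.Count)"   # 1

# Lazy: '.*?' stops at the FIRST '---------' after each banner, giving one match per section.
# Anchoring both ends to line starts (^ and $ under (?m)) keeps a stray run of '*' or '-'
# inside a line from opening or closing a section early; \s*$ tolerates a trailing CR.
$lazy = [regex]::Matches($sample, '(?ms)^\*{20,}.*?^-{8,}\s*$')
"lazy match count: $($lazy.Count)"       # 2

# Index from the end rather than [1]: the final block is the one without the symbol-load
# error, and [-1] still works if a dump contains more than two analysis blocks.
# @() guards the single-match case, where .Value would be a bare string, not an array.
$last = @($lazy.Value)[-1]
$last

# Sanity check before trusting the extract: exactly one 'BugCheck D1, {...}' line
# should be inside the block ('BugCheckCode' lines live outside it and do not match).
$bugcheckLines = @($last -split "`n" | Where-Object { $_ -match '^BugCheck ' })
if ($bugcheckLines.Count -ne 1) {
    Write-Warning 'Unexpected section layout; the regex may have mis-split the output.'
}
```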