0

Trying to do an -EQ on two values but it's not working. After looking at Get-Variable I notice the values have three dots after it. Like this

0x0...

It should be 0x0 so how do I clean up the variable so it doesn't contain the three dots?

Here is the code and steps I did:

$log = (Get-EventLog -LogName Security -Newest 1 -InstanceId 4769).message

$EID4769 = "Account Name:\s+(?<AccNam>.*)[\s\S]+Service Name:\s+(?<WorNam>.*)[\s\S]+Client Address:\s+(?<IPAdd>.*)[\s\S]+Failure Code:\s+(?<ErrCod>.*)"

if ($log -match $EID4769) {
$AccountName = $matches['AccNam']
$WorkstationName = $matches['WorNam']
$IPAddress = $matches['IPAdd']
$ErrorCode = $matches['ErrCod']
}

$ErrorCode
0x0

$ErrorCode -eq '0x0'
False

Get-Variable

Name                           Value
----                           -----
ErrorCode                      0x0...

$ErrorCode -eq '0x0...'
False
LMZ
  • 25
  • 1
  • 7
  • 1
    Maybe try a match? `$ErrorCode -match "\dx\d(?=.*)"` or `$ErrorCode -match "0x0(?=.*)"`. – xyz Oct 11 '19 at 17:17
  • 2
    The `...` is a display-formatting artifact that lets you know that there's additional information that doesn't fit in the column. Try `Get-Variable | Format-List` instead. See https://stackoverflow.com/a/45356836/45375 for how to inspect a string for hidden control characters, for instance. – mklement0 Oct 11 '19 at 17:19
  • @mklement0 I did that and this is what I got `Name : ErrorCode Description : Value : 0x18 Visibility : Public Module : ModuleName : Options : None Attributes : {}` Reading the link you sent.. – LMZ Oct 11 '19 at 17:31
  • So it sounds like the true value is `'0x18'`. – mklement0 Oct 11 '19 at 17:33
  • @xyz Did that and it came back True – LMZ Oct 11 '19 at 17:35
  • @mklement0 No, sorry I reran my script and there is a new event... It's should be 0x0 – LMZ Oct 11 '19 at 17:36
  • @xyz It seems `$ErrorCode -match "0x0(?=.*)"` is working, I even changed it to `$ErrorCode -match "0x18(?=.*)"` to ensure as `$ErrorCode` has changed from `0x0` to `0x18`. – LMZ Oct 11 '19 at 17:47
  • @K2Chris1983: `-match "0x0(?=.*)"`, if you only want to know _if_ there is a match, is equivalent to `-match '0x0.*'` i.e. anything that _starts with `0x0`. It's unclear to me what you're trying to achieve. It sounds like there are extra characters in the value that perhaps shouldn't be there. Try to identify and remove them, then you can use regular `-eq` comparison. – mklement0 Oct 11 '19 at 18:06

0 Answers0