# Get-BluGenieAuditProcessTracking



### Get-BluGenieAuditProcessTracking <a href="#get-blugenieauditprocesstracking" id="get-blugenieauditprocesstracking"></a>

### SYNOPSIS <a href="#synopsis" id="synopsis"></a>

Format a System Event Log with new properties from the Message field

### SYNTAX <a href="#syntax" id="syntax"></a>

```
Get-BluGenieAuditProcessTracking [[-QueryType] <String>] [[-Algorithm] <String>] [-Signature] [-OnDisk] [-ShowAllValues] [-ClearGarbageCollecting] [-UseCache] [[-CachePath] <String>] [-RemoveCache] [[-DBName] 
<String>] [[-DBPath] <String>] [-UpdateDB] [-ForceDBUpdate] [-NewDBTable] [-Walkthrough] [-ReturnObject] [-OutUnEscapedJSON] [-OutYaml] [[-FormatView] <String>] [<CommonParameters>]
```

### DESCRIPTION <a href="#description" id="description"></a>

Format a System Event Log with new properties from the Message field

An Event has a Message that is one big string. The function will parse that information and convert any valid line item into a new Object Property and bind it back to the original Object.

### EXAMPLES <a href="#examples" id="examples"></a>

#### EXAMPLE 1 <a href="#example-1" id="example-1"></a>

```
Command: Get-BluGenieAuditProcessTracking
```

```
Description: This will return a Hash Table with a specific list of captured event Properties
Notes:
```

#### EXAMPLE 2 <a href="#example-2" id="example-2"></a>

```
Command: Get-BluGenieAuditProcessTracking -ShowAllValues
```

```
Description: This will return a Hash Table with all captured event Properties
Notes:
```

#### EXAMPLE 3 <a href="#example-3" id="example-3"></a>

```
Command: Get-BluGenieAuditProcessTracking -ReturnObject
```

```
Description: This will return a Object with a specific list of captured event Properties
Notes:
```

#### EXAMPLE 4 <a href="#example-4" id="example-4"></a>

```
Command: Get-BluGenieAuditProcessTracking -QueryType OnCreated -Signature
```

```
Description: This will return a Hash Table with a specific list of captured event Properties including the Authentication Information
Notes:
```

#### EXAMPLE 5 <a href="#example-5" id="example-5"></a>

```
Command: Get-BluGenieAuditProcessTracking -UseCache
```

```
Description: Cache found objects to disk to not over tax Memory resources
Notes: By default the Cache location is %SystemDrive%\Windows\Temp
```

#### EXAMPLE 6 <a href="#example-6" id="example-6"></a>

```
Command: Get-BluGenieAuditProcessTracking -UseCache -RemoveCache
```

```
Description: Remove Cache data
Notes: By default the Cache information is removed right before the data is returned to the caller
```

#### EXAMPLE 7 <a href="#example-7" id="example-7"></a>

```
Command: Get-BluGenieAuditProcessTracking -UseCache -CachePath $Env:Temp
```

```
Description: Change the Cache path to the current users Temp directory
Notes: By default the Cache location is %SystemDrive%\Windows\Temp
```

#### EXAMPLE 8 <a href="#example-8" id="example-8"></a>

```
Command: Get-BluGenieAuditProcessTracking -UseCache -ClearGarbageCollecting
```

```
Description: Scan large directories and limit the memory used to track data
Notes:
```

#### EXAMPLE 9 <a href="#example-9" id="example-9"></a>

```
Command: Get-BluGenieAuditProcessTracking -Help
```

```
Description: Call Help Information
Notes: If Help / WalkThrough is setup as a parameter, this script will be called to setup the Dynamic Help Menu if not the normal
       Get-Help will be called with the -Full parameter
```

#### EXAMPLE 10 <a href="#example-10" id="example-10"></a>

```
Command: Get-BluGenieAuditProcessTracking -WalkThrough
```

```
Description: Call Help Information [2]
Notes: If Help / WalkThrough is setup as a parameter, this script will be called to setup the Dynamic Help Menu if not the normal
       Get-Help will be called with the -Full parameter
```

#### EXAMPLE 11 <a href="#example-11" id="example-11"></a>

```
Command: Get-BluGenieAuditProcessTracking -OutUnEscapedJSON
```

```
Description: Return a detailed function report in an UnEscaped JSON format
Notes:  The OutUnEscapedJSON is used to Beautify the JSON return and not Escape any Characters.  Normal return data is a Hash Table.
```

#### EXAMPLE 12 <a href="#example-12" id="example-12"></a>

```
Command: Get-BluGenieAuditProcessTracking -OutYaml
```

```
Description: Return a detailed function report in YAML format
Notes:  The OutUnEscapedJSON is used to Beautify the JSON return and not Escape any Characters.  Normal return data is a Hash Table.
```

#### EXAMPLE 13 <a href="#example-13" id="example-13"></a>

```
Command: Get-BluGenieAuditProcessTracking -ReturnObject
```

```
Description: Return Output as a Object
Notes:  The ReturnObject is used to return a PowerShell Object.  Normal return data is a Hash Table.
       This parameter is also used with the FormatView
```

#### EXAMPLE 14 <a href="#example-14" id="example-14"></a>

```
Command: Get-BluGenieAuditProcessTracking -ReturnObject -FormatView Yaml
```

```
Description: Output PSObject information in Yaml format
Notes:  Current formats supported by default are ('Table','Custom','CustomModified','None','JSON','OutUnEscapedJSON','CSV', 'Yaml')
       Default is set to (None) and normal PSObject.
```

### PARAMETERS <a href="#parameters" id="parameters"></a>

#### QueryType <a href="#querytype" id="querytype"></a>

```
-QueryType <String>
   Description: Specifies the type of Events to Query for
   Notes: The acceptable values for this parameter are:
           - OnCreated          : Query On Created Events Only
           - OnExited           : Query On Exited Events Only
           - OnAll = (Default)  : Query On All Event types (Created and Exited)
   
           If no value is specified, or if the parameter is omitted, the default value is (OnAll).
   Alias:
   ValidateSet:'OnCreated','OnExited','OnAll'
   
   Required?                    false
   Position?                    1
   Default value                OnAll
   Accept pipeline input?       false
   Accept wildcard characters?  false
```

#### Algorithm <a href="#algorithm" id="algorithm"></a>

```
-Algorithm <String>
   Description: Specifies the cryptographic hash to use for computing the hash value of the contents of the specified file.
   Notes: The acceptable values for this parameter are:
           - SHA1
           - SHA256
           - SHA384
           - SHA512
           - MACTripleDES
           - MD5 = (Default)
           - RIPEMD160
   
           If no value is specified, or if the parameter is omitted, the default value is (MD5).
   Alias:
   ValidateSet:'MACTripleDES','MD5','RIPEMD160','SHA1','SHA256','SHA384','SHA512'
   
   Required?                    false
   Position?                    2
   Default value                MD5
   Accept pipeline input?       false
   Accept wildcard characters?  false
```

#### Signature <a href="#signature" id="signature"></a>

```
-Signature [<SwitchParameter>]
   Description: Validate Signature information of the process if the item is still on disk.
   Notes:
   Alias:
   ValidateSet:
   
   Required?                    false
   Position?                    named
   Default value                False
   Accept pipeline input?       false
   Accept wildcard characters?  false
```

#### OnDisk <a href="#ondisk" id="ondisk"></a>

```
-OnDisk [<SwitchParameter>]
   Description: Verify if the flagged process is still on disk
   Notes:
   Alias:
   ValidateSet:
   
   Required?                    false
   Position?                    named
   Default value                False
   Accept pipeline input?       false
   Accept wildcard characters?  false
```

#### ShowAllValues <a href="#showallvalues" id="showallvalues"></a>

```
-ShowAllValues [<SwitchParameter>]
   
   Required?                    false
   Position?                    named
   Default value                False
   Accept pipeline input?       false
   Accept wildcard characters?  false
```

#### ClearGarbageCollecting <a href="#cleargarbagecollecting" id="cleargarbagecollecting"></a>

```
-ClearGarbageCollecting [<SwitchParameter>]
   Description: Garbage Collection in Powershell to Speed up Scripts and help lower memory consumption
   Notes: This is enabled by default.  To disable use -ClearGarbageCollecting:$False
   Alias:
   ValidateSet:
   
   Required?                    false
   Position?                    named
   Default value                False
   Accept pipeline input?       false
   Accept wildcard characters?  false
```

#### UseCache <a href="#usecache" id="usecache"></a>

```
-UseCache [<SwitchParameter>]
   Description: Cache found objects to disk.  This is to not over tax Memory resources with found artifacts
   Notes: By default the Cache location is %SystemDrive%\Windows\Temp
   Alias:
   ValidateSet:
   
   Required?                    false
   Position?                    named
   Default value                False
   Accept pipeline input?       false
   Accept wildcard characters?  false
```

#### CachePath <a href="#cachepath" id="cachepath"></a>

```
-CachePath <String>
   Description: Path to store the Cache information
   Notes: By default the Cache location is %SystemDrive%\Windows\Temp
   Alias:
   ValidateSet:
   
   Required?                    false
   Position?                    3
   Default value                $('{0}\Windows\Temp\{1}.log' -f $env:SystemDrive, $(New-BluGenieUID))
   Accept pipeline input?       false
   Accept wildcard characters?  false
```

#### RemoveCache <a href="#removecache" id="removecache"></a>

```
-RemoveCache [<SwitchParameter>]
   Description: Remove Cache data on completion
   Notes: Cache information is removed right before the data is returned to the calling process
   Alias:
   ValidateSet:
   
   Required?                    false
   Position?                    named
   Default value                False
   Accept pipeline input?       false
   Accept wildcard characters?  false
```

#### DBName <a href="#dbname" id="dbname"></a>

```
-DBName <String>
   Description: Database Name (Without extention)
   Notes: The default name is set to 'BluGenie'
   Alias:
   ValidateSet:
   
   Required?                    false
   Position?                    4
   Default value                BluGenie
   Accept pipeline input?       false
   Accept wildcard characters?  false
```

#### DBPath <a href="#dbpath" id="dbpath"></a>

```
-DBPath <String>
   Description: Path to either Save or Update the Database
   Notes: The default path is $('{0}\BluGenie' -f $env:ProgramFiles)  Example: C:\Program Files\BluGenie
   Alias:
   ValidateSet:
   
   Required?                    false
   Position?                    5
   Default value                $('{0}\BluGenie' -f $env:ProgramFiles)
   Accept pipeline input?       false
   Accept wildcard characters?  false
```

#### UpdateDB <a href="#updatedb" id="updatedb"></a>

```
-UpdateDB [<SwitchParameter>]
   Description: Save return data to the Sqlite Database
   Notes:
   Alias:
   ValidateSet:
   
   Required?                    false
   Position?                    named
   Default value                False
   Accept pipeline input?       false
   Accept wildcard characters?  false
```

#### ForceDBUpdate <a href="#forcedbupdate" id="forcedbupdate"></a>

```
-ForceDBUpdate [<SwitchParameter>]
   Description: Force an update of the return data to the Sqlite Database
   Notes: By default only new items are saved.  The primary key is ( FullName )
   Alias:
   ValidateSet:
   
   Required?                    false
   Position?                    named
   Default value                False
   Accept pipeline input?       false
   Accept wildcard characters?  false
```

#### NewDBTable <a href="#newdbtable" id="newdbtable"></a>

```
-NewDBTable [<SwitchParameter>]
   Description: Delete and Recreate the Database Table
   Notes:
   Alias:
   ValidateSet:
   
   Required?                    false
   Position?                    named
   Default value                False
   Accept pipeline input?       false
   Accept wildcard characters?  false
```

#### Walkthrough <a href="#walkthrough" id="walkthrough"></a>

```
-Walkthrough [<SwitchParameter>]
   Description:  Start the dynamic help menu system to help walk through the current command and all of the parameters
   Notes:
   Alias: Help
   ValidateSet:
   
   Required?                    false
   Position?                    named
   Default value                False
   Accept pipeline input?       false
   Accept wildcard characters?  false
```

#### ReturnObject <a href="#returnobject" id="returnobject"></a>

```
-ReturnObject [<SwitchParameter>]
   Description: Return information as an Object
   Notes: By default the data is returned as a Hash Table
   Alias:
   ValidateSet:
   
   Required?                    false
   Position?                    named
   Default value                False
   Accept pipeline input?       false
   Accept wildcard characters?  false
```

#### OutUnEscapedJSON <a href="#outunescapedjson" id="outunescapedjson"></a>

```
-OutUnEscapedJSON [<SwitchParameter>]
   Description: Remove UnEsacped Char from the JSON information.
   Notes: This will beautify json and clean up the formatting.
   Alias:
   ValidateSet:
   
   Required?                    false
   Position?                    named
   Default value                False
   Accept pipeline input?       false
   Accept wildcard characters?  false
```

#### OutYaml <a href="#outyaml" id="outyaml"></a>

```
-OutYaml [<SwitchParameter>]
   Description: Return detailed information in Yaml Format
   Notes: Only supported in Posh 3.0 and above
   Alias:
   ValidateSet:
   
   Required?                    false
   Position?                    named
   Default value                False
   Accept pipeline input?       false
   Accept wildcard characters?  false
```

#### FormatView <a href="#formatview" id="formatview"></a>

```
-FormatView <String>
   Description: Automatically format the Return Object
   Notes: Yaml is only supported in Posh 3.0 and above
   Alias:
   ValidateSet: 'Table','Custom','CustomModified','None','JSON','OutUnEscapedJSON','CSV', 'Yaml'
   
   Required?                    false
   Position?                    6
   Default value                None
   Accept pipeline input?       false
   Accept wildcard characters?  false
```

#### CommonParameters <a href="#commonparameters" id="commonparameters"></a>

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about\_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).