Add tests for queries against userdata (#2388)

add a custom evtx file for the userdata tests to use
2016-09-29 16:23:12 -07:00 · 2016-09-29 16:23:12 -07:00 · 24f9dea287
parent 561824c306
commit 24f9dea287
2 changed files with 32 additions and 1 deletions
--- a/test/powershell/Modules/Microsoft.PowerShell.Diagnostics/Get-WinEvent.Tests.ps1
+++ b/test/powershell/Modules/Microsoft.PowerShell.Diagnostics/Get-WinEvent.Tests.ps1
@ -73,8 +73,39 @@ Describe 'Get-WinEvent' -Tags "CI" {
            $results = Get-WinEvent -logname $logname -filterXPath $xpathFilter -max 3
            $results | should Not BeNullOrEmpty
        }
+
    }
-    # Get-WinEvent works only on windows
+    Context "Get-WinEvent UserData Queries" {
+        It 'Get-WinEvent can retrieve events with UserData queries using FilterXml' {
+            # this relies on apriori knowledge about the log file
+            # the provided log file has been edited to remove MS PII, so we must use -ea silentlycontinue
+            $eventLogFile = [io.path]::Combine($PSScriptRoot, "assets", "Saved-Events.evtx")
+            $filter = "<QueryList><Query><Select Path='file://$eventLogFile'>*[UserData/*/Param2='Windows x64']</Select></Query></QueryList>"
+            $results = Get-WinEvent -FilterXml $filter -ea silentlycontinue
+            @($results).Count | Should be 1
+            $results.RecordId | should be 10
+        }
+        <#
+        It 'Get-WinEvent can retrieve events with UserData queries using FilterHashtable' {
+            # this relies on apriori knowledge about the log file
+            # the provided log file has been edited to remove MS PII, so we must use -ea silentlycontinue
+            $eventLogFile = [io.path]::Combine($PSScriptRoot, "assets", "Saved-Events.evtx")
+            $filter = @{ path = "$eventLogFile"; Param2 = "Windows x64"}
+            $results = Get-WinEvent -filterHashtable $filter -ea silentlycontinue
+            @($results).Count | Should be 1
+            $results.RecordId | should be 10
+        }
+        #>
+        It 'Get-WinEvent can retrieve events with UserData queries using FilterXPath' {
+            # this relies on apriori knowledge about the log file
+            # the provided log file has been edited to remove MS PII, so we must use -ea silentlycontinue
+            $eventLogFile = [io.path]::Combine($PSScriptRoot, "assets", "Saved-Events.evtx")
+            $filter = "*/UserData/*/Param2='Windows x64'"
+            $results = Get-WinEvent -path $eventLogFile -filterXPath $filter -ea silentlycontinue
+            @($results).Count | Should be 1
+            $results.RecordId | should be 10
+        }
+    }    # Get-WinEvent works only on windows
    It 'can query a System log' {
        Get-WinEvent -LogName System -MaxEvents 1 | Should Not BeNullOrEmpty
    }
--- a/test/powershell/Modules/Microsoft.PowerShell.Diagnostics/assets/Saved-Events.evtx
+++ b/test/powershell/Modules/Microsoft.PowerShell.Diagnostics/assets/Saved-Events.evtx