From 24f9dea287b42e19d655adcfbb02714d8207b0fe Mon Sep 17 00:00:00 2001
From: "James Truher [MSFT]" <jimtru@microsoft.com>
Date: Thu, 29 Sep 2016 16:23:12 -0700
Subject: [PATCH] Add tests for queries against userdata (#2388)

add a custom evtx file for the userdata tests to use
---
 .../Get-WinEvent.Tests.ps1                    |  33 +++++++++++++++++-
 .../assets/Saved-Events.evtx                  | Bin 0 -> 69632 bytes
 2 files changed, 32 insertions(+), 1 deletion(-)
 create mode 100644 test/powershell/Modules/Microsoft.PowerShell.Diagnostics/assets/Saved-Events.evtx

diff --git a/test/powershell/Modules/Microsoft.PowerShell.Diagnostics/Get-WinEvent.Tests.ps1 b/test/powershell/Modules/Microsoft.PowerShell.Diagnostics/Get-WinEvent.Tests.ps1
index 8841f7181..77cfca748 100644
--- a/test/powershell/Modules/Microsoft.PowerShell.Diagnostics/Get-WinEvent.Tests.ps1
+++ b/test/powershell/Modules/Microsoft.PowerShell.Diagnostics/Get-WinEvent.Tests.ps1
@@ -73,8 +73,39 @@ Describe 'Get-WinEvent' -Tags "CI" {
             $results = Get-WinEvent -logname $logname -filterXPath $xpathFilter -max 3
             $results | should Not BeNullOrEmpty
         }
+
     }
-    # Get-WinEvent works only on windows
+    Context "Get-WinEvent UserData Queries" {
+        It 'Get-WinEvent can retrieve events with UserData queries using FilterXml' {
+            # this relies on apriori knowledge about the log file
+            # the provided log file has been edited to remove MS PII, so we must use -ea silentlycontinue
+            $eventLogFile = [io.path]::Combine($PSScriptRoot, "assets", "Saved-Events.evtx")
+            $filter = "<QueryList><Query><Select Path='file://$eventLogFile'>*[UserData/*/Param2='Windows x64']</Select></Query></QueryList>"
+            $results = Get-WinEvent -FilterXml $filter -ea silentlycontinue
+            @($results).Count | Should be 1
+            $results.RecordId | should be 10
+        }
+        <#
+        It 'Get-WinEvent can retrieve events with UserData queries using FilterHashtable' {
+            # this relies on apriori knowledge about the log file
+            # the provided log file has been edited to remove MS PII, so we must use -ea silentlycontinue
+            $eventLogFile = [io.path]::Combine($PSScriptRoot, "assets", "Saved-Events.evtx")
+            $filter = @{ path = "$eventLogFile"; Param2 = "Windows x64"}
+            $results = Get-WinEvent -filterHashtable $filter -ea silentlycontinue
+            @($results).Count | Should be 1
+            $results.RecordId | should be 10
+        }
+        #>
+        It 'Get-WinEvent can retrieve events with UserData queries using FilterXPath' {
+            # this relies on apriori knowledge about the log file
+            # the provided log file has been edited to remove MS PII, so we must use -ea silentlycontinue
+            $eventLogFile = [io.path]::Combine($PSScriptRoot, "assets", "Saved-Events.evtx")
+            $filter = "*/UserData/*/Param2='Windows x64'"
+            $results = Get-WinEvent -path $eventLogFile -filterXPath $filter -ea silentlycontinue
+            @($results).Count | Should be 1
+            $results.RecordId | should be 10
+        }
+    }    # Get-WinEvent works only on windows
     It 'can query a System log' {
         Get-WinEvent -LogName System -MaxEvents 1 | Should Not BeNullOrEmpty
     }
diff --git a/test/powershell/Modules/Microsoft.PowerShell.Diagnostics/assets/Saved-Events.evtx b/test/powershell/Modules/Microsoft.PowerShell.Diagnostics/assets/Saved-Events.evtx
new file mode 100644
index 0000000000000000000000000000000000000000..9427f037a0329aef851ebe0a37e2c03358a4e5f4
GIT binary patch
literal 69632
zcmeI2e`wri9mhZ4%l*nFxg<*y=GfL-9ks2t>954rZfcg?xw55;YiBFQjazatX_8CG
zU1wrd0^O`rkjgp)hq4JGgQ1|5l_LHjY%u?5QP9l^{!=C*2yXMo{u%N8e!kzQxjS36
zHVVP_b9{5p^L#(gkMHaA>-iqZ&rB4iW=hsr5>dx8z5{DA>j)Y}Zn*ueAARB38=gcH
zh=2%)fCz|y2#A0Ph=2%)fCz|y2>eR|`I(8q$?`Pb@xv02z8l-i=-;xzEZ1Xp>8lUk
z9EttMU!4CNUpaHBc7ofIX1{4Si*=Z7#dWHA_3nX;+1>aVqOtq|{l2uK{xHV8P&4ku
zn)_a^_WMPw$#PrtgU8>n#=|XUuSfm7_YC?bJQ#MMd<5-xVqyIj+~0*Uz62>>GkZRo
zcNnq-%y|LhewAIlzm~Pl(SC-~^|SuqpRBiSo7p7x?)80s=}Q~m>iR{{9t74J{OR#$
z@_ts<^W85WYySDfOK01@-TDTegi-@5E5AmS56E(%HDP&s%t}_aD%z)UC67lpf83t1
zMVqx5+^pb6BIvV8h*fRgK4iW4RBQ}ACCC&}-+}Kb^eosMT5~o5$sK6Vp}*HYi+g2!
z@3x)z>_u&-?Ze;FmE|jStyr+K606bM+>xXmwk6D5bt}U1@GzgmzNk@_H&3Q*#I61q
z)*6S@0($##6}&Ot_jKG2VY9QiX_n1ekUSQR-r60vkJ$+~61Uo|y=kDyh9UO3Na8QW
zR1K_yHiUcc!<D4Tahk2KXYAvcq6lPDc>F211)|HwEg8!;Su!59*d}ybjOM(#Ic1-S
z#HK*1jC-+ci^b#6@$G2P#978KChUF)Qdcu*$6zK9irKAb+zL)C`IB)w;&d^MRxBIi
zf`R4GpbM~k|MsLk00mMlL`1QGGbQX!G`!~=zm&H7aC-@Qn*+yjaHnX(y5qn;g2vaQ
z84rA|1&dBOrh^bIVFOgrIAk0idJ%2vu9KNM4f;XAleEsJAOmYL`+YQRp{cEg_Jf#^
zTjowe^092jGTh4(7~})Ociw8TK_|w2%($I+tfP=C6e17LyqU29%vi<7X)RSeX*h2-
zW$npXh*9l*FLfH14rk&sU1Lxi&1Gd}7Hjw*a{gR19$?XJ{DfO5RPVjq2efJ2OXk()
z$Y#eNSivXSMcUHIw;@2)KCwRy!jlnO4<OrY>87B=nG=IC%PE-XAS8=0q_W#LmDXWF
zJXl#d4gp3rD(*lz?Lf`K6u7z2S7M3ay>=Y@O6aV(&VDFmq3%PM4nN+x=iPcswhPYf
z`>2_Fu%Hjw&+bS=`BdTw%oYMS+X#uIkKPmaC+(qV*@!}`bv4C<PG_0{0yXv0hluIL
zhMb0rm?f6&v^(N)y9ssJv%6sa#)~Cw-MBhkJ&qc$v}K$eR&o7zq19pSb}zo)pSZ(f
ztzGu2<-%~dd^QTUi%3|DSmsLJf`_prxb!d{tv&*7x1;DQ!*u50OBLJh^v#~C1G3=k
zkJ^9tuV1Y8z0os#uH&9p+9xZ|-N;<MFw}9lB-aVE!`Pjd-}bqN_22z@+ovAS<x}sT
z9nNinsYltN2i55)B@I3Q9=F9RbT$veWE!Y~_zXS_wBbY0bcS4uv56t~d$?Q{Ndylx
zWDI7CG6qgSl#^Xw*66#EHNtG-nf79PemmUMXCPNW-yA+OZd1L`3ZqA<F2_`iS%zVj
zClQt-4>8OZ?NLa&Fxv)mqVq6lpNfP|pH4y1p}Q8bSPA!HZ9yow6Agc+`Q<mWP7mXF
zVn!MU0OBLc3A8vYwmSc1%+K)m@^4d-$Oy!%KuE!+P;d(xJUg*GHJqtKzna=&ZEykZ
zo7>@Wi~;9ouVfpv7<#1N8dph#!#<2*3mC=_l>c;hLyRKH0bI=fd@{N<jf8wTNiv+|
z18DF_$7J_fS1TqdLU0;?$!q}bP`olE6%P3*hWJzBnTtJ9FfY|T<q!tX<DyUT?-=$#
zWpL$mIL&4>{2}j$Pc}Q1(%kY`kH-^QX{@c;Hh9(Y6v^`47gBJ4hWrYiX9hzkn1Nv2
zC~^p)VK**l%`Vi`dr;pL^~Y@k!pjDSI*hEVTK{((sNl9Z+kopJb`;tT|JFL(VeB%r
z?HsJC2pY8caYULyoYO`Te-2{bLrD8a;m)JDR!>oT@HC^>m~GSw(Ol#~Z>l(LbFC$e
zqW7-)-45KNRX>6q%wqL^obeukZuZ(9c+)QQj@y3p7O`Rpz2oTZzve7laTY6*Uk>}D
zKBnDs&ZC{jEEVh_R}+RB<7^J8mwPzmX31fvwZ@l2%bVYJI|HXXYN=%?*qyI=&K`l$
zhLPWF-%qc0&Stz{i&WDYW2)I~3qh1qmi@WjryBTBSk_0Xd9rir7XKQ<`fFb<A3Oit
zk&P3d|6_6)$udecRaE`k)!p5j8tk1Gz%apM%mTFKgH*xUdaeBzaM#=Xx=TJeD3-6$
z%(?NyNe6+CI}4X#=!wz~#bS8NW=u}hiS2e`QSzY}U&b#ZlO*fJ_Bb&nn>hbLzy&b|
zt($ONzq8dJX}qiLvk$^0x8TKY(fUx|iglbH(VynADi>xM{jd7dF6U3RM>p@k-k+ji
z54JEtly!1+YfL~tf$qw<n2i1(6A+V68J<#s#qC6zxq1rXQI1JyKdv!&73=KjhmG#V
zPY|OniCt};e>{NaTtEunuXto1hrN#=ATjk-QRm?{?DNOb9M<FyAWT0DVUM~{6~6!E
zAWOOM+`L8!jDALcdk3bCv{qNbHv#`U(OTuNbJm!@ynlOtYxTQWAO7a^7sD0(%g4$8
ztvy^vj3r*`TSWv!Km<fU1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU
z1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU1Vlgt
zL_h>YKm<fU1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU1VlgtL_h>Y
zKm<fU1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU
z1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU1Vlgt
zL_h>YKm<fU1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU1VlgtL_h>Y
zKm<fU1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU1Vmsx5Qtmac%?04
V0cx$*<+i;WtqyBPJ6OZV_&XI6WBmXC

literal 0
HcmV?d00001