Using PoSH to Analyze LUA Predictor Log Files

I’ve been testing some of our applications for Vista User Account Control compatibility on Windows XP using Application Verifier with the LUA Privilege Predictor.  This tool spits out some massive XML log files.  So big that Internet Explorer ballooned up to 1 GB of virtual memory when I tried to open the XML file.  Since the data was so massive I needed to slice it rather than browse through it.  PowerShell to the rescue.  Here’s what I did to extract all the LUA errors:
 
PoSH> $lua = [xml](get-content app.exe.0.dat.xml)
PoSH> $nsmgr = new-object Xml.XmlNamespaceManager($lua.PSBase.NameTable)
PoSH> $nsmgr.AddNamespace("avrf", "Application Verifier")
PoSH> $errors = $lua.SelectNodes("//avrf:logEntry[@Severity = 'Error']", $nsmgr)
PoSH> $errors | Measure-Object
 
Count    : 314
Average  :
Sum      :
Maximum  :
Minimum  :
Property :
 
PoSH> $errors | group message | format-list
 
Name   : Access was restricted to trusted users only.
Count  : 87
Group  : {LuaPriv, LuaPriv, LuaPriv, LuaPriv…}
Values : {Access was restricted to trusted users only.}
 
Name   : Object opened/created in a restricted namespace.
Count  : 171
Group  : {LuaPriv, LuaPriv, LuaPriv, LuaPriv…}
Values : {Object opened/created in a restricted namespace.}
 
Name   : Requested a security-relevant privilege.
Count  : 56
Group  : {LuaPriv, LuaPriv, LuaPriv, LuaPriv…}
Values : {Requested a security-relevant privilege.}
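The same slicing, packaged as a reusable function that streams the log with XmlReader instead of loading the whole file into a DOM, which is what turns a 1 GB log into a 1 GB process. This is an added example, not code from the original post. The entry layout it assumes (avrf:logEntry elements in the "Application Verifier" namespace with Time, LayerName, StopCode and Severity attributes and avrf:message / avrf:parameter1 children) and the sample log are constructed for the demo and should be checked against a real app.exe.N.dat.xml file. Requires PowerShell 3.0 or later for [pscustomobject].

```powershell
# Added example, not code from the original post. Streams an Application Verifier
# log with XmlReader so that only one logEntry is ever materialised as a DOM node.
# ASSUMPTION: entries look like <avrf:logEntry ... Severity="Error"> with an
# <avrf:message> child; verify this against a real app.exe.N.dat.xml file.

function Get-AvrfLogEntry {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [string]$Severity = 'Error'      # pass '' to return every entry regardless of severity
    )
    $settings = New-Object System.Xml.XmlReaderSettings
    $settings.IgnoreWhitespace = $true
    $reader = [System.Xml.XmlReader]::Create($Path, $settings)
    try {
        while ($reader.Read()) {
            # Match on LocalName so the avrf: prefix never has to be spelled out.
            if ($reader.NodeType -ne [System.Xml.XmlNodeType]::Element) { continue }
            if ($reader.LocalName -ne 'logEntry') { continue }
            if ($Severity -and $reader.GetAttribute('Severity') -ne $Severity) { continue }

            # ReadSubtree hands back a reader scoped to this one element. Loading it
            # into a throwaway XmlDocument gives normal DOM access to the entry, and
            # closing the sub-reader leaves $reader on the matching end tag, so the
            # outer Read() continues with the next sibling and nothing is skipped.
            $sub = $reader.ReadSubtree()
            $entryDoc = New-Object System.Xml.XmlDocument
            $entryDoc.Load($sub)
            $sub.Close()
            $entry = $entryDoc.DocumentElement

            [pscustomobject]@{
                Time      = $entry.GetAttribute('Time')
                Layer     = $entry.GetAttribute('LayerName')
                StopCode  = $entry.GetAttribute('StopCode')
                Severity  = $entry.GetAttribute('Severity')
                Message   = [string]$entry.message      # PowerShell's XML adapter resolves children by local name
                Parameter = [string]$entry.parameter1   # $null becomes '' when the entry has no parameter1
            }
        }
    }
    finally {
        $reader.Close()
    }
}

# Constructed sample log (three entries, two of them errors) so the function can be
# exercised offline; a real log has thousands of entries and is assumed to share this shape.
$sampleLog = @'
<avrf:logfile xmlns:avrf="Application Verifier">
  <avrf:logSession TimeStarted="2007-01-01 10:00:00" PID="1234">
    <avrf:logEntry Time="10:00:01" LayerName="LuaPriv" StopCode="0x3301" Severity="Error">
      <avrf:message>Access was restricted to trusted users only.</avrf:message>
      <avrf:parameter1>HKLM\Software\Contoso\App</avrf:parameter1>
    </avrf:logEntry>
    <avrf:logEntry Time="10:00:02" LayerName="LuaPriv" StopCode="0x3300" Severity="Warning">
      <avrf:message>Object opened/created in a restricted namespace.</avrf:message>
    </avrf:logEntry>
    <avrf:logEntry Time="10:00:03" LayerName="LuaPriv" StopCode="0x3302" Severity="Error">
      <avrf:message>Requested a security-relevant privilege.</avrf:message>
      <avrf:parameter1>SeDebugPrivilege</avrf:parameter1>
    </avrf:logEntry>
  </avrf:logSession>
</avrf:logfile>
'@
$logPath = Join-Path $env:TEMP 'app.exe.0.dat.xml'
[System.IO.File]::WriteAllText($logPath, $sampleLog)

$errors = Get-AvrfLogEntry -Path $logPath -Severity Error
$errors.Count
$errors | Group-Object Message | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
$errors | Format-Table Time, StopCode, Message, Parameter -AutoSize
```

Because each entry comes out as an object with the parameter attached, the second table answers the question the counts above leave open: which registry keys, kernel objects and privileges the application actually touched, which is what you need to decide between fixing the code and writing a UAC shim. If you would rather stay with the DOM approach on a file that fits in memory, PowerShell 2.0 and later also let you skip the XmlNamespaceManager: Select-Xml -Path $logPath -XPath "//avrf:logEntry[@Severity = 'Error']" -Namespace @{ avrf = 'Application Verifier' } returns the same nodes under the .Node property.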
 
Other than dealing with XML namespaces, manipulating XML in PowerShell is quite easy.  I have to admit that if it came to writing a C# console app to slice this data I might have passed on it.  That’s the beauty of great scripting languages!  You can bang out something quick without dealing with the overhead of configuring projects, creating source code files, etc.