I'm encountering the same issue as mentioned at https://serverfault.com/questions/743515/my-event-log-has-corrupted-dacl-write-attributes-in-4656-file-audit-events/852636#852636 where there are some invalid characters in the event logs and therefore using .ToXML() fails with the exception:
System.Management.Automation.RuntimeException Cannot convert value "http://schemas.microsoft.com/win/2004/08/events/event'>
irrelevant data omitted
<Data Name='AccessReason'>%%1538: %%1804
%%1541: %%1801 D:(A;ID;FA;;;S-1-5-21-4261485934-2742084322-1513010315-1120)
%%4416: %%1801 D:(A;ID;FA;;;S-1-5-21-4261485934-2742084322-1513010315-1120)
%%4417: %%1801 D:(A;ID;FA;;;S-1-5-21-4261485934-2742084322-1513010315-1120)
%%4418: %%1801 D:(A;ID;FA;;;S-1-5-21-4261485934-2742084322-1513010315-1120)
%%4419: %%1801 D:(A;ID;FA;;;S-1-5-21-4261485934-2742084322-1513010315-1120)
%%4420: %%1801 D:(A;ID;FA;;;S-1-5-21-4261485934-2742084322-1513010315-1120)
%%4423: %%1801 D:(A;ID;FA;;;S-1-5-21-4261485934-2742084322-1513010315-1120)
%%4424: %%1801 D:(A;ID;FA;;;S-1-5-21-4261485934-2742084322-151301031亖퍲翾</Data>
to type "System.Xml.XmlDocument". Error: "'', hexadecimal value 0x04, is an invalid character. Line 19, position 117."
How could I strip the invalid characters out? I'm thinking the following might be the process:
- converting to string (ToString() doesn't seem to work, when outputting via Write-Host it simply outputs the name of the object type)
- removing the invalid XML characters using .replace and regex
- convert back/serialize to System.Diagnostics.Eventing.Reader.EventLogRecord object (somehow?)
- convert to XML (with .ToXML())
How would I achieve steps 1 and 3 of this process?