From ea97820b7947c456a1a4655b660cc4d3583f443b Mon Sep 17 00:00:00 2001
From: TheNiv
Date: Sat, 6 Nov 2021 10:11:03 +0200
Subject: [PATCH] Fixed windows event log check. The output of the start/stop windows event log service was not correct. After checking the script on the sample file: disablestop-eventlog.evtx I have noticed that the output was not correct and found out it is actually the third parameter that should be checked instead of the second.
---
 DeepBlue.ps1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/DeepBlue.ps1 b/DeepBlue.ps1
index 5e6abb4..6b6daca 100644
--- a/DeepBlue.ps1
+++ b/DeepBlue.ps1
@@ -391,7 +391,7 @@ function Main {
 ElseIf ($event.id -eq 7040){
 # The start type of the Windows Event Log service was changed from auto start to disabled.
 $servicename=$eventXML.Event.EventData.Data[0]."#text"
- $action = $eventXML.Event.EventData.Data[1]."#text"
+ $action = $eventXML.Event.EventData.Data[2]."#text"
 if ($servicename -ccontains "Windows Event Log") {
 $obj.Results = "Service name: $servicename`n"
 $obj.Results += $text
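Review bot: The bare index `Data[2]` is easy to get wrong again (the previous `Data[1]` read the old start type), so the line deserves a comment stating the 7040 layout, e.g. `# 7040 EventData: [0]=service display name, [1]=previous start type, [2]=new start type`. In the context line below it, `-ccontains` is a collection operator; against a single string it behaves as an exact, case-sensitive equality test, so `-ceq` would state the intent. Matching on the display name "Windows Event Log" also looks locale-dependent, which could let a disabled Event Log service go unreported on non-English hosts. That last point is inferred, since the rest of Main, including how `$action` and `$text` are used, lies outside the hunk.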