This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(192, 51%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EW%3C/text%3E%3C/svg%3E)
I am upgrading sysmon (uninstall old version then install new version) and logging more detailed output to a local log file in case it needs to be referenced. In the log, I'm writing the timestamp, the current version of sysmon detected, and the output from the uninstall.
$uninstall is the output you see in console (or what I captured from standard out) when running "sysmon.exe -u force" - I have omitted this part of the code from the snippet below:
System Monitor v11.10 - System activity monitor
Copyright (C) 2014-2020 Mark Russinovich and Thomas Garnier
Sysinternals - www.sysinternals.comStopping sysmon..
sysmon stopped.
sysmon removed.
Stopping SysmonDrv.
SysmonDrv stopped.
SysmonDrv removed.
Removing service files.
When echoing the values for $sysmonVer and $uninstall, it shows exactly as you would expect to see (there is no question mark). However when I Add-Content them together in the Write-Log function, there is always a line with a question mark (?) inserted between them:
8/30/2022 8:37:15 PM
Detected Version: 14.0
?
System Monitor v11.10 - System activity monitor
...
I also have a similar $install log which has similar format to $uninstall and again it's just a capture of standard out. When this variable is also appended to the log via Add-Content it does not add a question mark and displays in the log as expected.
Not a showstopper by any means but I'm curious to know where the question mark (?) is coming from and how I can potentially eliminate it.
function Detect-Version {
$getService = Get-CimInstance -ClassName win32_service | ? {$_.Name -match '^sysmon[6]{0,1}[4]{0,1}$'}
if ($getService -eq $null) {$sysmonVer = 'NotDetected'}
if ($getService -ne $null) {
$sysmonVer = (Get-ChildItem -Path $getService.PathName).VersionInfo.FileVersion
}
return $sysmonVer
}
function Write-Log {
$logFile = 'c:\temp\my.log'
$timeStamp = (Get-Date).ToString()
Add-Content -Path $logFile -Value $timeStamp
Add-Content -Path $logfile -Value "Detected Version: $($sysmonVer)"
Add-Content -Path $logFile -Value $uninstall
}
$sysmonVer = Detect-Version
Write-Log
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 74%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERM%3C/text%3E%3C/svg%3E)
Try adding "-Encoding UTF8" to each of the Add-Content cmdlets.
I added the encoding just to one line first just to test/confirm (the source of the ?) and it resolved the issue. I've used this specific property from gci many times before without any issues so not sure what's going on here. Although most of my use cases were Write-Host which is picked up by AWS Run Command output - rather than append to a text file. Thanks!
Add-Content -Path $logFile -Value $timeStamp
Add-Content -Path $logfile -Value "Detected Version: $($sysmonVer)" -Encoding utf8
Add-Content -Path $logFile -Value $uninstall