Regular Expressions 101

Save & Share

  • Regex Version: ver. 1
  • Update Regex
    ctrl+⇧+s
  • Save new Regex
    ctrl+s
  • Add to Community Library

Flavor

  • PCRE2 (PHP >=7.3)
  • PCRE (PHP <7.3)
  • ECMAScript (JavaScript)
  • Python
  • Golang
  • Java 8
  • .NET 7.0 (C#)
  • Rust
  • Regex Flavor Guide

Function

  • Match
  • Substitution
  • List
  • Unit Tests

Tools

Sponsors
There are currently no sponsors. Become a sponsor today!
An explanation of your regex will be automatically generated as you type.
Detailed match information will be displayed here automatically.
  • All Tokens
  • Common Tokens
  • General Tokens
  • Anchors
  • Meta Sequences
  • Quantifiers
  • Group Constructs
  • Character Classes
  • Flags/Modifiers
  • Substitution
  • A single character of: a, b or c
    [abc]
  • A character except: a, b or c
    [^abc]
  • A character in the range: a-z
    [a-z]
  • A character not in the range: a-z
    [^a-z]
  • A character in the range: a-z or A-Z
    [a-zA-Z]
  • Any single character
    .
  • Alternate - match either a or b
    a|b
  • Any whitespace character
    \s
  • Any non-whitespace character
    \S
  • Any digit
    \d
  • Any non-digit
    \D
  • Any word character
    \w
  • Any non-word character
    \W
  • Non-capturing group
    (?:...)
  • Capturing group
    (...)
  • Zero or one of a
    a?
  • Zero or more of a
    a*
  • One or more of a
    a+
  • Exactly 3 of a
    a{3}
  • 3 or more of a
    a{3,}
  • Between 3 and 6 of a
    a{3,6}
  • Start of string
    ^
  • End of string
    $
  • A word boundary
    \b
  • Non-word boundary
    \B

Regular Expression
No Match

/
/
gm

Test String

Code Generator

Language

Generated Code

#include <StringConstants.au3> ; to declare the Constants of StringRegExp #include <Array.au3> ; UDF needed for _ArrayDisplay and _ArrayConcatenate Local $sRegex = "(?m)(New Logon:)(.*\n+.*\n+.|[\r\n\w:\s-]+)Account Name:\s+((?i)\b(?!System)[a-zA-Z0-9]+)" Local $sString = "Log Name: Security" & @CRLF & _ "Source: Microsoft-Windows-Security-Auditing" & @CRLF & _ "Date: 05/05/2021 15:02:41" & @CRLF & _ "Event ID: 4624" & @CRLF & _ "Task Category: Logon" & @CRLF & _ "Level: Information" & @CRLF & _ "Keywords: Audit Success" & @CRLF & _ "User: N/A" & @CRLF & _ "Computer: WebServer04" & @CRLF & _ "Description:" & @CRLF & _ "An account was successfully logged on." & @CRLF & _ "" & @CRLF & _ "Subject:" & @CRLF & _ " Security ID: SYSTEM" & @CRLF & _ " Account Name: WEBSERVER04$" & @CRLF & _ " Account Domain: WORKGROUP" & @CRLF & _ " Logon ID: 0x3E7" & @CRLF & _ "" & @CRLF & _ "Logon Information:" & @CRLF & _ " Logon Type: 7" & @CRLF & _ " Restricted Admin Mode: -" & @CRLF & _ " Virtual Account: No" & @CRLF & _ " Elevated Token: No" & @CRLF & _ "" & @CRLF & _ "Impersonation Level: Impersonation" & @CRLF & _ "" & @CRLF & _ "New Logon:" & @CRLF & _ " Security ID: WEBSERVER04\mcanbaz" & @CRLF & _ " Account Name: mcanbaz" & @CRLF & _ " Account Domain: WEBSERVER04" & @CRLF & _ " Logon ID: 0x19CCD80" & @CRLF & _ " Linked Logon ID: 0x19CCD62" & @CRLF & _ " Network Account Name: -" & @CRLF & _ " Network Account Domain: -" & @CRLF & _ " Logon GUID: {00000000-0000-0000-0000-000000000000}" & @CRLF & _ "" & @CRLF & _ "Process Information:" & @CRLF & _ " Process ID: 0x614" & @CRLF & _ " Process Name: C:\Windows\System32\svchost.exe" & @CRLF & _ "" & @CRLF & _ "Network Information:" & @CRLF & _ " Workstation Name: WEBSERVER04" & @CRLF & _ " Source Network Address: 192.168.0.10" & @CRLF & _ " Source Port: 0" & @CRLF & _ "" & @CRLF & _ "Detailed Authentication Information:" & @CRLF & _ " Logon Process: User32 " & @CRLF & _ " Authentication Package: Negotiate" & @CRLF & _ " Transited Services: -" & @CRLF & _ " Package Name (NTLM only): -" & @CRLF & _ " Key Length: 0" & @CRLF & _ "" & @CRLF & _ "This event is generated when a logon session is created. It is generated on the computer that was accessed." & @CRLF & _ "" & @CRLF & _ "The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe." & @CRLF & _ "" & @CRLF & _ "The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network)." & @CRLF & _ "" & @CRLF & _ "The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on." & @CRLF & _ "" & @CRLF & _ "The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases." & @CRLF & _ "" & @CRLF & _ "The impersonation level field indicates the extent to which a process in the logon session can impersonate." & @CRLF & _ "" & @CRLF & _ "The authentication information fields provide detailed information about this specific logon request." & @CRLF & _ " - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event." & @CRLF & _ " - Transited services indicate which intermediate services have participated in this logon request." & @CRLF & _ " - Package name indicates which sub-protocol was used among the NTLM protocols." & @CRLF & _ " - Key length indicates the length of the generated session key. This will be 0 if no session key was requested." & @CRLF & _ "Event Xml:" & @CRLF & _ "<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">" & @CRLF & _ " <System>" & @CRLF & _ " <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />" & @CRLF & _ " <EventID>4624</EventID>" & @CRLF & _ " <Version>2</Version>" & @CRLF & _ " <Level>0</Level>" & @CRLF & _ " <Task>12544</Task>" & @CRLF & _ " <Opcode>0</Opcode>" & @CRLF & _ " <Keywords>0x8020000000000000</Keywords>" & @CRLF & _ " <TimeCreated SystemTime="2021-05-05T12:02:41.872791700Z" />" & @CRLF & _ " <EventRecordID>111399</EventRecordID>" & @CRLF & _ " <Correlation ActivityID="{80931da6-4143-0001-071f-93804341d701}" />" & @CRLF & _ " <Execution ProcessID="680" ThreadID="96" />" & @CRLF & _ " <Channel>Security</Channel>" & @CRLF & _ " <Computer>WebServer04</Computer>" & @CRLF & _ " <Security />" & @CRLF & _ " </System>" & @CRLF & _ " <EventData>" & @CRLF & _ " <Data Name="SubjectUserSid">S-1-5-18</Data>" & @CRLF & _ " <Data Name="SubjectUserName">WEBSERVER04$</Data>" & @CRLF & _ " <Data Name="SubjectDomainName">WORKGROUP</Data>" & @CRLF & _ " <Data Name="SubjectLogonId">0x3e7</Data>" & @CRLF & _ " <Data Name="TargetUserSid">S-1-5-21-2305414523-2991885378-3430239152-1000</Data>" & @CRLF & _ " <Data Name="TargetUserName">mcanbaz</Data>" & @CRLF & _ " <Data Name="TargetDomainName">WEBSERVER04</Data>" & @CRLF & _ " <Data Name="TargetLogonId">0x19ccd80</Data>" & @CRLF & _ " <Data Name="LogonType">7</Data>" & @CRLF & _ " <Data Name="LogonProcessName">User32 </Data>" & @CRLF & _ " <Data Name="AuthenticationPackageName">Negotiate</Data>" & @CRLF & _ " <Data Name="WorkstationName">WEBSERVER04</Data>" & @CRLF & _ " <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>" & @CRLF & _ " <Data Name="TransmittedServices">-</Data>" & @CRLF & _ " <Data Name="LmPackageName">-</Data>" & @CRLF & _ " <Data Name="KeyLength">0</Data>" & @CRLF & _ " <Data Name="ProcessId">0x614</Data>" & @CRLF & _ " <Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>" & @CRLF & _ " <Data Name="IpAddress">192.168.10.25</Data>" & @CRLF & _ " <Data Name="IpPort">0</Data>" & @CRLF & _ " <Data Name="ImpersonationLevel">%%1833</Data>" & @CRLF & _ " <Data Name="RestrictedAdminMode">-</Data>" & @CRLF & _ " <Data Name="TargetOutboundUserName">-</Data>" & @CRLF & _ " <Data Name="TargetOutboundDomainName">-</Data>" & @CRLF & _ " <Data Name="VirtualAccount">%%1843</Data>" & @CRLF & _ " <Data Name="TargetLinkedLogonId">0x19ccd62</Data>" & @CRLF & _ " <Data Name="ElevatedToken">%%1843</Data>" & @CRLF & _ " </EventData>" & @CRLF & _ "</Event>" Local $aArray = StringRegExp($sString, $sRegex, $STR_REGEXPARRAYGLOBALFULLMATCH) Local $aFullArray[0] For $i = 0 To UBound($aArray) -1 _ArrayConcatenate($aFullArray, $aArray[$i]) Next $aArray = $aFullArray ; Present the entire match result _ArrayDisplay($aArray, "Result")

Please keep in mind that these code samples are automatically generated and are not guaranteed to work. If you find any syntax errors, feel free to submit a bug report. For a full regex reference for AutoIt, please visit: https://www.autoitscript.com/autoit3/docs/functions/StringRegExp.htm