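// Field extractor for Windows Security event 4702 ("A scheduled task was updated") XML.
// Each alternative pulls one fragment: the EventID marker, the TimeCreated stamp,
// the Computer name, and every <Data Name='...'> element whose value holds no '<'.
// The last alternative previously ended in a stray ':'. Nothing in the sample follows
// </Data> with a colon, so every EventData field (SubjectUserName, TaskName, ...) was
// silently dropped from the result, leaving only the three System fragments.
// Values that contain '<' (the raw TaskContentNew payload in the sample input) are
// still skipped by [^<]+ and need separate handling if the task body must be reviewed.
$re = '/<EventID>4702<\/EventID>|<TimeCreated SystemTime=\'[^\']+\'\/>|<Computer>[^<]+<\/Computer>|<Data Name=\'[^\']+\'>[^<]+<\/Data>/m';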
// Sample input: one Security-channel record with EventID 4702 (scheduled task updated),
// serialized as XML inside a single-quoted PHP string, so \' and \\ are PHP escapes for ' and \.
// The TaskContentNew value carries the whole task definition as raw, multi-line markup.
// NOTE(review): exported event XML usually entity-escapes this payload (&lt;...); confirm the
// real input format before relying on this sample.
$str = '<Event xmlns=\'http://schemas.microsoft.com/win/2004/08/events/event\'><System><Provider Name=\'Microsoft-Windows-Security-Auditing\' Guid=\'{54849625-5478-4994-a5ba-3e3b0328c30d}\'/><EventID>4702</EventID><Version>1</Version><Level>0</Level><Task>12804</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime=\'2024-12-05T14:59:44.9923272Z\'/><EventRecordID>2470365</EventRecordID><Correlation ActivityID=\'{625186de-46eb-0000-1689-5162eb46db01}\'/><Execution ProcessID=\'1408\' ThreadID=\'1600\'/><Channel>Security</Channel><Computer>Host</Computer><Security/></System><EventData><Data Name=\'SubjectUserSid\'>S-1-5-20</Data><Data Name=\'SubjectUserName\'> Host $</Data><Data Name=\'SubjectDomainName\'> Host </Data><Data Name=\'SubjectLogonId\'>0x3e4</Data><Data Name=\'TaskName\'>\\Microsoft\\Windows\\SoftwareProtectionPlatform\\SvcRestartTask</Data><Data Name=\'TaskContentNew\'><?xml version="1.0" encoding="UTF-16"?>
<Task version="1.6" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo>
<Source>$(@%systemroot%\\system32\\sppc.dll,-200)</Source>
<Author>$(@%systemroot%\\system32\\sppc.dll,-200)</Author>
<Version>1.0</Version>
<Description>$(@%systemroot%\\system32\\sppc.dll,-201)</Description>
<URI>\\Microsoft\\Windows\\SoftwareProtectionPlatform\\SvcRestartTask</URI>
<SecurityDescriptor>D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)(A;;FR;;;S-1-5-87-2912274048-3994893941-1669128114-1310430903-1263774323)</SecurityDescriptor>
</RegistrationInfo>
<Triggers>
<CalendarTrigger>
<StartBoundary>2024-12-10T07:54:44Z</StartBoundary>
<Enabled>true</Enabled>
<ScheduleByDay>
<DaysInterval>1</DaysInterval>
</ScheduleByDay>
</CalendarTrigger>
</Triggers>
<Principals>
<Principal id="NetworkService">
<UserId>S-1-5-20</UserId>
<RunLevel>LeastPrivilege</RunLevel>
</Principal>
</Principals>
<Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
<AllowHardTerminate>false</AllowHardTerminate>
<StartWhenAvailable>true</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings>
<StopOnIdleEnd>true</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>true</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>
<UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
<Priority>7</Priority>
<RestartOnFailure>
<Interval>PT1M</Interval>
<Count>3</Count>
</RestartOnFailure>
</Settings>
<Actions Context="NetworkService">
<ComHandler>
<ClassId>{B1AEBB5D-EAD9-4476-B375-9C3ED9F32AFC}</ClassId>
<Data><![CDATA[timer]]></Data>
</ComHandler>
</Actions>
</Task></Data><Data Name=\'ClientProcessStartKey\'>26177172834095606</Data><Data Name=\'ClientProcessId\'>2408</Data><Data Name=\'ParentProcessId\'>1368</Data><Data Name=\'RpcCallClientLocality\'>0</Data><Data Name=\'FQDN\'>Host</Data></EventData></Event>';
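// Run the extractor over the sample; PREG_SET_ORDER yields one row per matched fragment.
$matchCount = preg_match_all($re, $str, $matches, PREG_SET_ORDER, 0);
if ($matchCount === false) {
    // preg_match_all() returns false when PCRE itself fails (for example on a
    // backtrack limit). Without this check a parser failure is indistinguishable
    // from an event that simply has no matching fields.
    throw new RuntimeException('preg_match_all failed, PCRE error code ' . preg_last_error());
}
// Print the entire match result
var_dump($matches);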