$re = '/\<EventID\>4656\<\/EventID\>.*\<Data Name\=\'ProcessName\'\>(C|D|E|F):\\\\Windows\\\\System32\\\\CpqMgmt\\\\cqmghost\\\\cqmghost\.exe/m';
$str = '<Event xmlns=\'http://schemas.microsoft.com/win/2004/08/events/event\'><System><Provider Name=\'Microsoft-Windows-Security-Auditing\' Guid=\'{54849625-5478-4994-A5BA-3E3B0328C30D}\'/><EventID>4656</EventID><Version>1</Version><Level>0</Level><Task>12801</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime=\'2020-08-12T19:47:25.544399300Z\'/><EventRecordID>1397935969</EventRecordID><Correlation/><Execution ProcessID=\'716\' ThreadID=\'728\'/><Channel>Security</Channel><Computer>svr-apl-cit-01.BANCOREGIONAL.LOCAL</Computer><Security/></System><EventData><Data Name=\'SubjectUserSid\'>NT AUTHORITY\\SYSTEM</Data><Data Name=\'SubjectUserName\'>SVR-APL-CIT-01$</Data><Data Name=\'SubjectDomainName\'>BANCOREGIONAL</Data><Data Name=\'SubjectLogonId\'>0x3e7</Data><Data Name=\'ObjectServer\'>Security</Data><Data Name=\'ObjectType\'>Key</Data><Data Name=\'ObjectName\'>\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\SamSs</Data><Data Name=\'HandleId\'>0x584</Data><Data Name=\'TransactionId\'>{00000000-0000-0000-0000-000000000000}</Data><Data Name=\'AccessList\'>%%1537 %%1538 %%1539 %%1540 %%4432 %%4433 %%4434 %%4435 %%4436 %%4437 </Data><Data Name=\'AccessReason\'>-</Data><Data Name=\'AccessMask\'>0xf003f</Data><Data Name=\'PrivilegeList\'>-</Data><Data Name=\'RestrictedSidCount\'>0</Data><Data Name=\'ProcessId\'>0x1ec0</Data><Data Name=\'ProcessName\'>C:\\Windows\\System32\\CpqMgmt\\cqmghost\\cqmghost.exe</Data><Data Name=\'ResourceAttributes\'>-</Data></EventData></Event>';
preg_match_all($re, $str, $matches, PREG_SET_ORDER, 0);
// Print the entire match result
var_dump($matches);
Please keep in mind that these code samples are automatically generated and are not guaranteed to work. If you find any syntax errors, feel free to submit a bug report. For a full regex reference for PHP, please visit: http://php.net/manual/en/ref.pcre.php