In relation to ETW events, recent windows process PR. Does ETW have any concept of filtering? Is there any possibility of defining a capture filter ie

exclude processes that look like svchost.exe -k

@Marcos Oviedo et al.

Hey, I recently raised an issue about about running osquery as a SYSTEM process, and not being able to view files with privileges removed (https://github.com/osquery/osquery/issues/7820). I have also provided a suggested fix, although was wondering if there was a specific reason for not using SeBackupPrivilege previously to read files and registries?

Hi Team, is there anyway to get network usage per process using osquery?

Hi Team, is there anyway to get per process in focus time/screen time using osquery?

Please ask questions in one place. I’ve answered these in #general

Hi Team, I am trying to run a simple select query on windows_crashes table; on command prompt its giving output but I am running it from Servicenow and it gives me below error. Can anyone help here. FYI - all other tables are giving proper output. I0113 101629.751997 23860 init.cpp:357] osquery initialized [version=4.9.0] I0113 101629.755003 23860 extensions.cpp:453] Could not autoload extensions: Cannot open file for reading: \Program Files\osquery\extensions.load I0113 101629.755997 23860 init.cpp:568] An error occurred during extension manager startup: Extensions disabled I0113 101629.755997 23860 auto_constructed_tables.cpp:97] Removing stale ATC entries I0113 101630.894249 23860 sqlite_util.cpp:269] DBManager contention: opening transient SQLite database I0113 101630.911240 23860 sqlite_util.cpp:269] DBManager contention: opening transient SQLite database I0113 101630.962268 23860 dispatcher.cpp:149] Thread: 23860 requesting a stop I0113 101630.962268 23860 dispatcher.cpp:122] Thread: 23860 requesting a join I0113 101630.962268 23860 dispatcher.cpp:144] Services and threads have been cleared [ ]

Hi Team, I am running osquery "select * from windows_events" and it gives me error

Table windows_events is event-based but events are disabled

I then used --disable_events=0 as said in this doc https://osquery.readthedocs.io/en/stable/deployment/debugging/ but got the same error. Any thoughts?

Hi Team, I want to get the session time or the time when users log in and log out of a system. Is there a way to fetch that using osquery ? I see a logon_sessions table that has login time but does not have logoff time or session duration.

Team, I want to call osquery windows SDK in my windows app. Where I download the .lib file? Is there one or should I build it myself? I fount the head file, but not the library. Could someone show instructions of the steps?

the build command built bunch of osquery lib files, which .lib file is corresponding to osquery/sdk.h?

Hello! looking to see if anyone has found a way to find the Nvidia GeForce version installed? I can get the display drivers but my team needs the GeForce version. Tried multiple tables and have not found anything. Any assistance would be appreciated!

Hello. I am new to osquery. I'd like to know if it's possible to use osquery to get the results from a powershell command? For example, I would like to have the information from "net users /domain "username" from powershell. Can I use osquery to run that powershell command and get me the result? Thanks

Hello, How many maximum number of queries can we run in one pack ?

Hello looking to see if anyone has a way to pull all events from the windows_eventlog table? I know you can do something like this

SELECT * FROM windows_eventlog
WHERE eventid=4720 AND channel='Security'

But i am looking to just pull everything from the Security channel but from my understanding you can wildcard a integer. So something like

SELECT * FROM windows_eventlog
WHERE eventid=% AND channel='Security'

Hello I am testing the new windows feature : "ETW-based visibility on Windows" (https://github.com/osquery/osquery/issues/7836). I see the following error when I try to query 'shared_resources" table after enabling "process_etw_events". Below is the output from osqueryi (version 5.8.1):

C:\Program Files\osquery>osqueryi --disable-events=false --enable_process_etw_events=true
W0320 10:04:49.862340  9200 options.cpp:106] The CLI only flag --logger_plugin set via config file will be ignored, please use a flagfile or pass it to the process at startup
Using a [1mvirtual database[0m. Need help, type '.help'

osquery> select * from shared_resources;
E0320 10:04:57.237459  9200 shared_resources.cpp:54] The following WMI query could not be constructed: SELECT * FROM Win32_Share. enum osquery::WmiError[0] (WmiRequest creation failed in ExecQuery)

Is this a bug ? Thanks Kunal

Hey friends! Wanted to drop in and mention I noticed I'm way behind on chocolatey releases for osquery, really sorry about that! I'm spending tonight getting them updated!

Hey everyone, is it possible to query the Mark-of-the-web attribute of a file in Windows using Osquery? In powershell it looks like:

Get-Content <target_file> -Stream Zone.Identifier

Hi All, Can we run multiple instances of osquery service (possibly from 2 different osquery.exe files present at 2 different folders and installed as 2 different services). Are there any known issues for this configuration ? Thanks Kunal

Hello, I have 2 questions. 1. Is there an editor where I can create syncml? 2. If I want my device to sync, for example, 1 MDM server per minute, how can I do that? https://github.com/fleetdm/fleet/tree/main/tools/mdm/windows/poc-mdm-server/sample_syncml_commands

Hello, During the installation of Osquery in Windows with a custom path, an "osquery" folder is still created in the ProgramFiles directory, containing the "Pidfile" and "Osquery.db" files. Upon examining the code, I couldn't find any exposed parameters to modify these paths during the installation process. However, after the installation is complete, it is possible to change the path of these files using the following command:

path_to_custom_osquery\osqueryd\osqueryd.exe --flagfile=path_to_custom_osquery\osquery.flags --config_path=path_to_custom_osquery\osquery.conf --logger_path=path_to_custom_osquery\log --pidfile=path_to_custom_osquery\osqueryd.pidfile --database_path=path_to_custom_osquery\osquery.db

Is there a way to modify the paths for "Pidfile" and "Osquery.db" during the installation process?

Hi all, I have 2 queries regarding the following osquery tables: • Regarding

windows_crashes

table: When an application is crashed during the login session of user A and I access table from the same user A, I can read this data. But when I try to access the data from this user:

nt authority\system

(This is the local system account that has unrestricted access to all local system resources.), I am not able to fetch data from this table. I am able to fetch data from all other tables using this account/user. Is there a way, I can access the data in this table using this account/user only ? • Regarding

background_activities_moderator

table: When an application is not running from a long time, the data for that application/process is not available in this table. If we close the application now, the data is available after few hours but not after a long time. The use-case is to fetch the last access time of an application (even if it was last used few days back). Or is there some other way to fetch this metric using osquery ? It would be helpful I can get some insights on the above queries. Thanks.

Hi. In this query, on MacOS, it was returning the active application on the screen. How can I get this information in Windows?

select * from running_apps where is_active = 1

Hi everyone! Is osquery capable of detect docking stations for dell/lenovo?

Lenovo publishes the hardware identifiers of their docks here: https://docs.lenovocdrt.com/#/docks/docks_main - you'd probably want to key off the USB Billboard id.

Dell's Command Monitor software will put dock information in WMI, which you can interrogate with osq https://www.dell.com/support/kbdoc/en-us/000177080/dell-command-monitor (I don't know of a hardware query for the Dell Docks))

@Collin thanks for your response! I'll check those links

Hello everyone, I have one question, I installed, launched fleet, executed several osquery requests, everything works, but I have a question whether I can use fleet to perform some direct actions (for example, execute some script in cmd) or run some file on a remote pc?

Hello! Does anyone know how to fix the duplicate Windows OS version on the hosts?

Hi all, is it have logstash build in osquery?

Anyone seen this before?

Failed to get a handle to the following volume: \\\\.\\/:. Terminating...