Hello! I'm unable to query 'Microsoft-Windows-Sysmon/Operational' windows event log when running sheduled or live distributed queries from fleetdm server, the output is null with no errors in logs. When I run the same query directly on the machine - it's working as expected. Could you, please, tell me what can I do to investigate the problem?

Hi everyone, does osquery does not give real-time data for windows as mentioned in this blog https://blog.trailofbits.com/2017/12/21/osquery-pain-points/ ?

👋 Hello, team! I need some help on adding windows/linux devices into fleedm hosts.

Can anyone share me query to block the usb ports in windows/linux/macos laptops

Hello everyone, I get a lot of "The Fleet osquery service terminated unexpectedly" Event 7031 on all Windows Systems. Where do they come from?

Hello everyone. Does anyone know how can i fix this? osquery.conf file is as: { // Configure the daemon below: "options": { "event_publisher": "etw_process_publisher", "enable_ntfs_event_publisher": true }, "schedule": { "chrome_extensions": { "query": "SELECT * from users;", "interval": 3600 } } } when i run osqueryd.exe --config_path="C:\Program Files\osquery\osquery.conf", i got the following error: I0212 13:55:33.071751 8240 eventfactory.cpp:156] Event publisher not enabled: etw_process_publisher: etw_process_publisher publisher disabled via configuration. How can i solve it?

Hello everyone. Does anyone know how can i fix this? osquery.conf file is as: { // Configure the daemon below: "options": { "event_publisher": "etw_process_publisher", "enable_ntfs_event_publisher": true }, "schedule": { "chrome_extensions": { "query": "SELECT * from users;", "interval": 3600 } } } when i run osqueryd.exe --config_path="C:\Program Files\osquery\osquery.conf", i got the following error: I0212 13:55:33.071751 8240 eventfactory.cpp:156] Event publisher not enabled: etw_process_publisher: etw_process_publisher publisher disabled via configuration. How can i solve it?

osquery.conf file:

{
  // Configure the daemon below:
  "options": {

    "event_publisher": "etw_process_publisher",
    "enable_ntfs_event_publisher": true
    
  },

  "schedule": {
    "chrome_extensions": {
      "query": "SELECT * from users;",
      "interval": 3600
    }
  }
   
}

when i run osqueryd.exe --config_path="C:\Program Files\osquery\osquery.conf", i got the following error: I0212 135533.071751 8240 eventfactory.cpp:156] Event publisher not enabled: etw_process_publisher: etw_process_publisher publisher disabled via configuration. How can i solve it?

can anyone help me about this issue?

The question is regarding windows_crashes table on windows. Currently I'm using windows 10 and osquery version 5.9.1 . Is there any way to fetch data in the osquery tables without having to manually create dump files everytime we need to see the osquery outputs? Does osquery only fetch data from the minidump folder only?

Faces issue, Installed Software in windows 10 Laptop not showing on Fleet Osquery web app, (Laptop is showing online and showing other details also but not fetching Installed Software), Showing No Installed Software detected on this host.) Please advise how to resolve. , Osquery version is 5.11.0

Hello everyone, there is a table usb_devices, unfortunately not for windows. I was wondering, whether there is an alternative way to query all connected devices. Thank you!

Hello everyone, there is a table usb_devices, unfortunately not for windows. So I was wondering how I could achieve the same for windows clients. Any ideas?

Hello everyone, I'm trying to use the ntfs_acl_permissions table with a wildcard in the path field but I'm not able to get any results. For example, the following query worked:

select * ntfs_acl_permissions where path = "C:\Users\vagrant\Documents\test.txt";

But when I tried to use wildcard, I cannot have results:

select * from ntfs_acl_permissions where path like "C:\Users\vagrant\Documents\%";

Do you know if it is possible to use wildcard with this table or am I making a mistake? Thanks for your help.

hello osquery windows folks, I am curious does osquery get any data from

wmic

output at all anywhere?

TL;DR I want the output of this if I could say, join the programs table to something

WMIC.exe datafile "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe" list full


AccessMask=
Archive=TRUE
Caption=C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Compressed=FALSE
CompressionMethod=
CreationClassName=CIM_LogicalFile
CreationDate=20240312182146.364332-420
CSCreationClassName=Win32_ComputerSystem
CSName=TOMLARKIN23B2
Description=C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Drive=c:
EightDotThreeFileName=c:\program files (x86)\google\chrome\application\chrome.exe
Encrypted=FALSE
EncryptionMethod=
Extension=exe
FileName=chrome
FileSize=2118944
FileType=Application
FSCreationClassName=Win32_FileSystem
FSName=NTFS
Hidden=FALSE
InstallDate=20240312182146.364332-420
InUseCount=
LastAccessed=20240312182146.364332-420
LastModified=20240311200100.392708-420
Manufacturer=Google LLC
Name=C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Path=\program files (x86)\google\chrome\application\
Readable=TRUE
Status=OK
System=FALSE
Version=122.0.6261.129
Writeable=TRUE

Hey friends, please see my note in #general about Azure Code Signing - https://osquery.slack.com/archives/C08V7KTJB/p1710348604068739

tl;dr - if anyone has hook ups with Azure Code Signing, please reach out ❤️ We need a new code signing solution

Hey folks, I’m seeing some unexpected behavior when querying the the

windows_security_center

with osquery

5.11.0

. Right after booting up, osquery reports

Error

for most of the columns in it (except

autoupdate

) and only after a minute or so do the columns show the correct values of

Good

. Any ideas what I could do about this or if there’s another table I could query to check if osquery might not be ready for this query?

Does anybody know of, or have, an extension for osquery that collects user/group information from an Active Directory server and presents it as a table?

hi Guys , I just installed fleetdm on my laptop using docker images . I am trying to add my laptop as a host into fleetdm . It got added and then went offline immediately without fetching the vitals of the system . Am i missing something here ?

Hi there, Does anyone know how to get the (total) memory usage of a Windows machine? I tried to use

total_size

in

processes

table, but I found that some of the services shown -1 even if they do use a lot of memory. Thanks!

Hi all. Wondering if anyone has run into this issue or would have an idea what might be causing it? This is happening on windows servers (2019 in this case). The query referenced in the error isn't consistent.

E0912 08:41:21.486761 7268 shutdown.cpp:79] Error adding new results to database for query pack_osquery-monitoring_schedule: Error serializing JSON

I’m having an issue. On Windows 10 machines, no firewall is reported when querying FirewallProduct WMI clad neither when searching on the registry. But when I go to settings security providers it’s tells that Windows Firewall is turned on. Sos anyone had the same issue? This happens on a couple of Windows 10 workstation. WMI is working fine because it’s not crushing, is responding nothing

Fix for `windows_crashes` missing information on user mode memory dumps #8394 Above is a fix for windows_crashes table missing information for Windows. Issue:- I pulled over the latest osquery code, I couldn't see the change that you mentioned in the latest public master code that I just pulled and could see it in pradishmp:master. #8394 1)When and for what osquery version can we expect to see this change? 2)Does the end user still need to configure this on this system to see the logs? https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps 3)Also does this mean that we get only User mode applications crashes when we get data from windows_crashes? Do we get kernel level crashes too? I've attached the same issue in osquery github repo as well. https://github.com/osquery/osquery/issues/8381

Hi everyone. I tried to build osq binaries from source. My target is x86 exe for Windows. My commands

git clone <https://github.com/osquery/osquery>
cd osquery
mkdir build
cd build
cmake -G "Visual Studio 17 2022" -A Win32 ..
cmake --build . --config Release -j10
mkdir package
$env:DESTDIR="C:\Temp\osquery\build\package"
cmake --build . --config Release --target install

And after all waiting there's nothing in "package" dir. No errors, output looks like OK I tried for x64 too or different configs (debug, relwithdefinfo) - same result Found old threads with same problem, but no solution there Anything i missed?

@Hyder Hussain has left the channel

Hi osquery team, I'm encountering an issue with osquery where it is not working as expected. Below are the details of the issue: Problem Description: if we run osquery with extension on windows socket it works for few minutes and then we get the error "Extension socket not available: \\.\pipe\osquery.em.7065" E0322 195053.988317 2444 scheduler.cpp:128] Error executing scheduled query foobar_win: vtable constructor failed: foobar What i did? • this is a fresh installation of osquery which i have downloaded from the offficial site https://pkg.osquery.io/windows/osquery-5.16.0.msi • after successfully installing the osquery i have created simple extension with foobar • created a new folder named "extention" inside c:\program files\osquery and moved the extension inside this folder then i have followed this document to change the permission https://osquery.readthedocs.io/en/stable/deployment/extensions/ • created a new file called extensions.load in c:\program files\osquery and added the extension path inside this • in osquery.conf file i have added schedule which will query and get the data for every 60 sec • then from windows service manager i have started the osqueryd service • in c:\program files\osquery\logs i was able to see the logs and also the result ("snapshots")

{
  "schedule": {
    "foobar_win": {
      "query": "SELECT * FROM foobar;",
      "interval": 10,
      "snapshot": true
    }
  }
}

Working smaple:

{
  "snapshot": [
    {
      "baz": "baz",
      "foo": "bar"
    },
    {
      "baz": "baz",
      "foo": "bar"
    }
  ],
  "action": "snapshot",
  "name": "foobar_win",
  "hostIdentifier": "DESKTOP-CLKS76M",
  "calendarTime": "Sat Mar 22 14:09:26 2025 UTC",
  "unixTime": 1742652566,
  "epoch": 0,
  "counter": 0,
  "numerics": false
}

What i have noticed? (in linux it works but in windows it's not) when i get the error E0322 195053.988317 2444 scheduler.cpp:128] Error executing scheduled query foobar_win: vtable constructor failed: foobar memory usage and disk usage goes to 100% and also cpu usage goes to 70% which is not consumed by osquery. this 100% usage issue comes right after i get the vtable constructor failed: foobar "also noticed 2 process running in the task manager not sure why" System Information: • OS: [windows 11 version: 24H2] • osquery Version: [5.16.0] Logs and Errors: I have attached a zip file containing logs, including both working and error states, to help debug the issue. Let me know if you need any additional details.

image.png,Screenshot 2025-03-25 163555.png

Is there a similar table to

usb_devices

for Windows that I'm not seeing in the schema?