well it's not ready as is, but it should be along the lines of having

set(source_files 
"${CMAKE_CURRENT_BINARY_DIR}/empty_osqueryd_target_source_file.cpp"
${CMAKE_CURRENT_BINARY_DIR}/windows_resources.rc
)
[...]
configure_file(
${CMAKE_SOURCE_DIR}/tools/windows_resources.rc.in
${CMAKE_CURRENT_BINARY_DIR}/windows_resources.rc
@ONLY)
[...]
add_osquery_executable(osqueryd "${source_files}")

here: https://github.com/osquery/osquery/blob/c2fde72fa6c67083b7e56001d51054345977d809/osquery/CMakeLists.txt#L55

While I’m not familiar with the code, I’d generally expect it to be random. I’m curious about the use case where order matters.

In my exp, distributed queries are run in alphabetical order

hello, trying to deploy osquery on windows. I have installed via Choco and when i am trying to test

running /path/to/osqueryd --flagfile /path/to/file

i get unsafe permissions for osqueryd...a way around this besides allow-unsafe?

with osquery is it possible to forward also windows events not generated by osquery?

@Andrew Zah thanks for posting your resolution by the way, I love that this is now going to be in the Slack for people searching

Anyone else having 1607 issue when starting osquery service after new V4 MSI install? had to do the below to get it to start (on windows 1903)..

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\osqueryd

ImagePath

from:

C:\Program Files\osquery\osqueryd\osqueryd.exe --flagfile=\Program Files\osquery\osquery.flags

to:

"C:\Program Files\osquery\osqueryd\osqueryd.exe" --flagfile="C:\Program Files\osquery\osquery.flags"

and

ObjectName

from:

NT AUTHORITY\SYSTEM

to:

LocalSystem

Hi! after running osquery installer in windows, I get no output and I don’t see any c:\program files\osquery any suggestion where I could give a look?

osquery sends snapshot queries as an array to the snapshots.log file - is there a way to make it not do this?

I've been trying to build an msi for windows with a pre-written config. There seem to be references to a windows provisioning file (and it's available on the readthedocs.io) but then some of the files it references are no longer there. Has the process for building a windows msi changed, and is it documented anywhere?

While I am able to see the node in my Kolide Fleet server, what is this referring to?

@Mike Myers looking through this diff, there's quite a few things that could stand updates. I'm going to leave a review on this, but definitely don't feel like you need to do all of the updates, I'm happy to take over fixing a lot of this shit.

Can someone verify that you are able to see powershell_events or powershell script block logging from windows_events with master or experimental branches?

anyone has any insight on pre-release 4.0 on all these sst reads? machines gets extremely sloooow..

Ok @Stefano Bonicatti, or someone familiar with WIX, it looks like the error is here https://github.com/osquery/osquery/blob/master/cmake/wix_patches/osquery_wix_patch.xml#L14 and that path should be quoted.

have you tried with

cmake -DOSQUERY_BUILD_TESTING=true

?

Any of you windows gurus able to help me figure out why the tests are failing for https://github.com/osquery/osquery/pull/5479? Some of them seem to exit with code

0xc0000135

, which I assume (based on https://stackoverflow.com/a/11433714/491710) is due to a failure trying to load the

wscapi

dll. This is surprising to me as it seems this library goes back to Windows Vista (https://www.exefiles.com/en/dll/wscapi-dll/), and it works fine for me on my test VM.

So I'm pretty stumped as to how to move forward.

I thought that was fixed in https://github.com/osquery/osquery/pull/5778

@Obi can you open an issue about that? https://github.com/osquery/osquery/issues

I’m hoping @mari0d has more input here.

@Haam3r Trail of Bits is working on a table that implements domain account support

@Haam3r take a look at https://github.com/trailofbits/osquery/tree/garret/feature/windows_active_directory_users_and_groups

Hi All, Does osquery-go have support for windows? If yes, have any of you had any experience with it?

Are we sure that on the Ci hosts things are `rm -r -fo`d or that we start from a clean state?

got any AV installed on that machine?

@lvferdi morning! It doesn't seem so from what I can see, please open an issue with all the information you have

A user land process shouldn’t be able to cause a BSOD, right? (Asking as a non Windows user)

I saw that this question was asked before but I did not see an answer so I apologize if this is repetitive. Is there any way to use osquery to get visibility into the Group Policy configurations deployed on a system?

Hello, I have an issue with Windows permission. I followed the documentation instruction but it hasn't worked. I obtain the following error when executing `osquery_utils.ps1`:

Exception when calling "RemoveAccessRule" with arguments "1": "Some or all identity references could not be converted."