Would anyone have a handle on the proper way to list files in a path? I am trying to identify some msmxl*.dll library files scattered about our environent. I thought that SELECT * FROM file WHERE path LIKE "/Windows/System32/msxml*.dll"; or maybe SELECT * FROM file WHERE path LIKE "/Windows/System32/msxml%%"; would do it but clearly I am incorrect. Any help is appreciated as I am an osquery noob.

Can you give a couple of examples of the paths you'd like to match?

the path will always be under the /windows/system32/ but the file names may be different. I am looking for a summary of files that exist that match the pattern filename#.dll

Could there be additional directories, or will they be directly under system32?

so the example is msxml3.dll msxml4r.dll msxml6.dll ...

you can try something like this to get that file list

SELECT * FROM file WHERE directory='C:\\windows\\system32' AND filename LIKE 'msxml%.dll';

Does

SELECT * FROM file WHERE path LIKE "/Windows/System32/msxml%.dll"

work?

zwass I trued that with no returns earlier but let me try your written example. Perhaps I mis entered something

Yeah maybe try that

err c:\\

Jo, how are you testing this query? I've just double checked it by manually running it and it worked for me

Yeah it can be a bit dependent on the context for how the double-backslashes are treated

I am actually running this under my depoyed OSquery via Elastic agent may be a little funky

good to know that! I was wondering how that error might end up appearing

id bet if I removed those escape \'s it might fire. let see

The main difference is that your query used

*

, but you need the sql wildcard is

%

.

Hey seph. Yeah, I am up to date with whatever is deployed with the Elastic Agent Osquery integration .

I have no idea what version elastic ships.