# general
c
hello, we are using the `programs` table to fetch all apps installed on a Windows machine. Unfortunately we are not able to fetch applications whose binaries are located under the `Program Files\WindowsApps` folder... did anyone face the same issue? is there a workaround? thanks 😉
s
The `programs` table (https://github.com/osquery/osquery/blob/master/osquery/tables/system/windows/programs.cpp) is implemented using part of the logic of the `registry` table. If those apps are registered in the system registry too, the `registry` table can be used. Not sure where they are though.
c
the apps are registered in the registry, but unfortunately their entries from the registry are not coming in the results when we query the `registry` table
s
So, you've verified that you have the data under a certain path in the registry but you are unable to query it via osquery? If so, sounds like a specific issue with the query you're using.
c
the path in registry is this one: _`HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Repository\Packages`_
I run the following query:
```sql
SELECT * FROM registry
WHERE path LIKE '%HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Repository\Packages%'
```
s
If you know that there's data there, then as I mentioned above, it's likely that the issue is the query. I know that the table is a bit particular
^ I've written a (slightly long) explanation there on what to expect
c
cool, thanks
s
Hmm, why do you have a starting `%`?
maybe a TLDR on how you're using the query is that if you want to list all the keys (one level) under Packages, you want to do `[...]\Packages\%`, otherwise if there is no separator, the listing of keys actually starts one level above, and then if I remember correctly it will only return that single key
The "Example 3" at the bottom of the comment has a similar use case
In any case you have to assume that writing `Packages%` means also matching `PackagesSomeOtherWords`
Ah, the other thing I see is that HKEY_CURRENT_USER cannot be used. You have to query HKEY_USERS and specify the desired user SID
If you test the query locally on a machine with osqueryi, osquery should print a warning.
`HKEY_USERS\<SID>\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Repository\Packages\%`
c
following query worked... thanks for the help 🙏
```sql
SELECT * FROM registry
WHERE path LIKE 'HKEY_USERS\%\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Repository\Packages\%'
```
t
Hi, thanks for exploring this issue with identifying Windows Apps via the registry table. I tried the statement provided above and get results. However, the results are not very helpful because the information is cryptic, e.g. I expected to get Mozilla Firefox but get some kind of identifiers. Is this expected? It would be great if someone could share a result of a properly working query. Thank you.
Hi, we worked on a query to enumerate the software installed in "C:\Program Files\WindowsApps". This is what worked well enough for us:
```sql
-- Folder names under WindowsApps look like Name_Version_Arch__PublisherId.
-- '_' is a single-character wildcard in LIKE, so literal underscores are
-- escaped with ESCAPE '\'; string literals use single quotes (double quotes
-- are identifiers in SQLite and only fall back to strings by accident).
SELECT DISTINCT
    -- name: everything before the first underscore
    SUBSTR(filename, 1, INSTR(filename, '_') - 1) AS name,
    -- version: the field between the first and second underscore
    SUBSTR(filename, INSTR(filename, '_') + 1,
           INSTR(SUBSTR(filename, INSTR(filename, '_') + 1), '_') - 1) AS version,
    CASE
        WHEN filename LIKE '%\_x64\_\_%' ESCAPE '\' THEN 'x64'
        WHEN filename LIKE '%\_x86\_\_%' ESCAPE '\' THEN 'x86'
        WHEN filename LIKE '%\_neutral\_\_%' ESCAPE '\' THEN 'neutral'
        ELSE ''
    END AS arch
FROM file
WHERE directory = 'C:\Program Files\WindowsApps'
  AND filename LIKE '%.%\_%\_%\_\_%' ESCAPE '\';
```
More and more software products seem to get installed in this location. Popular examples in our case are apps installed from the Microsoft Store, such as the Company Portal and Mozilla Firefox. As a result, the software inventory in Fleet is increasingly incomplete. It would be great if Fleet were able to add this location to the software inventory as well.
Hey guys, not sure how to get some awareness for this issue. So I reposted it in #C08V7KTJB. Is this worth an issue on Fleet's GitHub repo?