I am using osquery for FIM. Have installed the osq...
# general
I am using osquery for FIM. I have installed osquery version 5.11. It is working fine with Mac, but for Windows 11 I am not getting file events. The errors below are printed on the console:

I0221 221847.304080 11332 ntfs_event_publisher.cpp:554] Parent FRN lookup failed: Failed to open the file in volume C:\. Error: The parameter is incorrect.
I0221 221847.306871 11332 ntfs_event_publisher.cpp:544] FRN pathname lookup failed, trying parent: Failed to open the file in volume C:\. Error: The parameter is incorrect.
I0221 221847.310052 11332 ntfs_event_publisher.cpp:554] Parent FRN lookup failed: Failed to open the file in volume C:\. Error: The parameter is incorrect.
I0221 221847.310052 11332 ntfs_event_publisher.cpp:544] FRN pathname lookup failed, trying parent: Failed to open the file in volume C:\. Error: The parameter is incorrect.
I0221 221847.310052 11332 ntfs_event_publisher.cpp:554] Parent FRN lookup failed: Failed to open the file in volume C:\. Error: The parameter is incorrect.
I0221 221847.317608 11332 ntfs_event_publisher.cpp:544] FRN pathname lookup failed, trying parent: Failed to open the file in volume C:\. Error: The parameter is incorrect.
I0221 221847.320739 11332 ntfs_event_publisher.cpp:554] Parent FRN lookup failed: Failed to open the file in volume C:\. Error: The parameter is incorrect.
I0221 221847.320739 11332 ntfs_event_publisher.cpp:544] FRN pathname lookup failed, trying parent: Failed to open the file in volume C:\. Error: The parameter is incorrect.
I0221 221847.327277 11332 ntfs_event_publisher.cpp:554] Parent FRN lookup failed: Failed to open the file in volume C:\. Error: The parameter is incorrect.
I0221 221847.330112 11332 ntfs_event_publisher.cpp:544] FRN pathname lookup failed, trying parent: Failed to open the file in volume C:\. Error: The parameter is incorrect.
This might be coming from here: https://github.com/osquery/osquery/blob/7f557d3188222d6adbe8b5ee291bcceaef6ddd8e/osquery/events/windows/ntfs_event_publisher.cpp#L206
It seems like the file matching that ID no longer exists; the NTFS journal can be cleared and can also miss information. It's a limitation that was deemed acceptable, as it's the only possible implementation that does not require a kernel driver.
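A small triage script, added here as an example and not osquery's own code: it parses osqueryd's glog-format console lines and tallies the FRN lookup failures by source location and volume, so the noise from a cleared or lagging NTFS change journal can be measured as a ratio instead of read one line at a time. The sample log is constructed from the lines quoted in the question (the last line is a made-up non-FRN line for contrast).

```python
import re
from collections import Counter

# osqueryd writes glog-style lines:
#   <I|W|E|F><MMDD> <HHMMSS.micros> <thread id> <source file>:<line>] <message>
GLOG_RE = re.compile(
    r"^(?P<sev>[IWEF])(?P<mmdd>\d{4}) (?P<hms>\d{6}\.\d+) (?P<tid>\d+) "
    r"(?P<src>[\w.\-]+):(?P<srcline>\d+)\] (?P<msg>.*)$"
)
# Pulls the volume letter out of "Failed to open the file in volume C:\."
VOLUME_RE = re.compile(r"in volume ([A-Za-z]:\\)")

# Constructed sample input, modelled on the lines quoted in the question.
SAMPLE_LOG = """\
I0221 221847.304080 11332 ntfs_event_publisher.cpp:554] Parent FRN lookup failed: Failed to open the file in volume C:\\. Error: The parameter is incorrect.
I0221 221847.306871 11332 ntfs_event_publisher.cpp:544] FRN pathname lookup failed, trying parent: Failed to open the file in volume C:\\. Error: The parameter is incorrect.
I0221 221847.310052 11332 ntfs_event_publisher.cpp:554] Parent FRN lookup failed: Failed to open the file in volume C:\\. Error: The parameter is incorrect.
I0221 221848.000100 11332 example_other.cpp:1] constructed unrelated informational line
"""


def parse_glog_line(line):
    """Split one osqueryd log line into its fields; None if it is not a glog line."""
    m = GLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["srcline"] = int(rec["srcline"])
    return rec


def summarize_frn_failures(log_text):
    """Tally FRN lookup failures by (source location, volume) and report
    what fraction of all parsed lines they make up."""
    by_location = Counter()
    total = 0
    for raw in log_text.splitlines():
        rec = parse_glog_line(raw)
        if rec is None:
            continue
        total += 1
        if "FRN" in rec["msg"] and "lookup failed" in rec["msg"]:
            vol = VOLUME_RE.search(rec["msg"])
            key = (f'{rec["src"]}:{rec["srcline"]}', vol.group(1) if vol else "?")
            by_location[key] += 1
    failures = sum(by_location.values())
    return {"parsed": total, "frn_failures": failures,
            "failure_ratio": failures / total if total else 0.0,
            "by_location": dict(by_location)}


if __name__ == "__main__":
    s = summarize_frn_failures(SAMPLE_LOG)
    for (loc, vol), n in sorted(s["by_location"].items()):
        print(f"{loc} volume {vol}: {n}")
    print(f"{s['frn_failures']} of {s['parsed']} lines are FRN lookup failures")
```

Feed it `osqueryd --verbose` output (or the osqueryd INFO log file) to see whether the failures are a steady trickle, which the answer above describes as expected, or a sudden flood that coincides with the journal being reset.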