# windows
t
hello osquery windows folks, I am curious does osquery get any data from wmic output at all anywhere?
s
osquery doesn’t shell out. I wrote a kolide extension for doing wmi queries through osquery. But that ships in the kolide product. So not a huge help
t
well what is that wmi table for? Looking at the docs it implies I can use the windows query language to return results?
s
What wmi table? I wrote a kolide_wmi table, and shipped it in launcher, and did not document it. I think fleet lifted it into their code base, which is mostly, but perhaps not entirely, compliant with the license. But I don’t know what all they’re doing.
not a windows engineer but have done stints in the MSFT stacks in my career, they have just been few and far between at this point
Windows Management Instrumentation Query Language (WQL) event query that specifies the set of events for consumer notification, and the specific conditions for notification.
s
I don’t know what that is. But the thing you pasted (which I was about to paste) looks like it’s for understanding something that generates events. (windows events is a windows logging system)
t
yeah we have some of the windows event tables turned on, but I am not familiar with WQL
but on my windows VM I can do this:
WMIC.exe datafile "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe" list full


AccessMask=18809343
Archive=TRUE
Caption=C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Compressed=FALSE
CompressionMethod=
CreationClassName=CIM_LogicalFile
CreationDate=20240312182146.364332-420
CSCreationClassName=Win32_ComputerSystem
CSName=TOMLARKIN23B2
Description=C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Drive=c:
EightDotThreeFileName=c:\program files (x86)\google\chrome\application\chrome.exe
Encrypted=FALSE
EncryptionMethod=
Extension=exe
FileName=chrome
FileSize=2118944
FileType=Application
FSCreationClassName=Win32_FileSystem
FSName=NTFS
Hidden=FALSE
InstallDate=20240312182146.364332-420
InUseCount=
LastAccessed=20240326181629.750978-420
LastModified=20240311200100.392708-420
Manufacturer=Google LLC
Name=C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Path=\program files (x86)\google\chrome\application\
Readable=TRUE
Status=OK
System=FALSE
Version=122.0.6261.129
Writeable=TRUE
these date/time stamps tho make me 😡
LastAccessed=20240326181629.750978-420
LastModified=20240311200100.392708-420
s
wql is the SQL-esque query language wmi uses.
t
yeah and IIRC wmic is just the "binary version" of WMI
s
Huh, that is an osquery table. And looking at the implementation https://github.com/osquery/osquery/blob/dcd8594f8d8687cb13bc9540b5aad2c26c5f8d9e/osquery/tables/system/windows/wmi_event_filters.cpp#L20 it seems pretty clear. It’s the results of the wmi query:
SELECT * FROM __EventFilter
Under the hood, osquery does know how to query WMI, but there’s nothing generic exposed. It’s used in table implementations
t
basically I have no good way to track application usage in Windows and that wmic command I just shared was my attempt at tracking last used dates for the app
I am still learning how osquery internals work so i will read up on that stuff soon
s
I don’t know enough windows to know how to track last open time on things.
I can’t speak to the veracity, but https://superuser.com/questions/1749715/track-last-time-app-exe-was-launched-on-windows suggests a file based approach
Ah, but prefetch requires superfetch be enabled. 🤷
t
well that wmic query I posted above works in a powershell terminal lol but I will have to kick this over to my Windows engineer and hopefully she can educate us all on how to make it work
s
Well, as said at the beginning, osquery does not support arbitrary wmi queries.
t
well that is too bad then 😭