#windows
Stefano Bonicatti

04/04/2022, 10:50 AM
Do you know how it was deployed then? Maybe an administrative install was used? What is the version of the old agent? Do you still have the osquery service?
Ojas

04/04/2022, 10:50 AM
4.8.0 is the version
10:50 AM
it was installed with admin privs when the host was set up at the very beginning
10:51 AM
it's running with the osqueryd service
Stefano Bonicatti

04/04/2022, 10:52 AM
With administrative install I mean something like
msiexec /A osquery-4.8.0.msi
which will not add a reference to the Add/Remove program but also it will not add an osquery service on its own which has to be later added manually.
10:56 AM
Otherwise I'm not sure why it's not in the list of Add/Remove programs... In any case, you can also remove it manually if there's no reference to it. From an admin PowerShell you can
Stop-Service -Name osqueryd
Remove-Service -Name osqueryd
Then go to the osquery installation folder and make a copy of any config you want to keep, if any, then just delete the osquery folder, and install the new one.
10:57 AM
The installer, beyond adding a reference to the Add/Remove programs, adding a service and installing the files, doesn't do anything else.
Ojas

04/04/2022, 11:08 AM
Hey, thanks for your input. I am gonna try to stop the service and remove the folder one.
Stefano Bonicatti

04/04/2022, 11:08 AM
To be specific, among the configs, remember that there's also the osquery database, which may contain the node identifier if it was enrolled into a fleet manager.
11:09 AM
You maybe want to carry that over too, so that it's already enrolled and, depending on what you've selected as identifier, it doesn't regenerate.
11:11 AM
There's something I still don't understand though. osquery 4.8.0 MSI should install under
C:\Program Files\osquery
which is the same path used by newer installations. When you have tried previously to install the newer version, what do you mean that it installed it as a separate application?
11:12 AM
separate in what way?
Ojas

04/04/2022, 11:41 AM
Separate as in I see both the osquery agents there, 5.2 and 4.8
Stefano Bonicatti

04/04/2022, 11:42 AM
Could you clarify where "there" is?
Ojas

04/04/2022, 11:48 AM
There as in installed on the machine. If I look at the installed apps/services on my host, it shows both osquery agents.
Stefano Bonicatti

04/04/2022, 11:48 AM
How are you verifying that?
Ojas

04/04/2022, 11:49 AM
I can see the device on osquery
11:50 AM
and in apps installed it shows both agents