# windows
Do you know how it was deployed then? Maybe an administrative install was used? What is the version of the old agent? Do you still have the osquery service?
4.8.0 is the version
it was installed with admin privs when the host was set up at the very beginning
it's running with the osqueryd service
With administrative install I mean something like
msiexec /A osquery-4.8.0.msi
which will not add a reference to Add/Remove Programs, and it also will not add an osquery service on its own; that has to be added manually later.
Otherwise I'm not sure why it's not in the list of Add/Remove Programs. In any case, you can also remove it manually if there's no reference to it. From an admin PowerShell you can:
Stop-Service -Name osqueryd
Remove-Service -Name osqueryd
Then go to the osquery installation folder and make a copy of any config you want to keep, if any, then just delete the osquery folder, and install the new one.
The installer, beyond adding a reference to Add/Remove Programs, adding a service and installing the files, doesn't do anything else.
Hey, thanks for your input. I am gonna try to stop the service and remove the folder one.
To be specific, among the configs, remember that there's also the osquery database, which may contain the node identifier if it was enrolled into a fleet manager.
You may want to carry that over too, so that it's already enrolled and, depending on what you've selected as identifier, it doesn't regenerate.
There's something I still don't understand though. osquery 4.8.0 MSI should install under
C:\Program Files\osquery
which is the same path used by newer installations. When you previously tried to install the newer version, what do you mean that it installed it as a separate application?
Separate in what way?
Separate as in I see both the osquery agents there, 5.2 and 4.8
Could you clarify where "there" is?
There as in installed on the machine. If I look at installed apps/services on my host, it shows both osquery agents
How are you verifying that?
I can see the device on osquery
and in apps installed it shows both agents