# windows
Morning all, I know there have been issues submitted in the past for the ntfs_journal_events publisher, with regard to errors observed similar to:
ntfs_journal_events.cpp:323] Couldn't open C:\Users\teddoro\AppData\Local\Temporary Internet Files\ while building FRN set
In the case of the file path listed above, I believe the reason this error occurred is that the path does not actually exist. I figured that osquery was trying to add the directory because the path was listed in my
within config. However, it does not! So that is odd behavior. Though "C:\\Users\\%\\AppData\\Local\\%" is listed in my config, and so logically osquery enumerates Local and monitors everything within it, why would it try to add a directory that is not within Local? How does it even know about the directory "Temporary Internet Files"?
"file_paths": {
    "windows": [
    "Users": [
      "C:\\Users\\%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\%",
      "C:\\Users\\%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\%",
  "exclude_paths": {
    "windows": [
      "C:\\Windows\\System32\\Tasks\\Adobe Acrobat Update Task\\%",
      "C:\\Windows\\System32\\Tasks\\Adobe Flash Player Updater\\%",
I think the entry is there; it is a hidden and system-protected file. If you enable hidden files and untick "Hide protected operating system files" in the folder options of Windows Explorer, you should see it. Or you should be able to see it via the osquery
It's also not a standard folder, so osquery might have some issues handling it.
ahh okay