#windows

Ted Dorosheff

02/04/2022, 2:17 PM
Morning all, I know there have been issues submitted in the past for the ntfs_journal_events publisher, with regard to errors observed similar to:
ntfs_journal_events.cpp:323] Couldn't open C:\Users\teddoro\AppData\Local\Temporary Internet Files\ while building FRN set
In the case of the file path listed above, I believe the reason that this error occurred is because that path does not actually exist. I figured that osquery was trying to add the directory because the path was listed in my file_paths within config. However, it does not! So that is odd behavior. Though "C:\Users\%\AppData\Local\%" is listed in my config, and so logically osquery enumerates Local and monitors everything within, why would it try to add a directory that is not within Local? How does it even know about the directory "Temporary Internet Files"?
{
  "file_paths": {
    "windows": [
      "C:\\Windows\\%",
      "C:\\Windows\\Temp\\%",
      "C:\\Windows\\System32\\drivers\\%",
      "C:\\Windows\\SysWOW64\\drivers\\%",
      "C:\\Windows\\System32\\Wbem\\%",
      "C:\\Windows\\SysWOW64\\Wbem\\%",
      "C:\\Windows\\System32\\WindowsPowerShell\\%",
      "C:\\Windows\\SysWOW64\\WindowsPowerShell\\%",
      "C:\\Windows\\Tasks\\%",
      "C:\\Windows\\System32\\Tasks\\%",
      "C:\\Windows\\AppPatch\\Custom\\%"
    ],
    "Users": [
      "C:\\Users\\%\\AppData\\Roaming\\%",
      "C:\\Users\\%\\AppData\\Local\\%",
      "C:\\Users\\%\\AppData\\Local\\Temp\\%",
      "C:\\Users\\%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\%",
      "C:\\Users\\%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\%",
      "C:\\Users\\%\\Default\\%"
    ]
  },
  "exclude_paths": {
    "windows": [
      "C:\\Windows\\system32\\DriverStore\\Temp\\%",
      "C:\\Windows\\system32\\wbem\\Performance\\%",
      "C:\\Windows\\System32\\Tasks\\Adobe Acrobat Update Task\\%",
      "C:\\Windows\\System32\\Tasks\\Adobe Flash Player Updater\\%",
      "C:\\Windows\\System32\\Tasks\\OfficeSoftwareProtectionPlatform\\SvcRestartTask\\%"
    ]
  }
}
Stefano Bonicatti

02/04/2022, 3:16 PM
I think the entry is there; the entry is hidden and a system-protected file. If you enable hidden files and untick the “Hide protected operating system files” in the folder options of the Windows Explorer, you should see it. Or you should be able to see it via the osquery file table.
3:18 PM
It’s also not a standard folder, so osquery might have some issues handling it.
Ted Dorosheff

02/04/2022, 5:44 PM
ahh okay