That's disappointing to hear
The raw registry table is probably the most important of the PRs I've opened
Mainly from an investigation perspective, it's one of the 3 artifacts that are pretty much required in order to do a comprehensive investigation
UAL adding a WHERE clause makes sense, it does return a lot (maybe a WHERE clause for log level and/or timestamp?)
I'm not sure if fsevents should require a WHERE clause?
If using osquery for investigations it needs to be able to pull back large amounts of data (full file listing, all event logs/UAL, all registry keys for all users)
So from an investigation perspective you would want to pull back everything
It would be great if all of the PRs could get merged
Especially raw registry parsing
There are many EDR tools available that can already parse jumplist/raw registry so it would be great if osquery can also do it too