could someone confirm that the backslashes in windows file paths need to be the escaped in the yaml config in agent settings? I just did a config_dump=true and it looks like backslashes are already being escaped, so now they're being double escaped.

C:\Program Files\osquery>"C:\Program Files\osquery\osqueryd\osqueryd.exe" --flagfile="C:\Program Files\osquery\osquery.flags" --config_dump=true
{"tls_plugin": {"decorators":{"load":["SELECT COALESCE((select instance_id FROM ec2_instance_metadata), hostname) as hostname FROM system_info;"]},"exclude_paths":{"Windows":["C:\\\\Windows\\\\Prefetch\\\\%"]},"file_paths":{"ProgramData":["C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\%","C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\%"],"Users":["C:\\\\Users\\\\%\\\\AppData\\\\Roaming\\\\%","C:\\\\Users\\\\%\\\\AppData\\\\Local\\\\%","C:\\\\Users\\\\%\\\\AppData\\\\Local\\\\temp\\\\%","C:\\\\Users\\\\%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%","C:\\\\Users\\\\%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\%","C:\\\\Users\\\\%\\\\Default\\\\%"],"Windows":["C:\\\\Windows\\\\%","C:\\\\Windows\\\\Temp\\\\%","C:\\\\Windows\\\\System32\\\\Drivers\\\\%","C:\\\\Windows\\\\SysWOW64\\\\Drivers\\\\%","C:\\\\Windows\\\\System32\\\\GroupPolicy\\\\Machine\\\\Scripts\\\\%","C:\\\\Windows\\\\System32\\\\GroupPolicy\\\\User\\\\Scripts\\\\%","C:\\\\Windows\\\\System32\\\\Wbem\\\\%","C:\\\\Windows\\\\SysWOW64\\\\Wbem\\\\%","C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\%","C:\\\\Windows\\\\SysWOW64\\\\WindowsPowerShell\\\\%","C:\\\\Windows\\\\Tasks\\\\%","C:\\\\Windows\\\\System32\\\\Tasks\\\\%","C:\\\\Windows\\\\AppPatch\\\\Custom\\\\%","C:\\\\Windows\\\\system32\\\\DriverStore\\\\Temp\\\\%","C:\\\\Windows\\\\system32\\\\wbem\\\\Performance\\\\%","C:\\\\Windows\\\\System32\\\\Tasks\\\\Adobe Acrobat Update Task\\\\%","C:\\\\Windows\\\\System32\\\\Tasks\\\\Adobe Flash Player Updater\\\\%","C:\\\\Windows\\\\System32\\\\Tasks\\\\OfficeSoftwareProtectionPlatform\\\\SvcRestartTask\\\\%"]},"options":{"disable_distributed":false,"disable_events":false,"distributed_interval":60,"enable_ntfs_event_publisher":true,"enable_powershell_events_subscriber":true,"enable_windows_events_publisher":true,"enable_windows_events_subscriber":true},"packs":{"Endpoints_Windows10":{"queries":{"win_end_bios_diff":{"query":"SELECT * FROM wmi_bios_info;","interval":3600,"platform":"windows","removed":false},"win_end_file_events_diff":{"query":"SELECT action, category, old_path, path, file_attributes, time FROM ntfs_journal_events;","interval":60,"platform":"windows"},"win_end_firmware_snapshot":{"query":"SELECT vendor, version, date, address, extra FROM platform_info;","interval":86400,"platform":"windows","snapshot":true},"win_end_hardware_events_diff":{"query":"SELECT hardware_vendor, hardware_model, hardware_version, hardware_serial FROM system_info;","interval":60,"platform":"windows"}}}}}}

tl;dr They don't generally need to be escaped in yaml For way more than you could ever want to know... http://blogs.perl.org/users/tinita/2018/03/strings-in-yaml---to-quote-or-not-to-quote.html

im just wondering if it has any negative effect on the client, i guess not since events are coming from those directories listed. however, im still seeing events from the one directory i added to exclude_paths. Is there some kind of event caching on the clients?

I'm surprised that it works with the double-escaping. Maybe Windows ignores multiple backslashes in paths? Events are cached in osquery, so it may be possible to still see older events. You shouldn't be getting any new events in excluded paths though.