Is there a trick to getting windows extensions working with Orbit/Fleet? I have verbose logging on and the orbit-osquery.log shows

Found autoloadable extension: C:\Program Files\Orbit\extensions\test.ext.exe

but it never runs the extension or registers the tables. If I run

.\osqueryi.exe --flagfile="C:\Program Files\Orbit\osquery.flags"

it loads fine. Is there a setting in Fleet I need to toggle to allow extension loading?

Thanks for your question! I’m going to follow up with some of the team and let you know if we have any tips.

Any idea?

Can you provide the contents of

osquery.flags

? And what command are you using to run Orbit?

--verbose
--disable_extensions=false
--extensions_autoload=C:\Program Files\Orbit\extensions.load
--extensions_timeout=3
--extensions_interval=3

Using the windows service

Fleet osquery

to run orbit with command line:

"C:\Program Files\Orbit\bin\orbit\orbit.exe" --root-dir "C:\Program Files\Orbit\." --log-file "C:\Windows\system32\config\systemprofile\AppData\Local\FleetDM\Orbit\Logs\orbit-osquery.log" --fleet-url "<https://198.18.6.2:8412>" --fleet-certificate "C:\Program Files\Orbit\fleet.pem" --enroll-secret-path "C:\Program Files\Orbit\secret.txt"   --update-url "<https://tuf.fleetctl.com>"  --orbit-channel "stable" --osqueryd-channel "stable"

When you run that manual

osqueryi.exe

command, are you in an admin powershell? What happens if you run

"C:\Program Files\Orbit\bin\orbit\orbit.exe" --root-dir "C:\Program Files\Orbit\." --log-file "C:\Windows\system32\config\systemprofile\AppData\Local\FleetDM\Orbit\Logs\orbit-osquery.log" --fleet-url "<https://198.18.6.2:8412>" --fleet-certificate "C:\Program Files\Orbit\fleet.pem" --enroll-secret-path "C:\Program Files\Orbit\secret.txt"   --update-url "<https://tuf.fleetctl.com>"  --orbit-channel "stable" --osqueryd-channel "stable"

in an admin powershell?

Correct, I am running osqueryi.exe in an Administrator powershell. If I run that long command (same as the service) from the same Administrator powershell I get identical log output to the service. This is the orbit command:

2022-02-23T18:36:47-05:00 INF start osqueryd cmd="C:\\Program Files\\Orbit\\bin\\osqueryd\\windows\\stable\\osqueryd.exe --pidfile=C:\\Program Files\\Orbit\\osquery.pid --database_path=C:\\Program Files\\Orbit\\osquery.db --extensions_socket=\\\\.\\pipe\\orbit-osquery-extension --enroll_secret_env ENROLL_SECRET --host_identifier=uuid --tls_hostname=198.18.6.2:8412 --enroll_tls_endpoint=/api/v1/osquery/enroll --config_plugin=tls --config_tls_endpoint=/api/v1/osquery/config --config_refresh=60 --disable_distributed=false --distributed_plugin=tls --distributed_tls_max_attempts=10 --distributed_tls_read_endpoint=/api/v1/osquery/distributed/read --distributed_tls_write_endpoint=/api/v1/osquery/distributed/write --logger_plugin=tls --logger_tls_endpoint=/api/v1/osquery/log --disable_carver=false --carver_disable_function=false --carver_start_endpoint=/api/v1/osquery/carve/begin --carver_continue_endpoint=/api/v1/osquery/carve/block --carver_block_size=2000000 --tls_server_certs C:\\Program Files\\Orbit\\fleet.pem --force --flagfile C:\\Program Files\\Orbit\\osquery.flags"
I0223 18:36:47.816681  2580 init.cpp:357] osquery initialized [version=5.0.1]
I0223 18:36:47.847030  2580 system.cpp:348] Found stale process for osqueryd (11144)
I0223 18:36:47.858825  2580 system.cpp:380] Writing osqueryd pid (2412) to C:\Program Files\Orbit\osquery.pid
I0223 18:36:47.860999  2580 extensions.cpp:438] Found autoloadable extension: C:\Program Files\Orbit\extensions\test.ext.exe
I0223 18:36:47.861635  2580 dispatcher.cpp:78] Adding new service: WatcherRunner (0000028B43B88960) to thread: 9484 (0000028B43B57E70) in process 2412
I0223 18:36:48.115842  9484 watcher.cpp:646] osqueryd watcher (2412) executing worker (8796)
I0223 18:36:48.137840 10172 init.cpp:354] osquery worker initialized [watcher=2412]
I0223 18:36:48.139837 10172 dispatcher.cpp:78] Adding new service: WatcherWatcherRunner (000001C11DC56830) to thread: 1448 (000001C11DC3BFB0) in process 8796
I0223 18:36:48.140833 10172 rocksdb.cpp:132] Opening RocksDB handle: C:\Program Files\Orbit\osquery.db
I0223 18:36:48.318594 10172 dispatcher.cpp:78] Adding new service: ExtensionWatcher (000001C11DB84370) to thread: 10472 (000001C11F87A920) in process 8796
I0223 18:36:48.318594 10172 dispatcher.cpp:78] Adding new service: ExtensionRunnerCore (000001C11F9228C0) to thread: 8248 (000001C11F87A9E0) in process 8796
I0223 18:36:48.318594 10172 auto_constructed_tables.cpp:97] Removing stale ATC entries
I0223 18:36:48.318594  8248 interface.cpp:299] Extension manager service starting: \\.\pipe\orbit-osquery-extension
I0223 18:36:48.318594 10172 dispatcher.cpp:78] Adding new service: ConfigRefreshRunner (000001C11DBEBB50) to thread: 9432 (000001C11F87A980) in process 8796
I0223 18:36:48.318594 10172 tls.cpp:255] TLS/HTTPS POST request to URI: <https://198.18.6.2:8412/api/v1/osquery/config>
I0223 18:36:50.813586 10172 dispatcher.cpp:78] Adding new service: TLSLogForwarder (000001C11FAB4DD0) to thread: 10356 (000001C11F8E7C80) in process 8796
I0223 18:36:50.813881 10172 system.cpp:302] Using host identifier: 9EBCC7D6-E551-4ECE-A1D6-5D771EB89067
I0223 18:36:50.819422 10172 eventfactory.cpp:156] Event publisher not enabled: ntfs_event_publisher: NTFS event publisher disabled via configuration
I0223 18:36:50.820068 10172 events.cpp:70] Skipping subscriber: powershell_events: Required publisher is disabled by configuration
I0223 18:36:50.820068 10172 events.cpp:70] Skipping subscriber: windows_events: Required publisher is disabled by configuration
I0223 18:36:50.820068 10172 dispatcher.cpp:78] Adding new service: DistributedRunner (000001C11FAA0910) to thread: 9976 (000001C11FA76450) in process 8796
I0223 18:36:50.820068 10172 dispatcher.cpp:78] Adding new service: SchedulerRunner (000001C11FAD5210) to thread: 4320 (000001C11FA762B0) in process 8796
I0223 18:36:50.820581 10508 eventfactory.cpp:390] Starting event publisher run loop: WindowsEventLogPublisher
I0223 18:36:50.820581 10508 eventfactory.cpp:410] Event publisher WindowsEventLogPublisher run loop terminated for reason: Publisher disabled by configuration
I0223 18:36:50.820581  9976 tls.cpp:255] TLS/HTTPS POST request to URI: <https://198.18.6.2:8412/api/v1/osquery/distributed/read>
I0223 18:36:50.831984  9976 distributed.cpp:121] Executing distributed query: fleet_label_query_10: select 1 from os_version where platform = 'windows';
...

And this is

.\osqueryi.exe --flagfile="C:\Program Files\Orbit\osquery.flags"

I0223 18:44:07.672705  9776 init.cpp:357] osquery initialized [version=5.1.0]
I0223 18:44:07.672705  9776 extensions.cpp:438] Found autoloadable extension: C:\Program Files\Orbit\extensions\test.ext.exe
I0223 18:44:07.672705  9776 dispatcher.cpp:78] Adding new service: WatcherRunner (0000021882C74950) to thread: 7532 (0000021882CA2C90) in process 6492
I0223 18:44:07.672705  9776 dispatcher.cpp:78] Adding new service: ExtensionWatcher (0000021882BE7720) to thread: 1044 (0000021882CA2C30) in process 6492
I0223 18:44:07.672705  9776 dispatcher.cpp:78] Adding new service: ExtensionRunnerCore (0000021882BFA6D0) to thread: 6040 (0000021882CA2F90) in process 6492
I0223 18:44:07.672705  9776 auto_constructed_tables.cpp:97] Removing stale ATC entries
I0223 18:44:07.672705  6040 interface.cpp:299] Extension manager service starting: \\.\pipe\shell.em
I0223 18:44:08.063410  7532 watcher.cpp:708] Created and monitoring extension child (6060): C:\Program Files\Orbit\extensions\test.ext.exe
I0223 18:44:13.136934 11164 interface.cpp:137] Registering extension (test, 29974, version=, sdk=)
I0223 18:44:13.138113 11164 registry_factory.cpp:107] Extension 29974 registered table plugin test1
I0223 18:44:13.138113 11164 registry_factory.cpp:107] Extension 29974 registered table plugin test2
...

Is your extension hardcoded to connect to the named pipe at

\\.\pipe\shell.em

? Because Orbit opens the pipe at

\\.\pipe\orbit-osquery-extension

.

It reads from the

--socket

flag, I can try hard coding the orbit pipe though

Hmm, that shouldn't be the problem assuming it reads from the flag.

I have some

OutputDebugStringA

calls at the top of the main function and those are never printed to DbgView indicating the process is never even started by Orbit's osqueryd.

Ah very glad to hear that!