I have some endpoints (they all appear to be Windo...
# fleetp
Paul_B
05/19/2025, 4:30 AMI have some endpoints (they all appear to be Windows 11) where I'm only getting ProcessStop events and not ProcessStart events from the process_etw_events table. Does anyone have any suggestions for troubleshooting?
k
Kathy Satterlee
05/19/2025, 3:10 PMHi @Paul_B! What version of osquery/fleetd are you running? Are you seeing any errors in the osquery status logs?
p
Paul_B
05/19/2025, 9:31 PMHi @Kathy Satterlee thanks:
fleet 4.64.1
osquery 5.17.0
orbit: 1.41.0
The only osqueryd.warnings that I'm seeing are like this:
services.cpp:124] <redacted HEX>: failed to query service description
Paul_B
05/21/2025, 5:40 PM@Kathy Satterlee, after enabling verbose logging for orbit on a test machine we are now seeing these errors:
W0521 183532.505264 8628 etw_user_session.cpp:201] ControlTrace() failed with error code 234
W0521 183532.524417 8628 etw_kernel_session.cpp:223] ControlTrace() failed with error code 234
W0521 183538.141846 8628
Paul_B
05/23/2025, 4:55 AMI've done some more testing and with the exact same orbit binary, we get process start and stop on Win 11 23H2. But on Win 11 24H2 we only get Process Stops.
Paul_B
05/23/2025, 4:55 AMI should have said they are fresh vanilla installs of each OS.
Paul_B
05/24/2025, 4:02 PMHave heard etw in 24H2 has caused some problems with other EDRs too.. is this a known issue?
Paul_B
06/04/2025, 11:48 AMAnyone else seeing this?
d
Duongtt
08/12/2025, 9:52 AMHi im seeing this too, and dont know how to troubleshoot
u
Unthread
08/25/2025, 12:57 PMhey @Duongtt - Looks like we fell off this thread a few months ago! Apologies for that. Can you let us know what Fleet server version you're running? And what version of fleetd/osquery you're running? Do you have fleetd or orbit/osquery logs that you can share (via email or DM) from a host where you're seeing this behavior?
p
Paul B
09/02/2025, 7:04 AMHi @Zay Hanlon, sure.
Server:
ā¢ Fleet 4.64.1 ā¢ Go go1.23.4
Agent:
ā¢ Osquery: 5.18.1
ā¢ Agent: 1.46.0
And yes I could get some logs off a test host - just let me know what you'd like me to collect. And thank you for this š
m
Mason Buettner
09/02/2025, 11:54 PMHi @Paul B! First off, if you could please update to the latest version of Fleet that would help us eliminate any possible edge cases. After that, if you could share the fleetd logs for a couple of the hosts that would be great.
š 1
u
Unthread
09/11/2025, 4:09 PMHI @Paul B! I wanted to follow up on this. Were you able to grab any logs for us?
p
Paul B
09/15/2025, 5:16 AMHi @Kathy Satterlee, I'm just working on getting a change window approved for updating fleet. Once I've updated to the latest version I'll get some logs to you :)
š 1
18 Views