I have some endpoints (they all appear to be Windo...
# fleetp
Paul_B
05/19/2025, 4:30 AMI have some endpoints (they all appear to be Windows 11) where I'm only getting ProcessStop events and not ProcessStart events from the process_etw_events table. Does anyone have any suggestions for troubleshooting?
k
Kathy Satterlee
05/19/2025, 3:10 PMHi @Paul_B! What version of osquery/fleetd are you running? Are you seeing any errors in the osquery status logs?
p
Paul_B
05/19/2025, 9:31 PMHi @Kathy Satterlee thanks:
fleet 4.64.1
osquery 5.17.0
orbit: 1.41.0
The only osqueryd.warnings that I'm seeing are like this:
services.cpp:124] <redacted HEX>: failed to query service description
Paul_B
05/21/2025, 5:40 PM@Kathy Satterlee, after enabling verbose logging for orbit on a test machine we are now seeing these errors:
W0521 183532.505264 8628 etw_user_session.cpp:201] ControlTrace() failed with error code 234
W0521 183532.524417 8628 etw_kernel_session.cpp:223] ControlTrace() failed with error code 234
W0521 183538.141846 8628
Paul_B
05/23/2025, 4:55 AMI've done some more testing and with the exact same orbit binary, we get process start and stop on Win 11 23H2. But on Win 11 24H2 we only get Process Stops.
Paul_B
05/23/2025, 4:55 AMI should have said they are fresh vanilla installs of each OS.