Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
e
ET
12/20/2020, 4:21 PMHi There,
When I execute "windows_security_products" or "windows_security_center" table on windows server I got "error" values or nothing because the WSCAPI.dll is not present on Windows Server.
I got exit code 0 (success) in both cases, Why in such a situation do I not get a exit code 1 or something (failure)?
t
terracatta
12/20/2020, 4:24 PMHi @ET neither of these tables work on Windows Server. We aren't sure why Microsoft does not allow this API on that specific platform. Even copying the DLL from a normal Windows 10 computer does not work.
As for the exit code, I do not believe osquery will return a non-zero exit code for en errored query when the query is specified on the commany line
Although I agree that is a good idea
e
ET
12/20/2020, 4:40 PMThanks @terracatta !
For example - If the table is not exists I got exit code 1
Error: no such table: windows_security_productssssss
EXIT_CODE: 1So I got non-zero exit code when the query is specified on the command line
t
terracatta
12/20/2020, 4:41 PMYeah it is definitely inconsistent. In this case you have a SQLite error, but in the case of the windows table, no error is thrown and instead a warning is logged and the table returns no results.
There are a number of tables in osquery that will return 0 results when something goes wrong under the hood like tha
I agree though that in an ideal world this specific problem would produce a more explicit error
vs a silent warning
e
ET
12/20/2020, 4:43 PMOh okay, now I understand your intent, thanks again