Seeing some weird behavior from the `scheduled tasks` table

Question

Seeing some weird behavior from the `scheduled tasks` table when doing JOIN s against other tables such as `file` and `hash` ```osquery gt SELECT count FROM scheduled tasks | 162 |``` When joining we get an empty set response ```osquery gt SELECT count FROM scheduled tasks JOIN file USING path | 0 | osquery gt SELECT count FROM scheduled tasks JOIN hash USING path | 0 |``` I ll capture it in a GitHub issue just wondering if this is know or others have encountered similiar

zwass · Answer

The problem is `scheduled tasks` path does not seem to be a filesystem path

zwass · Answer

When you do a JOIN any rows that have a null value in the joined table get dropped So you could still get 162 results if you did a LEFT JOIN but you wouldn t get the file table info

zwass · Answer

I m trying to understand what the path actually represents The docs sure make it look like it would be a filesystem path

zwass · Answer

Okay so I m not sure exactly why this is but the path actually seems to be relative

Eoin Miller · Answer

Hrmmm yea it doesn t look like path means a filesystem path like it means with other tables This looks like something relative to the scheduled task ```osquery> SELECT path FROM scheduled tasks WHERE path LIKE testing + + | path | + + | testing | + +``` A bit confusing but also maybe more importantly if it can t hash file with a JOIN should that create an empty set

zwass · Answer

Yes that should create an empty set

zwass · Answer

Okay I found it s relative to DRIVE NAME Windows Tasks

Eoin Miller · Answer

It would seem that doing a join should hopefully never cause you to lose data you would be collecting otherwise and all that

zwass · Answer

This is for MySQL but answer applies <https stackoverflow com a 9770404 491710>

Eoin Miller · Answer

Ah okay So maybe it is just the description or what is being collected for `path` that is misleading or incorrect The location of the task is what is being set to `path` but the docs say > Path to the executable to be run If `path` were the path to the executable for this task then it should be reporting back the value of C Windows System32 cmd exe

zwass · Answer

`path` is the relative path to the task definition A query like `select from scheduled tasks s JOIN file f ON f path = Windows System32 Tasks || s path ` may be what you want

zwass · Answer

Now it sounds like what you want is the path to the `action` column but that is more tricky

zwass · Answer

Because for `action` may not be a simple path Here s a value from running on my VM ` windir system32 ProvTool exe turn 5 source LogonIdleTask`

zwass · Answer

Some actions are blank etc

zwass · Answer

I even see a weird one like this `$ Arg1 windir system32 gatherNetworkInfo vbs`

zwass · Answer

What you could probably do is use a regex to extract the relevant portion and then join the path It would likely be somewhat brittle so you d want to use `LEFT JOIN` to ensure you aren t dropping results

seph · Answer

gt It would seem that doing a join should hopefully never cause you to lose data you would be collecting otherwise and all that That doesn t seem write JOIN is a sql pragma It does what join does You might want a LEFT JOIN or a JOIN but fundamentally permuting data changes it

zwass · Answer

< seph> < Eoin Miller> regarding that comment the linked SO post explains well what the semantics of the JOIN are It s clear to me that a LEFT JOIN is to be used when we want to ensure data from the table on the left of the JOIN is not dropped when there is no corresponding data on the right

Eoin Miller · Answer

This is very true the shame is my own on the JOIN vs LEFT JOIN facepalm

seph · Answer

No shame There s a lot to learn

seph · Answer

TBH I google it anytime I start digging into the weds There are some great illustrations

seph · Answer

I like the venn diagrams in <https www lexo ch blog wp content uploads 2012 06 Visual SQL JOINS orig jpg>