# general
speaking of the watchdog. From https://osquery.readthedocs.io/en/stable/installation/cli-flags/#daemon-control-flags under
----
Performance limit level (0=normal, 1=restrictive, -1=disabled).
The watchdog process uses a "level" to configure performance limits. The level limits are as follows:
Memory: default 200M, restrictive 100M
CPU: default 25% (for 9 seconds), restrictive 18% (for 9 seconds)
The normal level allows for 10 restarts if the limits are violated. The restrictive allows for only 4, then the service will be disabled. For both there is a linear backoff of 5 seconds, doubling each retry.
-----
Is this saying that after 10 / 4 restarts of the worker process, the osqueryd service will be disabled? I have tested this on a Win10 system and am not seeing this behavior, just the query being put on the blocklist and the worker process being restarted - I am not seeing any kind of backoff either.
I’d have to look at the code to be sure, but I think the word “service” is wrong; I’m not sure of code that self-disables at the service level, only the query level.
hmmm, ok. Well, either way, these docs need to be updated. The query is put on the blocklist after just 1 time of violating the perf constraints.