https://github.com/osquery/osquery logo
Powered by
Title
e

Eva

10/29/2019, 8:19 AM
Hello, I have an issue with Windows permission. I followed the documentation instruction but it hasn't worked. I obtain the following error when executing `osquery_utils.ps1`: 
Exception when calling "RemoveAccessRule" with arguments "1": "Some or all identity references could not be converted."
The code which fails is (lines 73-79): 
$acl = Get-Acl $target

    # First, to ensure success, we remove the entirety of the ACL
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($access in $acl.Access) {
      $acl.RemoveAccessRule($access)
    }
I think it's due to osquery_utils try to remove permission to ALL APPLICATION PACKAGES and it fails. Also, I think the permissions are correct. I have disabled the inheritance and the only ones have permissions are SYSTEM, Administrators and ALL APPLICATION PACKAGES.
I have Windows Server 2019 and Osquery 4.0.2. The fact to change permissions is due I have obtained the error 
osqueryd has unsafe permissions: C:\Program Files\osquery\osqueryd\osqueryd.exe
I already wrote about it: https://osquery.slack.com/archives/C08V7KTJB/p1571911570146100 Could you help me?
b

blaedj

10/29/2019, 1:07 PM
perhaps try asking in #windows , might be some more windows-savvy folks there
e

Eva

10/29/2019, 1:10 PM
okay, thanks!
22 Views
#generalJoin Slack
Powered by