Is there anyone that can shed some light on why when I execute SELECT * FROM processes WHERE LOWER(name)='conhost.exe' AND LOWER(path)!='c:\\windows\\system32\\conhost.exe' AND path!=''; on a host using osqueryi or through Kolide, I only get results for processes named conhost.exe and are located in C:\Windows\System32\conhost.exe even though I would be expecting it to be doing the opposite? This query came right from the osquery packs directory on a Windows install of 3.3.2. It seems to be doing the exact opposite of what I want it to do, but I can't seem to figure out why.

LOWER(name)='conhost.exe'

ensures you will only get processes named

conhost.exe

That was what I was thinking.. this came from the osquery packs that are installed via the msi and are supposed to be for finding incorrect paths of conhost.exe processes

I suspect your double backslashes are causing problems

isnt that how you need to escape windows paths?

it looks like that was the issue. im a little confused as to why though. were you saying you only need the \\ in JSON and not when executing directly in osquery?

Yes, exactly. The packs are parsed from JSON.

im seeing that now. makes a lot more sense.

Glad you are enjoying. Thanks 🙂