#general
Dschm2055

03/01/2019, 9:18 PM
Is there anyone that can shed some light on why when I execute SELECT * FROM processes WHERE LOWER(name)='conhost.exe' AND LOWER(path)!='c:\windows\system32\conhost.exe' AND path!=''; on a host using osqueryi or through Kolide, I only get results for processes named conhost.exe and are located in C:\Windows\System32\conhost.exe even though I would be expecting it to be doing the opposite? This query came right from the osquery packs directory on a Windows install of 3.3.2. It seems to be doing the exact opposite of what I want it to do, but I can't seem to figure out why.
zwass

03/01/2019, 9:19 PM
LOWER(name)='conhost.exe' ensures you will only get processes named conhost.exe
9:20 PM
But it does seem like the second clause should filter out the ones you don't want
Dschm2055

03/01/2019, 9:21 PM
That was what I was thinking... this came from the osquery packs that are installed via the MSI and are supposed to be for finding incorrect paths of conhost.exe processes
zwass

03/01/2019, 9:22 PM
I suspect your double backslashes are causing problems
Dschm2055

03/01/2019, 9:22 PM
Isn't that how you need to escape Windows paths?
zwass

03/01/2019, 9:22 PM
double
9:22 PM
try single backslashes
9:22 PM
unless it's in JSON when (iirc) you need a \\ to get a \ after escaping
Dschm2055

03/01/2019, 9:25 PM
It looks like that was the issue. I'm a little confused as to why though. Were you saying you only need the \\ in JSON and not when executing directly in osquery?
9:25 PM
interesting
9:25 PM
I guess that would be the difference from where I was pulling from in the packs.
9:25 PM
Thanks for the work through!
zwass

03/01/2019, 9:27 PM
Yes, exactly. The packs are parsed from JSON.
9:28 PM
It's an unfortunate side effect of the packs being in JSON that the queries don't directly translate.
Dschm2055

03/01/2019, 9:28 PM
I'm seeing that now. Makes a lot more sense.
9:31 PM
BTW. Kolide is awesome. Nice work with it!
zwass

03/01/2019, 9:31 PM
Glad you are enjoying. Thanks 🙂