# general
d
Is there anyone that can shed some light on why, when I execute SELECT * FROM processes WHERE LOWER(name)='conhost.exe' AND LOWER(path)!='c:\\windows\\system32\\conhost.exe' AND path!=''; on a host using osqueryi or through Kolide, I only get results for processes named conhost.exe that are located in C:\Windows\System32\conhost.exe, even though I would be expecting it to do the opposite? This query came right from the osquery packs directory on a Windows install of 3.3.2. It seems to be doing the exact opposite of what I want it to do, but I can't seem to figure out why.
z
LOWER(name)='conhost.exe' ensures you will only get processes named conhost.exe
But it does seem like the second clause should filter out the ones you don't want
d
That was what I was thinking. This came from the osquery packs that are installed via the msi and are supposed to be for finding incorrect paths of conhost.exe processes
z
I suspect your double backslashes are causing problems
d
isn't that how you need to escape Windows paths?
z
double
try single backslashes
unless it's in JSON when (iirc) you need a \\ to get a \ after escaping
d
it looks like that was the issue. I'm a little confused as to why though. Were you saying you only need the \\ in JSON and not when executing directly in osquery?
interesting
i guess that would be the difference from where I was pulling from in the packs.
Thanks for the work through!
z
Yes, exactly. The packs are parsed from JSON.
It's an unfortunate side effect of the packs being in JSON that the queries don't directly translate.
d
I'm seeing that now. Makes a lot more sense.
BTW. Kolide is awesome. Nice work with it!
z
Glad you are enjoying. Thanks 🙂