This looks similar to file_events though, which does not include the context of the process
alessandrogario
03/16/2020, 9:51 PM
That is true, it is not possible to retrieve it from the NTFS journal
The only ways (that I know of) to get it is to either use a kernel driver (which is a little frowned upon in osquery) or attempt to use the Audit ACL (but that would mean changing system state)
sundsta
03/16/2020, 9:54 PM
I’m not super familiar with Windows internals. Is the Audit ACL similar to the audit system on Linux?