I don’t think I’ve seen anything yet (not to say there isn’t). But I’d probably go the route of whomping the registry.

Not a bad idea

I’ve been playing with trying to suppress table registration. But having some unclear issue. I should push that code and get help

Definitely. Send me a link and I’ll take a look tonight

I’m playing with https://github.com/osquery/osquery/compare/master...directionless:seph/table-suppression-for-testing (It’s got a lot of random notes for my tracing)

those functions are running during global initialization afaik

Is this https://github.com/osquery/osquery/blob/master/osquery/core/init.cpp#L360-L367

Sorry, what is the question?

Right — I found that via the REGISTER macro.

global init is causing it to run, and the first lines of code I copied are declaring a constructor that gets called by the REGISTER macro, which is constructing an object in global scope in a variable named kclassname

I did not think that code ran in the proprocess stage? It creates those

kAuditEventPublisher

blobs, right?

global initialization or static initialization is a phase of variable initialization that "runs as soon as the program starts"

Ah. this is maybe a c++ thing I haven’t seen before?

well, it's not only in C++

Sure.

well yeah, to be fair it would've been nicer if the only thing that happens in global init is collecting functions that can initialize something, more than actually initializing anything. That been said yes, they get initialized anyway but in theory you could make them unreachable by removing them later from the registry

Moving it out of global init seems nice, but also a deeper change than I think I can do quickly.

ah sure; just saying that global init is a bit finicky, especially in the init and deinit order (which is "unknown")

Yeah.

Yeah, it's a "trick" that uses class constructors as functions to do things.. since initializing a variable, if that variable is a C++ class, means constructing it.