@Mystery Incorporated Beware that osquery on macOS does not uninstall 4.9.0 when installing version 5.x. SO you have version 5.x in a new place and the 4.9.0 binary stays in /usr/local/bin next to the linked osqueryi and osqueryctl which map back to 5.X in /opt/.

Thanks yea I think I saw you mention this before so i did my macos ones ok based on your lesson. This was a windows host. It's possible because they change what msi various endpoints give my script pulled the wrong one, I dunno.

Interesting, I hadn’t thought about windows hosts. I’ll make sure to pass that on to my windows admin team to make sure they check.

Actually it's still happening i found another windows host that doesn't have a pack and it only sees osquery 5.0.1 hmmm

Awesome, hopefully it won’t crop up again.