#general

namali

10/27/2022, 6:39 PM
Hello! While running osquery on windows (osquery ATC) has anyone come across this: "Will not autoload extension with unsafe directory permissions: C:\Program Files\osquery\extensions/macadmins.exe"?
6:46 PM
I ran it with a --allow_unsafe flag and it initialized osquery, but then I got a popup "the image file macadmins.exe is valid, but is for machine type other than the current machine". Not sure I understand what is going on here. Can someone help on this please? I am trying to retrieve browser files using osquery_atc on Windows

sharvil

10/27/2022, 6:50 PM
macadmins.exe on Windows sounds weird... are you trying to load a Mac extension on Windows?

namali

10/27/2022, 6:54 PM
I am trying to use this ATC conf here:
{
    "auto_table_construction": {
        "chrome_history": {
            "query": "SELECT datetime(last_visit_time/1000000-11644473600, \"unixepoch\") as last_visited, url, title, visit_count FROM urls",
            "path": "C:\\Users\\%\\AppData\\Local\\Google\\Chrome\\User Data\\%\\History",
            "columns": ["last_visited", "url", "title", "visit_count"]
        }
    }
}

sharvil

10/27/2022, 7:00 PM
It would seem that something in your config is loading that extension, which is why you are seeing
"Will not autoload extension with unsafe directory permissions: C:\Program Files\osquery\extensions/macadmins.exe"?
I don't think it would impact ATC though

namali

10/27/2022, 7:08 PM
That makes sense! I need to check if there is an extension or ATC that exists for windows browser history. By any chance have you come across one? @sharvil?

sharvil

10/27/2022, 7:12 PM
ATC is not dependent on any extension and should work on windows too

namali

10/27/2022, 7:17 PM
Okay. Nothing in my .conf points to the macadmins extensions. Also I checked the extensions folder in osquery - the only file within that is 'macadmins.exe'

sharvil

10/27/2022, 7:17 PM
anything in the flagfile?

namali

10/27/2022, 7:21 PM
Where can I find the flagfile? I mean the way I am running this is osqueryi --config_path path\name_atc_history.conf --allow_unsafe

sharvil

10/27/2022, 7:26 PM
can you add
--verbose
to osqueryi and paste the whole output, and also paste the conf file?

namali

10/27/2022, 7:30 PM
This is my conf file:
{
    "auto_table_construction": {
        "chrome_history": {
            "query": "SELECT datetime(last_visit_time/1000000-11644473600, \"unixepoch\") as last_visited, url, title, visit_count FROM urls",
            "path": "C:\\Users\\%\\AppData\\Local\\Google\\Chrome\\User Data\\%\\History",
            "columns": ["last_visited", "url", "title", "visit_count"]
        }
    }
}
7:41 PM
verbose output:
I1027 12:29:44.617239  3388 init.cpp:357] osquery initialized [version=5.2.2]
I1027 12:29:44.620157  3388 extensions.cpp:438] Found autoloadable extension: C:\Program Files\osquery\extensions/macadmins.exe
I1027 12:29:44.621152  3388 dispatcher.cpp:78] Adding new service: WatcherRunner (000001FEC25738A0) to thread: 3560 (000001FEC25999A0) in process 12556
I1027 12:29:44.625387  3388 dispatcher.cpp:78] Adding new service: ExtensionWatcher (000001FEC250E670) to thread: 11268 (000001FEC2599A80) in process 12556
I1027 12:29:44.625387  3388 dispatcher.cpp:78] Adding new service: ExtensionRunnerCore (000001FEC4419200) to thread: 6224 (000001FEC2599B80) in process 12556
I1027 12:29:44.626385  3388 auto_constructed_tables.cpp:99] Removing stale ATC entries
I1027 12:29:44.626385  6224 interface.cpp:299] Extension manager service starting: \\.\pipe\shell.em
Using a virtual database. Need help, type '.help'
osquery> E1027 12:29:49.703593  3560 watcher.cpp:702] Cannot create extension process: C:\Program Files\osquery\extensions/macadmins.exe