im trying to build a new table to osquery, when i try to build my osquery table i get that error msg: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Microsoft\VC\v160\Microsoft.CppCommon.targets(241 ,5): warning MSB8064: Custom build for item "C:\osquery\build\CMakeFiles\9a254ea57f62bdae9b095277680f26d7\yara_process. cpp.rule" succeeded, but specified dependency "c:\osquery\specs\yara\yara_process" does not exist. This may cause incre mental build to work incorrectly. [C:\osquery\build\specs\codegen_native_tables.vcxproj] C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Microsoft\VC\v160\Microsoft.CppCommon.targets(241 ,5): warning MSB8065: Custom build for item "C:\osquery\build\CMakeFiles\9a254ea57f62bdae9b095277680f26d7\yara_process. cpp.rule" succeeded, but specified output "c:\osquery\build\specs\native\yara_process.cpp" has not been created. This m ay cause incremental build to work incorrectly. [C:\osquery\build\specs\codegen_native_tables.vcxproj] C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Microsoft\VC\v160\Microsoft.CppCommon.targets(241 ,5): warning MSB8064: Custom build for item "C:\osquery\build\CMakeFiles\b7853e62b244e8f5e1536b003bd6bfa3\amalgamated_n ative_tables.cpp.rule" succeeded, but specified dependency "c:\osquery\build\specs\native\yara_process.cpp" does not ex ist. This may cause incremental build to work incorrectly. [C:\osquery\build\specs\codegen_native_tables.vcxproj]

Well, it depends on how the CMake looks like but it’s likely that you haven’t added all the necessary information to let the build system know about your new table. You need to have a spec file with the .table extension be located under the specs folder and you need to inform CMake of where it is and on which platforms it has to be generated on https://github.com/osquery/osquery/blob/fa48b83b312ceec9a5d3a9e24de1519301acf888/specs/CMakeLists.txt#L32 Then you need to provide the actual implementation that the wrapper automatically created by the .table processing will call. You would’ve specified the function name in the

implementation()

function in the .table. Then you would add your .cpp that contains the logic under a subdirectory in

osquery/tables

and choose the most appropriate one depending on what you’re doing and the platform. Finally you would have to add that .cpp file to build to one of the existing targets in the CMakeLists.txt present either in the folder you’ve chosen or one of the most immediate parent which contains the other .cpp files which were next to yours.

i mean i did 1. first put my table at C:\osquery\specs\yara and named it yara_process.table that have the implapation: implementation("yara@genYaraProcess") 2. than i edit the file C:\osquery\specs\CMakeLists.txt and added to it "yara/yara_process:windows" 3. then i added to cpp file C:\osquery\osquery\tables\yara file the function: QueryData genYaraProcess(QueryContext& context)

In step 2 you're missing the extension .table

thanks

Windows implements locks on files, if you are using in some way that file (you have that executable being executed in some other terminal) it cannot write it. You need to close the process first.

thanks alot! it worked!