# sql

alessandrogario

07/30/2018, 4:21 PM
SELECT *
FROM authenticode
WHERE path = (
  SELECT substr(path, 0, 21)
  FROM processes
  WHERE path LIKE '%winlogon%'
) || 'procexp.exe';

Mustafa

07/31/2018, 1:10 PM
Thanks for your support @terracatta @alessandrogario, this gives ..Windows\System32 instead of ..Windows

alessandrogario

07/31/2018, 1:16 PM
You can adjust the substr parameters (21) to cut away the System32 portion

Mustafa

07/31/2018, 1:29 PM
It works, thank you very much.