Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
s
seph
05/12/2019, 11:16 AMhow did you install launcher? how did you build it? (i can dig more monday, but the "cant open" looks suspicious
s
Stephen
05/14/2019, 9:37 AM@seph I tried to uninstall launcher today and reinstall it (from the same package as before - made by @defensivedepth’s tool. It now gives a different result in debugging
C:\Program Files\Kolide\Launcher-launcher\bin>"C:\Program Files\Kolide\Launcher-launcher\bin\launcher.exe" svc-fg -config "C:\Program Files\Kolide\Launcher-launcher\conf\launcher.flags"
ts=2019-05-14T09:36:41.6522044Z caller=svc_windows.go:58 severity=debug msg="foreground service start requested (debug mode)"
ts=2019-05-14T09:36:41.6522044Z caller=svc_windows.go:79 severity=debug msg="windows service starting"
ts=2019-05-14T09:36:41.655197Z caller=svc_windows.go:88 severity=info msg="runLauncher exited" err="open launcher db: open C:\\Program Files\\Kolide\\Launcher-launcher\\data\\launcher.db: Access is denied." stack="open C:\\Program Files\\Kolide\\Launcher-launcher\\data\\launcher.db: Access is denied.\nopen launcher db\nmain.runLauncher\n\t/Users/seph/go/src/github.com/kolide/launcher/cmd/launcher/launcher.go:227\nmain.(*winSvc).Execute.func1\n\t/Users/seph/go/src/github.com/kolide/launcher/cmd/launcher/svc_windows.go:86\nruntime.goexit\n\t/usr/local/Cellar/go/1.12.2/libexec/src/runtime/asm_amd64.s:1337"
the service isn't running while I'm trying the debug so i don't understand why it can't access its' own files
then as I was testing it I started getting told that "this app can't run on your PC" very weird.
d
defensivedepth
05/14/2019, 10:27 AM@Stephen Have you tried uninstalling and also blowing away the osquery folder that is left behind? And then reinstalling?
s
Stephen
05/14/2019, 10:28 AMActually doing that right now. Will report back when done. Had a lot of trouble deleting the folder. Had to do a reboot to even try as it was locked by system even though launcher was not running
the database folder was locked by system. I took ownership and still couldn't get into it. Only after I removed a bunch of deny permissions on the folder could I delete it and delete the folders back to the level of kolide. Then I'm reinstalling to see if it works now
tried to reinstall. It did not successfully reinstall sliently eg. msiexex /quiet launcher.msi
I've seen this on at least one other computer (though others have no problem with the same package). not yet sure why.
Having completely removed it, by uninstalling it, taking ownership of the folder and removing the "deny" privileges on the folder, and then deleting the folder, I then was able to reinstall and it fixed the problem. I don't know why it broke in the first place, but it appears that something somehow became corrupt in the database folders that are in subdirectories of the kolide\launcher folder in program files.
I hope this information is useful to you Seph
s
seph
05/14/2019, 4:01 PMI don’t know much about how the @defensivedepth tool works. I’ve been finding windows services a bit weird in general, there are lots of points of fragility.
With your comments in https://osquery.slack.com/archives/C1XCLA5DZ/p1557826662395500?thread_ts=1557659809.363300&cid=C1XCLA5DZ this sounds like something changed the user launcher is running at, or the permissions on the folders. And then it all went south
d
defensivedepth
05/14/2019, 4:03 PMCorrect me if I am wrong @Stephen, but it sounds like the osquery install was borked before you used the launcher docker and that you were hoping that the upgrade would fix it? (which it didnt, until you blew away the db folder, etc and reinstalled)
s
Stephen
05/15/2019, 3:30 AMYou are correct @defensivedepth.i needed to use your tool because osquery/launcher had stopped working (immediate fail on starting) and I needed an easy way to get the latest launcher to see if it would fix it. There is nothing wrong with your tool. It is working well.
s
seph
05/15/2019, 3:33 AMDo you still have the original logs? The permissions stuff seems like a function of the re-install
s
Stephen
05/16/2019, 8:33 AMSorry seph. I deleted everything in trying to solve it