https://github.com/osquery/osquery logo
Powered by
#kolide
Title
# kolide
s

seph

05/12/2019, 11:16 AM
how did you install launcher? how did you build it? (i can dig more monday, but the "cant open" looks suspicious
s

Stephen

05/14/2019, 9:37 AM
@seph I tried to uninstall launcher today and reinstall it (from the same package as before - made by @defensivedepth’s tool. It now gives a different result in debugging
C:\Program Files\Kolide\Launcher-launcher\bin>"C:\Program Files\Kolide\Launcher-launcher\bin\launcher.exe" svc-fg -config "C:\Program Files\Kolide\Launcher-launcher\conf\launcher.flags" ts=2019-05-14T093641.6522044Z caller=svc_windows.go:58 severity=debug msg="foreground service start requested (debug mode)" ts=2019-05-14T093641.6522044Z caller=svc_windows.go:79 severity=debug msg="windows service starting" ts=2019-05-14T093641.655197Z caller=svc_windows.go:88 severity=info msg="runLauncher exited" err="open launcher db: open C:\\Program Files\\Kolide\\Launcher-launcher\\data\\launcher.db: Access is denied." stack="open C:\\Program Files\\Kolide\\Launcher-launcher\\data\\launcher.db: Access is denied.\nopen launcher db\nmain.runLauncher\n\t/Users/seph/go/src/github.com/kolide/launcher/cmd/launcher/launcher.go:227\nmain.(*winSvc).Execute.func1\n\t/Users/seph/go/src/github.com/kolide/launcher/cmd/launcher/svc_windows.go86\nruntime.goexit\n\t/usr/local/Cellar/go/1.12.2/libexec/src/runtime/asm amd64.s1337"
the service isn't running while I'm trying the debug so i don't understand why it can't access its' own files
then as I was testing it I started getting told that "this app can't run on your PC" very weird.
d

defensivedepth

05/14/2019, 10:27 AM
@Stephen Have you tried uninstalling and also blowing away the osquery folder that is left behind? And then reinstalling?
s

Stephen

05/14/2019, 10:28 AM
Actually doing that right now. Will report back when done. Had a lot of trouble deleting the folder. Had to do a reboot to even try as it was locked by system even though launcher was not running
the database folder was locked by system. I took ownership and still couldn't get into it. Only after I removed a bunch of deny permissions on the folder could I delete it and delete the folders back to the level of kolide. Then I'm reinstalling to see if it works now
tried to reinstall. It did not successfully reinstall sliently eg. msiexex /quiet launcher.msi I've seen this on at least one other computer (though others have no problem with the same package). not yet sure why.
Having completely removed it, by uninstalling it, taking ownership of the folder and removing the "deny" privileges on the folder, and then deleting the folder, I then was able to reinstall and it fixed the problem. I don't know why it broke in the first place, but it appears that something somehow became corrupt in the database folders that are in subdirectories of the kolide\launcher folder in program files.
I hope this information is useful to you Seph
s

seph

05/14/2019, 4:01 PM
I don’t know much about how the @defensivedepth tool works. I’ve been finding windows services a bit weird in general, there are lots of points of fragility.
With your comments in https://osquery.slack.com/archives/C1XCLA5DZ/p1557826662395500?thread_ts=1557659809.363300&cid=C1XCLA5DZ this sounds like something changed the user launcher is running at, or the permissions on the folders. And then it all went south
d

defensivedepth

05/14/2019, 4:03 PM
Correct me if I am wrong @Stephen, but it sounds like the osquery install was borked before you used the launcher docker and that you were hoping that the upgrade would fix it? (which it didnt, until you blew away the db folder, etc and reinstalled)
s

Stephen

05/15/2019, 3:30 AM
You are correct @defensivedepth.i needed to use your tool because osquery/launcher had stopped working (immediate fail on starting) and I needed an easy way to get the latest launcher to see if it would fix it. There is nothing wrong with your tool. It is working well.
s

seph

05/15/2019, 3:33 AM
Do you still have the original logs? The permissions stuff seems like a function of the re-install
s

Stephen

05/16/2019, 8:33 AM
Sorry seph. I deleted everything in trying to solve it
2 Views
Powered by