Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
j
Jean M
09/13/2021, 9:11 AMHello, (about the same extension) I’m having problems running the extension in Windows I was wondering if the problem had happened before with someone else… if I load the extension manually (1st the osquery --nodisable_extensions then ./extension --socket …) it works fine. However, if I use osquery --extension or the extensions.load file, an error message shows when trying to create extension process, osqueryd seems to be booting… but then it quits in a strange way. I’m using --allow_nosafe option but I don’t think it is related. Any idea?
PS C:\Program Files\osquery> .\osqueryd\osqueryd.exe --flagfile osquery.flags --verbose
I0913 01:37:43.778841 4896 init.cpp:342] osquery initialized [version=4.7.0]
I0913 01:37:43.825711 4896 system.cpp:342] Found stale process for osqueryd (10920)
I0913 01:37:43.825711 4896 system.cpp:374] Writing osqueryd pid (5116) to \Program Files\osquery\osqueryd.pidfile
I0913 01:37:43.825711 4896 extensions.cpp:438] Found autoloadable extension: C:\Program Files\osquery\extensions\myosquery.ext
I0913 01:37:43.825711 4896 dispatcher.cpp:78] Adding new service: WatcherRunner (000001AB7BFC9F30) to thread: 13760 (000001AB7DB4FCC0) in process 5116
I0913 01:37:43.841331 13760 watcher.cpp:613] osqueryd watcher (5116) executing worker (10352)
E0913 01:37:43.856961 13760 watcher.cpp:653] Cannot create extension process: C:\Program Files\osquery\extensions\myosquery.ext
I0913 01:37:43.856961 4896 dispatcher.cpp:149] Thread: 4896 requesting a stop
...
I0913 01:37:46.891346 13672 watcher.cpp:667] osqueryd worker (10352) detected killed watcher (5116)
I0913 01:37:46.891346 12320 dispatcher.cpp:149] Thread: 12320 requesting a stop
I0913 01:37:46.891346 12320 dispatcher.cpp:156] Service: 0000021774EF2CB0 has been interrupted
...procmonFaulting application name: osqueryd.exe, version: 4.7.0.0, time stamp: 0x6050e93f
Faulting module name: osqueryd.exe, version: 4.7.0.0, time stamp: 0x6050e93f
Exception code: 0xc0000005
Fault offset: 0x00000000009da964
Faulting process id: 0x37c0
Faulting application start time: 0x01d7a87be147ff10
Faulting application path: C:\Program Files\osquery\osqueryd\osqueryd.exe
Faulting module path: C:\Program Files\osquery\osqueryd\osqueryd.exe
Report Id: e7704eb3-e66d-439b-aa1f-331f195cb88c
Faulting package full name:
Faulting package-relative application ID:It seems that it has to do with the file extension used. Using “.exe” in Windows fixes the problem… I thought it was necessary to use .ext (as exemplified in the documentation).
s
seph
09/13/2021, 7:53 PMWindows requires executables to be .exe files. The other platforms have no such requirements and the .ext is customary but not required.
Other platforms require the binary to have the executable but set
m
Mike Myers
09/13/2021, 8:42 PMGood to know that there was a quick workaround, but would you mind filing an issue about this on GitHub? If this crashes
osqueryd