Do I have to do anything in particular to get the program li

Question

Do I have to do anything in particular to get the program list updated SELECT FROM programs It seems like it s not updating very often

blaedj · Answer

You shouldn t need to do anything special but seeing updates that match changes on the device really depends on how you re running the query Is it from the interactive osqueryi is it running on a schedule If so where are the results being sent recorded and how often is the query scheduled to run If you re running the query interactively via `osqueryi` the query results should represent a real time view into the programs installed on the device

Mike Myers · Answer

If you meant to get the running process list the table you want is `select from processes ` because `programs` gets the installed applications

seph · Answer

When ever the query runs osquery will fetch the data Osquery should be thought of as a api translation layer not a storage system

Adam S · Answer

< blaedj> The query is ran about every 15 minutes or so in conjunction with other queires it s being run as osqueryi json SELECT FROM programs

Adam S · Answer

< Mike Myers> I did mean programs not processes Thanks though

Adam S · Answer

< seph> Then I must be running into a bug or something because I updated the chocolatey package on several machines and to confirm I m trying to verify it through this query but it s still reporting the old version

seph · Answer

osquery has no caching and is not really a database This is extra true for osqueryi Programs is implemented in <https github com osquery osquery blob master osquery tables system windows programs cpp> which looks like it s probably calling the registry

seph · Answer

Aside from that there s a whole conversation about repeatedly invoking `osqueryi` vs using osqueryd But that seems like a distraction just now