Do I have to do anything in particular to get the ...
# windowsa
Adam S
03/08/2022, 10:21 PMDo I have to do anything in particular to get the program list updated? "SELECT * FROM programs" It seems like it's not updating very often
b
blaedj
03/09/2022, 2:26 PMYou shouldn't need to do anything special, but seeing updates that match changes on the device really depends on how you're running the query. Is it from the interactive osqueryi? is it running on a schedule? If so, where are the results being sent/recorded, and how often is the query scheduled to run?
If you're running the query interactively (via
osqueryim
Mike Myers
03/09/2022, 5:19 PMIf you meant to get the running process list, the table you want is
select * from processes;programss
seph
03/11/2022, 11:37 AM
When ever the query runs, osquery will fetch the data. Osquery should be thought of as a api translation layer not a storage system.
a
Adam S
03/11/2022, 1:40 PM@blaedj The query is ran about every 15 minutes or so in conjunction with other queires, it's being run as osqueryi -json "SELECT * FROM programs"
Adam S
03/11/2022, 1:40 PM@Mike Myers I did mean programs, not processes. Thanks though.
Adam S
03/11/2022, 1:41 PM@seph Then I must be running into a bug or something because I updated the chocolatey package on several machines and to confirm, I'm trying to verify it through this query but it's still reporting the old version.
s
seph
03/11/2022, 1:43 PM
osquery has no caching and is not really a database. This is extra true for osqueryi. Programs is implemented in https://github.com/osquery/osquery/blob/master/osquery/tables/system/windows/programs.cpp which looks like it’s probably calling the registry
seph
03/11/2022, 1:43 PM
Aside from that, there’s a whole conversation about repeatedly invoking
osqueryi4 Views