Is anyone aware of something in osquery (4.5.0) that could be making this WMI call?

SELECT * FROM Win32_Process WHERE ProcessId=2500

I can't find anything that refers to

Win32_Process

except within one of the WMI tests.

It looks like it may be the watchdog? https://osquery.slack.com/archives/C0FHNQ2N6/p1548362518179800

That thread references a PR that merged in 2019

Thank you both for the info. Wonder if we're unintentionally running a super old version of osquery?

That really seems a version <= 3.3.2

Any extensions?

What process name is associated with PID 2500?

My suspicion is that 2500 is osquery and it's the watchdog in an older version.

I feel like there's missing info... Where does this report come from? What's the process listing? Why is this assumed to be osquery, and is there a path associated with the report? I think your theory is solid -- I'm sure there are vendors shopping osquery from that long ago

This was shared to me privately, so I can only report limited details. My understanding is that WMIMon was used to determine that the osquery process is issuing the query.

FWIW I've debugged a handful of things that ended either being reporting errors, or people running multiple osquery daemons and attributing things to the wrong one.

Yeah, it seems likely. Thank you everyone, this was super helpful! I'll report on what I learn.