Title
#windows
AoS

AoS

12/04/2019, 11:20 AM
No problem 🙂
j

Jean M

12/04/2019, 12:07 PM
Now it shows
E1204 04:06:18.140079 11196 watcher.cpp:567] [Ref #1382] osqueryd has unsafe permissions: C:\osquery\osqueryd\osqueryd.exe
12:07 PM
and then quits from what I understood
12:10 PM
but if I launch it in shell “--S” it seems to work
AoS

AoS

12/04/2019, 12:12 PM
So basically osquery wants all of the binaries it executes (itself and its extensions) to be owned by SYSTEM and is supposed to do that automatically when installing.
12:13 PM
You can run
--allow_unsafe
to fix but it is somewhat not recommended
j

Jean M

12/04/2019, 12:16 PM
12:17 PM
maybe it’s checking for another administrator user
12:17 PM
yeah I saw that option but also didn’t want to use it : (
AoS

AoS

12/04/2019, 12:26 PM
In this photo the owner is Administrators, try and change that to System
j

Jean M

12/04/2019, 12:32 PM
Not working yet : / changed recursively also
12:36 PM
I also get a stale process message, but I don’t see any other osquery process running in task manager details
PS C:\osquery> .\osqueryd\osqueryd.exe --verbose --config_path osquery.conf --logtostderr --force
I1204 04:34:45.896339  8756 init.cpp:418] osquery initialized [version=4.1.1]
I1204 04:34:45.933342  8756 system.cpp:330] Found stale process for osqueryd (12908)
I1204 04:34:45.938354  8756 system.cpp:362] Writing osqueryd pid (5308) to \Program Files\osquery\osqueryd.pidfile
I1204 04:34:45.954347  8756 extensions.cpp:349] Could not autoload extensions: Failed reading: \Program Files\osquery\extensions.load
E1204 04:34:45.987377  9984 watcher.cpp:567] [Ref #1382] osqueryd has unsafe permissions: C:\osquery\osqueryd\osqueryd.exe
PS C:\osquery>
12:41 PM
it’s really this permission issue, if I use that bypass option it works
12:56 PM
ok. I think I found another problem, it seems to be sensitive to the JSON configuration file encoding
12:57 PM
since I generated the file through a PowerShell script, it set the encoding to something strange. Changing to UTF-8 fixes that other issue, it’s not an osquery problem in this case