No problem :slightly_smiling_face:
# windows
Now it shows
E1204 04:06:18.140079 11196 watcher.cpp:567] [Ref #1382] osqueryd has unsafe permissions: C:\osquery\osqueryd\osqueryd.exe
and then quits from what I understood
but if I launch it in shell with "--S" it seems to work
So basically osquery wants all of the binaries it executes (itself and its extensions) to be owned by SYSTEM and is supposed to do that automatically when installing.
You can run
to fix but it is somewhat not recommended
maybe it's checking for another administrator user
yeah I saw that option but also didn’t want to use it : (
In this photo the owner is Administrators, try and change that to System
Not working yet : / changed recursively also
I also get a stale process message, but I don’t see any other osquery process running in task manager details
PS C:\osquery> .\osqueryd\osqueryd.exe --verbose --config_path osquery.conf --logtostderr --force
I1204 04:34:45.896339  8756 init.cpp:418] osquery initialized [version=4.1.1]
I1204 04:34:45.933342  8756 system.cpp:330] Found stale process for osqueryd (12908)
I1204 04:34:45.938354  8756 system.cpp:362] Writing osqueryd pid (5308) to \Program Files\osquery\osqueryd.pidfile
I1204 04:34:45.954347  8756 extensions.cpp:349] Could not autoload extensions: Failed reading: \Program Files\osquery\extensions.load
E1204 04:34:45.987377  9984 watcher.cpp:567] [Ref #1382] osqueryd has unsafe permissions: C:\osquery\osqueryd\osqueryd.exe
PS C:\osquery>
it's really this permission issue, if I use that bypass option it works
ok. I think I found another problem, it seems to be sensitive to the JSON configuration file encoding
since I generated the file through a PowerShell script, it set the encoding to something strange. Changing it to UTF-8 fixes that other issue; it's not an osquery problem in this case