If that script isn’t working, I’d probably look at setting the permissions manually. What are they set to now?

Hello Seph, Yes, I do it. But I can't modify permissions for ALL APPLICATIONS PACKAGES, it have special permissions.

I am by no means a windows expert.

I try to remove write and delete permisions but it doesn't work. They are: + Show folder/read data. + Read extended attributes. + Write extended attributes. + Delete. + Read permissions.

Could you please show what you’re doing? I can’t be a second set of eyes, if I can’t see the commands you’re running

These's the groups which have permisions in

osqueryd

directory:

Can you manually remove the ALL APPLICATIONS PACKAGES grant there?

And ALL PACKAGES APPLICATION have the following special permisions are:

From a powershell window, can you run

icacls.exe

with the directory osquery is in?

Can you runn that against the directory, not the binary?

Windows Server 2019

That group has write access. osquery doesn’t like that.

I removed it and it does't work

Removed what? The permissions? What do you mean didn’t work? Windows doesn’t support removing it?

I removed write permissions and osquery report the same error

does icacls.exe show the permissions as gone?

okay, Thanks! And yes, without write permission also doesn't work

Can you show that with icacls?

Can you run that on the enclosing folder, not the binary?

can you also

get-acl

in that directory?

And the directory please.

This is the directory

Thgat looks like

get-acl osqueryd

which is the binary. Can you also

get-acl .

Thank you. Those permissions seem to match the docs