Anyone else having 1607 issue when starting osquery service after new V4 MSI install? had to do the below to get it to start (on windows 1903)..

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\osqueryd

ImagePath

from:

C:\Program Files\osquery\osqueryd\osqueryd.exe --flagfile=\Program Files\osquery\osquery.flags

to:

"C:\Program Files\osquery\osqueryd\osqueryd.exe" --flagfile="C:\Program Files\osquery\osquery.flags"

and

ObjectName

from:

NT AUTHORITY\SYSTEM

to:

LocalSystem

Hey Obi - Yes, occasionally. There are a few things it could be. First - keep it in the exact same state you have now, but reinstall. Does it work? Yes? Great No? keep reading... Open a cmd with Admin - type sc.exe stop osqueryd and followed by sc.exe start osqueryd. Same result? Lets move on. launch osqueryd.exe manually via the command line and --debug or --verbose on, what do you get? Somethings I've found are either permissions errors or it can't find something like the flag file and is running like a chicken without its head. It will give you a strong indication of where to go next or at least, what to follow up on. Worst case scenario: sc.exe delete osqueryd from cmd type: sc.exe "create osquery displayName= osqueryd start= auto binPath= ""C:\Program Files\osquery\osqueryd.exe" svc -config ""C:\Program Files\osquery\osquery.flags" and see if it starts that way or gives you an error. The binPath in services should show equal something along the lines of "C:\Program Files\osquery\osqueryd.exe" svc -config "C:\Program Files\osquery\osqueryd.flags" its a matter of getting the quotes right to escape one another correctly. It always takes me a few tries to remember which combination is correct. It's either start quote """ and end quote "" or ""/ and end "/". I forget. (I may be thinking of launcher, so take my config vs flagfile with a grain of salt) Workaround: If you have trouble with V4, but have not had an issue with an earlier installer, use the previous installer and substitute the newer (v4) into where the previous V3.2.2 or 3.4.0 one is. Then restart the service. This should work relatively flawlessly. If anyone navigates here in the future, knowing how to read the verbose and command line functions of osquery, fleet and launcher will help you significantly. Also, knowing how to run/create a service via sc.exe is extremely helpful. Lastly, brush up on your command line quote escapes. 🙂

Found the solution for anyone else that searches historical, The issue is with X version of Windows requiring image path to be in quotes, this protects against side loading attacks etc. With the correct escaping of it should look like this sc.exe create "osquery_b" type= own start= auto error= normal binpath= "\"C:\Program Files\osquery\osqueryd\osqueryd.exe\" --flagfile=\"C:\Program Files\osquery\osquery.flags\"" obj= LocalSystem displayname= "osquery_b"