greetings all 2 part question 1 when stopping osqueryd servi

Question

greetings all 2 part question 1 when stopping osqueryd service there still remains an osqueryd exe process which I assume is the watchdog process this looks to keep a lock on osquery db which prevents a clean uninstall is that expected behavior 2 I m trying to build a custom msi with the WiX toolset and using a custom action to taskkill osqueryd exe but that doesn t work anyone have some experience there I m using 3 3 1 from git as my source and testing on Windows 10

thor · Answer

1 Not expected behavior If you can reliable repro this would you mind cutting an issue for us We had issues with this previously and we ve seen it happening in our environment but specifically it s only when we have extensions running with the watchdog process disabled Osquery on it s own no extensions with watchdog enabled doesn t seem to have this issue from what I ve seen on 3 3 1

thor · Answer

2 For the custom WiX script we have a `tools deployment make windows package ps1` I think which renders the XML for a WiX script to create an MSI for deployment It s pretty basic and generic but you should be able to follow what that script is doing and make changes as needed to get your custom logic Aside from that I think < groob> had some experience messing with WiX scripts for deployment

Shawn · Answer

1 We are running with the watchdog process enabled with extensions I can reliably reproduce this so I ll file a bug for you

Shawn · Answer

2 I have a WiX template in play that s working This should really become irrelevant if we can solve 1

Shawn · Answer

5341

thor · Answer

Thanks