greetings all 2 part question 1 when stopping osqueryd servi osquery #windows

greetings all, 2 part question. 1) when stopping ...

Shawn

01/09/2019, 12:25 AM

greetings all, 2 part question. 1) when stopping osqueryd service, there still remains an osqueryd.exe process, which I assume is the watchdog process. this looks to keep a lock on osquery.db/, which prevents a clean uninstall. is that expected behavior? 2) I'm trying to build a custom msi with the WiX toolset and using a custom action to taskkill osqueryd.exe, but that doesn't work. anyone have some experience there? I'm using 3.3.1 from git as my source and testing on Windows 10.

thor

01/09/2019, 9:08 PM

1.) Not expected behavior. If you can reliable repro this would you mind cutting an issue for us? We had issues with this previously, and we've seen it happening in our environment, but specifically it's only when we have extensions running with the watchdog process disabled. Osquery on it's own, no extensions, with watchdog enabled doesn't seem to have this issue from what I've seen on 3.3.1

thor

01/09/2019, 9:09 PM

2.) For the custom WiX script -- we have a

tools\deployment\make_windows_package.ps1

I think, which renders the XML for a WiX script to create an MSI for deployment. It's pretty basic and generic, but you should be able to follow what that script is doing and make changes as needed to get your custom logic. Aside from that I think @groob had some experience messing with WiX scripts for deployment?

Shawn

01/09/2019, 11:44 PM

1) We are running with the watchdog process enabled with extensions. I can reliably reproduce this, so I'll file a bug for you.

Shawn

01/09/2019, 11:45 PM

2) I have a WiX template in play that's working. This should really become irrelevant if we can solve #1.

👍 1

Shawn

01/09/2019, 11:58 PM

#5341

thor

01/10/2019, 12:06 AM

Thanks!

4 Views

Open in Slack

Previous Next