Hi all, I was checking how osquery gets events from Windows. I found that it is getting events with EVT_SUBSCRIBE_CALLBACK.
But I also saw some WMI code in osquery. But I cannot see any use of this WMI code for event subscription. Only using stringToWstring (confusing #include of WMI?)
Am I right that there is no WMI event subscription but only EVT_SUBSCRIBE_CALLBACK? Or am I missing something? Thanks 🙂
05/17/2018, 2:43 PM
That’s right, we only have two event subscribers on Windows, both of which use the evt subscribe API.