I've commented on the existing ticket to add support for enumerating named mutex objects on Windows. The ticket is at https://github.com/facebook/osquery/issues/2754 I put the following comment in the ticket just now: --BEGIN-- I have created an entirely uninteresting proof-of-concept on HANDLE enumeration across all processes. This is done in usermode (no custom kernel module) using a series of reasonably well-known techniques, man of which date back well over a decade. The proof-of-concept can be found on github at https://github.com/scottlundgren/objects/blob/master/objects/objects/objects.cpp I have provided example output below. The proof-of-concept does no filtering by itself - it simply enumerate all HANDLEs across the system, looks up the name associated with the object the HANDLE references, and outputs several interesting fields including the PID, the HANDLE value, the object type number and name (mutex, file, registry key, window station, etc.) and the object name itself (the filename, the mutex name, the registry key name). By running the proof-of-concept and piping to grep, it is easy to see how the results could be filtered down to just mutexes with a name matching a certain pattern. The next step is to implement a proof-of-concept in osquery itself. --END--