# windows
t
It keeps the queries it’s received in memory; this is done to prevent bad guys landing on your box from seeing what queries you’re running. The DB is owned by SYSTEM, as this is considered equivalent to root on POSIX systems, and the DB contains the results of your queries, so non-privileged users shouldn’t be capable of modifying the DB.
k
In this case, I think you mean the installation types may complete with different results? (With choco, after the installation I can access the folder, but not after the osquery.msi package installation.)
t
Neither Chocolatey nor the MSI installer touch the database, only the folder in which the daemon lives. The MSI might turn off permission inheritance on the DB from ProgramData; however, this shouldn’t be entirely relevant, as one should never really touch the DB unless you’re troubleshooting things. What are you hoping to do with the DB?
k
@thor After MSI installation, related to permissions, the osquery.db folder’s owner is set as SYSTEM, so the folder isn’t accessible by the admins, but with the choco method I don’t encounter a permission problem with accessing it. I just wondered why the choco method was different from the MSI method.
t
Hrm, ok. We did modify the permission requirements recently and the MSI might not even have been updated. We can open an issue to get that fixed up, but being owned by the Administrators group is considered sufficient for the daemon to think it’s safe and run.
k
@thor If I’m not wrong, not only admin groups are permitted but also the Users group, so I will open an issue. Thanks for your help.
t
User groups should be removed with the MSI. Can you tell me what problem you’re experiencing?