Hello, is there an option to run osquery on windows without without installing it? E.g. using powershell (winRM) to invoke portable osquery without installing it on target servers.

Yes, the MSI just uncompresses files into a folder, setting some strict ACLs for safety, but that’s it. With recent builds we also provide the base .zip files used to create the MSI, like https://github.com/osquery/osquery/releases/download/5.6.0/osquery-5.6.0.windows_x86_64.zip In there you have the osquery executable, which can run on its own, if you want to extract it from there.

So if I use invoke-command to run it on a remote machine, could I redirect the output of scan to some temporary file to download it?

Sure, you can use it in shell mode with

-S --json "<query>"

and it will output the results in json, which you can then redirect to a file.

thank you

Not exactly; that would be more territory of extensions. osquery tries to avoid to cause network traffic unless is strictly necessary and caused by calling local APIs.

Scanning a server remotely could be a territory of osquery extensions? I'm not sure I understand the scenario.

What I mean is that osquery has some self imposed restrictions for core tables and how osquery should work.

I meant that it would just be used as a one time scanner, meaning it would scan the selected target system, dump the output and forget about it. Then next machine ...

It’s still osquery contacting a remote server and causing work on that, network traffic and so on.

Yes. But no need for taking care of managing multiple servers as after dumping the data from datacollection of particular server to a file, everything would be "forgotten". I understand that this use case is not in line with how osquery is designed to be used. You do local scan.

if you want to "scan hosts remotely" the supported way is to use an orchestration server such as fleet, and have your clients call home to that for tasking. the results can be shipped to your central server.