{"id":14191,"date":"2022-09-28T00:27:10","date_gmt":"2022-09-27T21:27:10","guid":{"rendered":"https:\/\/kifarunix.com\/?p=14191"},"modified":"2024-03-09T21:17:20","modified_gmt":"2024-03-09T18:17:20","slug":"install-osquery-on-windows-system","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/install-osquery-on-windows-system\/","title":{"rendered":"Install Osquery on Windows system"},"content":{"rendered":"\n

In this guide, you will learn how to install osquery on Windows system. Osquery<\/a> is an instrumentation framework that exposes an operating system as a high-performance relational database. This allows you to write SQL queries to explore operating system data. With osquery, SQL tables represent abstract concepts such as running processes, loaded kernel modules, open network connections, browser plugins, hardware events or file hashes<\/em>.<\/p>\n\n\n\n

Install Osquery on Windows system<\/h2>\n\n\n\n

In this tutorial, we are using Windows 10 system.<\/p>\n\n\n\n

Download Osquery Windows Installer<\/h3>\n\n\n\n

Navigate to osquery downloads page<\/a> and grab the latest stable Windows installer.<\/p>\n\n\n\n

As of this writing, osquery 5.5.1 is the current stable release.<\/p>\n\n\n\n

You can simply get the download link and pull it using Powershell;<\/p>\n\n\n\n

Invoke-WebRequest -URI https:\/\/pkg.osquery.io\/windows\/osquery-5.5.1.msi -OutFile $env:userprofile\/Downloads\/osquery-5.5.1.msi<\/code><\/pre>\n\n\n\n
Run Osquery Installation Package<\/h3>\n\n\n\n
Once the download is complete, run the installer, either by double clicking on the downloads page or  by just using Powershell (launched as Administrator);<\/p>\n\n\n\n
cd  $env:userprofile\\Downloads<\/code><\/pre>\n\n\n\n
.\\osquery-5.5.1.msi<\/code><\/pre>\n\n\n\n
Go through the installer wizards;<\/p>\n\n\n\n
\"Install<\/figure><\/a><\/div>\n\n\n\n
Accept End User License Agreement;<\/p>\n\n\n\n
\"Install<\/figure><\/a><\/div>\n\n\n\n
Custom setup;<\/p>\n\n\n\n
\"\"<\/figure><\/a><\/div>\n\n\n\n
Ready to install;<\/p>\n\n\n\n
\"\"<\/figure><\/a><\/div>\n\n\n\n
Windows Osquery install finish;<\/p>\n\n\n\n
\"\"<\/figure><\/a><\/div>\n\n\n\n
Osquery Windows Service<\/h3>\n\n\n\n
You can control the osquery service from service app or from powershell\/cmd.<\/p>\n\n\n\n
Get-Service osqueryd<\/code><\/pre>\n\n\n\n
Querying Windows Systems with Osquery<\/h3>\n\n\n\n
You can now query your windows system using osqueryi<\/code><\/strong>, an osquery interactive shell.<\/p>\n\n\n\n
To launch osqueryi, execute command below or just navigate to C:\\Program Files\\osquery<\/code><\/strong> and double click osqueryi<\/code><\/strong> program.<\/p>\n\n\n\n
 & 'C:\\Program Files\\osquery\\osqueryi.exe'<\/code><\/pre>\n\n\n\n
Getting help from osquery shell;<\/p>\n\n\n\n
.help<\/code><\/pre>\n\n\n\n
sample output;<\/p>\n\n\n\n
\nosquery> .help\nWelcome to the osquery shell. Please explore your OS!\nYou are connected to a transient 'in-memory' virtual database.\n\n.all [TABLE]     Select all from a table\n.bail ON|OFF     Stop after hitting an error\n.connect PATH    Connect to an osquery extension socket\n.disconnect      Disconnect from a connected extension socket\n.echo ON|OFF     Turn command echo on or off\n.exit            Exit this program\n.features        List osquery's features and their statuses\n.headers ON|OFF  Turn display of headers on or off\n.help            Show this message\n.mode MODE       Set output mode where MODE is one of:\n                   csv      Comma-separated values\n                   column   Left-aligned columns see .width\n                   line     One value per line\n                   list     Values delimited by .separator string\n                   pretty   Pretty printed SQL results (default)\n.nullvalue STR   Use STRING in place of NULL values\n.print STR...    Print literal STRING\n.quit            Exit this program\n.schema [TABLE]  Show the CREATE statements\n.separator STR   Change separator used by output mode\n.socket          Show the local osquery extensions socket path\n.show            Show the current values for various settings\n.summary         Alias for the show meta command\n.tables [TABLE]  List names of tables\n.types [SQL]     Show result of getQueryColumns for the given query\n.width [NUM1]+   Set column widths for \"column\" mode\n.timer ON|OFF      Turn the CPU timer measurement on or off\n<\/code><\/pre>\n\n\n\n
List available tables;<\/p>\n\n\n\n
.tables<\/code><\/pre>\n\n\n\n
\nosquery> .tables\n  => appcompat_shims\n  => arp_cache\n  => atom_packages\n  => authenticode\n  => autoexec\n  => azure_instance_metadata\n  => azure_instance_tags\n  => background_activities_moderator\n  => bitlocker_info\n  => carbon_black_info\n  => carves\n  => certificates\n  => chassis_info\n  => chocolatey_packages\n  => chrome_extension_content_scripts\n  => chrome_extensions\n  => connectivity\n  => cpu_info\n  => cpuid\n  => curl\n  => curl_certificate\n  => default_environment\n  => device_file\n  => device_hash\n  => device_partitions\n  => disk_info\n  => dns_cache\n  => drivers\n  => ec2_instance_metadata\n  => ec2_instance_tags\n  => etc_hosts\n  => etc_protocols\n  => etc_services\n  => file\n  => firefox_addons\n  => groups\n  => hash\n  => hvci_status\n  => ie_extensions\n  => intel_me_info\n  => interface_addresses\n  => interface_details\n  => kernel_info\n  => kva_speculative_info\n  => listening_ports\n  => logged_in_users\n  => logical_drives\n  => logon_sessions\n  => memory_devices\n  => npm_packages\n  => ntdomains\n  => ntfs_acl_permissions\n  => ntfs_journal_events\n  => office_mru\n  => os_version\n  => osquery_events\n  => osquery_extensions\n  => osquery_flags\n  => osquery_info\n  => osquery_packs\n  => osquery_registry\n  => osquery_schedule\n  => patches\n  => physical_disk_performance\n  => pipes\n  => platform_info\n  => powershell_events\n  => prefetch\n  => process_memory_map\n  => process_open_sockets\n  => processes\n  => programs\n  => python_packages\n  => registry\n  => routes\n  => scheduled_tasks\n  => secureboot\n  => services\n  => shared_resources\n  => shellbags\n  => shimcache\n  => ssh_configs\n  => startup_items\n  => system_info\n  => time\n  => tpm_info\n  => uptime\n  => user_groups\n  => user_ssh_keys\n  => userassist\n  => users\n  => video_info\n  => winbaseobj\n  => windows_crashes\n  => windows_eventlog\n  => windows_events\n  => windows_firewall_rules\n  => windows_optional_features\n  => windows_security_center\n  => windows_security_products\n  => windows_update_history\n  => wmi_bios_info\n  => wmi_cli_event_consumers\n  => wmi_event_filters\n  => wmi_filter_consumer_binding\n  => wmi_script_event_consumers\n  => yara\n  => ycloud_instance_metadata\nosquery>\n<\/code><\/pre>\n\n\n\n
Running queries against available tables, e.g user;<\/p>\n\n\n\n
select uid,gid,username,description,directory from users;<\/code><\/pre>\n\n\n\n
\n+------+-----+--------------------+-------------------------------------------------------------------------------------------------+---------------------------------------------+\n| uid  | gid | username           | description                                                                                     | directory                                   |\n+------+-----+--------------------+-------------------------------------------------------------------------------------------------+---------------------------------------------+\n| 500  | 544 | Administrator      | Built-in account for administering the computer\/domain                                          |                                             |\n| 503  | 581 | DefaultAccount     | A user account managed by the system.                                                           |                                             |\n| 501  | 546 | Guest              | Built-in account for guest access to the computer\/domain                                        |                                             |\n| 1001 | 544 | kifarunix          |                                                                                                 | C:\\Users\\kifarunix                          |\n| 504  | 513 | WDAGUtilityAccount | A user account managed and used by the system for Windows Defender Application Guard scenarios. |                                             |\n| 18   | 18  | SYSTEM             |                                                                                                 | %systemroot%\\system32\\config\\systemprofile  |\n| 19   | 19  | LOCAL SERVICE      |                                                                                                 | %systemroot%\\ServiceProfiles\\LocalService   |\n| 20   | 20  | NETWORK SERVICE    |                                                                                                 | %systemroot%\\ServiceProfiles\\NetworkService |\n+------+-----+--------------------+-------------------------------------------------------------------------------------------------+---------------------------------------------+\n<\/code><\/pre>\n\n\n\n
select name,service_type,display_name,status,pid,user_account from services limit 10;<\/code><\/pre>\n\n\n\n
\n+--------------------------+---------------+-----------------------------------+---------+------+---------------------------+\n| name                     | service_type  | display_name                      | status  | pid  | user_account              |\n+--------------------------+---------------+-----------------------------------+---------+------+---------------------------+\n| AJRouter                 | SHARE_PROCESS | AllJoyn Router Service            | STOPPED | 0    | NT AUTHORITY\\LocalService |\n| ALG                      | OWN_PROCESS   | Application Layer Gateway Service | STOPPED | 0    | NT AUTHORITY\\LocalService |\n| AppIDSvc                 | SHARE_PROCESS | Application Identity              | STOPPED | 0    | NT Authority\\LocalService |\n| Appinfo                  | SHARE_PROCESS | Application Information           | RUNNING | 68   | LocalSystem               |\n| AppMgmt                  | SHARE_PROCESS | Application Management            | STOPPED | 0    | LocalSystem               |\n| AppReadiness             | SHARE_PROCESS | App Readiness                     | STOPPED | 0    | LocalSystem               |\n| AppVClient               | OWN_PROCESS   | Microsoft App-V Client            | STOPPED | 0    | LocalSystem               |\n| AppXSvc                  | SHARE_PROCESS | AppX Deployment Service (AppXSVC) | RUNNING | 7352 | LocalSystem               |\n| AssignedAccessManagerSvc | SHARE_PROCESS | AssignedAccessManager Service     | STOPPED | 0    | LocalSystem               |\n| AudioEndpointBuilder     | SHARE_PROCESS | Windows Audio Endpoint Builder    | RUNNING | 1164 | LocalSystem               |\n+--------------------------+---------------+-----------------------------------+---------+------+---------------------------+\n<\/code><\/pre>\n\n\n\n
You can go ahead and enroll your hosts to Osquery Fleet manager for easy querying.<\/p>\n\n\n\n
Other Tutorials<\/h3>\n\n\n\n
Install and Enroll Elastic Agents to Fleet Manager in Linux<\/a><\/p>\n\n\n\n
Enroll Osquery Hosts on Fleet Manager<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
In this guide, you will learn how to install osquery on Windows system. Osquery is an instrumentation framework that exposes an operating system as a<\/p>\n","protected":false},"author":1,"featured_media":10042,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[121],"tags":[5867,5865,5866],"class_list":["post-14191","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-howtos","tag-installing-osquery-on-windows","tag-osquery-windows","tag-windows-osquery-agent","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/14191"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=14191"}],"version-history":[{"count":4,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/14191\/revisions"}],"predecessor-version":[{"id":20613,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/14191\/revisions\/20613"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/10042"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=14191"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=14191"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=14191"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}