osquery/osquery

vscode_extension and chrome_extensions don't return anything using osqueryd but do using osqueryi

Closed this issue · 4 comments

Bug report

What operating system and version are you using?

version = 10.0.22631
build = 22631
platform = windows

What version of osquery are you using?

version = 5.11.0

What steps did you take to reproduce the issue?

When running the following (with osqueryi), I got a result:

osqueryi --line "SELECT * from chrome_extensions;"

When running the same (using osqueryd from fleetdm), I got no result.

What did you expect to see?

I would expect to see the same result on osqueryd (over fleetdm) as with osqueryi.

What did you see instead?

I see no result on my query.

Those tables need to know which user you're trying to query the extensions for. By default it uses whatever user is running osquery, so I would assume that when osquery is running as a daemon on Windows it's SYSTEM, which won't have extensions installed.

osquery also writes a warning in the logs when you attempt to query similar tables without an explicit user:

"The <table name> table returns data based on the current user by default, consider JOINing against the users table"

Thanks for the answer @Smjert

However, indeed my "osqueryd" (was) running as the SYSTEM user, but if I create a new service using "Local System", the result remains the same (empty/no warning).

Is there a way to explicitly run osqueryd as the current user, locally (not via fleetdm)?

> Thanks for the answer @Smjert
>
> However, indeed my "osqueryd" (was) running as the SYSTEM user, but if I create a new service using "Local System", the result remains the same (empty/no warning).

If osquery is running as LocalSystem and you don't specify a user in the query, it will search for vscode and chrome extensions for that user, but I don't think you have those installed with such a user.
The warning should be visible in the osquery logs, depending on how you're getting them (to file, through TLS, AWS, etc.).

> Is there a way to explicitly run osqueryd as the current user, locally (not via fleetdm)?

It's not really a matter of locally or via fleetdm, it's a matter of the query itself. SELECT * FROM chrome_extensions WHERE uid = <id of the user you're interested in> should work. If you want to check all users you would JOIN that column with the users table, as the warning suggests.
You can see here: https://osquery.io/schema/5.11.0/#chrome_extensions that the table has a uid column.

Correct, SELECT * FROM chrome_extensions WHERE uid IN (SELECT uid FROM users); seems to answer my need. Thanks @Smjert!
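As an added illustration (not part of the thread or of osquery's own documentation), here is an osqueryd configuration that schedules the original per-current-user query, which yields nothing when the daemon runs as SYSTEM, beside the JOIN-based form Smjert suggested, so the scheduled results cover every local account. The pack and query names are made up for this example; the column names are taken from the chrome_extensions, vscode_extensions and users table schemas, and the 3600-second interval is an arbitrary choice.

```json
{
  "schedule": {
    "chrome_extensions_current_user_only": {
      "query": "SELECT * FROM chrome_extensions;",
      "interval": 3600,
      "description": "Weak form: resolves extensions for the account osqueryd runs as (SYSTEM on Windows), so the log only carries the 'consider JOINing against the users table' warning and no rows."
    },
    "chrome_extensions_all_users": {
      "query": "SELECT u.username, u.uid, ce.browser_type, ce.name, ce.identifier, ce.version, ce.permissions, ce.path FROM users u JOIN chrome_extensions ce ON ce.uid = u.uid;",
      "interval": 3600,
      "snapshot": true,
      "description": "Corrected form: one row per extension per local user, suitable for a browser-extension inventory."
    },
    "vscode_extensions_all_users": {
      "query": "SELECT u.username, u.uid, ve.name, ve.publisher, ve.version, ve.path FROM users u JOIN vscode_extensions ve ON ve.uid = u.uid;",
      "interval": 3600,
      "snapshot": true,
      "description": "Same pattern for the vscode_extensions table, which also resolves profiles through its uid column."
    }
  }
}
```

With snapshot mode each run logs the full current list rather than a differential, which makes it straightforward to diff extension inventories between hosts or over time.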