In this guide, you will learn how to install osquery on a Windows system. osquery is an instrumentation framework that exposes an operating system as a high-performance relational database, so you can explore operating system state with SQL queries. In osquery, SQL tables represent abstract concepts such as running processes, loaded kernel modules, open network connections, browser plugins, hardware events or file hashes.
Install Osquery on Windows system
In this tutorial, we are using a Windows 10 system.
Download Osquery Windows Installer
Navigate to osquery downloads page and grab the latest stable Windows installer.
As of this writing, osquery 5.5.1 is the current stable release.
You can simply copy the download link and pull the installer with PowerShell;
Invoke-WebRequest -URI https://pkg.osquery.io/windows/osquery-5.5.1.msi -OutFile $env:userprofile/Downloads/osquery-5.5.1.msi
Run Osquery Installation Package
Once the download is complete, run the installer, either by double-clicking it in your Downloads folder or from PowerShell (launched as Administrator);
cd $env:userprofile\Downloads
.\osquery-5.5.1.msi
Go through the installer wizard;
Accept End User License Agreement;
Custom setup;
Ready to install;
Windows Osquery install finish;
Osquery Windows Service
The installer registers the daemon as a Windows service named osqueryd. You can control it from the Services app or from PowerShell/cmd; check its state with:
Get-Service osqueryd
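The download, verification, install and service-check steps above collected into one unattended PowerShell script. This is an added example, not code from the original page or from the osquery project. It assumes the 5.5.1 download URL shown above, an elevated PowerShell session, and that you paste the SHA-256 published for the release into $ExpectedSha256 (left empty here, in which case that check is skipped and only the Authenticode signature is verified).

```powershell
# Added example: unattended download, verification and install of the osquery MSI.
# Assumes an elevated PowerShell session (msiexec and Start-Service need it).
$Version        = '5.5.1'
$Url            = "https://pkg.osquery.io/windows/osquery-$Version.msi"
$Msi            = Join-Path $env:USERPROFILE "Downloads\osquery-$Version.msi"
$ExpectedSha256 = ''   # optional: paste the SHA-256 published for this release

Invoke-WebRequest -Uri $Url -OutFile $Msi

# 1. Integrity: compare the download against the published checksum, if supplied.
if ($ExpectedSha256) {
    $actual = (Get-FileHash -Path $Msi -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256.ToUpper()) {
        throw "SHA-256 mismatch for $Msi (got $actual)"
    }
}

# 2. Authenticity: refuse an MSI whose Authenticode signature does not validate.
$sig = Get-AuthenticodeSignature -FilePath $Msi
if ($sig.Status -ne 'Valid') {
    throw "Installer signature is $($sig.Status); not installing"
}
"Installer signed by: $($sig.SignerCertificate.Subject)"

# 3. Silent install. /qn = no UI, /norestart = never reboot, /l*v = verbose log.
$log = Join-Path $env:TEMP 'osquery-install.log'
$p = Start-Process -FilePath msiexec.exe `
        -ArgumentList "/i `"$Msi`" /qn /norestart /l*v `"$log`"" `
        -Wait -PassThru
# 3010 = success, reboot required; anything else non-zero is a failure.
if ($p.ExitCode -notin 0, 3010) {
    throw "msiexec exited with $($p.ExitCode); see $log"
}

# 4. Confirm the osqueryd service was registered and start it if it is stopped.
$svc = Get-Service -Name osqueryd -ErrorAction Stop
if ($svc.Status -ne 'Running') { Start-Service -Name osqueryd }
Get-Service -Name osqueryd | Select-Object Name, Status, StartType
```

The signature check is the part worth keeping even if you do nothing else: an MSI runs as SYSTEM during installation, so a tampered download is a full-host compromise. Keep the msiexec log; it is the first thing to read when the install succeeds but the service is missing.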
Querying Windows Systems with Osquery
You can now query your Windows system using osqueryi, the osquery interactive shell. Unlike osqueryd, it does not schedule anything or write logs; it runs ad hoc queries against a transient in-memory database. To launch it, run the command below from an elevated PowerShell session (some tables return partial or empty results without administrator rights), or navigate to C:\Program Files\osquery and double-click osqueryi.exe.
& 'C:\Program Files\osquery\osqueryi.exe'
Getting help from osquery shell;
.help
sample output;
osquery> .help
Welcome to the osquery shell. Please explore your OS!
You are connected to a transient 'in-memory' virtual database.
.all [TABLE] Select all from a table
.bail ON|OFF Stop after hitting an error
.connect PATH Connect to an osquery extension socket
.disconnect Disconnect from a connected extension socket
.echo ON|OFF Turn command echo on or off
.exit Exit this program
.features List osquery's features and their statuses
.headers ON|OFF Turn display of headers on or off
.help Show this message
.mode MODE Set output mode where MODE is one of:
csv Comma-separated values
column Left-aligned columns see .width
line One value per line
list Values delimited by .separator string
pretty Pretty printed SQL results (default)
.nullvalue STR Use STRING in place of NULL values
.print STR... Print literal STRING
.quit Exit this program
.schema [TABLE] Show the CREATE statements
.separator STR Change separator used by output mode
.socket Show the local osquery extensions socket path
.show Show the current values for various settings
.summary Alias for the show meta command
.tables [TABLE] List names of tables
.types [SQL] Show result of getQueryColumns for the given query
.width [NUM1]+ Set column widths for "column" mode
.timer ON|OFF Turn the CPU timer measurement on or off
List available tables;
.tables
osquery> .tables
=> appcompat_shims
=> arp_cache
=> atom_packages
=> authenticode
=> autoexec
=> azure_instance_metadata
=> azure_instance_tags
=> background_activities_moderator
=> bitlocker_info
=> carbon_black_info
=> carves
=> certificates
=> chassis_info
=> chocolatey_packages
=> chrome_extension_content_scripts
=> chrome_extensions
=> connectivity
=> cpu_info
=> cpuid
=> curl
=> curl_certificate
=> default_environment
=> device_file
=> device_hash
=> device_partitions
=> disk_info
=> dns_cache
=> drivers
=> ec2_instance_metadata
=> ec2_instance_tags
=> etc_hosts
=> etc_protocols
=> etc_services
=> file
=> firefox_addons
=> groups
=> hash
=> hvci_status
=> ie_extensions
=> intel_me_info
=> interface_addresses
=> interface_details
=> kernel_info
=> kva_speculative_info
=> listening_ports
=> logged_in_users
=> logical_drives
=> logon_sessions
=> memory_devices
=> npm_packages
=> ntdomains
=> ntfs_acl_permissions
=> ntfs_journal_events
=> office_mru
=> os_version
=> osquery_events
=> osquery_extensions
=> osquery_flags
=> osquery_info
=> osquery_packs
=> osquery_registry
=> osquery_schedule
=> patches
=> physical_disk_performance
=> pipes
=> platform_info
=> powershell_events
=> prefetch
=> process_memory_map
=> process_open_sockets
=> processes
=> programs
=> python_packages
=> registry
=> routes
=> scheduled_tasks
=> secureboot
=> services
=> shared_resources
=> shellbags
=> shimcache
=> ssh_configs
=> startup_items
=> system_info
=> time
=> tpm_info
=> uptime
=> user_groups
=> user_ssh_keys
=> userassist
=> users
=> video_info
=> winbaseobj
=> windows_crashes
=> windows_eventlog
=> windows_events
=> windows_firewall_rules
=> windows_optional_features
=> windows_security_center
=> windows_security_products
=> windows_update_history
=> wmi_bios_info
=> wmi_cli_event_consumers
=> wmi_event_filters
=> wmi_filter_consumer_binding
=> wmi_script_event_consumers
=> yara
=> ycloud_instance_metadata
osquery>
Running queries against available tables, e.g. the users table;
select uid,gid,username,description,directory from users;
+------+-----+--------------------+-------------------------------------------------------------------------------------------------+---------------------------------------------+
| uid | gid | username | description | directory |
+------+-----+--------------------+-------------------------------------------------------------------------------------------------+---------------------------------------------+
| 500 | 544 | Administrator | Built-in account for administering the computer/domain | |
| 503 | 581 | DefaultAccount | A user account managed by the system. | |
| 501 | 546 | Guest | Built-in account for guest access to the computer/domain | |
| 1001 | 544 | kifarunix | | C:\Users\kifarunix |
| 504 | 513 | WDAGUtilityAccount | A user account managed and used by the system for Windows Defender Application Guard scenarios. | |
| 18 | 18 | SYSTEM | | %systemroot%\system32\config\systemprofile |
| 19 | 19 | LOCAL SERVICE | | %systemroot%\ServiceProfiles\LocalService |
| 20 | 20 | NETWORK SERVICE | | %systemroot%\ServiceProfiles\NetworkService |
+------+-----+--------------------+-------------------------------------------------------------------------------------------------+---------------------------------------------+
select name,service_type,display_name,status,pid,user_account from services limit 10;
+--------------------------+---------------+-----------------------------------+---------+------+---------------------------+
| name | service_type | display_name | status | pid | user_account |
+--------------------------+---------------+-----------------------------------+---------+------+---------------------------+
| AJRouter | SHARE_PROCESS | AllJoyn Router Service | STOPPED | 0 | NT AUTHORITY\LocalService |
| ALG | OWN_PROCESS | Application Layer Gateway Service | STOPPED | 0 | NT AUTHORITY\LocalService |
| AppIDSvc | SHARE_PROCESS | Application Identity | STOPPED | 0 | NT Authority\LocalService |
| Appinfo | SHARE_PROCESS | Application Information | RUNNING | 68 | LocalSystem |
| AppMgmt | SHARE_PROCESS | Application Management | STOPPED | 0 | LocalSystem |
| AppReadiness | SHARE_PROCESS | App Readiness | STOPPED | 0 | LocalSystem |
| AppVClient | OWN_PROCESS | Microsoft App-V Client | STOPPED | 0 | LocalSystem |
| AppXSvc | SHARE_PROCESS | AppX Deployment Service (AppXSVC) | RUNNING | 7352 | LocalSystem |
| AssignedAccessManagerSvc | SHARE_PROCESS | AssignedAccessManager Service | STOPPED | 0 | LocalSystem |
| AudioEndpointBuilder | SHARE_PROCESS | Windows Audio Endpoint Builder | RUNNING | 1164 | LocalSystem |
+--------------------------+---------------+-----------------------------------+---------+------+---------------------------+
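The interactive queries above are fine for a first look, but for host triage you will usually want to run a fixed set of queries non-interactively and keep the results. This added example (not from the original page or the osquery project) drives osqueryi from PowerShell with its --json output mode and runs a few constructed triage queries against the tables listed earlier: listening ports mapped to their owning process, services and scheduled tasks whose binaries live outside the Windows and Program Files trees, and local members of the Administrators group (RID 544, the gid shown for the Administrator account above). It assumes the default install path and an elevated shell.

```powershell
# Added example: non-interactive triage queries through osqueryi --json.
# Assumes the default install path and that this runs as Administrator.
$osqueryi = 'C:\Program Files\osquery\osqueryi.exe'

function Invoke-Osquery {
    param([Parameter(Mandatory)][string]$Sql)
    # --json makes osqueryi print the result set as a JSON array and exit.
    $raw = & $osqueryi --json $Sql
    if (-not $raw) { return @() }          # empty result set or query error
    return @(($raw -join "`n") | ConvertFrom-Json)
}

# Constructed triage queries. Each one is a starting point: review hits by hand,
# since some legitimate Microsoft services use %SystemRoot% rather than C:\Windows.
$checks = [ordered]@{
    'Listening ports and their owning process' = @'
SELECT p.pid, p.name, p.path, lp.address, lp.port, lp.protocol
FROM listening_ports lp JOIN processes p USING (pid)
WHERE lp.port != 0
ORDER BY lp.port;
'@
    'Services whose binary is outside C:\Windows and Program Files' = @'
SELECT name, path, start_type, user_account
FROM services
WHERE replace(path, '"', '') NOT LIKE 'C:\Windows\%'
  AND replace(path, '"', '') NOT LIKE 'C:\Program Files%';
'@
    'Enabled scheduled tasks whose action is outside C:\Windows' = @'
SELECT name, action, path, hidden
FROM scheduled_tasks
WHERE enabled = 1
  AND replace(action, '"', '') NOT LIKE 'C:\Windows\%';
'@
    'Local accounts in the Administrators group (gid 544)' = @'
SELECT u.uid, u.username, u.directory
FROM users u JOIN user_groups ug ON u.uid = ug.uid
WHERE ug.gid = 544;
'@
}

$report = [ordered]@{}
foreach ($name in $checks.Keys) {
    $rows = Invoke-Osquery -Sql $checks[$name]
    $report[$name] = $rows
    Write-Host "`n== $name ($($rows.Count) rows) =="
    $rows | Format-Table -AutoSize | Out-String -Width 200 | Write-Host
}

# Keep the snapshot as evidence and as a baseline to diff against a later run.
$out = Join-Path $env:USERPROFILE 'Desktop\osquery-triage.json'
$report | ConvertTo-Json -Depth 5 | Set-Content -Path $out -Encoding UTF8
"Saved $out"
```

Note that user_groups reflects local group membership only; domain accounts granted admin rights through a domain group will not show up in the last query. The replace() calls strip the quotes that wrap service and task paths containing spaces, which would otherwise make every such path look like it lives outside the allowed trees.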
osqueryi is for ad hoc, local investigation. For continuous monitoring, schedule queries in osqueryd and ship their results centrally: you can go ahead and enroll your hosts in a fleet manager such as Fleet for centralized querying.