Install on Windows – osquery
As of osquery 1.8.2+ the Windows builds are feature-complete but provide a limited set of tables compared to macOS and Linux.
Installing osquery on Windows
We recommend installing osquery on Windows via the Chocolatey package system; however, a helper script for generating an MSI installer is available at toolsdeployment1 by invoking it with an 'msi' parameter. Further manual installation instructions are detailed below for those needing more custom deployment options.
Installing with Chocolatey
Each osquery tag (stable release) is published to Chocolatey for our supported versions. By default Chocolatey will install the binaries, example packs, example configuration, and an OpenSSL certificate bundle to C:\ProgramData\osquery and nothing more. You can pass Chocolatey the --params='/InstallService' flag or make use of osquery's --install flag with C:\ProgramData\osquery\osqueryd --install to install a Windows SYSTEM level service for the osqueryd daemon.
Installing osquery via the MSI package
While we currently are not hosting any MSI packages, we've included a small script that will generate for you an MSI package capable of installing osquery on hosts as mentioned above. Running . toolsdeployment1 'msi' from the source root will generate a standalone MSI package along with the example packs, configuration, and OpenSSL cert bundle.
Installing Manually
To get osquery running as a SYSTEM level service on Windows, one must ensure two things:
The osqueryd daemon is running with safe permissions
The Windows service control manager has all of the correct information for running the daemon
The daemon is considered safe if the binary and the directory in which the binary resides do not allow non-privileged write accesses and both are owned by either the Administrators group or the SYSTEM account.
The recommended way to set these ACLs is with PowerShell, and we've written a helper function to handle these permissions. To do so, source the file and call the function as follows:
C:\Users\Thor\work\repos\osquery [master ≡]
λ . .\toolsprovisionchocolatey1
λ Set-SafePermissions C:\ProgramData\osquery\osqueryd
True
If you'd prefer to manually set the permissions, check the C:\ProgramData\osquery\osqueryd directory and ensure that no users or groups have write permissions, with the exception of the Administrators group or the SYSTEM account. Read and execute permissions are expected and safe, so also ensure the Users group has both.
Now that osquery is properly laid out on disk, we need to create a new Windows service to launch and manage the daemon. If you're using Chocolatey you can pass the --params='/InstallService' flag during installation to have Chocolatey set up the Windows service for you. In general any method to install a Windows system service will suffice; one simply needs to specify the --flagfile option in the service binary path and give the full paths for both the daemon binary and the flag file. Some examples follow:
To install the service using PowerShell, we bundle a helper function living in the repo at tools1 which can be invoked as follows:
C:\ProgramData\osquery
λ . 1 -install -startupArgs C:\ProgramData\osquery
If you'd rather use PowerShell to manually create the service, you can run:
λ New-Service -Name "osqueryd" -BinaryPathName "C:\ProgramData\osquery\osqueryd --flagfile=C:\ProgramData\osquery"
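As an added example that is not part of the osquery documentation or repository, the following PowerShell audits the two conditions set out above: that the daemon directory and its contents carry safe permissions, and that the osqueryd service runs as SYSTEM with --flagfile and full paths in its binary path. The default directory and service name are assumptions matching the layout described on this page.

```powershell
# Added example, not from the osquery docs or repository. It audits the two
# conditions listed above: (1) the daemon directory and everything in it are
# owned by Administrators or SYSTEM and grant no write-capable rights to any
# other identity; (2) the osqueryd service runs as SYSTEM and its binary path
# carries --flagfile with absolute paths. Default path/name are assumptions.
using namespace System.Security.AccessControl

function Test-SafeOsqueryPermissions {
    param([string]$Path = 'C:\ProgramData\osquery\osqueryd')
    $trusted = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    # Specific rights that allow tampering with the daemon, plus the generic
    # GENERIC_ALL / GENERIC_WRITE bits that inherit-only ACEs can carry.
    $writeMask = [int][FileSystemRights]'Write, Modify, FullControl, Delete, TakeOwnership, ChangePermissions'
    $writeMask = $writeMask -bor 0x10000000 -bor 0x40000000
    $safe = $true
    $items = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        if ($trusted -notcontains $acl.Owner) {
            Write-Warning "$($item.FullName): owned by '$($acl.Owner)', expected Administrators or SYSTEM"
            $safe = $false
        }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne [AccessControlType]::Allow) { continue }
            if (([int]$ace.FileSystemRights -band $writeMask) -ne 0 -and
                $trusted -notcontains $ace.IdentityReference.Value) {
                Write-Warning "$($item.FullName): '$($ace.IdentityReference)' can write ($($ace.FileSystemRights))"
                $safe = $false
            }
        }
    }
    return $safe
}

function Test-OsquerydServiceConfig {
    param([string]$Name = 'osqueryd')
    $svc = Get-CimInstance Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { Write-Warning "service '$Name' is not installed"; return $false }
    $ok = $true
    if ($svc.StartName -ne 'LocalSystem') { Write-Warning "runs as '$($svc.StartName)', not SYSTEM"; $ok = $false }
    if ($svc.PathName -notmatch '--flagfile=') { Write-Warning "binary path lacks --flagfile"; $ok = $false }
    # Expect full drive-letter paths for both the binary and the flag file
    if ([regex]::Matches($svc.PathName, '[A-Za-z]:\\[^\s"]+').Count -lt 2) {
        Write-Warning "expected absolute paths for binary and flag file: $($svc.PathName)"; $ok = $false
    }
    return $ok
}

Test-SafeOsqueryPermissions
Test-OsquerydServiceConfig
```

Run it from an elevated prompt after installation; each check prints a warning for every violation it finds and returns $false, so the output can be fed into a deployment or compliance pipeline.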