Unpacking Software Livestream

Join our monthly Unpacking Software livestream to hear about the latest news, chat and opinion on packaging, software deployment and lifecycle management!

Learn More
Chocolatey Product Spotlight

Join the Chocolatey Team on our regular monthly stream where we put a spotlight on the most recent Chocolatey product releases. You'll have a chance to have your questions answered in a live Ask Me Anything format.

Learn More
Chocolatey Coding Livestream

Join us for the Chocolatey Coding Livestream, where members of our team dive into the heart of open source development by coding live on various Chocolatey projects. Tune in to witness real-time coding, ask questions, and gain insights into the world of package management. Don't miss this opportunity to engage with our team and contribute to the future of Chocolatey!

Learn More
Calling All Chocolatiers! Whipping Up Windows Automation with Chocolatey Central Management

Webinar from
Wednesday, 17 January 2024

We are delighted to announce the release of Chocolatey Central Management v0.12.0, featuring seamless Deployment Plan creation, time-saving duplications, insightful Group Details, an upgraded Dashboard, bug fixes, user interface polishing, and refined documentation. As an added bonus we'll have members of our Solutions Engineering team on-hand to dive into some interesting ways you can leverage the new features available!

Watch On-Demand
Chocolatey Community Coffee Break

Join the Chocolatey Team as we discuss all things Community, what we do, how you can get involved and answer your Chocolatey questions.

Watch The Replays
Chocolatey and Intune Overview

Webinar Replay from
Wednesday, 30 March 2022

At Chocolatey Software we strive for simple, and teaching others. Let us teach you just how simple it could be to keep your 3rd party applications updated across your devices, all with Intune!

Watch On-Demand
Chocolatey For Business. In Azure. In One Click.

Livestream from
Thursday, 9 June 2022

Join James and Josh to show you how you can get the Chocolatey For Business recommended infrastructure and workflow, created, in Azure, in around 20 minutes.

Watch On-Demand
The Future of Chocolatey CLI

Livestream from
Thursday, 04 August 2022

Join Paul and Gary to hear more about the plans for the Chocolatey CLI in the not so distant future. We'll talk about some cool new features, long term asks from Customers and Community and how you can get involved!

Watch On-Demand
Hacktoberfest Tuesdays 2022

Livestreams from
October 2022

For Hacktoberfest, Chocolatey ran a livestream every Tuesday! Re-watch Cory, James, Gary, and Rain as they share knowledge on how to contribute to open-source projects such as Chocolatey CLI.

Watch On-Demand

Downloads:

1,189,749

Downloads of v 4.9.0:

1,209

Last Update:

15 Sep 2021

Package Maintainer(s):

Software Author(s):

  • osquery

Tags:

infosec tools security

osquery

This is not the latest version of osquery available.

  • 1
  • 2
  • 3

4.9.0 | Updated: 15 Sep 2021

Downloads:

1,189,749

Downloads of v 4.9.0:

1,209

Maintainer(s):

Software Author(s):

  • osquery

Tags:

infosec tools security

osquery 4.9.0

This is not the latest version of osquery available.

  • 1
  • 2
  • 3

All Checks are Passing

3 Passing Tests

Validation Testing Passed

Verification Testing Passed

Details

Scan Testing Successful:

No detections found in any package files

Details
Learn More

Deployment Method: Individual Install, Upgrade, & Uninstall

To install osquery, run the following command from the command line or from PowerShell:

>

To upgrade osquery, run the following command from the command line or from PowerShell:

>

To uninstall osquery, run the following command from the command line or from PowerShell:

>

Deployment Method:

NOTE

This applies to both open source and commercial editions of Chocolatey.

1. Enter Your Internal Repository Url

(this should look similar to https://community.chocolatey.org/api/v2/)

2. Setup Your Environment

1. Ensure you are set for organizational deployment

Please see the organizational deployment guide

2. Get the package into your environment

  • Open Source or Commercial:
    • Proxy Repository - Create a proxy nuget repository on Nexus, Artifactory Pro, or a proxy Chocolatey repository on ProGet. Point your upstream to https://community.chocolatey.org/api/v2/. Packages cache on first access automatically. Make sure your choco clients are using your proxy repository as a source and NOT the default community repository. See source command for more information.
    • You can also just download the package and push it to a repository Download

3. Copy Your Script

choco upgrade osquery -y --source="'INTERNAL REPO URL'" --version="'4.9.0'" [other options]

See options you can pass to upgrade.

See best practices for scripting.

Add this to a PowerShell script or use a Batch script with tools and in places where you are calling directly to Chocolatey. If you are integrating, keep in mind enhanced exit codes.

If you do use a PowerShell script, use the following to ensure bad exit codes are shown as failures:


choco upgrade osquery -y --source="'INTERNAL REPO URL'" --version="'4.9.0'" 
$exitCode = $LASTEXITCODE

Write-Verbose "Exit code was $exitCode"
$validExitCodes = @(0, 1605, 1614, 1641, 3010)
if ($validExitCodes -contains $exitCode) {
  Exit 0
}

Exit $exitCode


- name: Install osquery
  win_chocolatey:
    name: osquery
    version: '4.9.0'
    source: INTERNAL REPO URL
    state: present

See docs at https://docs.ansible.com/ansible/latest/modules/win_chocolatey_module.html.


chocolatey_package 'osquery' do
  action    :install
  source   'INTERNAL REPO URL'
  version  '4.9.0'
end

See docs at https://docs.chef.io/resource_chocolatey_package.html.


cChocoPackageInstaller osquery
{
    Name     = "osquery"
    Version  = "4.9.0"
    Source   = "INTERNAL REPO URL"
}

Requires cChoco DSC Resource. See docs at https://github.com/chocolatey/cChoco.


package { 'osquery':
  ensure   => '4.9.0',
  provider => 'chocolatey',
  source   => 'INTERNAL REPO URL',
}

Requires Puppet Chocolatey Provider module. See docs at https://forge.puppet.com/puppetlabs/chocolatey.

4. If applicable - Chocolatey configuration/installation

See infrastructure management matrix for Chocolatey configuration elements and examples.

Package Approved

This package was approved as a trusted package on 15 Sep 2021.

Description

osquery allows you to easily ask questions about your Linux, macOS, and
Windows infrastructure. Whether your goal is intrusion detection,
infrastructure reliability, or compliance, osquery gives you the ability
to empower and inform a broad set of organizations within your company.

Package Parameters

* /InstallService - This creates a new windows service that will
auto-start the daemon.

These parameters can be passed to the installer with the use of
--params. For example: --params='/InstallService'.

certs\certs.pem
LICENSE.txt 
# License

By contributing to osquery you agree that your contributions will be licensed
under the terms of both the [LICENSE-Apache-2.0](LICENSE-Apache-2.0) and the
[LICENSE-GPL-2.0](LICENSE-GPL-2.0) files in the root of this source tree.

If you're using osquery you are free to choose one of the provided licenses.

`SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-only`
manage-osqueryd.ps1 
# Copyright (c) 2014-present, The osquery authors
#
# This source code is licensed as defined by the LICENSE file found in the
# root directory of this source tree.
#
# SPDX-License-Identifier: (Apache-2.0 OR GPL-2.0-only)

param(
  [string] $startupArgs = "",
  [switch] $install = $false,
  [switch] $uninstall = $false,
  
  [switch] $start = $false,
  [switch] $stop = $false,
  
  [switch] $help = $false,
  [switch] $debug = $false,

  [switch] $installWelManifest = $false,
  [switch] $uninstallWelManifest = $false,
  [string] $welManifestPath = (Join-Path $PSScriptRoot "osquery.man")
)

$kServiceName = "osqueryd"
$kServiceDescription = "osquery daemon service"
$kServiceBinaryPath = Resolve-Path ([System.IO.Path]::Combine($PSScriptRoot, '..', 'osquery', 'osqueryd', 'osqueryd.exe'))

# Adapted from http://www.jonathanmedd.net/2014/01/testing-for-admin-privileges-in-powershell.html
function Test-IsAdmin {
  return ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(
    [Security.Principal.WindowsBuiltInRole] "Administrator"
  )
}

function Do-Help {
  $programName = (Get-Item $PSCommandPath ).Name
  
  Write-Host "Usage: $programName (-install|-uninstall|-start|-stop|-help)" -foregroundcolor Yellow
  Write-Host ""
  Write-Host "  Only one of the following options can be used. Using multiple will result in "
  Write-Host "  options being ignored."
  Write-Host "    -install                  Install the osqueryd service"
  Write-Host "    -startupArgs              Specifies additional arguments for the service (only used with -install)"
  Write-Host "    -uninstall                Uninstall the osqueryd service"
  Write-Host "    -start                    Start the osqueryd service"
  Write-Host "    -stop                     Stop the osqueryd service"
  Write-Host "    -installWelManifest       Installs the Windows Event Log manifest"
  Write-Host "    -uninstallWelManifest     Uninstalls the Windows Event Log manifest"
  Write-Host "    -welManifestPath <path>   The Windows Event Log manifest path"
  Write-Host ""
  Write-Host "    -help                     Shows this help screen"
  
  Exit 1
}

function Do-Service {
  if (-not (Test-Path $kServiceBinaryPath)) {
    Write-Host "'$kServiceBinaryPath' is not a valid file. Did you build the osquery daemon?" -foregroundcolor Red
    Exit -1
  }
  
  $osquerydService = Get-WmiObject -Class Win32_Service -Filter "Name='$kServiceName'"
  
  if ($install) {
    if ($osquerydService) {
      Write-Host "'$kServiceName' is already installed." -foregroundcolor Yellow
      Exit 1
    } else {
      New-Service -BinaryPathName "$kServiceBinaryPath $startupArgs" `
                  -Name $kServiceName `
                  -DisplayName $kServiceName `
                  -Description $kServiceDescription `
                  -StartupType Automatic
      Write-Host "Installed '$kServiceName' system service." -foregroundcolor Cyan
      Exit 0
    }
  } elseif ($uninstall) {
    if ($osquerydService) {
      Stop-Service $kServiceName
      
      Write-Host "Found '$kServiceName', stopping the system service..."
      
      Start-Sleep -s 5
      
      Write-Host "System service should be stopped."
      
      $osquerydService.Delete()
      Write-Host "System service '$kServiceName' uninstalled." -foregroundcolor Cyan
      
      Exit 0
    } else {
      Write-Host "'$kServiceName' is not an installed system service." -foregroundcolor Yellow
      Exit 1
    }
  } elseif ($start) {
    if ($osquerydService) {
      Start-Service $kServiceName
      Write-Host "'$kServiceName' system service is started." -foregroundcolor Cyan
    } else {
      Write-Host "'$kServiceName' is not an installed system service." -foregroundcolor Yellow
      Exit 1
    }
  } elseif ($stop) {
    if ($osquerydService) {
      Stop-Service $kServiceName
      Write-Host "'$kServiceName' system service is stopped." -foregroundcolor Cyan
    } else {
      Write-Host "'$kServiceName' is not an installed system service." -foregroundcolor Yellow
      Exit 1      
    }
  } elseif ($installWelManifest) {
    if (-not (Test-Path $welManifestPath)) {
      Write-Host "[-] Failed to find the osquery Event Log manifest file! ($welManifestPath)" -ForegroundColor Red
      Exit 1
    }

    wevtutil im $welManifestPath
    if ($?) {
      Write-Host "The Windows Event Log manifest has been successfully installed." -foregroundcolor Cyan
    } else {
      Write-Host "Failed to install the Windows Event Log manifest." -foregroundcolor Yellow
    }
  } elseif ($uninstallWelManifest) {
    if (-not (Test-Path $welManifestPath)) {
      Write-Host "[-] Failed to find the osquery Event Log manifest file! ($welManifestPath)" -ForegroundColor Red
      Exit 1
    }

    wevtutil um $welManifestPath
    if ($?) {
      Write-Host "The Windows Event Log manifest has been successfully uninstalled." -foregroundcolor Cyan
    } else {
      Write-Host "Failed to uninstall the Windows Event Log manifest." -foregroundcolor Yellow
    }
  } else {
    Write-Host "Invalid state: this should not exist!" -foregroundcolor Red
    Exit -1
  }
}

function Main {
  if (-not (Test-IsAdmin)) {
    Write-Host "Please run this script with Admin privileges!" -foregroundcolor Red
    Exit -1
  }
  
  if ($help) {
    Do-Help
  } elseif ($debug) {
    $osquerydExists = Test-Path $kServiceBinaryPath
    
    Write-Host "Service Information" -foregroundcolor Cyan
    Write-Host "  kServiceName       = '$kServiceName'" -foregroundcolor Cyan
    Write-Host "  kServiceBinaryPath = '$kServiceBinaryPath'" -foregroundcolor Cyan
    Write-Host "             +exists = $osquerydExists" -foregroundcolor Cyan
    
    Exit 0
  } elseif (($install.ToBool() + $uninstall.ToBool() + $start.ToBool() + $stop.ToBool() + $installWelManifest.ToBool() + $uninstallWelManifest.ToBool()) -Eq 1) {
    # The above is a dirty method of determining if only one of the following booleans are true.
    Do-Service
  } else {
    Write-Host "Invalid option selected: please see -help for usage details." -foregroundcolor Red
    Exit -1
  }
}

$null = Main
osquery.conf 
{
  // Configure the daemon below:
  "options": {
    // Select the osquery config plugin.
    "config_plugin": "filesystem",

    // Select the osquery logging plugin.
    "logger_plugin": "filesystem",

    // The log directory stores info, warning, and errors.
    // If the daemon uses the 'filesystem' logging retriever then the log_dir
    // will also contain the query results.
    //"logger_path": "/var/log/osquery",

    // Set 'disable_logging' to true to prevent writing any info, warning, error
    // logs. If a logging plugin is selected it will still write query results.
    //"disable_logging": "false",

    // Splay the scheduled interval for queries.
    // This is very helpful to prevent system performance impact when scheduling
    // large numbers of queries that run a smaller or similar intervals.
    //"schedule_splay_percent": "10",

    // A filesystem path for disk-based backing storage used for events and
    // query results differentials. See also 'use_in_memory_database'.
    //"database_path": "/var/osquery/osquery.db",

    // Comma-delimited list of table names to be disabled.
    // This allows osquery to be launched without certain tables.
    //"disable_tables": "foo_bar,time",

    // Comma-delimited list of table names to be enabled.
    // This allows osquery to be launched with certain tables only.
    //"enable_tables": "foo_bar,time",

    "utc": "true"
  },

  // Define a schedule of queries:
  "schedule": {
    // This is a simple example query that outputs basic system information.
    "system_info": {
      // The exact query to run.
      "query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;",
      // The interval in seconds to run this query, not an exact interval.
      "interval": 3600
    }
  },

  // Decorators are normal queries that append data to every query.
  "decorators": {
    "load": [
      "SELECT uuid AS host_uuid FROM system_info;",
      "SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;"
    ]
  },

  // Add default osquery packs or install your own.
  //
  // There are several 'default' packs installed with 'make install' or via
  // packages and/or Homebrew.
  //
  // Linux:        /usr/share/osquery/packs
  // OS X:         /var/osquery/packs
  // Homebrew:     /usr/local/share/osquery/packs
  // make install: {PREFIX}/share/osquery/packs
  //
  "packs": {
    // "osquery-monitoring": "/usr/share/osquery/packs/osquery-monitoring.conf",
    // "incident-response": "/usr/share/osquery/packs/incident-response.conf",
    // "it-compliance": "/usr/share/osquery/packs/it-compliance.conf",
    // "osx-attacks": "/usr/share/osquery/packs/osx-attacks.conf",
    // "vuln-management": "/usr/share/osquery/packs/vuln-management.conf",
    // "hardware-monitoring": "/usr/share/osquery/packs/hardware-monitoring.conf",
    // "ossec-rootkit": "/usr/share/osquery/packs/ossec-rootkit.conf",
    // "windows-hardening": "C:\\Program Files\\osquery\\packs\\windows-hardening.conf",
    // "windows-attacks": "C:\\Program Files\\osquery\\packs\\windows-attacks.conf"
  },

  // Provides feature vectors for osquery to leverage in simple statistical 
  // analysis of results data. 
  //
  // Currently this configuration is only used by Windows in the Powershell
  // Events table, wherein character_frequencies is a list of doubles 
  // representing the aggregate occurrence of character values in Powershell 
  // Scripts. A default configuration is provided which was adapated from 
  // Lee Holmes cobbr project: 
  // https://gist.github.com/cobbr/acbe5cc7a186726d4e309070187beee6
  // 
  "feature_vectors": {
    "character_frequencies": [
      0.0,      0.0,      0.0,      0.0,       0.0,      0.0,      0.0,
      0.0,      0.0,      0.0,      0.0,       0.0,      0.0,      0.0,
      0.0,      0.0,      0.0,      0.0,       0.0,      0.0,      0.0,
      0.0,      0.0,      0.0,      0.0,       0.0,      0.0,      0.0,
      0.0,      0.0,      0.0,      0.0,       0.0,      0.00045,  0.01798,
      0.0,      0.03111,  0.00063,  0.00027,   0.0,      0.01336,  0.0133,
      0.00128,  0.0027,   0.00655,  0.01932,   0.01917,  0.00432,  0.0045,
      0.00316,  0.00245,  0.00133,  0.001029,  0.00114,  0.000869, 0.00067,
      0.000759, 0.00061,  0.00483,  0.0023,    0.00185,  0.01342,  0.00196,
      0.00035,  0.00092,  0.027875, 0.007465,  0.016265, 0.013995, 0.0490895,
      0.00848,  0.00771,  0.00737,  0.025615,  0.001725, 0.002265, 0.017875,
      0.016005, 0.02533,  0.025295, 0.014375,  0.00109,  0.02732,  0.02658,
      0.037355, 0.011575, 0.00451,  0.005865,  0.003255, 0.005965, 0.00077,
      0.00621,  0.00222,  0.0062,   0.0,       0.00538,  0.00122,  0.027875,
      0.007465, 0.016265, 0.013995, 0.0490895, 0.00848,  0.00771,  0.00737,
      0.025615, 0.001725, 0.002265, 0.017875,  0.016005, 0.02533,  0.025295,
      0.014375, 0.00109,  0.02732,  0.02658,   0.037355, 0.011575, 0.00451,
      0.005865, 0.003255, 0.005965, 0.00077,   0.00771,  0.002379, 0.00766,
      0.0,      0.0,      0.0,      0.0,       0.0,      0.0,      0.0,
      0.0,      0.0,      0.0,      0.0,       0.0,      0.0,      0.0,
      0.0,      0.0,      0.0,      0.0,       0.0,      0.0,      0.0,
      0.0,      0.0,      0.0,      0.0,       0.0,      0.0,      0.0,
      0.0,      0.0,      0.0,      0.0,       0.0,      0.0,      0.0,
      0.0,      0.0,      0.0,      0.0,       0.0,      0.0,      0.0,
      0.0,      0.0,      0.0,      0.0,       0.0,      0.0,      0.0,
      0.0,      0.0,      0.0,      0.0,       0.0,      0.0,      0.0,
      0.0,      0.0,      0.0,      0.0,       0.0,      0.0,      0.0,
      0.0,      0.0,      0.0,      0.0,       0.0,      0.0,      0.0,
      0.0,      0.0,      0.0,      0.0,       0.0,      0.0,      0.0,
      0.0,      0.0,      0.0,      0.0,       0.0,      0.0,      0.0,
      0.0,      0.0,      0.0,      0.0,       0.0,      0.0,      0.0,
      0.0,      0.0,      0.0,      0.0,       0.0,      0.0,      0.0,
      0.0,      0.0,      0.0,      0.0,       0.0,      0.0,      0.0,
      0.0,      0.0,      0.0,      0.0,       0.0,      0.0,      0.0,
      0.0,      0.0,      0.0,      0.0,       0.0,      0.0,      0.0,
      0.0,      0.0,      0.0,      0.0,       0.0,      0.0,      0.0,
      0.0,      0.0,      0.0
    ]
  }    
}
osquery.flags
osquery.man
osquery.png
osqueryd\osqueryd.exe 
md5: FF18B2A93DB6DF4FCDBC5F8614ED3DF7 | sha1: 81BBCD4DEFDB82176B12E461B0A3AA563C86EFB6 | sha256: B1E50B4D033351C48FD9E5CB356C0171CC02CD8B2DCDAE37EF41969A4F107C5B | sha512: 9C02B49FA0467C5069D68B89DCEB932B81FFB00F8358297ABB830D09111B3806A50B6C14078DE245197954F55A3A66584DB96D309DFDD0B24F9EDDE98958ACCD
osqueryi.exe 
md5: 6910754D8EA5094D52CCE3A045F69020 | sha1: FB577FB3B959C3D1E7C3E798A67D37156BBFFD2D | sha256: C92435D906D52EADD61B8C8D25E104F0DB01CF0BA36A6C799C8F480999FD65B9 | sha512: 3E9C0EFE9978271BFCB4E6E2A82DAE51433F8702E4CF6BCFBE77D3B735A77B07B5789C2FD3CEF7EF1A4BA2D78D6327BF78DFA08F97EF6B522594B27F0716AADD
osquery_utils.ps1 
# Copyright (c) 2014-present, The osquery authors
#
# This source code is licensed as defined by the LICENSE file found in the
# root directory of this source tree.
#
# SPDX-License-Identifier: (Apache-2.0 OR GPL-2.0-only)

# Force Powershell to use TLS 1.2
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12

# The osquery installation happens in Program Files
$progFiles =  [System.Environment]::GetEnvironmentVariable('ProgramFiles')
$targetFolder = Join-Path $progFiles 'osquery'

# Maintain the daemon and extension folders for "safe" permissions management
$daemonFolder = Join-Path $targetFolder 'osqueryd'
$extensionsFolder = Join-Path $targetFolder 'extensions'
$logFolder = Join-Path $targetFolder 'log'

# Maintain the binary paths for creating the system service and extraction
$targetDaemonBin = Join-Path $targetFolder "osqueryd.exe"
$destDaemonBin = Join-Path $daemonFolder "osqueryd.exe"

# Meta data for the system service installation
$serviceName = 'osqueryd'
$serviceDescription = 'osquery daemon service'

# Track the old installation paths for removal
$progData = [System.Environment]::GetEnvironmentVariable('ProgramData')
$legacyInstall = Join-Path $progData "osquery"

# Helper function to add an explicit Deny-Write ACE for the Everyone group
function Set-DenyWriteAcl {
  [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = "Medium")]
  [OutputType('System.Boolean')]
  param(
    [string] $targetDir = '',
    [string] $action = ''
  )
  if (($action -ine 'Add') -and ($action -ine 'Remove')) {
    Write-Debug '[-] Invalid action in Set-DenyWriteAcl.'
    return $false
  }
  if ($PSCmdlet.ShouldProcess($targetDir)) {
    $acl = Get-Acl $targetDir
    $inheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
    $propagationFlag = [System.Security.AccessControl.PropagationFlags]::None
    $permType = [System.Security.AccessControl.AccessControlType]::Deny

    $worldSIDObj = New-Object System.Security.Principal.SecurityIdentifier ('S-1-1-0')
    $worldUser = $worldSIDObj.Translate([System.Security.Principal.NTAccount])
    $permission = $worldUser.Value, "write", $inheritanceFlag, $propagationFlag, $permType
    $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
    # We only support adding or removing the ACL
    if ($action -ieq 'add') {
      $acl.SetAccessRule($accessRule)
    } else {
      $acl.RemoveAccessRule($accessRule)
    }
    Set-Acl $targetDir $acl
    return $true
  }
  return $false
}

# A helper function to set "safe" permissions for osquery binaries
function Set-SafePermissions {
  [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = "Medium")]
  [OutputType('System.Boolean')]
  param(
    [string] $target = ''
  )
  if ($PSCmdlet.ShouldProcess($target)) {
    $acl = Get-Acl $target

    # First, to ensure success, we remove the entirety of the ACL
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($access in $acl.Access) {
      $acl.RemoveAccessRule($access)
    }
    Set-Acl $target $acl

    $acl = Get-Acl $target
    $inheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
    $propagationFlag = [System.Security.AccessControl.PropagationFlags]::None
    $permType = [System.Security.AccessControl.AccessControlType]::Allow

    # "Safe" permissions in osquery entail the containing folder and binary both
    # are owned by the Administrators group, as well as no account has Write
    # permissions except for the Administrators group and SYSTEM account
    $systemSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-18')
    $systemUser = $systemSid.Translate([System.Security.Principal.NTAccount])

    $adminsSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')
    $adminsGroup = $adminsSid.Translate([System.Security.Principal.NTAccount])

    $usersSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-545')
    $usersGroup = $usersSid.Translate([System.Security.Principal.NTAccount])

    $permGroups = @($systemUser, $adminsGroup, $usersGroup)
    foreach ($accnt in $permGroups) {
      $grantedPerm = ''
      if ($accnt -eq $usersGroup) {
        $grantedPerm = 'ReadAndExecute'
      } else {
        $grantedPerm = 'FullControl'
      }
      $permission = $accnt.Value, $grantedPerm, $inheritanceFlag, $propagationFlag, $permType
      $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
      $acl.SetAccessRule($accessRule)
    }
    $acl.SetOwner($adminsGroup)
    Set-Acl $target $acl

    # Finally set the Administrators group as the owner for all items
    $items = Get-ChildItem -Recurse -Path $target
    foreach ($item in $items) {
      $acl = Get-Acl -Path $item.FullName
      $acl.SetOwner($adminsGroup)
      Set-Acl $item.FullName $acl
    }

    return $true
  }
  return $false
}

# Helper function for running a .bat file from powershell
function Invoke-BatchFile {
  param(
    [string]$path,
    [string]$parameters
  )
  $tempFile = [IO.Path]::GetTempFileName()
  cmd.exe /c " `"$path`" $parameters && set > `"$tempFile`" "
  Get-Content $tempFile | Foreach-Object {
    if ($_ -match '^(.*?)=(.*)$') {
      Set-Content "env:\$($matches[1])" $matches[2]
    }
  }
  Remove-Item $tempFile
}

# Constructs a chocolatey .nuspec file in the current directory
function Write-NuSpec {
  param(
    [string] $packageName,
    [string] $version,
    [string] $authors,
    [string] $owners,
    [string] $projectSource,
    [string] $packageSourceUrl,
    [string] $copyright,
    [string] $license
  )
  $nuspec = @"
<?xml version="1.0" encoding="utf-8"?>
<!-- Do not remove this test for UTF-8: if “Ω” doesn’t appear as greek uppercase omega letter enclosed in quotation marks, you should use an editor that supports UTF-8, not this one. -->
<package xmlns="http://schemas.microsoft.com/packaging/2015/06/nuspec.xsd">
  <metadata>
    <id>$packageName</id>
    <title>$packageName</title>
    <version>$version</version>
    <authors>$authors</authors>
    <owners>$owners</owners>
    <summary>$packageName</summary>
    <description>$packageName</description>
    <projectUrl>$projectSource</projectUrl>
    <packageSourceUrl>$packageSourceUrl</packageSourceUrl>
    <tags>$packageName</tags>
    <copyright>$copyright</copyright>
    <licenseUrl>$license</licenseUrl>
    <requireLicenseAcceptance>false</requireLicenseAcceptance>
  </metadata>
  <files>
    <file src="local\**" target="local" />
  </files>
</package>
"@
  Out-File -Encoding "UTF8" -FilePath "$packageName.nuspec" -InputObject $nuspec
}

# Derive the location of the osquery build location
function Get-OsqueryBuildPath {
  [OutputType('System.String')]
  param()
  $loc = Get-Location
  $toks = $loc -Split '\\'
  $ret = ''
  0..$toks.length | ForEach-Object {
    if (Test-Path "$($toks[0..$_] -Join '\')\tools\provision.ps1") {
      $ret = "$($toks[0..$_] -Join '\')\build"
    }
  }
  return $ret
}

# Helper function to add to the SYSTEM path
function Add-ToSystemPath {
  param(
    [string] $targetFolder = ''
  )

  $oldPath = [System.Environment]::GetEnvironmentVariable('Path', 'Machine')
  if (-not ($oldPath -imatch [regex]::escape($targetFolder))) {
    $newPath = $oldPath
    if ($oldPath[-1] -eq ';') {
      $newPath = $newPath + $targetFolder
    } else {
      $newPath = $newPath + ';' + $targetFolder
    }
    [System.Environment]::SetEnvironmentVariable('Path', $newPath, 'Machine')
  }
}

# A helper function for starting and waiting on processes in powershell
function Start-OsqueryProcess {
  param(
    [string] $binaryPath = '',
    [array] $binaryArgs = @(),
    [bool] $redirectOutput = $true
  )
  $pinfo = New-Object System.Diagnostics.ProcessStartInfo
  $pinfo.FileName = $binaryPath
  $pinfo.RedirectStandardError = $redirectOutput
  $pinfo.RedirectStandardOutput = $redirectOutput
  $pinfo.UseShellExecute = $false
  $pinfo.Arguments = $binaryArgs
  $pinfo.WorkingDirectory = Get-Location
  $p = New-Object System.Diagnostics.Process
  $p.StartInfo = $pinfo
  $p.Start()
  $p.WaitForExit()

  if ($redirectOutput) {
    $stdout = $p.StandardOutput.ReadToEnd()
    $stderr = $p.StandardError.ReadToEnd()
    $exit = $p.ExitCode
    [PSCustomObject] @{
      stdout = $stdout
      stderr = $stderr
      exitcode = $exit
    }
  } else {
    $exit = $p.ExitCode
    [PSCustomObject] @{
      exitcode = $exit
    }
  }
}

# A helper function to derive the latest VS install
function Get-VSInfo {

  # Attempt to make use of vswhere to derive the build tools scripts
  $vswhere = (Get-Command 'vswhere').Source
  $vswhereArgs = @('-latest', '-legacy')
  $vswhereOut = (Start-OsqueryProcess $vswhere $vswhereArgs).stdout
  $vsinfo = New-Object -TypeName psobject
  $vsinfo | Add-Member -MemberType NoteProperty -Name version -Value ''
  $vsinfo | Add-Member -MemberType NoteProperty -Name location -Value ''
  foreach ($l in $vswhereOut.split([environment]::NewLine)) {
    $toks = $l.split(":")
    if ($toks.Length -lt 2) {
      continue
    }
    if ($toks[0].trim() -like 'installationVersion') {
      $vsinfo.version = $toks[1].Split(".")[0]
    }
    if ($toks[0].trim() -like 'installationPath') {
      $vsinfo.location = [System.String]::Join(":", $toks[1..$toks.Length])
    }
  }
  $vsinfo.location = $vsinfo.location.trim()
  $vsinfo.version = $vsinfo.version.trim()
  return $vsinfo
}

# A helper function to derive the latest VS install and call vcvarsall.bat
function Invoke-VcVarsAll {
  $vsinfo = Get-VSInfo
  $vsLoc = $vsinfo.location
  $vsVersion = $vsinfo.version

  if ($vsLoc -ne '') {
    $vcvarsall = Join-Path $vsLoc 'VC'
    if ($vsVersion -eq '15') {
      $vcvarsall = Join-Path $vcvarsall '\Auxiliary\Build\vcvarsall.bat'
    } else {
      $vcvarsall = Join-Path $vcvarsall 'vcvarsall.bat'
    }

    # Lastly invoke the environment provisioning script
    $null = Invoke-BatchFile "$vcvarsall" "amd64"
    return $true
  }

  # As a last ditch effort, attempt to find the env variables set by VS2015
  # in order to derive the location of vcvarsall
  $vsComnTools = [environment]::GetEnvironmentVariable("VS140COMNTOOLS")
  if ($vsComnTools -eq '') {
    return $false
  }
  $vcvarsall = Resolve-Path $(Join-Path "$vsComnTools" "..\..\VC")
  $vcvarsall = Join-Path $vcvarsall 'vcvarsall.bat'
  $null = Invoke-BatchFile "$vcvarsall" "amd64"
  return $true
}
tools\chocolateyBeforeModify.ps1 
# Copyright (c) 2014-present, The osquery authors
#
# This source code is licensed as defined by the LICENSE file found in the
# root directory of this source tree.
#
# SPDX-License-Identifier: (Apache-2.0 OR GPL-2.0-only)

# This library file contains constant definitions and helper functions

#Requires -Version 3.0

. (Join-Path "$PSScriptRoot" "osquery_utils.ps1")

# Ensure the service is stopped and processes are not running if exists.
if ((Get-Service $serviceName -ErrorAction SilentlyContinue) -and `
  (Get-Service $serviceName).Status -eq 'Running') {
  Stop-Service $serviceName
  # If we find zombie processes, ensure they're termintated
  $proc = Get-Process | Where-Object { $_.ProcessName -eq 'osqueryd' }
  if ($null -ne $proc) {
    Stop-Process -Force $proc -ErrorAction SilentlyContinue
  }
}

# Lastly, ensure that the Deny Write ACLs have been removed before modifying
if (Test-Path $daemonFolder) {
  Set-DenyWriteAcl $daemonFolder 'Remove'
}
if (Test-Path $extensionsFolder) {
  Set-DenyWriteAcl $extensionsFolder 'Remove'
}
tools\chocolateyinstall.ps1 
# Copyright (c) 2014-present, The osquery authors
#
# This source code is licensed as defined by the LICENSE file found in the
# root directory of this source tree.
#
# SPDX-License-Identifier: (Apache-2.0 OR GPL-2.0-only)

# This library file contains constant definitions and helper functions

#Requires -Version 3.0

. (Join-Path "$PSScriptRoot" "osquery_utils.ps1")

$packageParameters = $env:chocolateyPackageParameters
$arguments = @{}

# Ensure the service is stopped and processes are not running if exists.
$svc = Get-WmiObject -ClassName Win32_Service -Filter "Name='osqueryd'"
if ($svc -and $svc.State -eq 'Running') {
  Stop-Service $serviceName
  # If we find zombie processes, ensure they're termintated
  $proc = Get-Process | Where-Object { $_.ProcessName -eq 'osqueryd' }
  if ($null -ne $proc) {
    Stop-Process -Force $proc -ErrorAction SilentlyContinue
  }
  
  # If the service was installed using the legacy path in ProgramData, remove
  # it and allow the service creation below to fix it up.
  if ([regex]::escape($svc.PathName) -like [regex]::escape("${legacyInstall}*")) {
    Get-CimInstance -ClassName Win32_Service -Filter "Name='osqueryd'" |
    Invoke-CimMethod -MethodName Delete
  }
}

# Lastly, ensure that the Deny Write ACLs have been removed before modifying
if (Test-Path $daemonFolder) {
  Set-DenyWriteAcl $daemonFolder 'Remove'
}
if (Test-Path $extensionsFolder) {
  Set-DenyWriteAcl $extensionsFolder 'Remove'
}

# Now parse the packageParameters using good old regular expression
if ($packageParameters) {
  $match_pattern = "\/(?<option>([a-zA-Z]+)):(?<value>([`"'])?([a-zA-Z0-9- _\\:\.]+)([`"'])?)|\/(?<option>([a-zA-Z]+))"
  $option_name = 'option'
  $value_name = 'value'

  if ($packageParameters -match $match_pattern ) {
    $results = $packageParameters | Select-String $match_pattern -AllMatches
    $results.matches | ForEach-Object {
      $arguments.Add(
        $_.Groups[$option_name].Value.Trim(),
        $_.Groups[$value_name].Value.Trim())
    }
  } else {
    Throw "Package Parameters were found but were invalid (REGEX Failure)"
  }
  if ($arguments.ContainsKey("InstallService")) {
    $installService = $true
  }
} else {
  Write-Debug "No Package Parameters Passed in"
}

# Install the package

# Create a log directory in case one doesn't already exist
New-Item -Force -Type directory -Path $logFolder

# Grab the primary folders
$packageRoot = (Join-Path "$PSScriptRoot" "..")
Copy-Item -Force -Recurse (Join-Path "$packageRoot" "certs") $targetFolder
Copy-Item -Force -Recurse (Join-Path "$packageRoot" "osqueryd") $targetFolder

# Grab the individual files
Copy-Item -Force (Join-Path "$packageRoot" "manage-osqueryd.ps1") $targetFolder
Copy-Item -Force (Join-Path "$packageRoot" "osquery.man") $targetFolder
Copy-Item -Force (Join-Path "$PSScriptRoot" "osquery_utils.ps1") $targetFolder
Copy-Item -Force (Join-Path "$packageRoot" "osqueryi.exe") $targetFolder

# We intentionally do not replace configuration and flags files from previous
# installations, as these often dictate the osquery configuration and may not
# change through upgrades.
$currConf = (Join-Path "$targetFolder" "osquery.conf")
if (-not (Test-Path $currConf)) {
  Copy-Item -Force (Join-Path "$packageRoot" "osquery.conf") $targetFolder
}
$currFlags = (Join-Path "$targetFolder" "osquery.flags")
if (-not (Test-Path $currFlags)) {
  Copy-Item -Force (Join-Path "$packageRoot" "osquery.flags") $targetFolder
}

# The osquery daemon requires no low privileged users have write access to run
Set-SafePermissions $daemonFolder

if ($installService) {
  if (-not (Get-Service $serviceName -ErrorAction SilentlyContinue)) {
    Write-Debug 'Installing osquery daemon service.'
    # If the 'install' parameter is passed, we create a Windows service with
    # the flag file in the default location, 'C:\Program Files\osquery'
    $cmd = '"{0}" --flagfile="{1}\osquery.flags"' -f $destDaemonBin, $targetFolder

    $svcArgs = @{
      Name = $serviceName
      BinaryPathName = $cmd
      DisplayName = $serviceName
      Description = $serviceDescription
      StartupType = "Automatic"
    }
    New-Service @svcArgs

    # If the osquery.flags file doesn't exist, we create a blank one.
    if (-not (Test-Path "$targetFolder\osquery.flags")) {
      Add-Content "$targetFolder\osquery.flags" $null
    }
  }
  Start-Service $serviceName
}

# Add osquery binary path to machines path for ease of use.
Install-ChocolateyPath $targetFolder -PathType 'Machine'
tools\chocolateyuninstall.ps1 
# Copyright (c) 2014-present, The osquery authors
#
# This source code is licensed as defined by the LICENSE file found in the
# root directory of this source tree.
#
# SPDX-License-Identifier: (Apache-2.0 OR GPL-2.0-only)

# This library file contains constant definitions and helper functions

#Requires -Version 3.0

. (Join-Path "$PSScriptRoot" "osquery_utils.ps1")

# Remove the osquery path from the System PATH variable. Note: Here
# we don't make use of our local vars, as Regex requires escaping the '\'
$oldPath = [System.Environment]::GetEnvironmentVariable('Path', 'Machine')
if ($oldPath -imatch [regex]::escape($targetFolder)) {
  $newPath = $oldPath -replace [regex]::escape($targetFolder), $NULL
  [System.Environment]::SetEnvironmentVariable('Path', $newPath, 'Machine')
}

if ((Get-Service $serviceName -ErrorAction SilentlyContinue)) {
  Stop-Service $serviceName

  # If we find zombie processes, ensure they're termintated
  $proc = Get-Process | Where-Object { $_.ProcessName -eq 'osqueryd' }
  if ($null -ne $proc) {
    Stop-Process -Force $proc -ErrorAction SilentlyContinue
  }

  Set-Service $serviceName -startuptype 'manual'
  Get-CimInstance -ClassName Win32_Service -Filter "Name='osqueryd'" | Invoke-CimMethod -methodName Delete
}

if (Test-Path $targetFolder) {
  Remove-Item -Force -Recurse $targetFolder
} else {
  Write-Debug 'osquery was not found on the system. Nothing to do.'
}
tools\osquery_utils.ps1 
# Copyright (c) 2014-present, The osquery authors
#
# This source code is licensed as defined by the LICENSE file found in the
# root directory of this source tree.
#
# SPDX-License-Identifier: (Apache-2.0 OR GPL-2.0-only)

# Force Powershell to use TLS 1.2
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12

# The osquery installation happens in Program Files
$progFiles =  [System.Environment]::GetEnvironmentVariable('ProgramFiles')
$targetFolder = Join-Path $progFiles 'osquery'

# Maintain the daemon and extension folders for "safe" permissions management
$daemonFolder = Join-Path $targetFolder 'osqueryd'
$extensionsFolder = Join-Path $targetFolder 'extensions'
$logFolder = Join-Path $targetFolder 'log'

# Maintain the binary paths for creating the system service and extraction
$targetDaemonBin = Join-Path $targetFolder "osqueryd.exe"
$destDaemonBin = Join-Path $daemonFolder "osqueryd.exe"

# Meta data for the system service installation
$serviceName = 'osqueryd'
$serviceDescription = 'osquery daemon service'

# Track the old installation paths for removal
$progData = [System.Environment]::GetEnvironmentVariable('ProgramData')
$legacyInstall = Join-Path $progData "osquery"

# Helper function to add an explicit Deny-Write ACE for the Everyone group
function Set-DenyWriteAcl {
  [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = "Medium")]
  [OutputType('System.Boolean')]
  param(
    [string] $targetDir = '',
    [string] $action = ''
  )
  if (($action -ine 'Add') -and ($action -ine 'Remove')) {
    Write-Debug '[-] Invalid action in Set-DenyWriteAcl.'
    return $false
  }
  if ($PSCmdlet.ShouldProcess($targetDir)) {
    $acl = Get-Acl $targetDir
    $inheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
    $propagationFlag = [System.Security.AccessControl.PropagationFlags]::None
    $permType = [System.Security.AccessControl.AccessControlType]::Deny

    $worldSIDObj = New-Object System.Security.Principal.SecurityIdentifier ('S-1-1-0')
    $worldUser = $worldSIDObj.Translate([System.Security.Principal.NTAccount])
    $permission = $worldUser.Value, "write", $inheritanceFlag, $propagationFlag, $permType
    $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
    # We only support adding or removing the ACL
    if ($action -ieq 'add') {
      $acl.SetAccessRule($accessRule)
    } else {
      $acl.RemoveAccessRule($accessRule)
    }
    Set-Acl $targetDir $acl
    return $true
  }
  return $false
}

# A helper function to set "safe" permissions for osquery binaries
function Set-SafePermissions {
  [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = "Medium")]
  [OutputType('System.Boolean')]
  param(
    [string] $target = ''
  )
  if ($PSCmdlet.ShouldProcess($target)) {
    $acl = Get-Acl $target

    # First, to ensure success, we remove the entirety of the ACL
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($access in $acl.Access) {
      $acl.RemoveAccessRule($access)
    }
    Set-Acl $target $acl

    $acl = Get-Acl $target
    $inheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
    $propagationFlag = [System.Security.AccessControl.PropagationFlags]::None
    $permType = [System.Security.AccessControl.AccessControlType]::Allow

    # "Safe" permissions in osquery entail the containing folder and binary both
    # are owned by the Administrators group, as well as no account has Write
    # permissions except for the Administrators group and SYSTEM account
    $systemSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-18')
    $systemUser = $systemSid.Translate([System.Security.Principal.NTAccount])

    $adminsSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')
    $adminsGroup = $adminsSid.Translate([System.Security.Principal.NTAccount])

    $usersSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-545')
    $usersGroup = $usersSid.Translate([System.Security.Principal.NTAccount])

    $permGroups = @($systemUser, $adminsGroup, $usersGroup)
    foreach ($accnt in $permGroups) {
      $grantedPerm = ''
      if ($accnt -eq $usersGroup) {
        $grantedPerm = 'ReadAndExecute'
      } else {
        $grantedPerm = 'FullControl'
      }
      $permission = $accnt.Value, $grantedPerm, $inheritanceFlag, $propagationFlag, $permType
      $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
      $acl.SetAccessRule($accessRule)
    }
    $acl.SetOwner($adminsGroup)
    Set-Acl $target $acl

    # Finally set the Administrators group as the owner for all items
    $items = Get-ChildItem -Recurse -Path $target
    foreach ($item in $items) {
      $acl = Get-Acl -Path $item.FullName
      $acl.SetOwner($adminsGroup)
      Set-Acl $item.FullName $acl
    }

    return $true
  }
  return $false
}

# Helper function for running a .bat file from powershell
function Invoke-BatchFile {
  param(
    [string]$path,
    [string]$parameters
  )
  $tempFile = [IO.Path]::GetTempFileName()
  cmd.exe /c " `"$path`" $parameters && set > `"$tempFile`" "
  Get-Content $tempFile | Foreach-Object {
    if ($_ -match '^(.*?)=(.*)$') {
      Set-Content "env:\$($matches[1])" $matches[2]
    }
  }
  Remove-Item $tempFile
}

# Constructs a chocolatey .nuspec file in the current directory
function Write-NuSpec {
  param(
    [string] $packageName,
    [string] $version,
    [string] $authors,
    [string] $owners,
    [string] $projectSource,
    [string] $packageSourceUrl,
    [string] $copyright,
    [string] $license
  )
  $nuspec = @"
<?xml version="1.0" encoding="utf-8"?>
<!-- Do not remove this test for UTF-8: if “Ω” doesn’t appear as greek uppercase omega letter enclosed in quotation marks, you should use an editor that supports UTF-8, not this one. -->
<package xmlns="http://schemas.microsoft.com/packaging/2015/06/nuspec.xsd">
  <metadata>
    <id>$packageName</id>
    <title>$packageName</title>
    <version>$version</version>
    <authors>$authors</authors>
    <owners>$owners</owners>
    <summary>$packageName</summary>
    <description>$packageName</description>
    <projectUrl>$projectSource</projectUrl>
    <packageSourceUrl>$packageSourceUrl</packageSourceUrl>
    <tags>$packageName</tags>
    <copyright>$copyright</copyright>
    <licenseUrl>$license</licenseUrl>
    <requireLicenseAcceptance>false</requireLicenseAcceptance>
  </metadata>
  <files>
    <file src="local\**" target="local" />
  </files>
</package>
"@
  Out-File -Encoding "UTF8" -FilePath "$packageName.nuspec" -InputObject $nuspec
}

# Derive the location of the osquery build location
function Get-OsqueryBuildPath {
  [OutputType('System.String')]
  param()
  $loc = Get-Location
  $toks = $loc -Split '\\'
  $ret = ''
  0..$toks.length | ForEach-Object {
    if (Test-Path "$($toks[0..$_] -Join '\')\tools\provision.ps1") {
      $ret = "$($toks[0..$_] -Join '\')\build"
    }
  }
  return $ret
}

# Helper function to add to the SYSTEM path
function Add-ToSystemPath {
  param(
    [string] $targetFolder = ''
  )

  $oldPath = [System.Environment]::GetEnvironmentVariable('Path', 'Machine')
  if (-not ($oldPath -imatch [regex]::escape($targetFolder))) {
    $newPath = $oldPath
    if ($oldPath[-1] -eq ';') {
      $newPath = $newPath + $targetFolder
    } else {
      $newPath = $newPath + ';' + $targetFolder
    }
    [System.Environment]::SetEnvironmentVariable('Path', $newPath, 'Machine')
  }
}

# A helper function for starting and waiting on processes in powershell
function Start-OsqueryProcess {
  param(
    [string] $binaryPath = '',
    [array] $binaryArgs = @(),
    [bool] $redirectOutput = $true
  )
  $pinfo = New-Object System.Diagnostics.ProcessStartInfo
  $pinfo.FileName = $binaryPath
  $pinfo.RedirectStandardError = $redirectOutput
  $pinfo.RedirectStandardOutput = $redirectOutput
  $pinfo.UseShellExecute = $false
  $pinfo.Arguments = $binaryArgs
  $pinfo.WorkingDirectory = Get-Location
  $p = New-Object System.Diagnostics.Process
  $p.StartInfo = $pinfo
  $p.Start()
  $p.WaitForExit()

  if ($redirectOutput) {
    $stdout = $p.StandardOutput.ReadToEnd()
    $stderr = $p.StandardError.ReadToEnd()
    $exit = $p.ExitCode
    [PSCustomObject] @{
      stdout = $stdout
      stderr = $stderr
      exitcode = $exit
    }
  } else {
    $exit = $p.ExitCode
    [PSCustomObject] @{
      exitcode = $exit
    }
  }
}

# A helper function to derive the latest VS install
function Get-VSInfo {

  # Attempt to make use of vswhere to derive the build tools scripts
  $vswhere = (Get-Command 'vswhere').Source
  $vswhereArgs = @('-latest', '-legacy')
  $vswhereOut = (Start-OsqueryProcess $vswhere $vswhereArgs).stdout
  $vsinfo = New-Object -TypeName psobject
  $vsinfo | Add-Member -MemberType NoteProperty -Name version -Value ''
  $vsinfo | Add-Member -MemberType NoteProperty -Name location -Value ''
  foreach ($l in $vswhereOut.split([environment]::NewLine)) {
    $toks = $l.split(":")
    if ($toks.Length -lt 2) {
      continue
    }
    if ($toks[0].trim() -like 'installationVersion') {
      $vsinfo.version = $toks[1].Split(".")[0]
    }
    if ($toks[0].trim() -like 'installationPath') {
      $vsinfo.location = [System.String]::Join(":", $toks[1..$toks.Length])
    }
  }
  $vsinfo.location = $vsinfo.location.trim()
  $vsinfo.version = $vsinfo.version.trim()
  return $vsinfo
}

# A helper function to derive the latest VS install and call vcvarsall.bat
function Invoke-VcVarsAll {
  $vsinfo = Get-VSInfo
  $vsLoc = $vsinfo.location
  $vsVersion = $vsinfo.version

  if ($vsLoc -ne '') {
    $vcvarsall = Join-Path $vsLoc 'VC'
    if ($vsVersion -eq '15') {
      $vcvarsall = Join-Path $vcvarsall '\Auxiliary\Build\vcvarsall.bat'
    } else {
      $vcvarsall = Join-Path $vcvarsall 'vcvarsall.bat'
    }

    # Lastly invoke the environment provisioning script
    $null = Invoke-BatchFile "$vcvarsall" "amd64"
    return $true
  }

  # As a last ditch effort, attempt to find the env variables set by VS2015
  # in order to derive the location of vcvarsall
  $vsComnTools = [environment]::GetEnvironmentVariable("VS140COMNTOOLS")
  if ($vsComnTools -eq '') {
    return $false
  }
  $vcvarsall = Resolve-Path $(Join-Path "$vsComnTools" "..\..\VC")
  $vcvarsall = Join-Path $vcvarsall 'vcvarsall.bat'
  $null = Invoke-BatchFile "$vcvarsall" "amd64"
  return $true
}
VERIFICATION.txt 
VERIFICATION

Verification is intended to assist the Chocolatey moderators and community
in verifying that this package's contents are trustworthy.

Package can be verified like this:

  - Check that the file signing certificate is valid:
  ```
  PS C:\\Users\\thor> Get-AuthenticodeSignature 'C:\\Program Files\\osquery\\osqueryd\\osqueryd.exe'
    Directory: C:\\Program Files\\osquery\\osqueryd

    SignerCertificate                         Status          Path
    -----------------                         ------          ----
    EEA3330A4F0FAC86A3FE01F1E7D72E7A9808AC86  Valid           osqueryd.exe
  ```

  - Check that the file hash of the osqueryd.exe binary is correct:
  ```
  PS C:\\Users\\thor> (Get-FileHash -Algorithm sha256 'C:\\Program Files\\osquery\\osqueryd\\osqueryd.exe').Hash
  ```

  - Alternatively pull the MSI package from https://osquery.io and verify the osqueryd.exe hashes match

Log in or click on link to see number of positives.

In cases where actual malware is found, the packages are subject to removal. Software sometimes has false positives. Moderators do not necessarily validate the safety of the underlying software, only that a package retrieves software from the official distribution point and/or validate embedded software against official distribution point (where distribution rights allow redistribution).

Chocolatey Pro provides runtime protection from possible malware.

Add to Builder Version Downloads Last Updated Status
osquery 5.11.0 37123 Thursday, January 25, 2024 Approved
osquery 5.10.2 190 Thursday, January 25, 2024 Approved
osquery 5.9.1 39 Thursday, January 25, 2024 Approved
osquery 5.8.2 116579 Friday, May 12, 2023 Approved
osquery 5.7.0 22936 Tuesday, March 28, 2023 Approved
osquery 5.6.0 549 Tuesday, March 28, 2023 Approved
osquery 5.5.1 46029 Saturday, January 7, 2023 Approved
osquery 5.4.0 95088 Thursday, September 8, 2022 Approved
osquery 5.3.0 878 Thursday, September 8, 2022 Approved
osquery 5.2.3 265 Thursday, September 8, 2022 Approved
osquery 5.2.2 144646 Tuesday, March 15, 2022 Approved
osquery 5.2.1 40067 Tuesday, January 25, 2022 Approved
osquery 5.2.0 17291 Thursday, January 6, 2022 Approved
osquery 5.1.0 322 Thursday, January 6, 2022 Approved
osquery 5.0.1 122432 Thursday, September 16, 2021 Approved
osquery 4.9.0 1209 Wednesday, September 15, 2021 Approved
osquery 4.8.0 32287 Monday, May 3, 2021 Approved
osquery 4.7.0 4231 Tuesday, April 20, 2021 Approved
osquery 4.6.0.2 16230 Friday, February 12, 2021 Approved
osquery 4.5.1 20313 Monday, November 9, 2020 Approved
osquery 4.5.0 10261 Thursday, October 1, 2020 Approved
osquery 4.4.0 13110 Friday, July 31, 2020 Approved
osquery 4.3.0 20983 Saturday, May 9, 2020 Approved
osquery 4.2.0 29316 Tuesday, February 25, 2020 Approved
osquery 4.0.2 58610 Friday, September 13, 2019 Approved
osquery 4.0.1 598 Wednesday, September 11, 2019 Approved
osquery 3.4.0 9878 Thursday, May 23, 2019 Approved
osquery 3.3.2 120391 Monday, January 28, 2019 Approved
osquery 3.3.1 43667 Tuesday, October 2, 2018 Approved
osquery 3.3.0 3339 Monday, August 20, 2018 Approved
osquery 3.2.9 74810 Monday, July 2, 2018 Approved
osquery 3.2.6 52855 Monday, July 2, 2018 Approved
osquery 3.2.4 3134 Friday, May 4, 2018 Approved
osquery 2.11.2 5771 Monday, February 5, 2018 Approved
osquery 2.11.0 2078 Friday, January 12, 2018 Approved
osquery 2.10.4 1892 Sunday, December 3, 2017 Approved
osquery 2.10.2 1148 Thursday, November 16, 2017 Approved
osquery 2.9.0 2550 Friday, October 20, 2017 Approved
osquery 2.8.0 1396 Wednesday, September 27, 2017 Approved
osquery 2.7.0 1507 Wednesday, August 23, 2017 Approved
osquery 2.6.1 953 Sunday, August 6, 2017 Approved
osquery 2.6.0 662 Friday, July 28, 2017 Approved
osquery 2.5.0 4677 Tuesday, June 20, 2017 Approved
osquery 2.4.2 1486 Tuesday, May 9, 2017 Approved
osquery 2.4.0 886 Saturday, April 15, 2017 Approved
osquery 2.3.2 1562 Thursday, February 16, 2017 Approved
osquery 2.2.1 836 Thursday, December 22, 2016 Approved
osquery 2.2.1-gd6630be 484 Tuesday, December 27, 2016 Exempted
osquery 2.2.0 533 Tuesday, December 13, 2016 Approved
osquery 2.1.1 706 Thursday, November 3, 2016 Approved
osquery 2.0.0 763 Tuesday, October 11, 2016 Approved

This package has no dependencies.

Discussion for the osquery Package

Ground Rules:

  • This discussion is only about osquery and the osquery package. If you have feedback for Chocolatey, please contact the Google Group.
  • This discussion will carry over multiple versions. If you have a comment about a particular version, please note that in your comments.
  • The maintainers of this Chocolatey Package will be notified about new comments that are posted to this Disqus thread, however, it is NOT a guarantee that you will get a response. If you do not hear back from the maintainers after posting a message below, please follow up by using the link on the left side of this page or follow this link to contact maintainers. If you still hear nothing back, please follow the package triage process.
  • Tell us what you love about the package or osquery, or tell us what needs improvement.
  • Share your experiences with the package, or extra configuration or gotchas that you've found.
  • If you use a url, the comment will be flagged for moderation until you've been whitelisted. Disqus moderated comments are approved on a weekly schedule if not sooner. It could take between 1-5 days for your comment to show up.
comments powered by Disqus