1

It turns out that OSQuery cannot query the CURRENT_USER hives. As a workaround, it is recommended to use a specific user's SID and then query the users table or HKEY_USERS.

But I can't find any examples of someone actually implementing this workaround. My question is, can someone point me or help me do this?

My current idea is to grab the SID from logged_in_users but I'm not sure if I'm making the assumption that the user that installed the OSQuery will be the only one logged in?

My WIP queries:

-- take this query
SELECT sid FROM logged_in_users;

-- and get all this user's registry entries
-- (the SID is spliced into the key with SQL's || concatenation rather than shell $(...) syntax;
-- osquery's registry table needs the hive name, HKEY_USERS, as the first path component)
SELECT * FROM registry
WHERE key LIKE 'HKEY_USERS\' || (SELECT sid FROM logged_in_users LIMIT 1) || '\%';
Andrew Zick
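One way to do the HKEY_USERS workaround from the question, as an added example that is not part of the original post or osquery's own documentation: instead of pulling the SID out and splicing it into a second query, join the SID-bearing table directly against `registry` and let osquery evaluate the per-user key for every row. It assumes osquery on Windows with the standard `logged_in_users` (column `sid`) and `users` (column `uuid`, which holds the SID on Windows) tables; the Run key path is only an illustrative target, and no assumption is made that a single user is logged in.

```sql
-- Added example (not the poster's or osquery's code). osquery runs as SYSTEM,
-- so it has no HKEY_CURRENT_USER of its own; the per-user hive is reached as
-- HKEY_USERS\<SID>\... instead. Backslashes are literal in SQLite strings.

-- 1. Every interactive user currently logged in, whichever user that is,
--    joined to that user's own Run key under HKEY_USERS.
SELECT DISTINCT
  u.user,
  u.sid,
  r.name,
  r.type,
  r.data
FROM logged_in_users AS u
JOIN registry AS r
  ON r.key = 'HKEY_USERS\' || u.sid || '\Software\Microsoft\Windows\CurrentVersion\Run'
WHERE u.sid != '';

-- 2. The same check for every local account that has a profile, using the
--    users table (uuid = SID on Windows) rather than who is logged in now.
--    Accounts whose hive is not loaded simply produce no registry rows.
SELECT
  u.username,
  u.uuid AS sid,
  r.name,
  r.data
FROM users AS u
JOIN registry AS r
  ON r.key = 'HKEY_USERS\' || u.uuid || '\Software\Microsoft\Windows\CurrentVersion\Run'
WHERE u.uuid LIKE 'S-1-5-21-%';
```

The join works because `key` is a required constraint on `registry`: osquery receives the value computed from the outer row for each user, so the query returns rows for all logged-in (or all profiled) users at once, which sidesteps the "is the installer the only one logged in" assumption entirely. Swap the Run path for whatever per-user key the check actually needs.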

1 Answer

0

I'm not sure I understand this question.

Osquery generally runs as a system service, not as a user service. Why would you assume that the logged in user was the one who installed it?

And what does this have to do with the registry?

The question in the title is "how to tell what user installed osquery". As far as I know, osquery does not record that data anywhere. I do not know whether or not Windows (or msi tooling) records it for you.

seph
  • "Osquery generally runs as a system service, not as a user service." Ah, because I don't know any better. The registry part is because I'm using osquery to look for some values for the currently logged-in user, if it's the same user that installed osquery. As for your answer to the actual question: darn. – Andrew Zick Sep 28 '22 at 03:45
  • The Kolide Launcher installer adds some functionality to their MSI to record the user who installs it. But that is a larger product that uses osquery. Not really the same. – seph Sep 30 '22 at 23:57