seph

Results 369 comments of seph

Nosing around a little, I think this is because the osquery implementation looks for programs by enumerating some common [registry locations](https://github.com/osquery/osquery/blob/c4a321fc9be790a75cabd8d7b2107b6b67d830f3/osquery/tables/system/windows/programs.cpp#L95-L106):

- `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall`
- `HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall`
- `HKEY_USERS\%\Software\Microsoft\Windows\CurrentVersion\Uninstall`

But, it looks...

I _suspect_ we'll need to encode it. Can we use base64 and not hex?

Osquery [ships](https://osquery.readthedocs.io/en/stable/introduction/sql/) a `to_base64` and a `from_base64`.

Huh. So I guess ATC doesn't expose the osquery sql extensions. Naive question, when you did this without the hex, I assume it was a straight join. I'm wondering if...

James and I are revisiting this, and we think we need to rethink it to be less awkward.

This PR is in draft, because I think it needs a bunch more work. I don't think it'll be ready for 5.14.

IIRC, the way current operating systems handle sleep is that applications sometimes get some CPU cycles during sleep; sadly, the network is usually not operational in this time. This can...

I'm holding off on merging this for a couple reasons --

1. It sounds like [we could get this data](https://github.com/osquery/osquery/issues/8266#issuecomment-2584394755), so investigation there seems worthwhile
2. Mike's comments above

Osquery isn't very multithreaded -- there'll be one thread for distributed queries, and another thread for the scheduler. I don't think you should have multiple ones together. You should be...