
Cannot run the osqueryi shell on Windows (works only after a reboot following installation)

Open polak785 opened this issue 2 years ago • 2 comments

Orbit version:

C:\Program Files\Orbit\bin\orbit\windows\stable>orbit.exe version
orbit 1.0.0
commit - 3838ae3a7e90c618ddf7c9b8677c944ed0624ac4
date - 2022-07-15T01:11:47Z

Operating system:

Windows 10
version 21H2

🧑‍💻  Expected behavior

I want to get a prompt from the osqueryi shell.

💥  Actual behavior

An unexpected exit happened.

C:\Program Files\Orbit\bin\orbit\windows\stable>orbit.exe osqueryi
{"level":"error","error":"remove \\\\.\\pipe\\orbit-osquery-extension: All pipe instances are busy.","time":"2022-07-28T10:05:51+02:00","message":"clean-up extension socket"}
{"level":"info","cmd":"C:\\Program Files\\Orbit\\bin\\osqueryd\\windows\\stable\\osqueryd.exe -S --pidfile=C:\\Program Files\\Orbit\\shell\\osquery.pid --database_path=C:\\Program Files\\Orbit\\shell\\osquery.db --extensions_socket=\\\\.\\pipe\\orbit-osquery-extension","time":"2022-07-28T10:05:51+02:00","message":"start osqueryd"}
Using a virtual database. Need help, type '.help'
osquery> {"level":"error","error":"status 1 deregistering extension: No extension UUID found","time":"2022-07-28T10:05:51+02:00","message":"unexpected exit"}
C:\Program Files\Orbit\bin\orbit\windows\stable>orbit.exe shell
{"level":"error","error":"remove \\\\.\\pipe\\orbit-osquery-extension: All pipe instances are busy.","time":"2022-07-28T10:06:16+02:00","message":"clean-up extension socket"}
{"level":"info","cmd":"C:\\Program Files\\Orbit\\bin\\osqueryd\\windows\\stable\\osqueryd.exe -S --pidfile=C:\\Program Files\\Orbit\\shell\\osquery.pid --database_path=C:\\Program Files\\Orbit\\shell\\osquery.db --extensions_socket=\\\\.\\pipe\\orbit-osquery-extension","time":"2022-07-28T10:06:16+02:00","message":"start osqueryd"}
Using a virtual database. Need help, type '.help'
osquery> {"level":"error","error":"status 1 deregistering extension: No extension UUID found","time":"2022-07-28T10:06:16+02:00","message":"unexpected exit"}

More info

- Fresh install of Windows 10; I didn't test on Windows 11 yet.
- Terminal is run as Administrator.
- Orbit/osquery runs successfully as an application.

polak785, Jul 28 '22 08:07

Ok, it works after a reboot.

C:\Program Files\Orbit\bin\orbit\windows\stable>orbit.exe shell
{"level":"error","error":"remove \\\\.\\pipe\\orbit-osquery-extension: All pipe instances are busy.","time":"2022-07-28T10:19:34+02:00","message":"clean-up extension socket"}
{"level":"info","cmd":"C:\\Program Files\\Orbit\\bin\\osqueryd\\windows\\stable\\osqueryd.exe -S --pidfile=C:\\Program Files\\Orbit\\shell\\osquery.pid --database_path=C:\\Program Files\\Orbit\\shell\\osquery.db --extensions_socket=\\\\.\\pipe\\orbit-osquery-extension","time":"2022-07-28T10:19:34+02:00","message":"start osqueryd"}
Using a virtual database. Need help, type '.help'
osquery>

I'll let you decide if there is something to fix or not ;)

polak785, Jul 28 '22 08:07

@polak785 Thanks for reporting this issue!

I was able to reproduce. It's sporadic.

Theory: The running orbit Windows Service might be using the same pipe as the orbit osqueryi invocation. It seems we might need to set a different pipe on Windows (that uses r.dataPath, similar to what we already do for Unix): https://github.com/fleetdm/fleet/blob/52e22014a9396ba5477d6e2cec2521c5fca1d948/orbit/pkg/osquery/osquery.go#L188-L197

lucasmrod, Jul 28 '22 14:07
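As an added illustration of the theory in the comment above (example code written for this page; it is not orbit's code and not the contents of the linked osquery.go): a hypothetical helper that derives the osquery extension socket from the data path on both platforms, so a service and an interactive shell with different data directories no longer share one Windows named pipe, plus a collision check that flags two configurations pointing at the same pipe. The function names, the hashing scheme and the sample paths are assumptions; the command-line shape follows the `start osqueryd` log lines in the report.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"path/filepath"
	"strings"
)

// join builds a path for the given target OS. Hypothetical helper so the
// example runs the same on any host; on Windows targets it joins with '\'.
func join(goos, dir, name string) string {
	if goos == "windows" {
		return strings.TrimRight(dir, `\/`) + `\` + name
	}
	return filepath.Join(dir, name)
}

// ExtensionSocketPath derives the osquery extension socket from the data
// directory (hypothetical, not orbit's own implementation).
//
// On Windows, osquery extension sockets are named pipes under \\.\pipe\, one
// machine-wide namespace: a service and a shell that both pass
// --extensions_socket=\\.\pipe\orbit-osquery-extension compete for the same
// pipe, which is what the "All pipe instances are busy" error shows. Mixing
// the data path into the pipe name keeps them apart. On Unix the socket is a
// file inside dataPath, so the directory already separates the two.
func ExtensionSocketPath(goos, dataPath string) string {
	if goos == "windows" {
		// Windows paths are case-insensitive; normalise before hashing so
		// "C:\Orbit" and "c:\orbit\" map to the same pipe name.
		key := strings.ToLower(strings.TrimRight(dataPath, `\/`))
		sum := sha256.Sum256([]byte(key))
		return `\\.\pipe\orbit-osquery-extension-` + hex.EncodeToString(sum[:8])
	}
	return join(goos, dataPath, "orbit-osquery.em")
}

// SameSocket reports whether two socket specifications would collide.
// Named pipe names are case-insensitive on Windows, so compare accordingly.
func SameSocket(goos, a, b string) bool {
	if goos == "windows" {
		return strings.EqualFold(a, b)
	}
	return filepath.Clean(a) == filepath.Clean(b)
}

// OsquerydArgs builds the osqueryd command line in the shape the orbit log
// lines show (-S selects the interactive shell).
func OsquerydArgs(goos, dataPath, socket string) []string {
	return []string{
		"-S",
		"--pidfile=" + join(goos, dataPath, "osquery.pid"),
		"--database_path=" + join(goos, dataPath, "osquery.db"),
		"--extensions_socket=" + socket,
	}
}

func main() {
	// Constructed sample paths mirroring the report: the service keeps its
	// data under the install root, the shell under a separate "shell" dir.
	service := ExtensionSocketPath("windows", `C:\Program Files\Orbit`)
	shell := ExtensionSocketPath("windows", `C:\Program Files\Orbit\shell`)
	fmt.Println("service pipe:", service)
	fmt.Println("shell pipe:  ", shell)
	fmt.Println("collide:", SameSocket("windows", service, shell))
	fmt.Println(strings.Join(OsquerydArgs("windows", `C:\Program Files\Orbit\shell`, shell), " "))
}
```

Hashing the normalised data path rather than appending it verbatim keeps the pipe name short and free of characters that are awkward in pipe names, while still being deterministic, so a restarted shell reconnects to the same pipe it used before.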

Reboot relief for users,
Smooth sailing for Fleet.
Safely in the clouds.

fleet-release, Feb 06 '23 16:02