system_info table reporting -1 as physical memory on Windows Server

Open Kunal5103 opened this issue 2 years ago • 9 comments

Bug report

What operating system and version are you using?

Windows Server

What version of osquery are you using?

osqueri 5.7.0

What steps did you take to reproduce the issue?

select physical_memory from system_info;

What did you expect to see?

actual ram value

What did you see instead?

-1

Jun 19 '23 07:06 Kunal5103

Hello @Kunal5103, would it be possible to:

Know which version of Windows Server
Know if this is bare metal or a VM. If a VM which virtualization software
Run the query via osqueryi enabling verbose mode with --verbose and posting the logs. The table should log a message like "Got error trying to determine the physically installed memory: "

Thank you!

Jun 19 '23 10:06 Smjert

Hi @Smjert this problem is coming on VMware Virtual Platform (windows server 2016 standard and windows server 2019 standard)

Jun 19 '23 12:06 Kunal5103

VMware Workstation Pro is the name of the virtualization software

what is the solution to this issue

Jun 19 '23 12:06 Kunal5103

Do I need to Enable any property?

Jun 19 '23 13:06 Kunal5103

Hi @Smjert

Awaiting for your response.

Jun 21 '23 03:06 Kunal5103

image_2023_06_21T10_25_17_685Z

Jun 21 '23 12:06 Kunal5103

I'm getting the issue today (5.12.1) on Virtualbox Windows Screenshot 2024-06-12 at 10 39 07 AM

Jun 12 '24 17:06 rjdunlap

Screenshot 2024-06-12 at 10 42 31 AM

Jun 12 '24 17:06 rjdunlap

This seems to be a limitation of the Windows API used more than a bug: https://github.com/osquery/osquery/blob/fae29d081af4998823571e0ecc6d4e0c5b8d52eb/osquery/tables/system/windows/system_info.cpp#L73-L87

It needs SMBIOS data; for Virtual Box make sure that's enabled. I found this, not sure if it's still relevant: https://forums.virtualbox.org/viewtopic.php?p=444280&sid=b9e63362892d3cd231ee833d4a619068#p444280

Jun 12 '24 18:06 Smjert