osquery-extensions
Thrift socket connection failures on Windows
Hi, I'm working on a Windows 10 Pro 1909 VM with OSQuery 4.3.0 and trailofbits extensions v1.2.
When I run osqueryi --extensions_require <trailofbits.ext.exe path> I get a lot of log messages:
Thrift: Wed May 20 12:50:54 2020 Client connected.
Wed May 20 12:50:54 2020 TPipe ::GetOverlappedResult errored GLE=errno = 109
Wed May 20 12:50:54 2020 TConnectedClient died: TPipe: GetOverlappedResult failed
and finally the loading fails with:
W0520 12:50:54.178596 5628 extensions.cpp:780] Required extension not found or not loaded: .\extensions\trailofbits_osquery_extensions.ext.exe
E0520 12:50:54.178596 5628 init.cpp:569] An error occured during extension manager startup: Required extension not found or not loaded: .\extensions\trailofbits_osquery_extensions.ext.exe
If I load the extension with osqueryi --extension <trailofbits.ext.exe path> those annoying log messages still continuously appear, but I can see and query the table windows_sync_objects. This is preventing me from programmatically querying the windows_sync_objects table without having to access the interactive shell... does anyone have hints about what's causing the issue and how to solve it?
Thanks.
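One way to query an extension table non-interactively while the pipe noise is still present, as an added example that is not part of the issue thread and not code from osquery or the trailofbits project. It assumes osqueryi.exe is on PATH (adjust $OsqueryExe otherwise), uses the extension path quoted in the report, and relies only on the real osqueryi flags --extension and --json and the built-in osquery_extensions table. The Thrift/glog status lines go to stderr, so capturing stderr separately keeps them out of the JSON parse and lets the script count them:

```powershell
# Added example (not from the thread). Assumed locations, adjust as needed.
$OsqueryExe    = 'osqueryi.exe'
$ExtensionPath = '.\extensions\trailofbits_osquery_extensions.ext.exe'

function Invoke-OsqueryJson {
    # Runs one SQL statement through osqueryi --json and returns the rows as
    # objects. stdout carries the JSON result; stderr carries glog/Thrift
    # status output, which is captured to its own file so it never corrupts
    # the JSON and so the GetOverlappedResult noise can be counted.
    param(
        [Parameter(Mandatory)][string]$Sql,
        [string]$Extension
    )
    $outFile = [System.IO.Path]::GetTempFileName()
    $errFile = [System.IO.Path]::GetTempFileName()
    try {
        $argList = @()
        if ($Extension) { $argList += "--extension `"$Extension`"" }
        $argList += '--json'
        $argList += "`"$Sql`""
        $proc = Start-Process -FilePath $OsqueryExe -ArgumentList $argList `
            -NoNewWindow -Wait -PassThru `
            -RedirectStandardOutput $outFile -RedirectStandardError $errFile
        $stdout   = Get-Content -Path $outFile -Raw -ErrorAction SilentlyContinue
        $stderr   = @(Get-Content -Path $errFile -ErrorAction SilentlyContinue)
        $exitCode = $proc.ExitCode
    } finally {
        Remove-Item -Path $outFile, $errFile -ErrorAction SilentlyContinue
    }

    # Count the pipe failures quoted in the report so callers can see how
    # noisy the run was without having to read stderr themselves.
    $pipeErrors = @($stderr | Where-Object { $_ -match 'GetOverlappedResult' }).Count

    $rows = @()
    if ($stdout -and $stdout.Trim()) {
        try { $rows = @($stdout | ConvertFrom-Json) }
        catch { Write-Warning "osqueryi output was not valid JSON: $($_.Exception.Message)" }
    }

    [pscustomobject]@{
        Rows       = $rows
        ExitCode   = $exitCode
        PipeErrors = $pipeErrors
        Stderr     = $stderr
    }
}

# 1. Confirm the extension actually registered with the extension manager
#    before depending on its tables (type 'core' is osqueryi itself).
$ext    = Invoke-OsqueryJson -Sql 'SELECT name, version, type FROM osquery_extensions;' -Extension $ExtensionPath
$loaded = @($ext.Rows | Where-Object { $_.type -eq 'extension' })
if ($loaded.Count -eq 0) {
    Write-Warning "No extension registered (exit $($ext.ExitCode), $($ext.PipeErrors) GetOverlappedResult errors on stderr)"
    $ext.Stderr | Select-Object -Last 5
    exit 1
}

# 2. Query the extension-provided table and hand clean objects to the caller.
$result = Invoke-OsqueryJson -Sql 'SELECT * FROM windows_sync_objects LIMIT 10;' -Extension $ExtensionPath
Write-Verbose "$($result.PipeErrors) Thrift pipe errors ignored on stderr"
$result.Rows | Format-Table -AutoSize
```

Each invocation spawns osqueryi and the extension afresh, so the registration check doubles the startup cost; drop step 1 once the run is known to be stable, or keep it as a health check in scheduled jobs so a silently missing extension is noticed rather than returning an empty result set.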
With Windows 10, osquery 4.5.1, we're also seeing the repeated log messages about GetOverlappedResult errored. @Smjert believes it is another manifestation of this bug in the osquery core: https://github.com/osquery/osquery/issues/6152
If so, a fix is needed in the osquery SDK, possibly around this part of the code: https://github.com/osquery/osquery/blob/224423fb7581b9e7c4d60e084065238a8601e246/osquery/extensions/impl_thrift.cpp#L420
This issue in the osquery repo seems related, so I've added to the discussion there to continue to track this until it gets solved: https://github.com/osquery/osquery/issues/6709#issuecomment-723374435