Is the Windows.Forensics.LocalHashes.Usn artifact broken?


Daniel D'Angeli

Jan 24, 2025, 8:26:04 PM
to velociraptor-discuss
Hi,

I added Windows.Forensics.LocalHashes.Usn to client monitoring and the logs have this event:
Screenshot 2025-01-24 165705.png

As per documentation, watch_usn has only one argument, the Device, but the Windows.Forensics.LocalHashes.Usn artifact provides two:
Screenshot 2025-01-24 165805.png

Does this break the artifact? Because I am not seeing any events even without suppression enabled.

Regards,
Daniel D.

Mike Cohen

Jan 24, 2025, 8:36:16 PM
to Daniel D'Angeli, velociraptor-discuss
What version are you using?

The current version does not use the accessor parameter to the watch_usn() plugin since it is not possible to watch a usn file with any other accessor anyway. That artifact does not have the accessor parameter in the current version.

You can test the watch_usn plugin like this:

velociraptor-v0.73.3-windows-amd64.exe query "SELECT * FROM watch_usn(device='c:')" -v

You should see a log like this:
[INFO] 2025-01-24T17:35:09-08:00 Registering USN log watcher for \\.\C: with handle 1 and frequency 30 seconds

You should start receiving events after 30 seconds.

Thanks
Mike

Mike Cohen
Digital Paleontologist,
Velocidex Enterprises
mi...@velocidex.com


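The single-argument form of watch_usn() that Mike describes, packaged as a minimal client event artifact so it can be enabled in Client Monitoring and checked for the "Registering USN log watcher" log line. This is an added example, not code from the thread or from the Velociraptor project; the artifact name, the Device parameter and its default are assumptions.

```yaml
# Added example (not from the thread or the Velociraptor project):
# a minimal client event artifact that calls watch_usn() with only the
# device argument, matching the single-parameter form described above.
# The artifact name and the Device parameter are assumptions.
name: Custom.Example.UsnWatch
description: |
  Watch the USN journal on one volume and forward each change record
  to the server. Used to confirm that watch_usn() delivers events
  before layering a more complex artifact on top of it.
type: CLIENT_EVENT

parameters:
  - name: Device
    default: "C:"
    description: Volume whose USN journal should be watched.

sources:
  - query: |
      -- Only device is passed: the current plugin has no accessor parameter.
      SELECT * FROM watch_usn(device=Device)
```

Load it as a custom artifact, add it to the client event table, and watch the client log for the "Registering USN log watcher" line; if that line appears but no rows arrive after the 30-second polling interval, the problem is upstream of the artifact (the plugin or the volume), not the artifact's argument list.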

Daniel D'Angeli

Jan 27, 2025, 4:40:36 AM
to velociraptor-discuss
Hi,

I've deployed version 0.73.3 on both the server and agent side. Maybe I need to update the artifact somehow?

Regards,
Daniel D.

Mike Cohen

Jan 27, 2025, 4:55:28 AM
to Daniel D'Angeli, velociraptor-discuss
Try to disable the event query and then re-enable it. You should see the new VQL being picked up by the client.

Daniel D'Angeli

Jan 27, 2025, 10:06:05 AM
to velociraptor-discuss
Hi,

I've double-checked the version and it is the latest release available as a package on GitHub:

Screenshot 2025-01-27 160100.png

Looking at the GitHub repository though, I noticed that the latest commit for that specific artifact was made on Nov 21st, 2024, where the artifact has the correct arg configuration for the watch_usn() function, whereas the build time for the package I've deployed is Nov 4th, 2024.

Maybe v0.73.3 of the server has an older artifact? Is there a method to upgrade it?

Thanks for your continuous support,
Daniel D.

Mike Cohen

Jan 27, 2025, 3:21:20 PM
to Daniel D'Angeli, velociraptor-discuss
Yeah, it's probably worth testing the latest head build.

You get one of those by following the "getting the latest version" section in the readme file.
