Windows.Detection.Usn not reporting anything?


Xavier Mertens

Aug 29, 2022, 1:00:22 PM8/29/22
to velociraptor-discuss
Hello *,

How do I debug this?

I have a "Windows.Detection.Usn" client_event script linked to a label.
This label is applied to many clients, but I don't get any event!?

Params are set to:
Drive: C:\\
PathRegex: \.(pf|exe|ps1|bat)$

Any idea about what could go wrong? (It worked a few weeks ago)

/x

Mike Cohen

Aug 29, 2022, 9:46:35 PM8/29/22
to Xavier Mertens, velociraptor-discuss
Thanks for reporting this - the query event logs indicate a problem with the VQL:

watch_usn: Unexpected arg accessor

The watch_usn plugin used to take an accessor but now does not (because it has to use the ntfs accessor - there is no other option).

You can fix the artifact by just removing the accessor in the plugin call; save it under a different name and collect that one.

Thanks
Mike

Mike Cohen 
Digital Paleontologist, 
Velocidex Enterprises
mi...@velocidex.com 
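The fix Mike describes, written out as an added example (not the project's own artifact definition and not code from the thread): a copy of the client event artifact with the accessor argument dropped from the watch_usn() call. The parameter names Drive and PathRegex and their values come from the thread; the device= argument is the documented argument of watch_usn(); the artifact name Custom.Windows.Detection.Usn and the FullPath column used in the WHERE clause are assumptions.

```yaml
# Added example, not the built-in artifact. It is saved under a new name so
# the built-in Windows.Detection.Usn stays untouched; the label-based client
# event definition is then pointed at this copy instead.
name: Custom.Windows.Detection.Usn
description: |
  Watch the USN journal on one drive and emit an event for every
  change whose full path matches PathRegex.
type: CLIENT_EVENT

parameters:
  - name: Drive
    default: "C:\\"
  - name: PathRegex
    default: \.(pf|exe|ps1|bat)$

sources:
  - query: |
      -- Before (rejected on current builds with "Unexpected arg accessor"):
      --   SELECT * FROM watch_usn(device=Drive, accessor="ntfs")
      -- After: watch_usn() always uses the ntfs accessor, so the
      -- accessor argument is simply dropped.
      SELECT * FROM watch_usn(device=Drive)
      WHERE FullPath =~ PathRegex   -- FullPath column name is assumed
```

When a client event artifact silently stops producing rows, the first place to look is the query event log for that artifact on the client: a VQL error such as the "Unexpected arg accessor" message above is reported there rather than in the event stream, which is why the monitoring appeared to produce nothing at all.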



Mike Cohen

Aug 30, 2022, 12:52:56 AM8/30/22
to Xavier Mertens, velociraptor-discuss
Looking more into this I think it's a real bug.

Xavier Mertens

Aug 30, 2022, 2:46:58 AM8/30/22
to Mike Cohen, velociraptor-discuss
Tx Mike!
I also saw your bug report on GitHub.
In the meantime, I'm applying your recommendation below; let's see how it goes!

/x

Mike Cohen

Aug 30, 2022, 4:15:24 AM8/30/22
to Xavier Mertens, velociraptor-discuss
You should be able to test the fix with the latest CI build.

Thanks
Mike