Channels
#windows
Title
# windows
s
Stefano Bonicatti
04/04/2022, 10:50 AMDo you know how it was deployed then? Maybe an administrative install was used?
What is the version of the old agent?
Do you still have the osquery service?
o
Ojas
04/04/2022, 10:50 AM4.8.0 is the version
it was installed with admin privs when host was setup at the very begninng
its running with osqueryd service
s
Stefano Bonicatti
04/04/2022, 10:52 AMWith administrative install I mean something like
msiexec /A osquery-4.8.0.msiOtherwise I'm not sure why it's not in the list of Add/Remove programs.. in any case, you can also remove it manually if there's no reference of it.
From an admin powershell you can
Copy code
Stop-Service -Name osqueryd
Remove-Service -Name osqueryd👀 1
🙌 1
The installer beyond adding a reference to the Add/Remove programs, adding a service and installing the files, doesn't do anything else.
o
Ojas
04/04/2022, 11:08 AMHey thanks for your input i am gonna try to stop the service and remove the folder one.
s
Stefano Bonicatti
04/04/2022, 11:08 AMTo be specific, among the configs, remember that there's also the osquery database which may contain the node identifier if it was enrolled into a fleet manager
You maybe want to carry that over too, so that it's already enrolled and depending on what you've selected as identifier, it doesn't regenerate
There's something I still don't understand though. osquery 4.8.0 MSI should install under
C:\Program Files\osqueryseparate in what way?
o
Ojas
04/04/2022, 11:41 AMSeparate as in i see both the osquery agents there 5.2 and 4.8
s
Stefano Bonicatti
04/04/2022, 11:42 AMCould you clarify where "there" is?
o
Ojas
04/04/2022, 11:48 AMThere as in installed on the machine. If i see installed apps/services on my host it shows both osquery agents
s
Stefano Bonicatti
04/04/2022, 11:48 AMHow are you verifying that?
o
Ojas
04/04/2022, 11:49 AMi can see the device on osquery
and in apps installed it shows both agents
6 Views