Morning all, I know there have been issues submitted in the past for the ntfs_journal_events publisher, with regard to errors observed similar to:

ntfs_journal_events.cpp:323] Couldn't open C:\Users\teddoro\AppData\Local\Temporary Internet Files\ while building FRN set

In the case of the file path listed above, i believe the reason that this error occurred is because that path does not actually exist. I figured that osquery was trying to add the directory because the path was listed in my

file_paths

within config. However it does not! So that is odd behavior. Though "C:\\Users\\%\\AppData\\Local\\%" is listed in my config, and so logically osquery enumerates Local and monitors everything within, why would it try to add a directory that is not within local? How does it even know about the directory "Temporary Internet Files" ?

"file_paths": {
    "windows": [
      "C:\\Windows\\%",
      "C:\\Windows\\Temp\\%",
      "C:\\Windows\\System32\\drivers\\%",
      "C:\\Windows\\SysWOW64\\drivers\\%",
      "C:\\Windows\\System32\\Wbem\\%",
      "C:\\Windows\\SysWOW64\\Wbem\\%",
      "C:\\Windows\\System32\\WindowsPowerShell\\%",
      "C:\\Windows\\SysWOW64\\WindowsPowerShell\\%",
      "C:\\Windows\\Tasks\\%",
      "C:\\Windows\\System32\\Tasks\\%",
      "C:\\Windows\\AppPatch\\Custom\\%"
    ],
    "Users": [
      "C:\\Users\\%\\AppData\\Roaming\\%",
      "C:\\Users\\%\\AppData\\Local\\%",
      "C:\\Users\\%\\AppData\\Local\\Temp\\%",
      "C:\\Users\\%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\%",
      "C:\\Users\\%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\%",
      "C:\\Users\\%\\Default\\%"
    ]
  },
  "exclude_paths": {
    "windows": [
      "C:\\Windows\\system32\\DriverStore\\Temp\\%",
      "C:\\Windows\\system32\\wbem\\Performance\\%",
      "C:\\Windows\\System32\\Tasks\\Adobe Acrobat Update Task\\%",
      "C:\\Windows\\System32\\Tasks\\Adobe Flash Player Updater\\%",
      "C:\\Windows\\System32\\Tasks\\OfficeSoftwareProtectionPlatform\\SvcRestartTask\\%"
    ]
  }

I think the entry is there, the entry is hidden and a system protected file, if you enable hidden files and untick the “Hide protected operating system files” in the folder options of the Windows Explorer, you should see it. Or you should be able to see it via the osquery

file

table.

ahh okay