Does anyone know why osquery reports inflated numbers when querying physical_memory from system_info and size from logical_drives? Comparing the output of osquery and powershell, the osquery numbers are higher. For example, a disk is reporting 255GB of total size in Windows/Powershell but 274GB in osquery.

For the memory, it’s most likely because osquery uses an API to get the total amount of memory the RAM sticks will give you. Other APIs normally give you the available memory to the OS which is different (less) because, quoting from the MSDN docs, “The amount of memory available to the operating system can be less than the amount of memory physically installed in the computer because the BIOS and some drivers may reserve memory as I/O regions for memory-mapped devices”: https://docs.microsoft.com/en-us/windows/win32/api/sysinfoapi/nf-sysinfoapi-getphysicallyinstalledsystemmemory As for the disk size I’m not sure but we are using a WMI query to get it. I wonder if the disk you’re talking about is an SSD that has an Host Protected Area (HPA) which is seen by the WMI query but not the APIs used from powershell. Could you share the command that you’ve used?

On the RAM, osquery is reporting more RAM than I actually have installed on the physical machine. For example, I have 16GB of physical RAM installed but osquery is saying I have 17.18GB. The query is this for RAM:

SELECT hostname, cpu_type, cpu_brand, cpu_physical_cores, cpu_logical_cores, physical_memory FROM system_info;

For the disk space, I use this query:

SELECT device_id, ROUND(free_space * 10e-10) AS free_gb, ROUND(size * 10e-10) AS size_gb, boot_partition AS boot FROM logical_drives WHERE file_system = 'NTFS';

@Adam S For the disk size, what powershell command are you using to get the it?

Just, Get-Disk

Hrm. What osquery version? Somewhere around 4.8.0 I fixed the memory calculation. Previously, it had used a WMI query that got the amount available to the OS. (excludes the bios holdback) Now it's a fairly simple win32 api call:

if (GetPhysicallyInstalledSystemMemory(&physicallyInstallMemory)) {
    r["physical_memory"] = BIGINT(physicallyInstallMemory * 1024);

See https://github.com/osquery/osquery/pull/7028

Thanks for the response, I’m using version 5.0.1. So for example, on RAM, running the query that I posted above I’m getting this output for physical_memory 4294967296, which I’m understanding is bytes. Converting that to GB it’s 4.29GB which is more than the 4GB of RAM that’s installed. Windows is reporting 4.00GB of RAM.

Just to be sure, are you running osquery on a VM or a physical machine? Because, I'm using osquery inside a Windows VM via Linux KVM/qemu, and from its libvirt UI it clearly uses MiB for RAM and disk size is GiB, so it's the power of 2 variant, while obviously if they are the actual physical ram and disk, they use the power of 10 variation. But it's to say that the amount of bytes that shows seems correct to me; the WMI query is

Get-WmiObject -Query  select DeviceID, Description, FreeSpace, Size, FileSystem from Win32_LogicalDisk

, via powershell.

I’ve tried on both a VM and physical machine. Running the same query for RAM on a physical machine with 16GB of RAM and it’s reporting 17179869184 still.

That’s because RAM is sold in GiB even though they call it GB.

17179869184 is 16gb. This is a giga vs gibi thing. These are not SI powers of 10

Well I learn something new every day. Thank you guys for the explanation. I'll adjust my formulas.