Hello I m trying to understand how the FIM works on windows

Question

Hello I m trying to understand how the FIM works on windows How works the journal cache on windows Are the files cached only at the start Let s say I m watching `C Users vagrant Documents ` and no file exists at the moment osquery starts If I create a file named `test txt` and a few minutes later I delete that file Will I get an event What if I also watch the folder and the folder exists previously What if I also watch the folder and the folder does not exists previously

Mike Myers · Answer

< yossarian> I know it has been a long time but would you recall answers to any of these questions

yossarian · Answer

the files should not be cached only at the start the cache is continually updated based on events

yossarian · Answer

i e if you monitor a directory and create a new file within it after starting osquery it should catch it

Daniel Bretón Suárez · Answer

< yossarian> thank you

Daniel Bretón Suárez · Answer

After some tests I think we have a bug of some kind around this I ve opened an issue <https github com osquery osquery issues 7642> If I misunderstood how it should work feel free to close it directly