Hi fellows, when I run my extension without Administrator privileges I get this error, which I expect, cos' the pipe was opened by an elevated process:

Unable to connect to \\.\pipe\osquery.em with uds_windows::UnixStream: Os { code: 10013, kind: PermissionDenied, message: "An attempt was made to access a socket in a way forbidden by its access permissions." }

But when I execute with Admin user or as the user guide explains to manually load an extension it cannot connect to the socket with this error:

Unable to connect to \\.\pipe\osquery.em with uds_windows::UnixStream: Os { code: 10061, kind: ConnectionRefused, message: "No connection could be made because the target machine actively refused it." }

I just checked the flags to include the path and name of the socket and enable the extension loading:

--extensions_socket=\\.\pipe\osquery.em
--disable_extensions=false

I compiled the extension, moved it to the installed folder of osquery (

c:\Programs Files\osquery

) as

myshinny.ext.exe

and executed like this without success:

.\osqueryi.exe --allow-unsafe --extension myshinny.ext.exe

Then I tried to create a Extension folder, move the extensions inside it and apply the

icacls.exe

commands listed on the osquery's extension guide but again with no success. I'm trying to update the (https://github.com/zacbrown/osquery-rs) to support windows through (https://github.com/haraldh/rust_uds_windows/)

It could be a file permissions issue on the extension: https://osquery.readthedocs.io/en/latest/deployment/extensions/#extensions-binary-permissions

the example extension on the osquery-rs repo?

Oh, I meant checking that the example extension in the osquery core repo would load correctly as a sanity test, but I suppose there are several. https://github.com/osquery/osquery/tree/master/external/examples

So the SDK in Windows uses the socket/pipe internally to communicate with osquery? I'll try to build those examples and investigate further, thanks for your time @Mike Myers

building osquery from source should build the example extensions automatically (I think)

the uds_windows is a lib to open a af_linux socket in windows (since it got support in 2017), I dont think this gonna work in this case, do you? I don't have deep understand about those 2, but I think the communication differs between each other, what you think?

I don't think it's the right thing in this case. Is the Rust

thrift

crate trying to use that?

No

A Windows named pipe has its own API. Here I'll find the osquery code that has the conditional stuff for Windows Thrift connections

yes, i infer that with this commit from zac: https://github.com/superluminalzone/osquery-rs/commit/08c19b5742c5c71fcf184db8d26acaa6726178b3

I see. At least on the osquery side, the code is using the Thrift cpp library where

TPipeServer

exists and that's what it uses on Windows

Fantastic mate, thanks again. You cover all the points. So in this point in time I cannot go further with this implementation.