#windows - when osquery 5.2.2 (installed

Channels

g
Gregory Storme
3 months ago
when osquery 5.2.2 (installed using the fleet/orbit msi) runs on domain controllers, the LSASS process takes up 100% cpu and remains, until the osqueryd service is stopped couldn't find any known issues on this, has anyone else seen such behaviour?
defensivedepth
3 months ago
Do you have the Software Inventory enabled for FleetDM?
g
Gregory Storme
3 months ago
yes
defensivedepth
3 months ago
https://osquery.slack.com/archives/C01DXJL16D8/p1644254482135739
g
Gregory Storme
3 months ago
great, thanks, disabling the software_inventory fixed it! i'll follow that thread
s
seph
3 months ago
I would guess it’s going to be something crawling the users table
Mike Myers
3 months ago
Yea, Trail of Bits has been working on this problem. It's the number of users on the Domain Controller, that is the challenge. We have a PR here https://github.com/osquery/osquery/pull/7516
Perhaps you can test, or we can get some reviews on it

View count: 10