As of osquery 1.8.2+ the Windows builds are feature-complete but provide a limited set of tables compared to OS X and Linux.
Each osquery tag (release) is published to chocolatey for our supported versions: https://chocolatey.org/packages/osquery/
By default Chocolatey will install the binaries, example packs, example configuration, and an openssl certs bundle to
C:\ProgramData\osquery and nothing more. You can pass Chocolatey the
--params='/InstallService' flag or make use of osquery's
--install flag with
C:\ProgramData\osquery\osqueryd\osqueryd.exe --install to install a Windows system service for the osqueryd daemon.
Out of the box osquery is runnable via the Chocolatey installation. More commonly however the daemon is configured to be a system service. To set this up, you'll need to install the daemon via the service installation flags as detailed in the steps above, and then provide the daemon with a config file. The simplest way to get osqueryd up and running is to rename the
C:\ProgramData\osquery\osquery.example.conf file provided to
osquery.conf. Once the configuration file is in place, you can start the Windows service:
Start-Service osqueryd if you're using Powershell
sc.exe start osqueryd if you're using cmd.exe
We recommend configuring large fleets with Chef or SCCM.
Managing the daemon service
osquery provides a helper script for managing the osquery daemon service, which is installed to
If you'd like to create your own osquery Chocolatey package you can run
.\tools\deployment\make_windows_package.ps1. This script will grab the built binaries, the
packs directory, the
osquery.example.conf, and attempt to find the OpenSSL