I'm attempting to install osquery in a custom location by placing the osqueryd.exe file from my default osquery installation into C:\Program Files\Test\foo\testosqueryd.exe. However, when I install it at this location with the flag --database_path="C:\Program Files\Test\foo\osquery.db", it generates an error when attempting to start osquery:
Windows could not start the osqueryd service on the local computer.
Error 1067: The process terminates unexpectedly.
On the other hand, when I don't use the --database_path flag, osquery works, but it creates the osquery folder at the default location C:\Program Files\osquery\osquery.db.
My intention is to have the database at a custom location using the --database_path flag.How can I achieve this without encountering the error?
Osquery does support running with an alternate database path and pidfile. And those options are
--database_pathand--pidfile. It also supports the--verboseargument to increase log output.The error you provided is not from osquery. That is an error from windows saying osquery did not start. If you want to diagnose the issue, you need to find the osquery logs.
But, your example is
--database_path= C:\Program Files\Test\foo\osquery.db, and I suspect there are two issues. First, you should not have a space after the=. Second, you need to quote the path becauseProgram Fileshas a space in it. The syntax for quoting paths on windows is different in powershell, cmd.exe, and service manager configuration.Lastly, it looks like you renamed
osqueryd.exetotestosqueryd.exe. Osquery can be sensitive to it's file naming, this is not recommended.