windows_startup_items
SCHEMA
column | type | description
cmdline | string | Process command line
name | string | Name of the registry value entry
path | string | Full path to the value
result | string | The authenticode signature of the startup item
sha256 | string | SHA256 of the file now
source | string | The Windows event source
status | string | The reason the logon failed
-- windows_startup_items INFO
SELECT
  -- Device ID DETAILS
  meta_hostname,
  meta_ip_address,
  -- Query Details
  query_name,
  cmdline,
  name,
  path,
  result,
  sha256,
  source,
  status,
  -- Decoration
  meta_boot_time,
  meta_eid,
  meta_endpoint_type,
  meta_ip_mask,
  meta_mac_address,
  meta_os_name,
  meta_os_platform,
  meta_os_type,
  meta_os_version,
  meta_public_ip,
  meta_query_pack_version,
  meta_username,
  -- Generic
  calendar_time,
  counter,
  epoch,
  host_identifier,
  -- numerics
  osquery_action,
  unix_time,
  -- Data Lake
  customer_id,
  endpoint_id,
  upload_size
FROM xdr_data
WHERE query_name = 'windows_startup_items'
RESULTS
| meta_hostname | meta_ip_address | query_name | cmdline | name | path | result | sha256 | source | status | meta_boot_time | meta_eid | meta_endpoint_type | meta_ip_mask | meta_mac_address | meta_os_name | meta_os_platform | meta_os_type | meta_os_version | meta_public_ip | meta_query_pack_version | meta_username | calendar_time | counter | epoch | host_identifier | osquery_action | unix_time | customer_id | endpoint_id | upload_size |
|---------------|-----------------|------------|---------|------|------|--------|--------|--------|--------|----------------|----------|--------------------|--------------|------------------|--------------|------------------|--------------|-----------------|----------------|-------------------------|---------------|---------------|---------|-------|-----------------|----------------|-----------|-------------|-------------|-------------|
| DESKTOP-RB61UC8 | 192.168.1.173 | windows_startup_items | C:\Program Files (x86)\Microsoft\Edge\Application\86.0.622.38\BHO\ie_to_edge_bho_64.dll | IEToEdge BHO | C:\Program Files (x86)\Microsoft\Edge\Application\86.0.622.38\BHO\ie_to_edge_bho_64.dll | trusted | 4a265fbb95691e9d932651c61ea82d85dc2b019d5a63895cb8a075d3f01c3447 | ie_extensions | none | 1601472788 | eface84e-4db6-344f-a89d-90801856834f | computer | 255.255.255.0 | 5c:ea:1d:c1:aa:55 | Microsoft Windows 10 Pro | windows | client | 10.0.19041 | 73.69.54.187 | 1.1.12 | Admin | 2020-10-12T09:02:37Z | 0 | 1602286841 | DESKTOP-RB61UC8 | False | 2020-10-12T09:02:37Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | feca8ee4-d46b-43f4-8ad9-0908816538f4 | 1011 |
| DESKTOP-RB61UC8 | 192.168.1.173 | windows_startup_items | C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\OCHelper.dll | Skype for Business Browser Helper | C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\OCHelper.dll | trusted | d0f974a5af2beee44b7e205622adb0e960ae1b39bf16102992abdc1a75f2fb8e | ie_extensions | none | 1601472788 | eface84e-4db6-344f-a89d-90801856834f | computer | 255.255.255.0 | 5c:ea:1d:c1:aa:55 | Microsoft Windows 10 Pro | windows | client | 10.0.19041 | 73.69.54.187 | 1.1.12 | Admin | 2020-10-12T09:02:37Z | 0 | 1602286841 | DESKTOP-RB61UC8 | False | 2020-10-12T09:02:37Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | feca8ee4-d46b-43f4-8ad9-0908816538f4 | 1066 |
| DESKTOP-RB61UC8 | 192.168.1.173 | windows_startup_items | C:\Program Files (x86)\Microsoft\Edge\Application\86.0.622.38\BHO\ie_to_edge_bho_64.dll | IEToEdge BHO | C:\Program Files (x86)\Microsoft\Edge\Application\86.0.622.38\BHO\ie_to_edge_bho_64.dll | trusted | 4a265fbb95691e9d932651c61ea82d85dc2b019d5a63895cb8a075d3f01c3447 | ie_extensions | none | 1601472788 | eface84e-4db6-344f-a89d-90801856834f | computer | 255.255.255.0 | 5c:ea:1d:c1:aa:55 | Microsoft Windows 10 Pro | windows | client | 10.0.19041 | 73.69.54.187 | 1.1.12 | Admin | 2020-10-12T09:02:37Z | 0 | 1602286841 | DESKTOP-RB61UC8 | False | 2020-10-12T09:02:37Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | feca8ee4-d46b-43f4-8ad9-0908816538f4 | 1011 |
| DESKTOP-RB61UC8 | 192.168.1.173 | windows_startup_items | C:\Windows\System32\ieframe.dll | Microsoft Url Search Hook | C:\Windows\System32\ieframe.dll | missing | 3c95b0507ed729bde94c6887ee473ecac996e67e8028fed0dd81de8ffc283bcd | ie_extensions | none | 1601472788 | eface84e-4db6-344f-a89d-90801856834f | computer | 255.255.255.0 | 5c:ea:1d:c1:aa:55 | Microsoft Windows 10 Pro | windows | client | 10.0.19041 | 73.69.54.187 | 1.1.12 | Admin | 2020-10-12T09:02:37Z | 0 | 1602286841 | DESKTOP-RB61UC8 | False | 2020-10-12T09:02:37Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | feca8ee4-d46b-43f4-8ad9-0908816538f4 | 904 |
| DESKTOP-RB61UC8 | 192.168.1.173 | windows_startup_items | C:\Windows\System32\ieframe.dll | Microsoft Url Search Hook | C:\Windows\System32\ieframe.dll | missing | 3c95b0507ed729bde94c6887ee473ecac996e67e8028fed0dd81de8ffc283bcd | ie_extensions | none | 1601472788 | eface84e-4db6-344f-a89d-90801856834f | computer | 255.255.255.0 | 5c:ea:1d:c1:aa:55 | Microsoft Windows 10 Pro | windows | client | 10.0.19041 | 73.69.54.187 | 1.1.12 | Admin | 2020-10-12T09:02:37Z | 0 | 1602286841 | DESKTOP-RB61UC8 | False | 2020-10-12T09:02:37Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | feca8ee4-d46b-43f4-8ad9-0908816538f4 | 904 |
| DESKTOP-RB61UC8 | 192.168.1.173 | windows_startup_items | C:\Windows\System32\ieframe.dll | Microsoft Url Search Hook | C:\Windows\System32\ieframe.dll | missing | 3c95b0507ed729bde94c6887ee473ecac996e67e8028fed0dd81de8ffc283bcd | ie_extensions | none | 1601472788 | eface84e-4db6-344f-a89d-90801856834f | computer | 255.255.255.0 | 5c:ea:1d:c1:aa:55 | Microsoft Windows 10 Pro | windows | client | 10.0.19041 | 73.69.54.187 | 1.1.12 | Admin | 2020-10-12T09:02:37Z | 0 | 1602286841 | DESKTOP-RB61UC8 | False | 2020-10-12T09:02:37Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | feca8ee4-d46b-43f4-8ad9-0908816538f4 | 904 |
| DESKTOP-RB61UC8 | 192.168.1.173 | windows_startup_items | C:\WINDOWS\System32\AJRouter.dll | AJRouter | C:\WINDOWS\System32\AJRouter.dll | missing | 4e2623243a9bb61f7211e591c24edb70b07974a7fa21e3f14c683f27e975777f | services | none | 1601472788 | eface84e-4db6-344f-a89d-90801856834f | computer | 255.255.255.0 | 5c:ea:1d:c1:aa:55 | Microsoft Windows 10 Pro | windows | client | 10.0.19041 | 73.69.54.187 | 1.1.12 | Admin | 2020-10-12T09:02:37Z | 0 | 1602286841 | DESKTOP-RB61UC8 | False | 2020-10-12T09:02:37Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | feca8ee4-d46b-43f4-8ad9-0908816538f4 | 884 |
| DESKTOP-RB61UC8 | 192.168.1.173 | windows_startup_items | C:\WINDOWS\System32\appidsvc.dll | AppIDSvc | C:\WINDOWS\System32\appidsvc.dll | missing | 2d6be8c0fd620cb4f8316279d7c1b3ad6fce38b027ec9e6eab712ea81ae9f93a | services | none | 1601472788 | eface84e-4db6-344f-a89d-90801856834f | computer | 255.255.255.0 | 5c:ea:1d:c1:aa:55 | Microsoft Windows 10 Pro | windows | client | 10.0.19041 | 73.69.54.187 | 1.1.12 | Admin | 2020-10-12T09:02:37Z | 0 | 1602286841 | DESKTOP-RB61UC8 | False | 2020-10-12T09:02:37Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | feca8ee4-d46b-43f4-8ad9-0908816538f4 | 884 |
| DESKTOP-RB61UC8 | 192.168.1.173 | windows_startup_items | C:\WINDOWS\System32\appinfo.dll | Appinfo | C:\WINDOWS\System32\appinfo.dll | missing | 92f616967c6a362966b4fcaf17290a6989ae1300737cc178e891a5f47f92f653 | services | none | 1601472788 | eface84e-4db6-344f-a89d-90801856834f | computer | 255.255.255.0 | 5c:ea:1d:c1:aa:55 | Microsoft Windows 10 Pro | windows | client | 10.0.19041 | 73.69.54.187 | 1.1.12 | Admin | 2020-10-12T09:02:37Z | 0 | 1602286841 | DESKTOP-RB61UC8 | False | 2020-10-12T09:02:37Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | feca8ee4-d46b-43f4-8ad9-0908816538f4 | 881 |
| DESKTOP-RB61UC8 | 192.168.1.173 | windows_startup_items | C:\WINDOWS\System32\appmgmts.dll | AppMgmt | C:\WINDOWS\System32\appmgmts.dll | missing | 0f142fa2669ba775c0a253cbec8ad81632135b28221c464dde49bc58be9689c3 | services | none | 1601472788 | eface84e-4db6-344f-a89d-90801856834f | computer | 255.255.255.0 | 5c:ea:1d:c1:aa:55 | Microsoft Windows 10 Pro | windows | client | 10.0.19041 | 73.69.54.187 | 1.1.12 | Admin | 2020-10-12T09:02:37Z | 0 | 1602286841 | DESKTOP-RB61UC8 | False | 2020-10-12T09:02:37Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | feca8ee4-d46b-43f4-8ad9-0908816538f4 | 883 |
| DESKTOP-RB61UC8 | 192.168.1.173 | windows_startup_items | C:\WINDOWS\system32\appxdeploymentserver.dll | AppXSvc | C:\WINDOWS\system32\appxdeploymentserver.dll | missing | d379ca8ec812340c0519dd866b084baaed043f775eea216650d0f6424a0f30fc | services | none | 1601472788 | eface84e-4db6-344f-a89d-90801856834f | computer | 255.255.255.0 | 5c:ea:1d:c1:aa:55 | Microsoft Windows 10 Pro | windows | client | 10.0.19041 | 73.69.54.187 | 1.1.12 | Admin | 2020-10-12T09:02:37Z | 0 | 1602286841 | DESKTOP-RB61UC8 | False | 2020-10-12T09:02:37Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | feca8ee4-d46b-43f4-8ad9-0908816538f4 | 907 |
| DESKTOP-RB61UC8 | 192.168.1.173 | windows_startup_items | C:\WINDOWS\System32\assignedaccessmanagersvc.dll | AssignedAccessManagerSvc | C:\WINDOWS\System32\assignedaccessmanagersvc.dll | missing | bb0cfc9c365d7bb25edd1d73467b09a107603cf2d66f5e57f076e1baff3e9d0f | services | none | 1601472788 | eface84e-4db6-344f-a89d-90801856834f | computer | 255.255.255.0 | 5c:ea:1d:c1:aa:55 | Microsoft Windows 10 Pro | windows | client | 10.0.19041 | 73.69.54.187 | 1.1.12 | Admin | 2020-10-12T09:02:37Z | 0 | 1602286841 | DESKTOP-RB61UC8 | False | 2020-10-12T09:02:37Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | feca8ee4-d46b-43f4-8ad9-0908816538f4 | 932 |
| DESKTOP-RB61UC8 | 192.168.1.173 | windows_startup_items | C:\WINDOWS\System32\AudioEndpointBuilder.dll | AudioEndpointBuilder | C:\WINDOWS\System32\AudioEndpointBuilder.dll | missing | c1f5db110f6470150eb4240fd3491b3164e9c25ee9621057ebd15f12de718856 | services | none | 1601472788 | eface84e-4db6-344f-a89d-90801856834f | computer | 255.255.255.0 | 5c:ea:1d:c1:aa:55 | Microsoft Windows 10 Pro | windows | client | 10.0.19041 | 73.69.54.187 | 1.1.12 | Admin | 2020-10-12T09:02:37Z | 0 | 1602286841 | DESKTOP-RB61UC8 | False | 2020-10-12T09:02:37Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | feca8ee4-d46b-43f4-8ad9-0908816538f4 | 920 |
| D
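The `result` column above (the authenticode verdict: `trusted` or `missing` in these rows) is the field a defender triages first, but on its own it is a weak signal: many built-in Windows binaries carry no embedded signature because they are catalog-signed, so `missing` under `C:\Windows\` is the normal baseline on this host. What stands out is an unsigned or untrusted loader outside the OS and Program Files trees. The following script is an added example, not part of this page or the product's own tooling: it parses result rows in the pipe-delimited layout shown above (the sample table is constructed for the example, with a few columns dropped; the last two rows are invented to exercise the "review" path) and buckets each startup item by signature result and path.

```python
from __future__ import annotations

from collections import defaultdict

# Constructed sample output in the same pipe-delimited layout as the query
# results above, trimmed to the columns this check reads. The first three
# rows mirror entries from the page; the last two are invented to show
# what a finding worth review looks like.
SAMPLE_OUTPUT = r"""
| meta_hostname | name | path | result | source | status |
|---------------|------|------|--------|--------|--------|
| DESKTOP-RB61UC8 | IEToEdge BHO | C:\Program Files (x86)\Microsoft\Edge\Application\86.0.622.38\BHO\ie_to_edge_bho_64.dll | trusted | ie_extensions | none |
| DESKTOP-RB61UC8 | Microsoft Url Search Hook | C:\Windows\System32\ieframe.dll | missing | ie_extensions | none |
| DESKTOP-RB61UC8 | AJRouter | C:\WINDOWS\System32\AJRouter.dll | missing | services | none |
| DESKTOP-RB61UC8 | Updater Helper | C:\Users\Admin\AppData\Roaming\updhelper.dll | missing | services | none |
| DESKTOP-RB61UC8 | Sync Agent | C:\Users\Admin\AppData\Local\Temp\syncagent.exe | untrusted | services | none |
"""

# Locations where a missing embedded signature is expected (catalog-signed OS files).
OS_PREFIXES = ("c:\\windows\\",)
# Path fragments that indicate a user-writable location; an unsigned loader here
# deserves a look regardless of anything else.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def parse_pipe_table(text: str) -> list[dict[str, str]]:
    """Parse a header/separator/data pipe table into one dict per row."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    header = [cell.strip() for cell in lines[0].strip("|").split("|")]
    rows: list[dict[str, str]] = []
    for line in lines[1:]:
        if set(line) <= {"|", "-", "+", " "}:
            continue  # separator row
        cells = [cell.strip() for cell in line.strip("|").split("|")]
        if len(cells) != len(header):
            raise ValueError(f"column count mismatch in row: {line!r}")
        rows.append(dict(zip(header, cells)))
    return rows


def classify(row: dict[str, str]) -> str:
    """Triage label for one startup item from its signature result and path."""
    result = row["result"].lower()
    path = row["path"].lower()
    if result == "trusted":
        return "ok"
    if any(marker in path for marker in USER_WRITABLE_MARKERS):
        return "review"  # unsigned or untrusted loader in a user-writable directory
    if result == "missing" and path.startswith(OS_PREFIXES):
        return "baseline"  # OS binary without embedded signature: expected, catalog-signed
    return "review"  # anything else unsigned/untrusted outside the OS tree


def triage(text: str) -> dict[str, list[str]]:
    """Group item paths by triage label, preserving row order within each label."""
    buckets: dict[str, list[str]] = defaultdict(list)
    for row in parse_pipe_table(text):
        buckets[classify(row)].append(row["path"])
    return dict(buckets)


if __name__ == "__main__":
    for label, paths in triage(SAMPLE_OUTPUT).items():
        print(f"{label}: {len(paths)} item(s)")
        for p in paths:
            print(f"  {p}")
```

Feed it the real result rows by pasting the full table in place of `SAMPLE_OUTPUT`; the parser keys on column names, so extra columns such as `sha256` pass through untouched and remain available for pivoting on the hash once an item lands in the `review` bucket.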