winget install --id osquery.osquery
About osquery
SQL powered operating system instrumentation, monitoring, and analytics.
What's new in 5.23.0
What's Changed
Features
- Add process memory scanning capability to yara table by @brian-mckinney in #8782
- Split yara tables into yara_process and yara_file by @brian-mckinney in #8835
- Add Windows process_open_handles table by @brian-mckinney in #8795
- Add secureboot_certificates table for Linux by @zwass in #8844
- Extend python_packages and npm_packages to cover modern package managers by @ariary in #8801
- Add level filtering to the unified_log table by @directionless in #8788
- Disallow newlines in curl custom headers by @directionless in #8787
- Supplement LaunchServices with directory scanning in apps table (#8789) by @getvictor in #8790
- Command line flags for query input and output by @directionless in #8786
- New header-based authentication mechanism for remote APIs by @juan-fdz-hawa in #8805
- Add recursion to npm_packages by @directionless in #8809
- Make profile.py performance thresholds configurable via CLI flags by @stefanamaerz in #8841
- Add ROOT\default to WMI tables by @directionless in #8810
Build & Dependencies
- Update expat to 2.7.4 to fix CVE-2026-25210 by @Sampriti2803 in #8794
- Fix GCC 15 compatibility by @carlsmedstad in #8837
Fixes
- Fix macOS keychain corruption when accessing non-SSV keychain files by copying to temporary files first by @lucasmrod in #8840
- Fix incorrect example queries in table specs by @edwardsb in #8791
- Improve network_name detection on macOS wifi_status table by @lucasmrod in #8781
- Fix a bug in apt_sources parsing by @directionless in #8785
- Add NOCASE and VERSION collation to various columns by @directionless i...
Version history
| Version | Updated | Notes |
|---|---|---|
| 5.23.0 | Unknown | What's Changed Features - Add process memory scanning capability to yara table by @brian-mckinney in #8782 - Split yara tables into yara_process and yara_file by @brian-mckinney in #8835 - Add Windows process_open_handle... |
| 5.22.1 | Unknown | 5.22.0 macOS binaries will not execute because the signing certificate is out of sync with the provisioning profile. 5.22.1 replaces it. What's Changed Features - Make escapeNonPrintableBytes UTF-8 aware by @nulmete in #... |
| 5.21.0 | Unknown | What's Changed - Improvements to password_policy table by @zwass in #8705 - Improve file traversal performance and correctness by @Krechals in #8704 - Add support for Login Items and Background Services on modern macOS b... |
| 5.20.0 | Unknown | What's Changed Features/Bugs - Add default path for CA certificate bundle on openSUSE by @iko1 in #8687 - Exclude config views from db migration by @Micah-Kolide in #8678 - Make vscode_extensions more consistently report... |
| 5.19.0 | Unknown | What's Changed Features - Add table deb_package_files by @zwass in #8657 - Add system_profiler table for macOS by @zwass in #8645 - Add version collate to os_version table's version column by @Micah-Kolide in #8659 - Add... |
| 5.18.1 | Unknown | Revert "Update Windows runner version in hosted_runners.yml (#8618)" (#8633) |
| 5.17.0 | Unknown | 5.17.0 Git Commits What's Changed - Add CHANGELOG.md entry for 5.16.0 by @lucasmrod in #8548 - Add symlink_target_path to files tables by @DocEmmetBrown in #8502 - cve: Ignore libarchive CVE-2024-26256 by @Smjert in #854... |
| 5.16.0 | Unknown | 5.16.0 Git Commits Representing commits from 7 contributors! Thank you all. Table Changes - Fix the python_paths table to skip unnecessary code paths when filtering by directory (#8544) - Added python packages in user di... |
| 5.11.0 | Unknown | No notes |
| 5.8.2 | Unknown | No notes |
| 5.6.0 | Unknown | Table Changes - Add firmware_type column to platform_info on macOS (#7727) - Add additional vendor support for the windows wmi_bios_info table (#7631) - Fix docker_container_processes on macOS (#7746) - Fix process_file_... |