I have two tables file & users, I want to see the file info for each user for C:Users%USERNAME%Documents
So e.g. this would get the info from ‘example’ documents:
SELECT * FROM file WHERE path LIKE 'C:UsersexampleDocuments%%';But the username is coming from the users
SELECT username FROM users;returns
+--------------------+| username |+--------------------+| Administrator || DefaultAccount || example || Guest || WDAGUtilityAccount || SYSTEM || LOCAL SERVICE || NETWORK SERVICE |+--------------------+Alternatively, there’s:
SELECT directory FROM users;+---------------------------------------------+| directory |+---------------------------------------------+| || || C:Usersexample || || || %systemroot%system32configsystemprofile || %systemroot%ServiceProfilesLocalService || %systemroot%ServiceProfilesNetworkService |+---------------------------------------------+Which provides the first part of the path, but still can’t get to join ‘Documents’ to end of query and also run the file query.
So, how do I loop through the each of the usernames.
I’ve tried modifying but neither table can be modified
Advertisement
Answer
This is a great opportunity to use a JOIN query:
SELECT f.*FROM file f JOIN users uWHERE f.path LIKE 'C:Users' || u.username || 'Documents%%'When you run this query, osquery will first generate the list of users, then substitute the username into the path provided to the file table.
JOIN is a really powerful way to combine the results of various tables, and it’s well worth taking some time to experiment and learn how to use this power.