Skip to content

[Osquerybeat] Jumplists - Custom #47759

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
brian-mckinney wants to merge 153 commits into
base: main
Choose a base branch
from
Open

[Osquerybeat] Jumplists - Custom #47759

brian-mckinney wants to merge 153 commits into from

Conversation

@brian-mckinney
Copy link
Contributor

@brian-mckinney brian-mckinney commented Nov 21, 2025
edited
Loading

Proposed commit message

Note

Please see this reference if you are not familiar with jumplists, it is a quick read and you will be able to understand this PR better

This PR adds an elastic_jumplists table to the osquery extension. This PR only adds support for custom jumplists. A follow on PR will add support for automatic jumplists, and will add some new columns to the table. For that reason, I will update documentation in the follow on PR.

#48032

Currently, the columns for custom jumplists looks like this

+-----+---------------------------+---------+---------+------------+----+
| cid | name                      | type    | notnull | dflt_value | pk |
+-----+---------------------------+---------+---------+------------+----+
| 0   | application_id            | TEXT    | 0       |            | 0  |
| 1   | application_name          | TEXT    | 0       |            | 0  |
| 2   | username                  | TEXT    | 0       |            | 0  |
| 3   | domain                    | TEXT    | 0       |            | 0  |
| 4   | sid                       | TEXT    | 0       |            | 0  |
| 5   | jumplist_type             | INTEGER | 0       |            | 0  |
| 6   | source_file_path          | TEXT    | 0       |            | 0  |
| 7   | hostname                  | TEXT    | 0       |            | 0  |
| 8   | entry_number              | INTEGER | 0       |            | 0  |
| 9   | AccessCount               | DOUBLE  | 0       |            | 0  |
| 10  | last_modified_time        | TEXT    | 0       |            | 0  |
| 11  | is_pinned                 | INTEGER | 0       |            | 0  |
| 12  | interaction_count         | INTEGER | 0       |            | 0  |
| 13  | dest_entry_path           | TEXT    | 0       |            | 0  |
| 14  | dest_entry_path_resolved  | TEXT    | 0       |            | 0  |
| 15  | mac_address               | TEXT    | 0       |            | 0  |
| 16  | creation_time             | TEXT    | 0       |            | 0  |
| 17  | local_path                | TEXT    | 0       |            | 0  |
| 18  | file_size                 | INTEGER | 0       |            | 0  |
| 19  | hot_key                   | TEXT    | 0       |            | 0  |
| 20  | icon_index                | INTEGER | 0       |            | 0  |
| 21  | show_window               | TEXT    | 0       |            | 0  |
| 22  | icon_location             | TEXT    | 0       |            | 0  |
| 23  | command_line_arguments    | TEXT    | 0       |            | 0  |
| 24  | target_modification_time  | BIGINT  | 0       |            | 0  |
| 25  | target_last_accessed_time | BIGINT  | 0       |            | 0  |
| 26  | target_creation_time      | BIGINT  | 0       |            | 0  |
| 27  | volume_serial_number      | TEXT    | 0       |            | 0  |
| 28  | volume_type               | TEXT    | 0       |            | 0  |
| 29  | volume_label              | TEXT    | 0       |            | 0  |
| 30  | volume_label_offset       | INTEGER | 0       |            | 0  |
| 31  | name                      | TEXT    | 0       |            | 0  |
+-----+---------------------------+---------+---------+------------+----+

Example Output

I am including sample output for our extension, alongside output from a known good jumplist tool JLECmd

Filename: ff99ba2fb2e34b73.customDestinations-ms

JLECmd Output 
{
    "SourceFile": "C:\\git\\beats\\x-pack\\osquerybeat\\ext\\osquery-extension\\pkg\\jumplists\\testdata\\custom\\ff99ba2fb2e34b73.customDestinations-ms",
    "AppId": {
        "AppId": "ff99ba2fb2e34b73",
        "Description": "Windows Calculator"
    },
    "Entries": [
        {
            "Name": "",
            "Unknown0": 2,
            "Rank": 7.006492E-45,
            "Unknown2": 136193,
            "HeaderType": 0,
            "LnkFiles": [
                {
                    "TargetIDs": [
                        {
                            "__type": "Lnk.ShellItems.ShellBag0X32, Lnk",
                            "FileSize": 0,
                            "ShortName": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App",
                            "FriendlyName": "File",
                            "Value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App",
                            "ExtensionBlocks": [
                                {
                                    "__type": "ExtensionBlocks.Beef0004, ExtensionBlocks",
                                    "Identifier": 46,
                                    "MFTInformation": {
                                        "MFTEntryNumber": 0,
                                        "Note": "Network/special item"
                                    },
                                    "LongName": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App",
                                    "LocalisedName": "",
                                    "Message": "",
                                    "Size": 140,
                                    "Version": 9,
                                    "Signature": 3203334148,
                                    "VersionOffset": 60
                                }
                            ]
                        }
                    ],
                    "ExtraBlocks": [
                        {
                            "__type": "Lnk.ExtraData.PropertyStoreDataBlock, Lnk",
                            "PropertyStore": {
                                "Sheets": [
                                    {
                                        "Size": 462,
                                        "Version": "31-53-50-53",
                                        "GUID": "9f4c2855-9f79-4b39-a8d0-e1d42de1d5f3",
                                        "PropertyNames": {
                                            "28": "ms-resource:///Resources/StandardModeText",
                                            "27": "ms-resource:///Resources/StandardModeText",
                                            "30": "",
                                            "29": "ms-appx:///Assets/Standard.png",
                                            "5": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App",
                                            "20": "0"
                                        },
                                        "PropertySheetType": "Numeric"
                                    },
                                    {
                                        "Size": 253,
                                        "Version": "31-53-50-53",
                                        "GUID": "f29f85e0-4ff9-1068-ab91-08002b27b3d9",
                                        "PropertyNames": {
                                            "2": "@{Microsoft.WindowsCalculator_11.2411.1.0_x64__8wekyb3d8bbwe?ms-resource:///Resources/StandardModeText}"
                                        },
                                        "PropertySheetType": "Numeric"
                                    },
                                    {
                                        "Size": 49,
                                        "Version": "31-53-50-53",
                                        "GUID": "436f2667-14e2-4feb-b30a-146c53b5b674",
                                        "PropertyNames": {
                                            "100": "0"
                                        },
                                        "PropertySheetType": "Numeric"
                                    }
                                ]
                            }
                        }
                    ],
                    "SourceFile": "C:\\git\\beats\\Offset_0x18.lnk",
                    "RawBytes": "TAAAAAEUAgAAAAAAwAAAAAAAAEaFAKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAMoAyAAyAAAAAAAAAAAAAABNaWNyb3NvZnQuV2luZG93c0NhbGN1bGF0b3JfOHdla3liM2Q4YmJ3ZSFBcHAAjAAJAAQA774AAAAAAAAAAC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE0AaQBjAHIAbwBzAG8AZgB0AC4AVwBpAG4AZABvAHcAcwBDAGEAbABjAHUAbABhAHQAbwByAF8AOAB3AGUAawB5AGIAMwBkADgAYgBiAHcAZQAhAEEAcABwAAAAPAAAAGcAQAB7AE0AaQBjAHIAbwBzAG8AZgB0AC4AVwBpAG4AZABvAHcAcwBDAGEAbABjAHUAbABhAHQAbwByAF8AMQAxAC4AMgA0ADEAMQAuADEALgAwAF8AeAA2ADQAXwBfADgAdwBlAGsAeQBiADMAZAA4AGIAYgB3AGUAPwBtAHMALQByAGUAcwBvAHUAcgBjAGUAOgAvAC8ALwBSAGUAcwBvAHUAcgBjAGUAcwAvAFMAdABhAG4AZABhAHIAZABNAG8AZABlAFQAZQB4AHQAfQAIAwAACQAAoM4BAAAxU1BTVShMn3mfOUuo0OHULeHV82UAAAAcAAAAAB8AAAAqAAAAbQBzAC0AcgBlAHMAbwB1AHIAYwBlADoALwAvAC8AUgBlAHMAbwB1AHIAYwBlAHMALwBTAHQAYQBuAGQAYQByAGQATQBvAGQAZQBUAGUAeAB0AAAAZQAAABsAAAAAHwAAACoAAABtAHMALQByAGUAcwBvAHUAcgBjAGUAOgAvAC8ALwBSAGUAcwBvAHUAcgBjAGUAcwAvAFMAdABhAG4AZABhAHIAZABNAG8AZABlAFQAZQB4AHQAAAAVAAAAHgAAAAAfAAAAAQAAAAAAAABRAAAAHQAAAAAfAAAAHwAAAG0AcwAtAGEAcABwAHgAOgAvAC8ALwBBAHMAcwBlAHQAcwAvAFMAdABhAG4AZABhAHIAZAAuAHAAbgBnAAAAAABtAAAABQAAAAAfAAAALgAAAE0AaQBjAHIAbwBzAG8AZgB0AC4AVwBpAG4AZABvAHcAcwBDAGEAbABjAHUAbABhAHQAbwByAF8AOAB3AGUAawB5AGIAMwBkADgAYgBiAHcAZQAhAEEAcABwAAAAFQAAABQAAAAAHwAAAAIAAAAwAAAAAAAAAP0AAAAxU1BT4IWf8vlPaBCrkQgAKyez2eEAAAACAAAAAAgAAADQAAAAQAB7AE0AaQBjAHIAbwBzAG8AZgB0AC4AVwBpAG4AZABvAHcAcwBDAGEAbABjAHUAbABhAHQAbwByAF8AMQAxAC4AMgA0ADEAMQAuADEALgAwAF8AeAA2ADQAXwBfADgAdwBlAGsAeQBiADMAZAA4AGIAYgB3AGUAPwBtAHMALQByAGUAcwBvAHUAcgBjAGUAOgAvAC8ALwBSAGUAcwBvAHUAcgBjAGUAcwAvAFMAdABhAG4AZABhAHIAZABNAG8AZABlAFQAZQB4AHQAfQAAAAAAAAAxAAAAMVNQU2cmb0PiFOtPswoUbFO1tnQVAAAAZAAAAAAfAAAAAgAAADAAAAAAAAAAAAAAAAAAAAABFAIAAAAAAMAAAAAAAABG",
                    "Header": {
                        "Signature": "0002140100000000c000000000000046",
                        "DataFlags": 10485893,
                        "FileAttributes": 0,
                        "TargetCreationDate": "\/Date(-11644473600000)\/",
                        "TargetModificationDate": "\/Date(-11644473600000)\/",
                        "TargetLastAccessedDate": "\/Date(-11644473600000)\/",
                        "FileSize": 0,
                        "IconIndex": 0,
                        "HotKey": "",
                        "ShowWindow": "SwNormal",
                        "Reserved0": 0,
                        "Reserved1": 0,
                        "Reserved2": 0
                    },
                    "Name": "@{Microsoft.WindowsCalculator_11.2411.1.0_x64__8wekyb3d8bbwe?ms-resource:///Resources/StandardModeText}",
                    "LocationFlags": 0
                },
                {
                    "TargetIDs": [
                        {
                            "__type": "Lnk.ShellItems.ShellBag0X32, Lnk",
                            "FileSize": 0,
                            "ShortName": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App",
                            "FriendlyName": "File",
                            "Value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App",
                            "ExtensionBlocks": [
                                {
                                    "__type": "ExtensionBlocks.Beef0004, ExtensionBlocks",
                                    "Identifier": 46,
                                    "MFTInformation": {
                                        "MFTEntryNumber": 0,
                                        "Note": "Network/special item"
                                    },
                                    "LongName": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App",
                                    "LocalisedName": "",
                                    "Message": "",
                                    "Size": 140,
                                    "Version": 9,
                                    "Signature": 3203334148,
                                    "VersionOffset": 60
                                }
                            ]
                        }
                    ],
                    "ExtraBlocks": [
                        {
                            "__type": "Lnk.ExtraData.PropertyStoreDataBlock, Lnk",
                            "PropertyStore": {
                                "Sheets": [
                                    {
                                        "Size": 474,
                                        "Version": "31-53-50-53",
                                        "GUID": "9f4c2855-9f79-4b39-a8d0-e1d42de1d5f3",
                                        "PropertyNames": {
                                            "28": "ms-resource:///Resources/ScientificModeText",
                                            "27": "ms-resource:///Resources/ScientificModeText",
                                            "30": "",
                                            "29": "ms-appx:///Assets/Scientific.png",
                                            "5": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App",
                                            "20": "1"
                                        },
                                        "PropertySheetType": "Numeric"
                                    },
                                    {
                                        "Size": 257,
                                        "Version": "31-53-50-53",
                                        "GUID": "f29f85e0-4ff9-1068-ab91-08002b27b3d9",
                                        "PropertyNames": {
                                            "2": "@{Microsoft.WindowsCalculator_11.2411.1.0_x64__8wekyb3d8bbwe?ms-resource:///Resources/ScientificModeText}"
                                        },
                                        "PropertySheetType": "Numeric"
                                    },
                                    {
                                        "Size": 49,
                                        "Version": "31-53-50-53",
                                        "GUID": "436f2667-14e2-4feb-b30a-146c53b5b674",
                                        "PropertyNames": {
                                            "100": "1"
                                        },
                                        "PropertySheetType": "Numeric"
                                    }
                                ]
                            }
                        }
                    ],
                    "SourceFile": "C:\\git\\beats\\Offset_0x51C.lnk",
                    "RawBytes": "TAAAAAEUAgAAAAAAwAAAAAAAAEaFAKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAMoAyAAyAAAAAAAAAAAAAABNaWNyb3NvZnQuV2luZG93c0NhbGN1bGF0b3JfOHdla3liM2Q4YmJ3ZSFBcHAAjAAJAAQA774AAAAAAAAAAC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE0AaQBjAHIAbwBzAG8AZgB0AC4AVwBpAG4AZABvAHcAcwBDAGEAbABjAHUAbABhAHQAbwByAF8AOAB3AGUAawB5AGIAMwBkADgAYgBiAHcAZQAhAEEAcABwAAAAPAAAAGkAQAB7AE0AaQBjAHIAbwBzAG8AZgB0AC4AVwBpAG4AZABvAHcAcwBDAGEAbABjAHUAbABhAHQAbwByAF8AMQAxAC4AMgA0ADEAMQAuADEALgAwAF8AeAA2ADQAXwBfADgAdwBlAGsAeQBiADMAZAA4AGIAYgB3AGUAPwBtAHMALQByAGUAcwBvAHUAcgBjAGUAOgAvAC8ALwBSAGUAcwBvAHUAcgBjAGUAcwAvAFMAYwBpAGUAbgB0AGkAZgBpAGMATQBvAGQAZQBUAGUAeAB0AH0AGAMAAAkAAKDaAQAAMVNQU1UoTJ95nzlLqNDh1C3h1fNpAAAAHAAAAAAfAAAALAAAAG0AcwAtAHIAZQBzAG8AdQByAGMAZQA6AC8ALwAvAFIAZQBzAG8AdQByAGMAZQBzAC8AUwBjAGkAZQBuAHQAaQBmAGkAYwBNAG8AZABlAFQAZQB4AHQAAABpAAAAGwAAAAAfAAAALAAAAG0AcwAtAHIAZQBzAG8AdQByAGMAZQA6AC8ALwAvAFIAZQBzAG8AdQByAGMAZQBzAC8AUwBjAGkAZQBuAHQAaQBmAGkAYwBNAG8AZABlAFQAZQB4AHQAAAAVAAAAHgAAAAAfAAAAAQAAAAAAAABVAAAAHQAAAAAfAAAAIQAAAG0AcwAtAGEAcABwAHgAOgAvAC8ALwBBAHMAcwBlAHQAcwAvAFMAYwBpAGUAbgB0AGkAZgBpAGMALgBwAG4AZwAAAAAAbQAAAAUAAAAAHwAAAC4AAABNAGkAYwByAG8AcwBvAGYAdAAuAFcAaQBuAGQAbwB3AHMAQwBhAGwAYwB1AGwAYQB0AG8AcgBfADgAdwBlAGsAeQBiADMAZAA4AGIAYgB3AGUAIQBBAHAAcAAAABUAAAAUAAAAAB8AAAACAAAAMQAAAAAAAAABAQAAMVNQU+CFn/L5T2gQq5EIACsns9nlAAAAAgAAAAAIAAAA1AAAAEAAewBNAGkAYwByAG8AcwBvAGYAdAAuAFcAaQBuAGQAbwB3AHMAQwBhAGwAYwB1AGwAYQB0AG8AcgBfADEAMQAuADIANAAxADEALgAxAC4AMABfAHgANgA0AF8AXwA4AHcAZQBrAHkAYgAzAGQAOABiAGIAdwBlAD8AbQBzAC0AcgBlAHMAbwB1AHIAYwBlADoALwAvAC8AUgBlAHMAbwB1AHIAYwBlAHMALwBTAGMAaQBlAG4AdABpAGYAaQBjAE0AbwBkAGUAVABlAHgAdAB9AAAAAAAAADEAAAAxU1BTZyZvQ+IU60+zChRsU7W2dBUAAABkAAAAAB8AAAACAAAAMQAAAAAAAAAAAAAAAAAAAAEUAgAAAAAAwAAAAAAAAEY=",
                    "Header": {
                        "Signature": "0002140100000000c000000000000046",
                        "DataFlags": 10485893,
                        "FileAttributes": 0,
                        "TargetCreationDate": "\/Date(-11644473600000)\/",
                        "TargetModificationDate": "\/Date(-11644473600000)\/",
                        "TargetLastAccessedDate": "\/Date(-11644473600000)\/",
                        "FileSize": 0,
                        "IconIndex": 0,
                        "HotKey": "",
                        "ShowWindow": "SwNormal",
                        "Reserved0": 0,
                        "Reserved1": 0,
                        "Reserved2": 0
                    },
                    "Name": "@{Microsoft.WindowsCalculator_11.2411.1.0_x64__8wekyb3d8bbwe?ms-resource:///Resources/ScientificModeText}",
                    "LocationFlags": 0
                },
                {
                    "TargetIDs": [
                        {
                            "__type": "Lnk.ShellItems.ShellBag0X32, Lnk",
                            "FileSize": 0,
                            "ShortName": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App",
                            "FriendlyName": "File",
                            "Value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App",
                            "ExtensionBlocks": [
                                {
                                    "__type": "ExtensionBlocks.Beef0004, ExtensionBlocks",
                                    "Identifier": 46,
                                    "MFTInformation": {
                                        "MFTEntryNumber": 0,
                                        "Note": "Network/special item"
                                    },
                                    "LongName": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App",
                                    "LocalisedName": "",
                                    "Message": "",
                                    "Size": 140,
                                    "Version": 9,
                                    "Signature": 3203334148,
                                    "VersionOffset": 60
                                }
                            ]
                        }
                    ],
                    "ExtraBlocks": [
                        {
                            "__type": "Lnk.ExtraData.PropertyStoreDataBlock, Lnk",
                            "PropertyStore": {
                                "Sheets": [
                                    {
                                        "Size": 506,
                                        "Version": "31-53-50-53",
                                        "GUID": "9f4c2855-9f79-4b39-a8d0-e1d42de1d5f3",
                                        "PropertyNames": {
                                            "28": "ms-resource:///Resources/GraphingCalculatorModeText",
                                            "27": "ms-resource:///Resources/GraphingCalculatorModeText",
                                            "30": "",
                                            "29": "ms-appx:///Assets/Graphing.png",
                                            "5": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App",
                                            "20": "17"
                                        },
                                        "PropertySheetType": "Numeric"
                                    },
                                    {
                                        "Size": 273,
                                        "Version": "31-53-50-53",
                                        "GUID": "f29f85e0-4ff9-1068-ab91-08002b27b3d9",
                                        "PropertyNames": {
                                            "2": "@{Microsoft.WindowsCalculator_11.2411.1.0_x64__8wekyb3d8bbwe?ms-resource:///Resources/GraphingCalculatorModeText}"
                                        },
                                        "PropertySheetType": "Numeric"
                                    },
                                    {
                                        "Size": 53,
                                        "Version": "31-53-50-53",
                                        "GUID": "436f2667-14e2-4feb-b30a-146c53b5b674",
                                        "PropertyNames": {
                                            "100": "17"
                                        },
                                        "PropertySheetType": "Numeric"
                                    }
                                ]
                            }
                        }
                    ],
                    "SourceFile": "C:\\git\\beats\\Offset_0xA34.lnk",
                    "RawBytes": "TAAAAAEUAgAAAAAAwAAAAAAAAEaFAKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAMoAyAAyAAAAAAAAAAAAAABNaWNyb3NvZnQuV2luZG93c0NhbGN1bGF0b3JfOHdla3liM2Q4YmJ3ZSFBcHAAjAAJAAQA774AAAAAAAAAAC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE0AaQBjAHIAbwBzAG8AZgB0AC4AVwBpAG4AZABvAHcAcwBDAGEAbABjAHUAbABhAHQAbwByAF8AOAB3AGUAawB5AGIAMwBkADgAYgBiAHcAZQAhAEEAcABwAAAAPAAAAHEAQAB7AE0AaQBjAHIAbwBzAG8AZgB0AC4AVwBpAG4AZABvAHcAcwBDAGEAbABjAHUAbABhAHQAbwByAF8AMQAxAC4AMgA0ADEAMQAuADEALgAwAF8AeAA2ADQAXwBfADgAdwBlAGsAeQBiADMAZAA4AGIAYgB3AGUAPwBtAHMALQByAGUAcwBvAHUAcgBjAGUAOgAvAC8ALwBSAGUAcwBvAHUAcgBjAGUAcwAvAEcAcgBhAHAAaABpAG4AZwBDAGEAbABjAHUAbABhAHQAbwByAE0AbwBkAGUAVABlAHgAdAB9AEwDAAAJAACg+gEAADFTUFNVKEyfeZ85S6jQ4dQt4dXzeQAAABwAAAAAHwAAADQAAABtAHMALQByAGUAcwBvAHUAcgBjAGUAOgAvAC8ALwBSAGUAcwBvAHUAcgBjAGUAcwAvAEcAcgBhAHAAaABpAG4AZwBDAGEAbABjAHUAbABhAHQAbwByAE0AbwBkAGUAVABlAHgAdAAAAHkAAAAbAAAAAB8AAAA0AAAAbQBzAC0AcgBlAHMAbwB1AHIAYwBlADoALwAvAC8AUgBlAHMAbwB1AHIAYwBlAHMALwBHAHIAYQBwAGgAaQBuAGcAQwBhAGwAYwB1AGwAYQB0AG8AcgBNAG8AZABlAFQAZQB4AHQAAAAVAAAAHgAAAAAfAAAAAQAAAAAAAABRAAAAHQAAAAAfAAAAHwAAAG0AcwAtAGEAcABwAHgAOgAvAC8ALwBBAHMAcwBlAHQAcwAvAEcAcgBhAHAAaABpAG4AZwAuAHAAbgBnAAAAAABtAAAABQAAAAAfAAAALgAAAE0AaQBjAHIAbwBzAG8AZgB0AC4AVwBpAG4AZABvAHcAcwBDAGEAbABjAHUAbABhAHQAbwByAF8AOAB3AGUAawB5AGIAMwBkADgAYgBiAHcAZQAhAEEAcABwAAAAGQAAABQAAAAAHwAAAAMAAAAxADcAAAAAAAAAAAARAQAAMVNQU+CFn/L5T2gQq5EIACsns9n1AAAAAgAAAAAIAAAA5AAAAEAAewBNAGkAYwByAG8AcwBvAGYAdAAuAFcAaQBuAGQAbwB3AHMAQwBhAGwAYwB1AGwAYQB0AG8AcgBfADEAMQAuADIANAAxADEALgAxAC4AMABfAHgANgA0AF8AXwA4AHcAZQBrAHkAYgAzAGQAOABiAGIAdwBlAD8AbQBzAC0AcgBlAHMAbwB1AHIAYwBlADoALwAvAC8AUgBlAHMAbwB1AHIAYwBlAHMALwBHAHIAYQBwAGgAaQBuAGcAQwBhAGwAYwB1AGwAYQB0AG8AcgBNAG8AZABlAFQAZQB4AHQAfQAAAAAAAAA1AAAAMVNQU2cmb0PiFOtPswoUbFO1tnQZAAAAZAAAAAAfAAAAAwAAADEANwAAAAAAAAAAAAAAAAAAAAAAARQCAAAAAADAAAAAAAAARg==",
                    "Header": {
                        "Signature": "0002140100000000c000000000000046",
                        "DataFlags": 10485893,
                        "FileAttributes": 0,
                        "TargetCreationDate": "\/Date(-11644473600000)\/",
                        "TargetModificationDate": "\/Date(-11644473600000)\/",
                        "TargetLastAccessedDate": "\/Date(-11644473600000)\/",
                        "FileSize": 0,
                        "IconIndex": 0,
                        "HotKey": "",
                        "ShowWindow": "SwNormal",
                        "Reserved0": 0,
                        "Reserved1": 0,
                        "Reserved2": 0
                    },
                    "Name": "@{Microsoft.WindowsCalculator_11.2411.1.0_x64__8wekyb3d8bbwe?ms-resource:///Resources/GraphingCalculatorModeText}",
                    "LocationFlags": 0
                },
                {
                    "TargetIDs": [
                        {
                            "__type": "Lnk.ShellItems.ShellBag0X32, Lnk",
                            "FileSize": 0,
                            "ShortName": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App",
                            "FriendlyName": "File",
                            "Value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App",
                            "ExtensionBlocks": [
                                {
                                    "__type": "ExtensionBlocks.Beef0004, ExtensionBlocks",
                                    "Identifier": 46,
                                    "MFTInformation": {
                                        "MFTEntryNumber": 0,
                                        "Note": "Network/special item"
                                    },
                                    "LongName": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App",
                                    "LocalisedName": "",
                                    "Message": "",
                                    "Size": 140,
                                    "Version": 9,
                                    "Signature": 3203334148,
                                    "VersionOffset": 60
                                }
                            ]
                        }
                    ],
                    "ExtraBlocks": [
                        {
                            "__type": "Lnk.ExtraData.PropertyStoreDataBlock, Lnk",
                            "PropertyStore": {
                                "Sheets": [
                                    {
                                        "Size": 474,
                                        "Version": "31-53-50-53",
                                        "GUID": "9f4c2855-9f79-4b39-a8d0-e1d42de1d5f3",
                                        "PropertyNames": {
                                            "28": "ms-resource:///Resources/ProgrammerModeText",
                                            "27": "ms-resource:///Resources/ProgrammerModeText",
                                            "30": "",
                                            "29": "ms-appx:///Assets/Programmer.png",
                                            "5": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App",
                                            "20": "2"
                                        },
                                        "PropertySheetType": "Numeric"
                                    },
                                    {
                                        "Size": 257,
                                        "Version": "31-53-50-53",
                                        "GUID": "f29f85e0-4ff9-1068-ab91-08002b27b3d9",
                                        "PropertyNames": {
                                            "2": "@{Microsoft.WindowsCalculator_11.2411.1.0_x64__8wekyb3d8bbwe?ms-resource:///Resources/ProgrammerModeText}"
                                        },
                                        "PropertySheetType": "Numeric"
                                    },
                                    {
                                        "Size": 49,
                                        "Version": "31-53-50-53",
                                        "GUID": "436f2667-14e2-4feb-b30a-146c53b5b674",
                                        "PropertyNames": {
                                            "100": "2"
                                        },
                                        "PropertySheetType": "Numeric"
                                    }
                                ]
                            }
                        }
                    ],
                    "SourceFile": "C:\\git\\beats\\Offset_0xF90.lnk",
                    "RawBytes": "TAAAAAEUAgAAAAAAwAAAAAAAAEaFAKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAMoAyAAyAAAAAAAAAAAAAABNaWNyb3NvZnQuV2luZG93c0NhbGN1bGF0b3JfOHdla3liM2Q4YmJ3ZSFBcHAAjAAJAAQA774AAAAAAAAAAC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE0AaQBjAHIAbwBzAG8AZgB0AC4AVwBpAG4AZABvAHcAcwBDAGEAbABjAHUAbABhAHQAbwByAF8AOAB3AGUAawB5AGIAMwBkADgAYgBiAHcAZQAhAEEAcABwAAAAPAAAAGkAQAB7AE0AaQBjAHIAbwBzAG8AZgB0AC4AVwBpAG4AZABvAHcAcwBDAGEAbABjAHUAbABhAHQAbwByAF8AMQAxAC4AMgA0ADEAMQAuADEALgAwAF8AeAA2ADQAXwBfADgAdwBlAGsAeQBiADMAZAA4AGIAYgB3AGUAPwBtAHMALQByAGUAcwBvAHUAcgBjAGUAOgAvAC8ALwBSAGUAcwBvAHUAcgBjAGUAcwAvAFAAcgBvAGcAcgBhAG0AbQBlAHIATQBvAGQAZQBUAGUAeAB0AH0AGAMAAAkAAKDaAQAAMVNQU1UoTJ95nzlLqNDh1C3h1fNpAAAAHAAAAAAfAAAALAAAAG0AcwAtAHIAZQBzAG8AdQByAGMAZQA6AC8ALwAvAFIAZQBzAG8AdQByAGMAZQBzAC8AUAByAG8AZwByAGEAbQBtAGUAcgBNAG8AZABlAFQAZQB4AHQAAABpAAAAGwAAAAAfAAAALAAAAG0AcwAtAHIAZQBzAG8AdQByAGMAZQA6AC8ALwAvAFIAZQBzAG8AdQByAGMAZQBzAC8AUAByAG8AZwByAGEAbQBtAGUAcgBNAG8AZABlAFQAZQB4AHQAAAAVAAAAHgAAAAAfAAAAAQAAAAAAAABVAAAAHQAAAAAfAAAAIQAAAG0AcwAtAGEAcABwAHgAOgAvAC8ALwBBAHMAcwBlAHQAcwAvAFAAcgBvAGcAcgBhAG0AbQBlAHIALgBwAG4AZwAAAAAAbQAAAAUAAAAAHwAAAC4AAABNAGkAYwByAG8AcwBvAGYAdAAuAFcAaQBuAGQAbwB3AHMAQwBhAGwAYwB1AGwAYQB0AG8AcgBfADgAdwBlAGsAeQBiADMAZAA4AGIAYgB3AGUAIQBBAHAAcAAAABUAAAAUAAAAAB8AAAACAAAAMgAAAAAAAAABAQAAMVNQU+CFn/L5T2gQq5EIACsns9nlAAAAAgAAAAAIAAAA1AAAAEAAewBNAGkAYwByAG8AcwBvAGYAdAAuAFcAaQBuAGQAbwB3AHMAQwBhAGwAYwB1AGwAYQB0AG8AcgBfADEAMQAuADIANAAxADEALgAxAC4AMABfAHgANgA0AF8AXwA4AHcAZQBrAHkAYgAzAGQAOABiAGIAdwBlAD8AbQBzAC0AcgBlAHMAbwB1AHIAYwBlADoALwAvAC8AUgBlAHMAbwB1AHIAYwBlAHMALwBQAHIAbwBnAHIAYQBtAG0AZQByAE0AbwBkAGUAVABlAHgAdAB9AAAAAAAAADEAAAAxU1BTZyZvQ+IU60+zChRsU7W2dBUAAABkAAAAAB8AAAACAAAAMgAAAAAAAAAAAAAAAAAAAAEUAgAAAAAAwAAAAAAAAEY=",
                    "Header": {
                        "Signature": "0002140100000000c000000000000046",
                        "DataFlags": 10485893,
                        "FileAttributes": 0,
                        "TargetCreationDate": "\/Date(-11644473600000)\/",
                        "TargetModificationDate": "\/Date(-11644473600000)\/",
                        "TargetLastAccessedDate": "\/Date(-11644473600000)\/",
                        "FileSize": 0,
                        "IconIndex": 0,
                        "HotKey": "",
                        "ShowWindow": "SwNormal",
                        "Reserved0": 0,
                        "Reserved1": 0,
                        "Reserved2": 0
                    },
                    "Name": "@{Microsoft.WindowsCalculator_11.2411.1.0_x64__8wekyb3d8bbwe?ms-resource:///Resources/ProgrammerModeText}",
                    "LocationFlags": 0
                },
                {
                    "TargetIDs": [
                        {
                            "__type": "Lnk.ShellItems.ShellBag0X32, Lnk",
                            "FileSize": 0,
                            "ShortName": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App",
                            "FriendlyName": "File",
                            "Value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App",
                            "ExtensionBlocks": [
                                {
                                    "__type": "ExtensionBlocks.Beef0004, ExtensionBlocks",
                                    "Identifier": 46,
                                    "MFTInformation": {
                                        "MFTEntryNumber": 0,
                                        "Note": "Network/special item"
                                    },
                                    "LongName": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App",
                                    "LocalisedName": "",
                                    "Message": "",
                                    "Size": 140,
                                    "Version": 9,
                                    "Signature": 3203334148,
                                    "VersionOffset": 60
                                }
                            ]
                        }
                    ],
                    "ExtraBlocks": [
                        {
                            "__type": "Lnk.ExtraData.PropertyStoreDataBlock, Lnk",
                            "PropertyStore": {
                                "Sheets": [
                                    {
                                        "Size": 486,
                                        "Version": "31-53-50-53",
                                        "GUID": "9f4c2855-9f79-4b39-a8d0-e1d42de1d5f3",
                                        "PropertyNames": {
                                            "28": "ms-resource:///Resources/DateCalculationModeText",
                                            "27": "ms-resource:///Resources/DateCalculationModeText",
                                            "30": "",
                                            "29": "ms-appx:///Assets/Date.png",
                                            "5": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App",
                                            "20": "3"
                                        },
                                        "PropertySheetType": "Numeric"
                                    },
                                    {
                                        "Size": 269,
                                        "Version": "31-53-50-53",
                                        "GUID": "f29f85e0-4ff9-1068-ab91-08002b27b3d9",
                                        "PropertyNames": {
                                            "2": "@{Microsoft.WindowsCalculator_11.2411.1.0_x64__8wekyb3d8bbwe?ms-resource:///Resources/DateCalculationModeText}"
                                        },
                                        "PropertySheetType": "Numeric"
                                    },
                                    {
                                        "Size": 49,
                                        "Version": "31-53-50-53",
                                        "GUID": "436f2667-14e2-4feb-b30a-146c53b5b674",
                                        "PropertyNames": {
                                            "100": "3"
                                        },
                                        "PropertySheetType": "Numeric"
                                    }
                                ]
                            }
                        }
                    ],
                    "SourceFile": "C:\\git\\beats\\Offset_0x14A8.lnk",
                    "RawBytes": "TAAAAAEUAgAAAAAAwAAAAAAAAEaFAKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAMoAyAAyAAAAAAAAAAAAAABNaWNyb3NvZnQuV2luZG93c0NhbGN1bGF0b3JfOHdla3liM2Q4YmJ3ZSFBcHAAjAAJAAQA774AAAAAAAAAAC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE0AaQBjAHIAbwBzAG8AZgB0AC4AVwBpAG4AZABvAHcAcwBDAGEAbABjAHUAbABhAHQAbwByAF8AOAB3AGUAawB5AGIAMwBkADgAYgBiAHcAZQAhAEEAcABwAAAAPAAAAG4AQAB7AE0AaQBjAHIAbwBzAG8AZgB0AC4AVwBpAG4AZABvAHcAcwBDAGEAbABjAHUAbABhAHQAbwByAF8AMQAxAC4AMgA0ADEAMQAuADEALgAwAF8AeAA2ADQAXwBfADgAdwBlAGsAeQBiADMAZAA4AGIAYgB3AGUAPwBtAHMALQByAGUAcwBvAHUAcgBjAGUAOgAvAC8ALwBSAGUAcwBvAHUAcgBjAGUAcwAvAEQAYQB0AGUAQwBhAGwAYwB1AGwAYQB0AGkAbwBuAE0AbwBkAGUAVABlAHgAdAB9ADADAAAJAACg5gEAADFTUFNVKEyfeZ85S6jQ4dQt4dXzdQAAABwAAAAAHwAAADEAAABtAHMALQByAGUAcwBvAHUAcgBjAGUAOgAvAC8ALwBSAGUAcwBvAHUAcgBjAGUAcwAvAEQAYQB0AGUAQwBhAGwAYwB1AGwAYQB0AGkAbwBuAE0AbwBkAGUAVABlAHgAdAAAAAAAdQAAABsAAAAAHwAAADEAAABtAHMALQByAGUAcwBvAHUAcgBjAGUAOgAvAC8ALwBSAGUAcwBvAHUAcgBjAGUAcwAvAEQAYQB0AGUAQwBhAGwAYwB1AGwAYQB0AGkAbwBuAE0AbwBkAGUAVABlAHgAdAAAAAAAFQAAAB4AAAAAHwAAAAEAAAAAAAAASQAAAB0AAAAAHwAAABsAAABtAHMALQBhAHAAcAB4ADoALwAvAC8AQQBzAHMAZQB0AHMALwBEAGEAdABlAC4AcABuAGcAAAAAAG0AAAAFAAAAAB8AAAAuAAAATQBpAGMAcgBvAHMAbwBmAHQALgBXAGkAbgBkAG8AdwBzAEMAYQBsAGMAdQBsAGEAdABvAHIAXwA4AHcAZQBrAHkAYgAzAGQAOABiAGIAdwBlACEAQQBwAHAAAAAVAAAAFAAAAAAfAAAAAgAAADMAAAAAAAAADQEAADFTUFPghZ/y+U9oEKuRCAArJ7PZ8QAAAAIAAAAACAAAAN4AAABAAHsATQBpAGMAcgBvAHMAbwBmAHQALgBXAGkAbgBkAG8AdwBzAEMAYQBsAGMAdQBsAGEAdABvAHIAXwAxADEALgAyADQAMQAxAC4AMQAuADAAXwB4ADYANABfAF8AOAB3AGUAawB5AGIAMwBkADgAYgBiAHcAZQA/AG0AcwAtAHIAZQBzAG8AdQByAGMAZQA6AC8ALwAvAFIAZQBzAG8AdQByAGMAZQBzAC8ARABhAHQAZQBDAGEAbABjAHUAbABhAHQAaQBvAG4ATQBvAGQAZQBUAGUAeAB0AH0AAAAAAAAAAAAxAAAAMVNQU2cmb0PiFOtPswoUbFO1tnQVAAAAZAAAAAAfAAAAAgAAADMAAAAAAAAAAAAAAAAAAAA=",
                    "Header": {
                        "Signature": "0002140100000000c000000000000046",
                        "DataFlags": 10485893,
                        "FileAttributes": 0,
                        "TargetCreationDate": "\/Date(-11644473600000)\/",
                        "TargetModificationDate": "\/Date(-11644473600000)\/",
                        "TargetLastAccessedDate": "\/Date(-11644473600000)\/",
                        "FileSize": 0,
                        "IconIndex": 0,
                        "HotKey": "",
                        "ShowWindow": "SwNormal",
                        "Reserved0": 0,
                        "Reserved1": 0,
                        "Reserved2": 0
                    },
                    "Name": "@{Microsoft.WindowsCalculator_11.2411.1.0_x64__8wekyb3d8bbwe?ms-resource:///Resources/DateCalculationModeText}",
                    "LocationFlags": 0
                }
            ]
        }
    ]
}
Osquery Extension Output (This PR) 
[
  {
    "application_id": "ff99ba2fb2e34b73",
    "application_name": "Windows Calculator",
    "command_line_arguments": "",
    "file_size": "0",
    "hot_key": "",
    "icon_index": "0",
    "icon_location": "",
    "jumplist_type": "custom",
    "local_path": "",
    "name": "@{Microsoft.WindowsCalculator_11.2411.1.0_x64__8wekyb3d8bbwe?ms-resource:///Resources/StandardModeText}",
    "show_window": "SW_SHOWNORMAL",
    "source_file_path": "C:\\Users\\brian.WIN10DEV\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\ff99ba2fb2e34b73.customDestinations-ms",
    "target_creation_time": "0",
    "target_last_accessed_time": "0",
    "target_modification_time": "0",
    "volume_label": "",
    "volume_label_offset": "0",
    "volume_serial_number": "",
    "volume_type": ""
  },
  {
    "application_id": "ff99ba2fb2e34b73",
    "application_name": "Windows Calculator",
    "command_line_arguments": "",
    "file_size": "0",
    "hot_key": "",
    "icon_index": "0",
    "icon_location": "",
    "jumplist_type": "custom",
    "local_path": "",
    "name": "@{Microsoft.WindowsCalculator_11.2411.1.0_x64__8wekyb3d8bbwe?ms-resource:///Resources/ScientificModeText}",
    "show_window": "SW_SHOWNORMAL",
    "source_file_path": "C:\\Users\\brian.WIN10DEV\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\ff99ba2fb2e34b73.customDestinations-ms",
    "target_creation_time": "0",
    "target_last_accessed_time": "0",
    "target_modification_time": "0",
    "volume_label": "",
    "volume_label_offset": "0",
    "volume_serial_number": "",
    "volume_type": ""
  },
  {
    "application_id": "ff99ba2fb2e34b73",
    "application_name": "Windows Calculator",
    "command_line_arguments": "",
    "file_size": "0",
    "hot_key": "",
    "icon_index": "0",
    "icon_location": "",
    "jumplist_type": "custom",
    "local_path": "",
    "name": "@{Microsoft.WindowsCalculator_11.2411.1.0_x64__8wekyb3d8bbwe?ms-resource:///Resources/GraphingCalculatorModeText}",
    "show_window": "SW_SHOWNORMAL",
    "source_file_path": "C:\\Users\\brian.WIN10DEV\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\ff99ba2fb2e34b73.customDestinations-ms",
    "target_creation_time": "0",
    "target_last_accessed_time": "0",
    "target_modification_time": "0",
    "volume_label": "",
    "volume_label_offset": "0",
    "volume_serial_number": "",
    "volume_type": ""
  },
  {
    "application_id": "ff99ba2fb2e34b73",
    "application_name": "Windows Calculator",
    "command_line_arguments": "",
    "file_size": "0",
    "hot_key": "",
    "icon_index": "0",
    "icon_location": "",
    "jumplist_type": "custom",
    "local_path": "",
    "name": "@{Microsoft.WindowsCalculator_11.2411.1.0_x64__8wekyb3d8bbwe?ms-resource:///Resources/ProgrammerModeText}",
    "show_window": "SW_SHOWNORMAL",
    "source_file_path": "C:\\Users\\brian.WIN10DEV\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\ff99ba2fb2e34b73.customDestinations-ms",
    "target_creation_time": "0",
    "target_last_accessed_time": "0",
    "target_modification_time": "0",
    "volume_label": "",
    "volume_label_offset": "0",
    "volume_serial_number": "",
    "volume_type": ""
  },
  {
    "application_id": "ff99ba2fb2e34b73",
    "application_name": "Windows Calculator",
    "command_line_arguments": "",
    "file_size": "0",
    "hot_key": "",
    "icon_index": "0",
    "icon_location": "",
    "jumplist_type": "custom",
    "local_path": "",
    "name": "@{Microsoft.WindowsCalculator_11.2411.1.0_x64__8wekyb3d8bbwe?ms-resource:///Resources/DateCalculationModeText}",
    "show_window": "SW_SHOWNORMAL",
    "source_file_path": "C:\\Users\\brian.WIN10DEV\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\ff99ba2fb2e34b73.customDestinations-ms",
    "target_creation_time": "0",
    "target_last_accessed_time": "0",
    "target_modification_time": "0",
    "volume_label": "",
    "volume_label_offset": "0",
    "volume_serial_number": "",
    "volume_type": ""
  }
]

As you can probably see, the JLECmd output is more extensive than what we are providing in this PR. This PR contains as much of the crucial fields as possible, while balancing that against the difficulty to get at some of the fields. JLECmd goes deep into parsing the internal data structures of the LNK file (Shellbags). We can do that as well, but it would be follow on work and not within the scope of this PR.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works. Where relevant, I have used the stresstest.sh script to run them under stress conditions and race detector to verify their stability.
  • I have added an entry in ./changelog/fragments using the changelog tool.

Disruptive User Impact

Author's Checklist

  • [ ]

How to test this PR locally

Related issues

Use cases

Screenshots

Logs

brian-mckinney and others added 30 commits October 8, 2025 14:55
@brian-mckinney
amcache osquery extension initial work:wq!
c57891d
@brian-mckinney
individual tables
0e99b6f
@brian-mckinney
Shared global state, constraints
ca5de0b
@brian-mckinney
Merge remote-tracking branch 'origin/main' into amcache
2f30f9b
@brian-mckinney
go mod/sum
f0eb0e6
@brian-mckinney
Refactor + Tests
74502e6
@brian-mckinney
fix unused import
9bc0763
@brian-mckinney
remove unecessary log statements
499c6c1
@brian-mckinney
go mod tidy
ce6735d
@brian-mckinney
Merge branch 'main' into amcache
9da02c2
@brian-mckinney
remove unecessary file
0320bf1
@brian-mckinney
formatting
80414fd
@brian-mckinney
Add detailed comments around Globalstate
6d343b7
@marc-gr
feat: Implement encoding package with MarshalToMap and EncodingFlag s…
b1dc94a 
…upport
@emilioalvap
Merge branch 'main' into feat/osquery-ext-encoding
88241ff
@marc-gr
fix: Update EncodingFlag constants and enhance tests for zero value h…
bdbf507 
…andling
@marc-gr
Merge remote-tracking branch 'upstream/main' into feat/osquery-ext-en…
c95b25f 
…coding
@marc-gr
fix: Enhance float handling in convertValueToString to respect zero v…
1bd24db 
…alue flag
@brian-mckinney
add view creator
2ba9dfe
@brian-mckinney
Merge remote-tracking branch 'beats/main' into amcache
797c348
@brian-mckinney
fix main.go
2ac148b
@brian-mckinney
fix main.go .. again
0db35f1
@marc-gr
fix: Remove unused EncodingFlagParseUnexported and related test cases
3aca547
@brian-mckinney
debugging for agent package
4986161
@brian-mckinney
Merge remote-tracking branch 'marc-beats/feat/osquery-ext-encoding' i…
f10bc9f 
…nto amcache
@brian-mckinney
Merge branch 'main' into amcache
663c516
@brian-mckinney
refactor + view creator
88881e4
@brian-mckinney
changelog fragment
d32b108
@brian-mckinney
Merge branch 'amcache' of github.com:brian-mckinney/beats into amcache
cd06cc7
@brian-mckinney
make amcache global state explicit, move view creator
aba5563
@brian-mckinney brian-mckinney added the Team:Security-Windows Platform Windows Platform Team in Security Solution label Nov 21, 2025
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Nov 21, 2025
@elasticmachine
Copy link
Contributor

elasticmachine commented Nov 21, 2025

Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Nov 21, 2025
@github-actions
Copy link
Contributor

github-actions bot commented Nov 21, 2025

🤖 GitHub comments

Just comment with:

  • run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)

@mergify
Copy link
Contributor

mergify bot commented Nov 28, 2025

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b jumplists upstream/jumplists
git merge upstream/main
git push upstream jumplists

@brian-mckinney brian-mckinney marked this pull request as draft December 4, 2025 21:59
@brian-mckinney brian-mckinney changed the title [Osquerybeat] [WIP] Custom Jumplists [Osquerybeat] Jumplists - Custom Dec 10, 2025
@brian-mckinney brian-mckinney mentioned this pull request Dec 10, 2025
Draft
6 tasks
@brian-mckinney brian-mckinney marked this pull request as ready for review December 12, 2025 21:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@brian-mckinney brian-mckinney

Labels

backport-skip Skip notification from the automated backport with mergify enhancement Osquerybeat Team:Security-Windows Platform Windows Platform Team in Security Solution

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@brian-mckinney @elasticmachine @marc-gr @emilioalvap