Cb LiveOps: Querying User Account Certificates Returns No Results

Environment

  • Cb Defense PSC Console: All Versions
  • Cb Defense Sensor: Version 3.3 and Higher
  • Microsoft Windows: All Supported Versions
  • Cb LiveOps: LiveQuery page

Symptoms

  • Querying the certificates table in LiveQuery returns only items in the System/Local Computer store, not items from the user account or personal store
  • Running the same query using osqueryi on an endpoint returns all certificates from the user and local computer stores

Cause

  • The Cb Defense Sensor runs queries in the local system/local machine context only

Resolution

  • The query needs to be run in the user context to get results that include personal certificates
  • Run the query directly from osqueryi on the endpoint to return results from both the user/personal and the local/machine account stores
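
An added example, not part of the original article: two queries against the osquery certificates table that show which store contexts a given run actually covers, so the osqueryi output can be compared with what LiveQuery returned. The column names are those of the Windows certificates table in osquery; the 'LocalMachine' literal is an assumed value for store_location and should be confirmed against the output of the first query.

```sql
-- Added example (not from the original article).
-- Run in osqueryi on the endpoint, in the context being tested.

-- 1) Summary: which store locations and accounts did this context return?
--    Rows with a user's name in "username" come from user/personal stores;
--    if none appear, the query ran without access to the user context.
SELECT store_location,
       username,
       store,
       COUNT(*) AS cert_count
FROM certificates
GROUP BY store_location, username, store
ORDER BY store_location, username, store;

-- 2) Detail: certificates that are not in the machine store.
--    'LocalMachine' is an assumed store_location value; use the value
--    shown for the machine store in the summary above.
SELECT username,
       store,
       common_name,
       issuer,
       datetime(not_valid_after, 'unixepoch') AS expires_utc,
       sha1
FROM certificates
WHERE store_location <> 'LocalMachine'
ORDER BY username, expires_utc;
```

If the summary returns only machine-store rows, the query ran in the local system context described under Cause.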

Additional Notes

  • LiveQuery only runs in the local system context; no user impersonation is available
  • Results for other contexts (such as user) will not be returned

Creation Date: 12-06-2018