Skip to main content

Run OSQuery Commands -- View VS Code Extension Reports

Updated yesterday

This article explains how to use Swif to:

  • Run OSQuery-based commands using a Command Template

  • View structured OSQuery Command Reports for VS Code extensions

  • Access the same report from both Commands and Device Details

  • Download a CSV report of the OSQuery results

This feature extends the existing commands experience described here:
Run Commands by Script, OSQuery, File, or Git Repo | Help Center | Swif.ai

1. What is the OSQuery VS Code Extensions Report?

Swif can run an OSQuery script on your managed devices (macOS, Windows, Linux) to collect information about installed VS Code extensions for each local user.

The OSQuery command returns a table of extensions with fields such as:

  • name

  • version

  • bundle_identifier (empty for VS Code extensions)

  • extension_id

  • browser (empty for VS Code extensions)

  • source (e.g. vscode_extensions)

  • vendor (publisher)

  • last_opened_at (empty for this query)

  • installed_path

Swif saves these results and displays them in a structured Command Report instead of a raw text blob.

Note: The backend can return dynamic columns for other OSQuery use cases. The UI will display all columns returned by the backend, not a hard‑coded list.

2. Prerequisites

Before you run this command and view reports:

  1. Supported OSQuery version

    The VS Code extensions script requires OSQuery v5.21.0 or newer on devices.

    • macOS

      osqueryi --version

    • Windows

      "C:\Program Files\osquery\osqueryi.exe" --version

    If OSQuery is missing or outdated, install the latest official build:
    https://osquery.io/downloads/official/5.21.0

  2. Swif agent is installed and online on the target devices.

  3. Your Swif account has permission to:

    • View and create Commands

    • Access Device Details

3. OSQuery Command Template for VS Code Extensions

Swif provides an OSQuery command type that reuses the standard Command Template workflow but with an OSQuery-specific Execution Type.

3.1. Create an OSQuery command template

  1. In the Swif web app, go to Commands →.

  2. Click Create Command.

  3. For Template type, select OSQuery.

  4. The Execution Type field:

    • Is automatically set to the OSQuery value.

    • Is read‑only/disabled for OSQuery templates.

  5. Fill in the remaining required fields (for example: name, scope, description) according to your policy/usage.

  6. Save the template.

After saving:

  • The template appears in the templates list.

  • The Execution Type column shows the OSQuery label for this template.

3.2. OSQuery script for VS Code extensions

The template is wired to a backend OSQuery script that retrieves VS Code extensions for each non‑system user on macOS, Windows, and Linux.

For reference, the query used for all three platforms follows this pattern:

WITH cached_users AS (WITH cached_groups AS (select * from groups)
 SELECT uid, uuid, username, type, groupname, shell
 FROM users LEFT JOIN cached_groups USING (gid)
 WHERE type <> 'special' AND shell NOT LIKE '%/false' AND shell NOT LIKE '%/nologin'
   AND shell NOT LIKE '%/shutdown' AND shell NOT LIKE '%/halt'
   AND username NOT LIKE '%$' AND username NOT LIKE '\_%' ESCAPE '\'
   AND NOT (username = 'sync' AND shell ='/bin/sync' AND directory <> ''))
SELECT
  name,
  version,
  '' AS bundle_identifier,
  vscode_extensions.uuid AS extension_id,
  '' AS browser,
  'vscode_extensions' AS source,
  publisher AS vendor,
  '' AS last_opened_at,
  path AS installed_path
FROM cached_users CROSS JOIN vscode_extensions USING (uid);

This query runs on macOS, Windows, and Linux with OSQuery v5.21.0.

3.3. OSQuery‑specific behavior

For OSQuery commands:

  • Execution Type is managed by the backend and cannot be edited in the UI.

  • Timeout After and Run As fields are hidden for OSQuery command creation and update flows (they are not required for this command type).

4. Running the OSQuery VS Code Extensions Command

You can run the OSQuery VS Code Extensions command just like other commands described in the main Commands article:
Run Commands by Script, OSQuery, File, or Git Repo | Help Center | Swif.ai

High‑level steps:

  1. Go to Commands → Commands.

  2. Select the OSQuery – VS Code Extensions command (or your custom OSQuery template).

  3. Click Run command (or use the OSQuery template directly if your workflow supports it).

  4. Choose target devices or groups.

  5. Confirm and run the command.

Once devices complete execution and send results back, an OSQuery Command Report becomes available for that command/device.

5. Viewing OSQuery Command Reports from Commands

You can open the OSQuery report from the Commands list via the Command Details panel.

5.1. Open the report from Command Details

  1. Go to Commands → Commands.

  2. Locate an OSQuery command that has successfully run on at least one device.

  3. Click the command to open Command Details.

  4. In Command Details, look for the Command Report entry/tab specific to OSQuery (per the “Command Details 1.3.3 [Command Report – OSQuery]” design).

  5. Click Command Report.

You’ll see:

  • The OSQuery Command Report view in the Command Details context.

  • Titles/breadcrumbs clearly indicating:

    • The command name, and

    • That this is an OSQuery command report.

  • For non‑OSQuery commands, this OSQuery report entry will not appear (or will be disabled), so the report is strictly OSQuery‑only.

5.2. What the report looks like

In the OSQuery Command Report:

  • Results are displayed as a table, not plain text.

  • Each row represents a single VS Code extension result for a specific device/user.

  • Columns match what the backend returns. For the VS Code example, expect:

    • name

    • version

    • bundle_identifier

    • extension_id

    • browser

    • source

    • vendor

    • last_opened_at

    • installed_path

  • Table styling and behaviors:

    • Standard Swif table header and row hover styling.

    • Loading and empty states consistent with the rest of the Commands UI.

    • Pagination or scrolling behavior when there are more rows than fit on one page.

  • If the backend returns no data (for example, OSQuery error or no extensions found), you’ll see an appropriate empty/“no results” state.

6. Viewing OSQuery Command Reports from Device Details

You can also access exactly the same OSQuery report from the device’s own page.

6.1. Open the report from Device Details

  1. Go to Devices and open the Device Details page for a device that has run the OSQuery command.

  2. Click the Commands tab for that device.

  3. In the commands list, locate the OSQuery command entry (e.g. “OSQuery – VS Code Extensions”).

  4. Click View report (or the equivalent report icon/action) for that row.

You’ll see:

  • An OSQuery Command Report view opened within the Device Details context.

  • Title/breadcrumbs indicating both:

    • The command (OSQuery VS Code extensions), and

    • The device you’re viewing.

  • The report is a drill‑in panel/page; you remain within Device Details (no full‑page navigation away).

6.2. Same data from both entry points

Whether you open the report from:

  • Command Details → Command Report, or

  • Device Details → Commands tab → View report,

the OSQuery Command Report uses the same underlying report data, so you should see:

  • Identical rows and values for the same command/device.

  • Same columns, order, labels, and default sorting.

This ensures consistency across both workflows.

7. Downloading OSQuery Results as CSV

From the Device Details → Commands tab → View report flow, you can download the OSQuery results as CSV.

7.1. Download the CSV report

  1. Open Device Details for the target device.

  2. Go to the Commands tab.

  3. For the OSQuery command row, click View report to open the OSQuery Command Report.

  4. In the report view, look for the CSV download control (as shown in “Device Details – Commands Tab 1.3.5 [Command Report – OSQuery, Column Selector]”).

  5. Click the CSV download button/link.

Expected behavior:

  • A CSV file downloads without errors.

  • Each row in the CSV corresponds to one OSQuery result row in the table.

  • Columns match the on‑screen table, including dynamic columns returned by the backend (for VS Code: name, version, bundle_identifier, extension_id, browser, source, vendor, last_opened_at, installed_path).

  • Sampled records in the CSV match the UI values exactly.

8. Troubleshooting OSQuery Command Reports

If your OSQuery report is empty or showing errors, check the following:

8.1. No results in the report

Possible causes:

  • OSQuery is not installed or is an unsupported version.

  • The device has no VS Code extensions for any eligible users.

  • The command failed on the device (exit status not successful).

What to do:

  1. Verify OSQuery version on the device (see Prerequisites).

  2. In the Commands UI, inspect the command’s execution status for that device.

  3. If you’re comfortable checking logs/API responses, confirm that the backend OSQuery result payload actually contains rows.

8.2. Errors when running the command

Typical examples:

  • Missing binary (Windows):

    • fork/exec C:\Program Files\osquery\osqueryi.exe: The system cannot find the file specified.
      → Install OSQuery into the expected path or update your environment so OSQuery is available.

  • Exit status 1 (macOS/other):
    General OSQuery execution issue; can be caused by:

    • Incorrect or incompatible OSQuery version.

    • OSQuery not properly installed.

    • Underlying table (e.g., vscode_extensions) not available in the OSQuery build.

To resolve:

  1. Re‑run the OSQuery command from Swif.

  2. Open the OSQuery Command Report again from Command Details or Device Details.

Related Articles
Run a Command Script
How to run Commands as sudo on macOS with Swif
View Command Report
Viewing Installed Browser Extensions in Swif
Run Commands by Script, OSQuery, File, or Git Repo
Did this answer your question?