Tables
Fleet uses osquery tables to query operating system, hardware, and software data. Each table provides specific data for analysis and filtering.
Apple
Linux
Windows
ChromeOS
process_etw_events
process_etw_events EVENTED TABLE
Windows process execution events.
| Column | Type | Description |
|---|---|---|
| cmdline | text | Command Line |
| datetime | text | Event timestamp in DATETIME format |
| eid | integer | Event ID Not returned in SELECT * FROM process_etw_events. |
| exit_code | integer | Exit Code - Present only on ProcessStop events |
| flags | integer | Process Flags |
| header_pid | bigint | Process ID of the process reporting the event Not returned in SELECT * FROM process_etw_events. |
| mandatory_label | text | Primary token mandatory label sid - Present only on ProcessStart events |
| parent_process_sequence_number | bigint | Parent Process Sequence Number - Present only on ProcessStart events Not returned in SELECT * FROM process_etw_events. |
| path | text | Path of executed binary |
| pid | bigint | Process ID |
| ppid | bigint | Parent Process ID |
| process_sequence_number | bigint | Process Sequence Number - Present only on ProcessStart events Not returned in SELECT * FROM process_etw_events. |
| session_id | integer | Session ID |
| time | bigint | Event timestamp in Unix format Not returned in SELECT * FROM process_etw_events. |
| time_windows | bigint | Event timestamp in Windows format Not returned in SELECT * FROM process_etw_events. |
| token_elevation_status | integer | Primary token elevation status - Present only on ProcessStart events |
| token_elevation_type | text | Primary token elevation type - Present only on ProcessStart events |
| type | text | Event Type (ProcessStart, ProcessStop) |
| username | text | User rights - primary token username |
Example
select * from process_etw_events WHERE datetime BETWEEN '2022-11-18 16:40:00' AND '2022-11-18 16:50:00';
Edit page
Ask us anything
Questions?
SOC2 Type 2
© 2025 Fleet Inc.
Privacy
