[virtual tables] Build cpu_time table for Windows

[yux-m]

Resolves #4382.

The unit of time in this implementation is hundredths of a second, which is consistent with the linux implementation. However, I wonder if millisecond is more intuitive and if it is required to keep this consistent across operating systems. Currently linux's version uses clock ticks (~0.01sec) and mac's uses microseconds (1e-6sec).

[directionless]

You'll need to move the spec file to have this work on windows.

Good callout about the units. I'm not really sure what we should be doing here. Merits thought.

[directionless]

Hrm. I think this is going to be weird. We already see some issues around uptime not behaving as expected, and I think the lack of precision in percent is going to make this jump around.

[yux-m]

Thanks for the help! I've moved the spec file.

I'm still looking for a better source of uptime or specific times in windows, and yeah, I think the precision is a real problem - elapsed time given by wmi is in seconds as int, and the percentages are also integers. (It probably didn't make sense to use 0.01 sec as the unit.)

In case it doesn't work out, do you think it's a good idea to provide the percents instead, maybe in a new table just for windows?

[Smjert]

If you move or add a spec file (any file that contributes in the build really), you also have to modify the respective CMakeLists.txt.
In this case https://github.com/osquery/osquery/blob/master/specs/CMakeLists.txt; you would have to move the file from the platform_dependent to the independent one.

[yux-m]

Thanks for the guidance!

[yux-m]

Using percentage to calculate the time is really not a good idea. I haven't found any other source of cpu time data in Windows but I'll keep looking.
If the table for windows can be different with linux/max, is it ok if we provide percents instead of precise time?

[Smjert]

@yux-m I just realized that there's some confusion here, the cpu_time table is meant to provide the CPU time for each CPU and core, not for every process. The WMI class you are accessing lists the CPU usage and other statistics for each process.

[yux-m]

@yux-m I just realized that there's some confusion here, the cpu_time table is meant to provide the CPU time for each CPU and core, not for every process. The WMI class you are accessing lists the CPU usage and other statistics for each process.

My mistake. I used the wrong table for uptime. I'll look for the right table (if there is) or a substitute.
The second table Win32_PerfFormattedData_Counters_ProcessorInformation is indeed for processors, so hopefully only the uptime part needs to be modified.

[yux-m]

Haven't got too much luck on finding an equivalent data source of Windows.
Most recent commits fixed the uptime problem. Now the times are calculated by percentage * (time elapsed since the system was last restarted), listed by processors (cores). I added a row on top for aggregate data.
Not much improvement on precision unfortunately.

[directionless]

Haven't got too much luck on finding an equivalent data source of Windows. Most recent commits fixed the uptime problem. Now the times are calculated by percentage * (time elapsed since the system was last restarted), listed by processors (cores). I added a row on top for aggregate data. Not much improvement on precision unfortunately.

I'm a bit torn between adding columns for percentages, and just presenting that. (And maybe calculating it for the other platforms) vs taking the imprecision. Neither feels good