From 78f78fed001a494f0db271f180b9bf1d8e611365 Mon Sep 17 00:00:00 2001
From: Brad Thompson
Date: Fri, 8 Feb 2019 11:45:54 -0800
Subject: [PATCH 01/13] Commit initial HVCI table and schema.
---
osquery/tables/system/windows/hvci_status.cpp | 89 +++++++++++++++++++
specs/windows/hvci_status.table | 10 +++
2 files changed, 99 insertions(+)
create mode 100644 osquery/tables/system/windows/hvci_status.cpp
create mode 100644 specs/windows/hvci_status.table
diff --git a/osquery/tables/system/windows/hvci_status.cpp b/osquery/tables/system/windows/hvci_status.cpp
new file mode 100644
index 00000000000..7ce75f44ec2
--- /dev/null
+++ b/osquery/tables/system/windows/hvci_status.cpp
@@ -0,0 +1,89 @@
+#include
+#include
+#include
+
+#include "osquery/core/conversions.h"
+#include "osquery/core/windows/wmi.h"
+
+namespace osquery {
+namespace tables {
+
+QueryData genHVCIStatus(QueryContext& context) {
+ Row r;
+ QueryData results;
+
+ const WmiRequest wmiSystemReq("SELECT * FROM Win32_DeviceGuard",
+ (BSTR)L"ROOT\\MICROSOFT\\WINDOWS\\DEVICEGUARD");
+ const std::vector& wmiResults = wmiSystemReq.results();
+ if (wmiResults.empty()) {
+ LOG(WARNING) << "Error retreiving information from WMI.";
+ return results;
+ }
+ for (const auto& data : wmiResults) {
+ long vbsmethod;
+ long codepolicystatusmethod;
+ long umcipolicymethod;
+
+ data.GetString("Version", r["version"]);
+ data.GetString("InstanceIdentifier", r["instance_identifier"]);
+ data.GetLong("VirtualizationBasedSecurityStatus", vbsmethod);
+ data.GetLong("CodeIntegrityPolicyEnforcementStatus",
+ codepolicystatusmethod);
+ data.GetLong("UsermodeCodeIntegrityPolicyEnforcementStatus",
+ umcipolicymethod);
+ data.GetVectorOfStrings("AvailableSecurityProperties",
+ r["available_security_properties"]);
+
+ std::string vbsmethod_str;
+ std::map vbsmethods;
+
+ std::string codepolicystatusmethod_str;
+ std::map codepolicystatusmethods;
+
+ std::string umcipolicymethod_str;
+ std::map umcipolicymethods;
+
+ vbsmethods[0] = "VBS_NOT_ENABLED";
+ vbsmethods[1] = "VBS_ENABLED_AND_NOT_RUNNING";
+ vbsmethods[2] = "VBS_ENABLED_AND_RUNNING";
+
+ codepolicystatusmethods[0] = "OFF";
+ codepolicystatusmethods[1] = "AUDIT_MODE";
+ codepolicystatusmethods[2] = "ENFORCED_MODE";
+
+ umcipolicymethods[0] = "OFF";
+ umcipolicymethods[0] = "AUDIT_MODE";
+ umcipolicymethods[0] = "ENFORCED_MODE";
+
+ if (vbsmethods.find(vbsmethod) != vbsmethods.end()) {
+ vbsmethod_str = vbsmethods.find(vbsmethod)->second;
+ } else {
+ vbsmethod_str = "UNKNOWN";
+ }
+
+ if (codepolicystatusmethods.find(codepolicystatusmethod) !=
+ codepolicystatusmethods.end()) {
+ codepolicystatusmethod_str =
+ codepolicystatusmethods.find(codepolicystatusmethod)->second;
+ } else {
+ codepolicystatusmethod_str = "UNKNOWN";
+ }
+
+ if (umcipolicymethods.find(umcipolicymethod) != umcipolicymethods.end()) {
+ umcipolicymethod_str = umcipolicymethods.find(umcipolicymethod)->second;
+ } else {
+ umcipolicymethod_str = "UNKNOWN";
+ }
+
+ r["vbs_status"] = vbsmethod_str;
+ r["code_integirty_policy_enforcement_status"] = codepolicystatusmethod_str;
+ r["umci_policy_status"] = umcipolicymethod_str;
+
+ // stuff goes before here
+ results.push_back(r);
+ }
+ return results;
+}
+} // namespace tables
+} // namespace osquery
+// namespace osquery
\ No newline at end of file
diff --git a/specs/windows/hvci_status.table b/specs/windows/hvci_status.table
new file mode 100644
index 00000000000..6b1b14c8ea2
--- /dev/null
+++ b/specs/windows/hvci_status.table
@@ -0,0 +1,10 @@
+table_name("hvci_status")
+description("Retrieve HVCI info of the machine.")
+schema([
+ Column("version", TEXT, "The version number of the Device Guard build."),
+ Column("instance_identifier", TEXT, "The instance ID of Device Guard."),
+ Column("vbs_status", TEXT, "The status of the virtualization based security settings."),
+ Column("code_integirty_policy_enforcement_status", TEXT, "The status of the code integirty policy enforcement settings."),
+ Column("umci_policy_status", TEXT, "The status of the User Mode Code Integrity security settings."),
+])
+implementation("system/windows/hvci_info@genHVCIStatus")
\ No newline at end of file
From 0e3f3f5757347bc83037628f23c26b1da333d7df Mon Sep 17 00:00:00 2001
From: Brad Thompson
Date: Fri, 8 Feb 2019 14:29:32 -0800
Subject: [PATCH 02/13] Fix typo with one of the umcipolicy, remove VectorOfStrings call.
---
osquery/tables/system/windows/hvci_status.cpp | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/osquery/tables/system/windows/hvci_status.cpp b/osquery/tables/system/windows/hvci_status.cpp
index 7ce75f44ec2..d9abd9f4f28 100644
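Review bot: The three status locals `long vbsmethod;`, `long codepolicystatusmethod;` and `long umcipolicymethod;` are declared uninitialised, and the status that each `data.GetLong(...)` call appears to return is discarded, so a property that WMI does not supply on a given host leaves an indeterminate value that is then fed to `vbsmethods.find(vbsmethod)` and the two lookups after it. Initialising each to a value outside the tables, e.g. `long vbsmethod = -1;`, makes that case fall through to the existing `"UNKNOWN"` branches; checking the returned status would be clearer still. The `LOG(WARNING)` on an empty result set also treats a host that simply has no Win32_DeviceGuard instance as an error, and the message misspells "retrieving".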
--- a/osquery/tables/system/windows/hvci_status.cpp
+++ b/osquery/tables/system/windows/hvci_status.cpp
@@ -31,8 +31,6 @@ QueryData genHVCIStatus(QueryContext& context) {
 codepolicystatusmethod);
 data.GetLong("UsermodeCodeIntegrityPolicyEnforcementStatus",
 umcipolicymethod);
- data.GetVectorOfStrings("AvailableSecurityProperties",
- r["available_security_properties"]);

 std::string vbsmethod_str;
 std::map vbsmethods;
@@ -52,8 +50,8 @@ QueryData genHVCIStatus(QueryContext& context) {
 codepolicystatusmethods[2] = "ENFORCED_MODE";

 umcipolicymethods[0] = "OFF";
- umcipolicymethods[0] = "AUDIT_MODE";
- umcipolicymethods[0] = "ENFORCED_MODE";
+ umcipolicymethods[1] = "AUDIT_MODE";
+ umcipolicymethods[2] = "ENFORCED_MODE";

 if (vbsmethods.find(vbsmethod) != vbsmethods.end()) {
 vbsmethod_str = vbsmethods.find(vbsmethod)->second;
From 909c4ac2356bb6cb7de733e1e771c4e80a766907 Mon Sep 17 00:00:00 2001
From: Brad Thompson
Date: Fri, 8 Feb 2019 11:45:54 -0800
Subject: [PATCH 03/13] Commit initial HVCI table and schema. Fix typo with one of the umcipolicy, remove VectorOfStrings call. Fix"integrity" spelling issues. Remove map calls to use arrays. Switch to vectors instead of array methods. Add conditional statements to use "unknown" for out-of-range values. Remove extraneous comment.
---
osquery/tables/system/windows/hvci_status.cpp | 58 +++++++++++++++++++
specs/windows/hvci_status.table | 10 ++++
2 files changed, 68 insertions(+)
create mode 100644 osquery/tables/system/windows/hvci_status.cpp
create mode 100644 specs/windows/hvci_status.table
diff --git a/osquery/tables/system/windows/hvci_status.cpp b/osquery/tables/system/windows/hvci_status.cpp
new file mode 100644
index 00000000000..f962f2ac57c
--- /dev/null
+++ b/osquery/tables/system/windows/hvci_status.cpp
@@ -0,0 +1,58 @@
+#include
+#include
+#include
+#include
+
+#include "osquery/core/conversions.h"
+#include "osquery/core/windows/wmi.h"
+
+namespace osquery {
+namespace tables {
+
+std::vector vbs_methods = {"VBS_NOT_ENABLED",
+ "VBS_ENABLED_AND_NOT_RUNNING",
+ "VBS_ENABLED_AND_RUNNING"};
+
+std::vector enforcement_methods = {
+ "OFF", "AUDIT_MODE", "ENFORCED_MODE"};
+
+QueryData genHVCIStatus(QueryContext& context) {
+ Row r;
+ QueryData results;
+
+ const WmiRequest wmiSystemReq("SELECT * FROM Win32_DeviceGuard",
+ (BSTR)L"ROOT\\MICROSOFT\\WINDOWS\\DEVICEGUARD");
+ const std::vector& wmiResults = wmiSystemReq.results();
+ if (wmiResults.empty()) {
+ LOG(ERROR) << "Error retreiving information from WMI.";
+ return results;
+ }
+ for (const auto& data : wmiResults) {
+ data.GetString("Version", r["version"]);
+ data.GetString("InstanceIdentifier", r["instance_identifier"]);
+
+ long vbs_status;
+ data.GetLong("VirtualizationBasedSecurityStatus", vbs_status);
+ r["vbs_status"] =
+ vbs_methods.size() < vbs_status ? vbs_methods[vbs_status] : "UNKNOWN";
+
+ long code_policy_status;
+ data.GetLong("CodeIntegrityPolicyEnforcementStatus", code_policy_status);
+ r["code_integrity_policy_enforcement_status"] =
+ enforcement_methods.size() < code_policy_status
+ ? enforcement_methods[vbs_status]
+ : "UNKNOWN";
+
+ long umci_status;
+ data.GetLong("UsermodeCodeIntegrityPolicyEnforcementStatus", umci_status);
+ r["umci_policy_status"] = enforcement_methods.size() < umci_status
+ ? enforcement_methods[umci_status]
+ : "UNKNOWN";
+
+ results.push_back(r);
+ }
+ return results;
+}
+} // namespace tables
+} // namespace osquery
+// namespace osquery
\ No newline at end of file
diff --git a/specs/windows/hvci_status.table b/specs/windows/hvci_status.table
new file mode 100644
index 00000000000..5b3bed1968d
--- /dev/null
+++ b/specs/windows/hvci_status.table
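Review bot: The range guards added at `r["vbs_status"] = vbs_methods.size() < vbs_status ? vbs_methods[vbs_status] : "UNKNOWN"` and the two lookups below it are inverted: a valid code 0–2 fails `size() < status` and is reported as UNKNOWN, while a code of 4 or more passes it and indexes past the end of the vector. The comparison also mixes `long` with `size_t`, so a negative value converts to a large unsigned and likewise indexes out of bounds, and `long vbs_status;` is never initialised, so a property `GetLong` cannot read (its returned status is discarded) leaves an indeterminate value in that comparison. The second lookup additionally indexes with `vbs_status` instead of `code_policy_status`, so the code-integrity column would report the VBS state. The commit message describes these as conditionals that yield UNKNOWN for out-of-range values; the sketch below does that with one bounded helper (assuming the stripped element type is `std::string`) and initialises each status to -1 so an unreadable property also maps to UNKNOWN.
```cpp
// Maps a WMI status code onto its name; anything outside the table
// (including a negative or unset value) reports as UNKNOWN.
static std::string statusName(const std::vector<std::string>& names,
                              long status) {
  if (status < 0 || static_cast<size_t>(status) >= names.size()) {
    return "UNKNOWN";
  }
  return names[static_cast<size_t>(status)];
}

// … unchanged: WMI request, empty-result check, Version/InstanceIdentifier …
    long vbs_status = -1;
    data.GetLong("VirtualizationBasedSecurityStatus", vbs_status);
    r["vbs_status"] = statusName(vbs_methods, vbs_status);

    long code_policy_status = -1;
    data.GetLong("CodeIntegrityPolicyEnforcementStatus", code_policy_status);
    r["code_integrity_policy_enforcement_status"] =
        statusName(enforcement_methods, code_policy_status);

    long umci_status = -1;
    data.GetLong("UsermodeCodeIntegrityPolicyEnforcementStatus", umci_status);
    r["umci_policy_status"] = statusName(enforcement_methods, umci_status);
// … unchanged: push_back and return …
```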
@@ -0,0 +1,10 @@
+table_name("hvci_status")
+description("Retrieve HVCI info of the machine.")
+schema([
+ Column("version", TEXT, "The version number of the Device Guard build."),
+ Column("instance_identifier", TEXT, "The instance ID of Device Guard."),
+ Column("vbs_status", TEXT, "The status of the virtualization based security settings."),
+ Column("code_integrity_policy_enforcement_status", TEXT, "The status of the code integrity policy enforcement settings."),
+ Column("umci_policy_status", TEXT, "The status of the User Mode Code Integrity security settings."),
+])
+implementation("system/windows/hvci_info@genHVCIStatus")
\ No newline at end of file
From a32605e385771c7c2697642f20de4b9e43e0acf7 Mon Sep 17 00:00:00 2001
From: Brad Thompson
Date: Fri, 8 Feb 2019 11:45:54 -0800
Subject: [PATCH 04/13] Commit initial HVCI table and schema. Fix typo with one of the umcipolicy, remove VectorOfStrings call. Fix"integrity" spelling issues. Remove map calls to use arrays. Switch to vectors instead of array methods. Add conditional statements to use "unknown" for out-of-range values. Remove extraneous comment.
---
osquery/tables/system/windows/hvci_status.cpp | 58 +++++++++++++++++++
specs/windows/hvci_status.table | 10 ++++
2 files changed, 68 insertions(+)
create mode 100644 osquery/tables/system/windows/hvci_status.cpp
create mode 100644 specs/windows/hvci_status.table
diff --git a/osquery/tables/system/windows/hvci_status.cpp b/osquery/tables/system/windows/hvci_status.cpp
new file mode 100644
index 00000000000..f962f2ac57c
--- /dev/null
+++ b/osquery/tables/system/windows/hvci_status.cpp
@@ -0,0 +1,58 @@
+#include
+#include
+#include
+#include
+
+#include "osquery/core/conversions.h"
+#include "osquery/core/windows/wmi.h"
+
+namespace osquery {
+namespace tables {
+
+std::vector vbs_methods = {"VBS_NOT_ENABLED",
+ "VBS_ENABLED_AND_NOT_RUNNING",
+ "VBS_ENABLED_AND_RUNNING"};
+
+std::vector enforcement_methods = {
+ "OFF", "AUDIT_MODE", "ENFORCED_MODE"};
+
+QueryData genHVCIStatus(QueryContext& context) {
+ Row r;
+ QueryData results;
+
+ const WmiRequest wmiSystemReq("SELECT * FROM Win32_DeviceGuard",
+ (BSTR)L"ROOT\\MICROSOFT\\WINDOWS\\DEVICEGUARD");
+ const std::vector& wmiResults = wmiSystemReq.results();
+ if (wmiResults.empty()) {
+ LOG(ERROR) << "Error retreiving information from WMI.";
+ return results;
+ }
+ for (const auto& data : wmiResults) {
+ data.GetString("Version", r["version"]);
+ data.GetString("InstanceIdentifier", r["instance_identifier"]);
+
+ long vbs_status;
+ data.GetLong("VirtualizationBasedSecurityStatus", vbs_status);
+ r["vbs_status"] =
+ vbs_methods.size() < vbs_status ? vbs_methods[vbs_status] : "UNKNOWN";
+
+ long code_policy_status;
+ data.GetLong("CodeIntegrityPolicyEnforcementStatus", code_policy_status);
+ r["code_integrity_policy_enforcement_status"] =
+ enforcement_methods.size() < code_policy_status
+ ? enforcement_methods[vbs_status]
+ : "UNKNOWN";
+
+ long umci_status;
+ data.GetLong("UsermodeCodeIntegrityPolicyEnforcementStatus", umci_status);
+ r["umci_policy_status"] = enforcement_methods.size() < umci_status
+ ? enforcement_methods[umci_status]
+ : "UNKNOWN";
+
+ results.push_back(r);
+ }
+ return results;
+}
+} // namespace tables
+} // namespace osquery
+// namespace osquery
\ No newline at end of file
diff --git a/specs/windows/hvci_status.table b/specs/windows/hvci_status.table
new file mode 100644
index 00000000000..5b3bed1968d
--- /dev/null
+++ b/specs/windows/hvci_status.table
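Review bot: This hunk re-creates osquery/tables/system/windows/hvci_status.cpp (`new file mode 100644`, `index 00000000000..f962f2ac57c`) with exactly the blob PATCH 03 already created, so the series applied in order stops on this commit because the file already exists; PATCH 03, 04 and 05 should be squashed into one commit. Because the content is byte-identical, the inverted guards on `vbs_methods.size() < vbs_status` and the `enforcement_methods[vbs_status]` index from PATCH 03 are carried over unchanged here.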
@@ -0,0 +1,10 @@
+table_name("hvci_status")
+description("Retrieve HVCI info of the machine.")
+schema([
+ Column("version", TEXT, "The version number of the Device Guard build."),
+ Column("instance_identifier", TEXT, "The instance ID of Device Guard."),
+ Column("vbs_status", TEXT, "The status of the virtualization based security settings."),
+ Column("code_integrity_policy_enforcement_status", TEXT, "The status of the code integrity policy enforcement settings."),
+ Column("umci_policy_status", TEXT, "The status of the User Mode Code Integrity security settings."),
+])
+implementation("system/windows/hvci_info@genHVCIStatus")
\ No newline at end of file
From 6f9e2fd3f26ea7595cf9a51dff3692526a29c8d9 Mon Sep 17 00:00:00 2001
From: Brad Thompson
Date: Wed, 13 Mar 2019 14:39:32 -0700
Subject: [PATCH 05/13] Create initial HVCI table and prefix.
---
osquery/tables/system/windows/hvci_status.cpp | 58 +++++++++++++++++++
specs/windows/hvci_status.table | 10 ++++
2 files changed, 68 insertions(+)
create mode 100644 osquery/tables/system/windows/hvci_status.cpp
create mode 100644 specs/windows/hvci_status.table
diff --git a/osquery/tables/system/windows/hvci_status.cpp b/osquery/tables/system/windows/hvci_status.cpp
new file mode 100644
index 00000000000..f962f2ac57c
--- /dev/null
+++ b/osquery/tables/system/windows/hvci_status.cpp
@@ -0,0 +1,58 @@
+#include
+#include
+#include
+#include
+
+#include "osquery/core/conversions.h"
+#include "osquery/core/windows/wmi.h"
+
+namespace osquery {
+namespace tables {
+
+std::vector vbs_methods = {"VBS_NOT_ENABLED",
+ "VBS_ENABLED_AND_NOT_RUNNING",
+ "VBS_ENABLED_AND_RUNNING"};
+
+std::vector enforcement_methods = {
+ "OFF", "AUDIT_MODE", "ENFORCED_MODE"};
+
+QueryData genHVCIStatus(QueryContext& context) {
+ Row r;
+ QueryData results;
+
+ const WmiRequest wmiSystemReq("SELECT * FROM Win32_DeviceGuard",
+ (BSTR)L"ROOT\\MICROSOFT\\WINDOWS\\DEVICEGUARD");
+ const std::vector& wmiResults = wmiSystemReq.results();
+ if (wmiResults.empty()) {
+ LOG(ERROR) << "Error retreiving information from WMI.";
+ return results;
+ }
+ for (const auto& data : wmiResults) {
+ data.GetString("Version", r["version"]);
+ data.GetString("InstanceIdentifier", r["instance_identifier"]);
+
+ long vbs_status;
+ data.GetLong("VirtualizationBasedSecurityStatus", vbs_status);
+ r["vbs_status"] =
+ vbs_methods.size() < vbs_status ? vbs_methods[vbs_status] : "UNKNOWN";
+
+ long code_policy_status;
+ data.GetLong("CodeIntegrityPolicyEnforcementStatus", code_policy_status);
+ r["code_integrity_policy_enforcement_status"] =
+ enforcement_methods.size() < code_policy_status
+ ? enforcement_methods[vbs_status]
+ : "UNKNOWN";
+
+ long umci_status;
+ data.GetLong("UsermodeCodeIntegrityPolicyEnforcementStatus", umci_status);
+ r["umci_policy_status"] = enforcement_methods.size() < umci_status
+ ? enforcement_methods[umci_status]
+ : "UNKNOWN";
+
+ results.push_back(r);
+ }
+ return results;
+}
+} // namespace tables
+} // namespace osquery
+// namespace osquery
\ No newline at end of file
diff --git a/specs/windows/hvci_status.table b/specs/windows/hvci_status.table
new file mode 100644
index 00000000000..5b3bed1968d
--- /dev/null
+++ b/specs/windows/hvci_status.table
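Review bot: This is the third `new file mode 100644` creation of hvci_status.cpp with the same blob (`index 00000000000..f962f2ac57c`) as PATCH 03 and 04, so nothing in this commit changes the code and the duplicate creation will not apply on top of the earlier ones; fold it into a single commit. The bounds checks, the `enforcement_methods[vbs_status]` copy-paste index and the uninitialised `long` status locals are therefore exactly as reviewed on PATCH 03.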
@@ -0,0 +1,10 @@
+table_name("hvci_status")
+description("Retrieve HVCI info of the machine.")
+schema([
+ Column("version", TEXT, "The version number of the Device Guard build."),
+ Column("instance_identifier", TEXT, "The instance ID of Device Guard."),
+ Column("vbs_status", TEXT, "The status of the virtualization based security settings."),
+ Column("code_integrity_policy_enforcement_status", TEXT, "The status of the code integrity policy enforcement settings."),
+ Column("umci_policy_status", TEXT, "The status of the User Mode Code Integrity security settings."),
+])
+implementation("system/windows/hvci_info@genHVCIStatus")
\ No newline at end of file
From ca12bd6302dfb45c34c43fb69fb62dd76aa42543 Mon Sep 17 00:00:00 2001
From: Brad Thompson
Date: Tue, 26 Mar 2019 14:41:23 -0700
Subject: [PATCH 06/13] Commit initial tests.
---
tests/integration/tables/hvci_status.cpp | 40 ++++++++++++++++++++++++
1 file changed, 40 insertions(+)
create mode 100644 tests/integration/tables/hvci_status.cpp
diff --git a/tests/integration/tables/hvci_status.cpp b/tests/integration/tables/hvci_status.cpp
new file mode 100644
index 00000000000..ed32945aab1
--- /dev/null
+++ b/tests/integration/tables/hvci_status.cpp
@@ -0,0 +1,40 @@
+/**
+ * Copyright (c) 2014-present, Facebook, Inc.
+ * All rights reserved.
+ *
+ * This source code is licensed as defined on the LICENSE file found in the
+ * root directory of this source tree.
+ */
+
+// Integration test for hvci_status
+// Spec file: specs/windows/hvci_status.table
+
+#include
+
+namespace osquery {
+namespace table_tests {
+
+class HVCIStatus : public testing::Test {
+ protected:
+ void SetUp() override {
+ setUpEnvironment();
+ }
+};
+
+TEST_F(HVCIStatus, test_sanity) {
+ QueryData data = execute_query("select * from hvci_status");
+
+ ASSERT_GE(data.size(), 1ul);
+
+ ValidatatioMap row_map = {
+ {"version", NonEmptyString},
+ {"instance_identifier", NormalType},
+ {"vbs_status", NonEmptyString},
+ {"code_integrity_policy_enforcement_status", NonEmptyString},
+ {"umci_policy_status", NonEmptyString},
+ };
+ validate_rows(data, row_map);
+}
+
+} // namespace table_tests
+} // namespace osquery
From 1eea3aff0691b8af472a0da19c449c5105dda4b3 Mon Sep 17 00:00:00 2001
From: Brad Thompson
Date: Tue, 26 Mar 2019 14:41:50 -0700
Subject: [PATCH 07/13] Fix table specs to include UNKNOWN reference
---
specs/windows/hvci_status.table | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/specs/windows/hvci_status.table b/specs/windows/hvci_status.table
index 5b3bed1968d..45e180a3241 100644
--- a/specs/windows/hvci_status.table
+++ b/specs/windows/hvci_status.table
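Review bot: The validation map accepts any non-empty string for `vbs_status`, `code_integrity_policy_enforcement_status` and `umci_policy_status`, so it cannot catch the table reporting UNKNOWN on every row, which is what the implementation's `size() < status` checks currently yield for the documented codes 0–2; pin each column to its documented set instead, e.g. `{"vbs_status", SpecificValuesCheck({"VBS_NOT_ENABLED", "VBS_ENABLED_AND_NOT_RUNNING", "VBS_ENABLED_AND_RUNNING", "UNKNOWN"})}`, if the integration helpers provide that check. `ASSERT_GE(data.size(), 1ul)` also hard-fails on a host where the WMI query returns nothing, because the implementation returns an empty result set on that path rather than a row; if CI runs on hosts without the Device Guard namespace, skip when `data.empty()` rather than assert.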
@@ -3,8 +3,8 @@ description("Retrieve HVCI info of the machine.")
 schema([
 Column("version", TEXT, "The version number of the Device Guard build."),
 Column("instance_identifier", TEXT, "The instance ID of Device Guard."),
- Column("vbs_status", TEXT, "The status of the virtualization based security settings."),
- Column("code_integrity_policy_enforcement_status", TEXT, "The status of the code integrity policy enforcement settings."),
- Column("umci_policy_status", TEXT, "The status of the User Mode Code Integrity security settings."),
+ Column("vbs_status", TEXT, "The status of the virtualization based security settings. Returns 'UNKNOWN' if an error is encountered."),
+ Column("code_integrity_policy_enforcement_status", TEXT, "The status of the code integrity policy enforcement settings. Returns 'UNKNOWN' if an error is encountered."),
+ Column("umci_policy_status", TEXT, "The status of the User Mode Code Integrity security settings. Returns 'UNKNOWN' if an error is encountered."),
 ])
 implementation("system/windows/hvci_info@genHVCIStatus")
\ No newline at end of file
From 47a8f227e6728ebc4f97799c3479f4b19169a517 Mon Sep 17 00:00:00 2001
From: Brad Thompson
Date: Tue, 16 Apr 2019 15:59:53 -0700
Subject: [PATCH 08/13] Fix dependency paths for Buck builds.
---
osquery/tables/system/BUCK | 1 +
osquery/tables/system/windows/hvci_status.cpp | 3 ++-
specs/BUCK | 4 ++++
specs/windows/hvci_status.table | 8 ++++----
4 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/osquery/tables/system/BUCK b/osquery/tables/system/BUCK
index 5e10e536492..efc70d5a306 100644
--- a/osquery/tables/system/BUCK
+++ b/osquery/tables/system/BUCK
@@ -245,6 +245,7 @@ osquery_cxx_library(
 "windows/disk_info.cpp",
 "windows/drivers.cpp",
 "windows/groups.cpp",
+ "windows/hvci_status.cpp",
 "windows/ie_extensions.cpp",
 "windows/intel_me.cpp",
 "windows/kernel_info.cpp",
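Review bot: "Returns 'UNKNOWN' if an error is encountered" does not describe what the implementation does: when the WMI query fails or returns no instances, `genHVCIStatus` logs and returns no rows at all, and UNKNOWN is produced only when the numeric status read from WMI falls outside the mapped set. Suggested wording for each of the three columns: `Returns UNKNOWN if the reported value is not one of the documented states.` The table's description line (visible in this hunk's header context) would also benefit from naming the source, e.g. `Retrieve HVCI info of the machine from the Win32_DeviceGuard WMI class; no rows are returned when that class is unavailable.`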
diff --git a/osquery/tables/system/windows/hvci_status.cpp b/osquery/tables/system/windows/hvci_status.cpp
index f962f2ac57c..472eb22d263 100644
--- a/osquery/tables/system/windows/hvci_status.cpp
+++ b/osquery/tables/system/windows/hvci_status.cpp
@@ -1,10 +1,11 @@
 #include
+#include
 #include
 #include
 #include

-#include "osquery/core/conversions.h"
 #include "osquery/core/windows/wmi.h"
+#include

 namespace osquery {
 namespace tables {
diff --git a/specs/BUCK b/specs/BUCK
index 9579659c273..817e257617b 100644
--- a/specs/BUCK
+++ b/specs/BUCK
@@ -738,6 +738,10 @@ osquery_gentable_cxx_library(
 _SPECS_LOCATION + "/windows/authenticode.table",
 "windows",
 ),
+ (
+ _SPECS_LOCATION + "/windows/hvci_status.table",
+ "windows",
+ ),
 (
 _SPECS_LOCATION + "/windows/pipes.table",
 "windows",
diff --git a/specs/windows/hvci_status.table b/specs/windows/hvci_status.table
index 45e180a3241..3fc3ab75527 100644
--- a/specs/windows/hvci_status.table
+++ b/specs/windows/hvci_status.table
@@ -3,8 +3,8 @@ description("Retrieve HVCI info of the machine.")
 schema([
 Column("version", TEXT, "The version number of the Device Guard build."),
 Column("instance_identifier", TEXT, "The instance ID of Device Guard."),
- Column("vbs_status", TEXT, "The status of the virtualization based security settings. Returns 'UNKNOWN' if an error is encountered."),
- Column("code_integrity_policy_enforcement_status", TEXT, "The status of the code integrity policy enforcement settings. Returns 'UNKNOWN' if an error is encountered."),
- Column("umci_policy_status", TEXT, "The status of the User Mode Code Integrity security settings. Returns 'UNKNOWN' if an error is encountered."),
+ Column("vbs_status", TEXT, "The status of the virtualization based security settings. Returns UNKNOWN if an error is encountered."),
+ Column("code_integrity_policy_enforcement_status", TEXT, "The status of the code integrity policy enforcement settings. Returns UNKNOWN if an error is encountered."),
+ Column("umci_policy_status", TEXT, "The status of the User Mode Code Integrity security settings. Returns UNKNOWN if an error is encountered."),
 ])
-implementation("system/windows/hvci_info@genHVCIStatus")
\ No newline at end of file
+implementation("system/windows/hvci_status@genHVCIStatus")
\ No newline at end of file
From b628833fbd96eaa8b7f15280a121a86372762a35 Mon Sep 17 00:00:00 2001
From: Brad Thompson
Date: Thu, 23 Jan 2020 14:10:21 -0500
Subject: [PATCH 09/13] Remove _SPECS_LOCATION mention.
---
specs/BUCK | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/specs/BUCK b/specs/BUCK
index 124b7063bbb..799addfb99e 100644
--- a/specs/BUCK
+++ b/specs/BUCK
@@ -745,7 +745,7 @@ osquery_gentable_cxx_library(
 "windows",
 ),
 (
- _SPECS_LOCATION + "/windows/hvci_status.table",
+ "windows/hvci_status.table",
 "windows",
 ),
 (
From 328fd8f4818bd40160b3846dae31e04a14286f6e Mon Sep 17 00:00:00 2001
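Review bot: This hunk drops the `_SPECS_LOCATION +` prefix from the hvci_status entry alone, while the neighbouring pipes entry that PATCH 11 later touches is still written as `_SPECS_LOCATION + "/windows/pipes.table"`, so after this commit the list mixes two path conventions. If the variable no longer exists on the rebase target (the index line of specs/BUCK changed between PATCH 08 and this commit, which suggests a rebase), every remaining `_SPECS_LOCATION` use will fail when the BUCK file is evaluated; if it still exists, this entry should keep the same form as its neighbours. Either way the path cleanup belongs in one commit rather than spread across PATCH 09, 11 and 12.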
From: Brad Thompson
Date: Thu, 23 Jan 2020 14:19:32 -0500
Subject: [PATCH 10/13] Move VBS and enforcement methods into loop.
---
osquery/tables/system/windows/hvci_status.cpp | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/osquery/tables/system/windows/hvci_status.cpp b/osquery/tables/system/windows/hvci_status.cpp
index 472eb22d263..751314875db 100644
--- a/osquery/tables/system/windows/hvci_status.cpp
+++ b/osquery/tables/system/windows/hvci_status.cpp
@@ -10,17 +10,17 @@
 namespace osquery {
 namespace tables {

-std::vector vbs_methods = {"VBS_NOT_ENABLED",
+QueryData genHVCIStatus(QueryContext& context) {
+ Row r;
+ QueryData results;
+
+ std::vector vbs_methods = {"VBS_NOT_ENABLED",
 "VBS_ENABLED_AND_NOT_RUNNING",
 "VBS_ENABLED_AND_RUNNING"};

-std::vector enforcement_methods = {
+ std::vector enforcement_methods = {
 "OFF", "AUDIT_MODE", "ENFORCED_MODE"};

-QueryData genHVCIStatus(QueryContext& context) {
- Row r;
- QueryData results;
-
 const WmiRequest wmiSystemReq("SELECT * FROM Win32_DeviceGuard",
 (BSTR)L"ROOT\\MICROSOFT\\WINDOWS\\DEVICEGUARD");
 const std::vector& wmiResults = wmiSystemReq.results();
@@ -56,4 +56,4 @@ QueryData genHVCIStatus(QueryContext& context) {
 }
 } // namespace tables
 } // namespace osquery
-// namespace osquery
\ No newline at end of file
+// namespace osquery
From cb024d5db09170f9fad52b24eab7aabe96ce4638 Mon Sep 17 00:00:00 2001
From: Brad Thompson
Date: Thu, 23 Jan 2020 14:22:09 -0500
Subject: [PATCH 11/13] Remove additional "_SPEC_" mention
---
specs/BUCK | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/specs/BUCK b/specs/BUCK
index 799addfb99e..23000a2d032 100644
--- a/specs/BUCK
+++ b/specs/BUCK
@@ -749,7 +749,7 @@ osquery_gentable_cxx_library(
 "windows",
 ),
 (
- _SPECS_LOCATION + "/windows/pipes.table",
+ "/windows/pipes.table",
 "windows",
 ),
 (
From 6feaabfff791d94a375289ce2717048491ba1bb1 Mon Sep 17 00:00:00 2001
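Review bot: The two lookup tables moved into `genHVCIStatus` are constant data but are now rebuilt on every query; declaring them `static const std::vector<std::string> vbs_methods = {...}` (the element type is not visible here, but the initialisers are string literals) keeps one instance and documents that nothing mutates them. The subject says they move "into loop", but the hunk places them in the function body ahead of the `for` over `wmiResults`, which is the right spot; the description should say so. The lookups that index these tables sit further down, outside this hunk, and are unchanged by the move.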
From: Brad Thompson
Date: Thu, 23 Jan 2020 15:22:24 -0500
Subject: [PATCH 12/13] Remove additional slash in pipes table declaration
---
specs/BUCK | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/specs/BUCK b/specs/BUCK
index 23000a2d032..07dac110f4e 100644
--- a/specs/BUCK
+++ b/specs/BUCK
@@ -749,7 +749,7 @@ osquery_gentable_cxx_library(
 "windows",
 ),
 (
- "/windows/pipes.table",
+ "windows/pipes.table",
 "windows",
 ),
 (
From 31405847a4124ac1ec7c947095b03e4220798605 Mon Sep 17 00:00:00 2001
From: Nick Anderson
Date: Thu, 23 Jan 2020 15:43:07 -0800
Subject: [PATCH 13/13] Update hvci_status.cpp Addressing `clang-format` nits, moving the `Row r` into the main loop.
---
osquery/tables/system/windows/hvci_status.cpp | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/osquery/tables/system/windows/hvci_status.cpp b/osquery/tables/system/windows/hvci_status.cpp
index 751314875db..cdb2e875e9c 100644
--- a/osquery/tables/system/windows/hvci_status.cpp
+++ b/osquery/tables/system/windows/hvci_status.cpp
@@ -11,15 +11,14 @@ namespace osquery {
 namespace tables {

 QueryData genHVCIStatus(QueryContext& context) {
- Row r;
 QueryData results;
-
+
 std::vector vbs_methods = {"VBS_NOT_ENABLED",
- "VBS_ENABLED_AND_NOT_RUNNING",
- "VBS_ENABLED_AND_RUNNING"};
+ "VBS_ENABLED_AND_NOT_RUNNING",
+ "VBS_ENABLED_AND_RUNNING"};

 std::vector enforcement_methods = {
- "OFF", "AUDIT_MODE", "ENFORCED_MODE"};
+ "OFF", "AUDIT_MODE", "ENFORCED_MODE"};

 const WmiRequest wmiSystemReq("SELECT * FROM Win32_DeviceGuard",
 (BSTR)L"ROOT\\MICROSOFT\\WINDOWS\\DEVICEGUARD");
@@ -29,6 +28,7 @@ QueryData genHVCIStatus(QueryContext& context) {
 return results;
 }
 for (const auto& data : wmiResults) {
+ Row r;
 data.GetString("Version", r["version"]);
 data.GetString("InstanceIdentifier", r["instance_identifier"]);