Hi,

I think since active response is available for both Windows and Unix
operating systems, the restart-ossec.cmd is only created on Win-Agents.
However, the ar.conf and the merged.mg in "$YOUR_OSSEC_DIR/etc/shared"
contain an entry for restart-ossec.cmd, maybe to keep these files
platform independent.

Without looking at the source code, I would assume that execd processes
ar.conf and merged.mg and checks if the listed scripts are available,
so once a rule triggers the corresponding active response, it knows
if it can run the active response.

So to answer your questions:

1. IMO OSSEC doesn't want to restart itself, but only checks if
restart-ossec.cmd exists.
2. The file is the Windows equivalent shell script for restart-ossec.sh
on Unix.

Kind regards,

Oscar
