Seeing many duplicate clients across multiple systems. This is a nuisance as the new clients lose their tags and clutters up the GUI.

Here is an example of the first/last seen dates for one of the systems that is having duplicate issues:

1. Original Velociraptor install on 2023-09-14

Client ID: C.00fb0088ad89f50c
Agent Version: 0.7.0
Agent Build Time: 2023-08-28T02:38:17Z
First Seen At: 2023-09-14T14:36:39Z
Last Seen At: 2023-09-17T01:20:27Z

2. First duplicate

Client ID: C.703ce0643d031d83
Agent Version: 0.7.0
Agent Build Time: 2023-08-28T02:38:17Z
First Seen At: 2023-09-18T16:10:21Z
Last Seen At: 2023-09-18T18:02:25Z

3. Second duplicate.

Client ID: C.5e7aeca8ba91a45f
Agent Version: 0.7.0
Agent Build Time: 2023-08-28T02:38:17Z
First Seen At: 2023-09-18T18:08:19Z
Last Seen At: 2023-09-18T18:26:36Z

I attempted to see what was overwriting velociraptor.writeback.yaml using Sysmon. I saw event ID 11's for Velociraptor.exe at the time (2023-09-18T18:08:19Z) the second duplicate was created (C.5e7aeca8ba91a45f).

However, if you check the InstallDate via WMIC for Velociraptor, it still shows the original date of 2023-09-14.
wmic product get "name,installdate" gives "20230914 Velociraptor"

My theory is that sometimes velociraptor.writeback.yaml is getting corrupted, maybe when the client monitoring table is updated, causing it to be regenerated the next time the service starts up which generates a new client id.

Perhaps the client_id should be moved into the Windows registry, or a separate file?