chore: ignore lsass
VihasMakwana committed Dec 17, 2024
1 parent fa3caa1 commit cc1ac56
Showing 1 changed file with 25 additions and 0 deletions.
25 changes: 25 additions & 0 deletions metric/system/process/process_windows.go
Expand Up @@ -199,6 +199,9 @@ func FillMetricsRequiringMoreAccess(pid int, state ProcState) (ProcState, error)
}

func getProcArgs(pid int) ([]string, error) {
if ok := shouldIgnore(pid); ok {
return []string{}, nil
}
handle, err := syscall.OpenProcess(
windows.PROCESS_QUERY_LIMITED_INFORMATION|
windows.PROCESS_VM_READ,
Expand Down Expand Up @@ -463,3 +466,25 @@ func fillIdleProcess(state ProcState) (ProcState, error) {
state.CPU.Total.Value = opt.FloatWith(idle)
return state, nil
}

func shouldIgnore(pid int) (bool, err) {
// shouldIgnore checks if we should ignore the pid, to avoid elevated permissions

// LSASS.exe is a process which has no useful cmdline arguments, we should ignore acessing such process to avoid triggering Windows ASR rules
// we can query pid for LASASS.exe from registry

key, err := registry.OpenKey(registry.LOCAL_MACHINE, "SYSTEM\\CurrentControlSet\\Control\\Lsa", registry.READ)
if err != nil {
logp.L().Warnw("Failed to read registry path SYSTEM\\CurrentControlSet\\Control\\Lsa", "error", err)
return false
}
lsassPid, _, err := key.GetIntegerValue("LasPid")
if err != nil {
logp.L().Warnw("Failed to read pid for lsass.exe", "error", err)
return false
}
if lsassPid == pid {
return true
}
return false
}
