diff --git a/metric/system/process/process_windows.go b/metric/system/process/process_windows.go
index 01ea65012..238d73bce 100644
--- a/metric/system/process/process_windows.go
+++ b/metric/system/process/process_windows.go
@@ -199,6 +199,9 @@ func FillMetricsRequiringMoreAccess(pid int, state ProcState) (ProcState, error)
 }
 
 func getProcArgs(pid int) ([]string, error) {
+ if ok := shouldIgnore(pid); ok {
+ return []string{}, nil
+ }
 handle, err := syscall.OpenProcess(
 windows.PROCESS_QUERY_LIMITED_INFORMATION|
 windows.PROCESS_VM_READ,
@@ -463,3 +466,25 @@ func fillIdleProcess(state ProcState) (ProcState, error) {
 state.CPU.Total.Value = opt.FloatWith(idle)
 return state, nil
 }
+
+func shouldIgnore(pid int) (bool, err) {
+ // shouldIgnore checks if we should ignore the pid, to avoid elevated permissions
+
+ // LSASS.exe is a process which has no useful cmdline arguments, we should ignore acessing such process to avoid triggering Windows ASR rules
+ // we can query pid for LASASS.exe from registry
+
+ key, err := registry.OpenKey(registry.LOCAL_MACHINE, "SYSTEM\\CurrentControlSet\\Control\\Lsa", registry.READ)
+ if err != nil {
+ logp.L().Warnw("Failed to read registry path SYSTEM\\CurrentControlSet\\Control\\Lsa", "error", err)
+ return false
+ }
+ lsassPid, _, err := key.GetIntegerValue("LasPid")
+ if err != nil {
+ logp.L().Warnw("Failed to read pid for lsass.exe", "error", err)
+ return false
+ }
+ if lsassPid == pid {
+ return true
+ }
+ return false
+}