From cc1ac562a83bef33c702d635ec1714a3fcd75274 Mon Sep 17 00:00:00 2001
From: Vihas Makwana
Date: Tue, 17 Dec 2024 23:26:30 +0530
Subject: [PATCH] chore: ignore lsass

---
 metric/system/process/process_windows.go | 25 ++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/metric/system/process/process_windows.go b/metric/system/process/process_windows.go
index 01ea65012..238d73bce 100644
--- a/metric/system/process/process_windows.go
+++ b/metric/system/process/process_windows.go
@@ -199,6 +199,9 @@ func FillMetricsRequiringMoreAccess(pid int, state ProcState) (ProcState, error)
 }
 func getProcArgs(pid int) ([]string, error) {
+	if ok := shouldIgnore(pid); ok {
+		return []string{}, nil
+	}
 	handle, err := syscall.OpenProcess(
 		windows.PROCESS_QUERY_LIMITED_INFORMATION|
 			windows.PROCESS_VM_READ,
@@ -463,3 +466,25 @@ func fillIdleProcess(state ProcState) (ProcState, error) {
 	state.CPU.Total.Value = opt.FloatWith(idle)
 	return state, nil
 }
+
+func shouldIgnore(pid int) (bool, err) {
+	// shouldIgnore checks if we should ignore the pid, to avoid elevated permissions
+
+	// LSASS.exe is a process which has no useful cmdline arguments, we should ignore acessing such process to avoid triggering Windows ASR rules
+	// we can query pid for LASASS.exe from registry
+
+	key, err := registry.OpenKey(registry.LOCAL_MACHINE, "SYSTEM\\CurrentControlSet\\Control\\Lsa", registry.READ)
+	if err != nil {
+		logp.L().Warnw("Failed to read registry path SYSTEM\\CurrentControlSet\\Control\\Lsa", "error", err)
+		return false
+	}
+	lsassPid, _, err := key.GetIntegerValue("LasPid")
+	if err != nil {
+		logp.L().Warnw("Failed to read pid for lsass.exe", "error", err)
+		return false
+	}
+	if lsassPid == pid {
+		return true
+	}
+	return false
+}
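Review bot: The new guard consumes `shouldIgnore(pid)` as a single boolean (`if ok := shouldIgnore(pid); ok`), but the definition added in the second hunk declares its results as `(bool, err)` — `err` is not a type in scope, and that body returns one value — so the package does not compile. Declare it `func shouldIgnore(pid int) bool` and this call site stands as written. The body of getProcArgs continues past the end of the hunk.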
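Review bot: `shouldIgnore` never closes the registry key it opens, so every `getProcArgs` call leaks a handle, and it repeats the registry round-trip (plus a warning log on failure) for each pid in each scan; `lsassPid == pid` also compares `uint64` with `int`, which does not compile. `"LasPid"` looks like a typo for `LsaPid`, the value Windows keeps under the Lsa key — as written the lookup fails every time and the caller falls through to `OpenProcess` with `PROCESS_VM_READ` on lsass anyway, so the check fails open and the ASR trigger it is meant to avoid still fires. Resolving the pid once behind a `sync.Once`, closing the key with `defer`, and comparing against `uint64(pid)` covers all of this; the doc comment belongs above the signature, with the typos `acessing`/`LASASS.exe` fixed. The rewrite below needs `sync` imported and two package-level variables; a fallback when the registry read fails (for example matching the process image name) is worth considering so the guard does not fail open.

```go
// Resolved once per process: lsass.exe's pid is stable for the lifetime of a Windows session.
var (
	lsassPidOnce sync.Once
	lsassPid     uint64
)

// shouldIgnore reports whether pid is lsass.exe, which getProcArgs must not open:
// it exposes no useful command line and reading its memory trips Windows ASR rules.
func shouldIgnore(pid int) bool {
	lsassPidOnce.Do(func() {
		key, err := registry.OpenKey(registry.LOCAL_MACHINE, `SYSTEM\CurrentControlSet\Control\Lsa`, registry.READ)
		if err != nil {
			logp.L().Warnw("Failed to read registry path SYSTEM\\CurrentControlSet\\Control\\Lsa", "error", err)
			return
		}
		defer key.Close()
		v, _, err := key.GetIntegerValue("LsaPid")
		if err != nil {
			logp.L().Warnw("Failed to read pid for lsass.exe", "error", err)
			return
		}
		lsassPid = v
	})
	// lsassPid stays 0 when the lookup failed; pid 0 is the System Idle Process, never lsass.
	return lsassPid != 0 && lsassPid == uint64(pid)
}
```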