[process/windows] - Ignore accessing command line arguments for selected processes (currently, lsass.exe) #198

Open
wants to merge 11 commits into
base: main
from
25 changes: 25 additions & 0 deletions metric/system/process/process_windows.go
Expand Up @@ -199,6 +199,9 @@ func FillMetricsRequiringMoreAccess(pid int, state ProcState) (ProcState, error)
}

func getProcArgs(pid int) ([]string, error) {
if ok := shouldIgnore(pid); ok {
return []string{}, nil
}
handle, err := syscall.OpenProcess(
windows.PROCESS_QUERY_LIMITED_INFORMATION|
windows.PROCESS_VM_READ,
Expand Down Expand Up @@ -463,3 +466,25 @@ func fillIdleProcess(state ProcState) (ProcState, error) {
state.CPU.Total.Value = opt.FloatWith(idle)
return state, nil
}

func shouldIgnore(pid int) (bool, err) {
// shouldIgnore checks if we should ignore the pid, to avoid elevated permissions

// LSASS.exe is a process which has no useful cmdline arguments, we should ignore acessing such process to avoid triggering Windows ASR rules
// we can query pid for LASASS.exe from registry

key, err := registry.OpenKey(registry.LOCAL_MACHINE, "SYSTEM\\CurrentControlSet\\Control\\Lsa", registry.READ)
if err != nil {
logp.L().Warnw("Failed to read registry path SYSTEM\\CurrentControlSet\\Control\\Lsa", "error", err)
return false
}
lsassPid, _, err := key.GetIntegerValue("LasPid")
if err != nil {
logp.L().Warnw("Failed to read pid for lsass.exe", "error", err)
return false
}
if lsassPid == pid {
return true
}
return false
}
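Review bot: `shouldIgnore` as written does not compile: the signature `(bool, err)` names a non-existent type (`error` is meant) and promises two results, while every `return` in the body yields one and the call site in `getProcArgs` (`if ok := shouldIgnore(pid); ok`) consumes one; `lsassPid` (a `uint64` from `GetIntegerValue`) is also compared with `pid` (an `int`) without a conversion. The registry key opened on each call is never closed, so every `getProcArgs` invocation leaks a handle — add `defer key.Close()` right after the error check. Because the check runs for every pid on every collection, a persistent registry failure is logged at Warn once per process; consider Debug level or logging it once. The value name `LasPid` looks transposed — Windows publishes the lsass pid under `LsaPid` in that key — and is worth confirming on a host, since a wrong name silently disables the guard and the collector falls through to opening lsass with PROCESS_VM_READ, the exact access this change is meant to avoid. `getProcArgs` continues past the first hunk; the rewrite below covers `shouldIgnore` only.
```go
// shouldIgnore reports whether pid belongs to a process whose command line
// must not be read. Opening lsass.exe with PROCESS_VM_READ can trip Windows
// ASR credential-theft rules, so its pid (published under
// HKLM\SYSTEM\CurrentControlSet\Control\Lsa) is skipped.
func shouldIgnore(pid int) bool {
	key, err := registry.OpenKey(registry.LOCAL_MACHINE, "SYSTEM\\CurrentControlSet\\Control\\Lsa", registry.READ)
	if err != nil {
		logp.L().Warnw("Failed to read registry path SYSTEM\\CurrentControlSet\\Control\\Lsa", "error", err)
		return false
	}
	defer key.Close() // handle would otherwise leak on every call

	// TODO confirm the value name on a Windows host; the PR's "LasPid" looks transposed.
	lsassPid, _, err := key.GetIntegerValue("LsaPid")
	if err != nil {
		logp.L().Warnw("Failed to read pid for lsass.exe", "error", err)
		return false
	}
	return lsassPid == uint64(pid)
}
```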