// Licensed to Elasticsearch B.V. under one or more contributor
// license agreements. See the NOTICE file distributed with
// this work for additional information regarding copyright
// ownership. Elasticsearch B.V. licenses this file to you under
// the Apache License, Version 2.0 (the "License"); you may
// not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
//go:build windows
package process
import (
"errors"
"syscall"
"golang.org/x/sys/windows"
"golang.org/x/sys/windows/registry"
"github.com/elastic/elastic-agent-libs/logp"
)
// isNonFatal reports whether err should be tolerated rather than abort
// collection. A nil error is trivially non-fatal; otherwise the error chain
// is checked for access-denied / permission failures, invalid-parameter
// failures (both the Windows and the POSIX-style spellings) and NonFatalErr.
//
// NOTE(review): EINVAL / ERROR_INVALID_PARAMETER are also what a genuine
// programming error looks like, so callers should still log errors that pass
// this check rather than drop them silently.
func isNonFatal(err error) bool {
	if err == nil {
		return true
	}
	switch {
	case errors.Is(err, windows.ERROR_ACCESS_DENIED),
		errors.Is(err, syscall.EPERM),
		errors.Is(err, syscall.EINVAL),
		errors.Is(err, windows.ERROR_INVALID_PARAMETER),
		errors.Is(err, NonFatalErr{}):
		return true
	default:
		return false
	}
}
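// processesToIgnore returns the set of PIDs whose details must not be
// queried, keyed by PID. Currently this is only lsass.exe: it has no useful
// command-line arguments, and opening it can trigger Windows ASR rules, so we
// skip it rather than reaching for elevated permissions.
//
// The PID is read from HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LsaPid.
// Any failure is logged and an empty set is returned, so collection proceeds
// (best effort) without the exclusion.
func processesToIgnore() map[uint64]struct{} {
	ignored := make(map[uint64]struct{})

	// Least privilege: only a single value is read, so request KEY_QUERY_VALUE
	// rather than the broader KEY_READ (which also grants enumerate/notify).
	key, err := registry.OpenKey(registry.LOCAL_MACHINE, "SYSTEM\\CurrentControlSet\\Control\\Lsa", registry.QUERY_VALUE)
	if err != nil {
		logp.L().Warnw("Failed to open registry path SYSTEM\\CurrentControlSet\\Control\\Lsa", "error", err)
		return ignored
	}
	defer key.Close()

	// NOTE(review): LsaPid is presumably stored as a DWORD; GetIntegerValue
	// is expected to handle that encoding — confirm on a live system.
	lsassPid, _, err := key.GetIntegerValue("LsaPid")
	if err != nil {
		logp.L().Warnw("Failed to read pid for lsass.exe", "error", err)
		return ignored
	}

	ignored[lsassPid] = struct{}{}
	return ignored
}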