Performance improvements to security checks when group policies are in effect for ExecutionPolicy #2588
Conversation
|
Hi @powercode, I'm your friendly neighborhood Microsoft Pull Request Bot (You can call me MSBOT). Thanks for your contribution! The agreement was validated by Microsoft and real humans are currently evaluating your PR. TTYL, MSBOT; |
powercode
changed the title
There was a problem hiding this comment.
Seems this should be in #if !UNIX
There was a problem hiding this comment.
Yes, you are correct. Fixing.
There was a problem hiding this comment.
PG do not accept formatting without code changes. It would be good to revert this.
powercode
force-pushed
the
master
branch
2 times, most recently
from
17cfe31 to
8ad2783
Compare
There was a problem hiding this comment.
It would be good to mention here about main - use caching dramatically accelerated GetParentProcess.
powercode
force-pushed
the
master
branch
5 times, most recently
from
2721367 to
d70dd08
Compare
|
@powercode - it looks like these changes cause the test failures. @LeeHolmes - can you review these changes? |
|
It is my bad. Fixing now. |
There was a problem hiding this comment.
s_currentProcessId never changes. It seems unnecessary.
There was a problem hiding this comment.
Good point. Refactoring...
There was a problem hiding this comment.
It is there to avoid creating a new process object every time the id of the current process is needed
There was a problem hiding this comment.
I maybe stupid here but why you check s_currentProcessId instead of s_currentParentProcessId.HasValue?
There was a problem hiding this comment.
Clear - "current" != "current" 😊
There was a problem hiding this comment.
This conditional is the opposite of what I think you intended.
There was a problem hiding this comment.
Yes, fixed in the updated pull request
There was a problem hiding this comment.
Our coding style puts a newline above comment blocks, as it represents a paragraph of thought.
|
Fixing |
There was a problem hiding this comment.
This would be an error condition (taking a snapshot with no processes), so returning 'parentPid' is misleading. Instead, we should return 0.
There was a problem hiding this comment.
Good point. Fixed.
There was a problem hiding this comment.
This is very close to being a duplication of GetParentProcess(). I think it'd be OK to add the caching logic to GetParentProcessIdNative. Also, it doesn't have the start time validation that GetParentProcess has, so we should make sure we don't expose anything that looks like a useful helper function without this validation.
powercode
force-pushed
the
master
branch
2 times, most recently
from
fce53f2 to
16f0e24
Compare
|
Pushed new version with |
powercode
force-pushed
the
master
branch
2 times, most recently
from
d7baf80 to
636a14c
Compare
|
@powercode Can you please rebase this PR to the latest from master and push an update? It looks like it is ready to merge and just needs final code review sign off. @LeeHolmes - Please take another look at this PR and provide feedback as appropriate. |
PaulHigin
left a comment
PaulHigin
left a comment
There was a problem hiding this comment.
I looked through the code changes and comments. I agree with Lee's comments but I notice that two have not yet been addressed:
- GetParentProcessIdNative() helper method is not needed and can be merged with GetParentProcessId() method.
- The GetParentProcessId() method should include the process start time check and return '0' if start time.
- Actually I don't see a need for GetParentProcessId() at all, since it is always used within GetParentProcess() and nowhere else. We can just add the s_currentParentProcessId caching in GetParentProcess().
In certain scenarios, like a domain joined machine with an executionpolicy set via GPO, a lot of checks are done for the ExecutionPolicy, and this is in the hot path.
It is expensive to determine if a script was run as a result of applying a group policy. This does not change during the lifetime of a process. This only affect the scenario when an execution policy has been set by a group policy.
|
@PaulHigin We now have an implementation of GetParentPid available. Using it instead, and inlining the caching as suggested. |
9 participants
Fixes #2578
When group policies are in effect for execution policy, a check is made to determine if the current process has been launched by gpscript.exe, and in that case, ignore the execution policy.
This is expensive to determine, is done over and over again, and has resulted in very long load times for scripts and modules.
One of the things that is checked (in an expensive way) is the parent id of the current process. That never changes, and is now cached.
The other change is to check once if we are launched by gpscript.exe or not and save that value.
This results in speedups in the order of a magnitude for module loads.