Applocker (and AV) can make BCcontainerhelper very slow

[rdebath]

Describe the issue
On a windows 11 machine (23H2, 22631.3007) with Applocker enabled in Audit mode.
First command for a given powershell session takes a long time to start, 43 seconds below.
Subsequent commands are quick.

Problem also happens with Applocker fully turned on. Removing the Applocker GPO and rebooting a couple of times makes the machine operate normally, with a minimal delay on first run of BCContainerHelper.

Other approximate times are six seconds to load if applocker is not configured (W11), eight seconds to load if AppLocker is configured and running on Windows 10, three seconds on Win10 without AppLocker.

Seems I've managed to turn off MS-AV permanently on W11 so it's not doing anything (not sure why it's stopped turning itself back on).

Even the "six seconds" seems a bit long actually; perhaps most of those tiny files should be concatenated into one "library" script before signing? That should load faster as AES is a lot quicker than RSA.

Scripts used to create container and cause the issue

Test-BcContainer
# Or anything else really.

Full output of scripts

Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows
PS C:\WINDOWS\system32> Measure-Command { Test-BcContainer }
BcContainerHelper version 6.0.7-preview1155
Setting MicrosoftTelemetryConnectionString =


Days              : 0
Hours             : 0
Minutes           : 0
Seconds           : 43
Milliseconds      : 767
Ticks             : 437676903
TotalDays         : 0.000506570489583333
TotalHours        : 0.01215769175
TotalMinutes      : 0.729461505
TotalSeconds      : 43.7676903
TotalMilliseconds : 43767.6903



PS C:\WINDOWS\system32> Measure-Command { Test-BcContainer }


Days              : 0
Hours             : 0
Minutes           : 0
Seconds           : 0
Milliseconds      : 228
Ticks             : 2285200
TotalDays         : 2.64490740740741E-06
TotalHours        : 6.34777777777778E-05
TotalMinutes      : 0.00380866666666667
TotalSeconds      : 0.22852
TotalMilliseconds : 228.52



PS C:\WINDOWS\system32> Test-BcContainer
False
PS C:\WINDOWS\system32>
...

Screenshots
If applicable, add screenshots to help explain your problem.

Additional context

• does it happen all the time? Yup.
• did it use to work? Windows 10 seems okay.

[freddydk]

So, if you run Import-Module BcContainerHelper as the first thing, then that takes a long time - and subsequent commands are fast? I guess it is the module intialization that takes time, but I have no idea what.
I won't have time to install and test AppLocker right now, but if anybody can investigate if there is anything special, which takes the time - or this is "just" due to the module size???

[kine]

I know that on some presentation I saw that module with many files are slow to import and concatenating everything into one file before publishing the module is making the import much faster. I think this is the reason why the module is loading so long. And if the AV is trying to check every file during the process, it makes it much longer...

[rdebath]

Great, now I've turned it off and on yet again it seems going reasonably fast. 😒

Okay, I did see a trace of the PS commands a few days ago and it was visibly pausing for a fraction of a second for each of the bccontainerhelper ps1 files. A that point I thought it was the AV going silly so I didn't save the log. After disabling the AV, the delay was still present so I removed the AppLocker GPOs which sped the loading up. Adding applocker back in slowed it down again. Also as I hinted this applied to any command, not just Test-BcContainer.

But now it seems I only have a small increase in load time for both W10 and W11 with AppLocker.

Still, it is pretty well known that the AV (and AppLocker) performance cost is mostly paid per file, so I expect @kine has got it right. And even for this "reasonable" time the loading takes 8-10 seconds with AV/Applocker on compared to three with it turned off which is two or three times as long.

So lets make this a request to concatenate the library PS1 files to avoid the issue when it happens again.

[kine]

The concatenation is mentioned with few other tips e.g. here: https://dbatools.io/import-times/ and https://blog.netnerds.net/2018/12/even-faster-powershell-module-loading/.