Applocker (and AV) can make BCcontainerhelper very slow #3392
Comments
So, if you run
I know that in some presentation I saw that modules with many files are slow to import, and that concatenating everything into one file before publishing the module makes the import much faster. I think this is the reason why the module takes so long to load. And if the AV is trying to check every file during the process, it makes it much longer...
Great, now I've turned it off and on yet again it seems to be going reasonably fast. 😒 Okay, I did see a trace of the PS commands a few days ago and it was visibly pausing for a fraction of a second for each of the bccontainerhelper ps1 files. At that point I thought it was the AV going silly so I didn't save the log. After disabling the AV, the delay was still present, so I removed the AppLocker GPOs, which sped the loading up. Adding AppLocker back in slowed it down again. Also, as I hinted, this applied to any command, not just But now it seems I only have a small increase in load time for both W10 and W11 with AppLocker. Still, it is pretty well known that the AV (and AppLocker) performance cost is mostly paid per file, so I expect @kine has got it right. And even for this "reasonable" time the loading takes 8-10 seconds with AV/AppLocker on compared to three with it turned off, which is two or three times as long. So let's make this a request to concatenate the library PS1 files to avoid the issue when it happens again.
The concatenation is mentioned with a few other tips, e.g. here: https://dbatools.io/import-times/ and https://blog.netnerds.net/2018/12/even-faster-powershell-module-loading/.
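The concatenation requested in the comments above, sketched as a build step. This is an added example, not part of the thread and not BcContainerHelper's own build code: `Merge-ModuleScripts`, the folder layout and the file names are hypothetical, and it assumes the merged files only define functions and do not rely on `$PSScriptRoot` or their own file path.

```powershell
# Added example (hypothetical names and paths): merge many .ps1 files into one .psm1
# so AppLocker and AV evaluate a single file at import, then sign that file once.
function Merge-ModuleScripts {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SourceFolder,  # folder holding the individual .ps1 files
        [Parameter(Mandatory)] [string] $OutputFile     # merged .psm1 to produce
    )

    # -Filter '*.ps1' can also match longer extensions such as .ps1xml, so check the extension.
    $files = Get-ChildItem -Path $SourceFolder -Filter '*.ps1' -Recurse -File |
        Where-Object Extension -eq '.ps1' |
        Sort-Object FullName                             # stable order gives reproducible output
    if (-not $files) { throw "No .ps1 files found under $SourceFolder" }

    $builder = [System.Text.StringBuilder]::new()
    foreach ($file in $files) {
        $text = Get-Content -LiteralPath $file.FullName -Raw
        # Drop any per-file Authenticode block; a stale signature inside the merged
        # file would be dead text at best and confusing at worst.
        $text = $text -replace '(?s)\r?\n# SIG # Begin signature block.*?# SIG # End signature block\s*$', ''

        # Fail the build on a syntax error instead of shipping a module that breaks at import.
        $tokens = $null; $errors = $null
        [void][System.Management.Automation.Language.Parser]::ParseInput($text, [ref]$tokens, [ref]$errors)
        if ($errors.Count -gt 0) {
            throw "Parse error in $($file.FullName): $($errors[0].Message)"
        }

        [void]$builder.AppendLine("#region $($file.Name)")
        [void]$builder.AppendLine($text.TrimEnd())
        [void]$builder.AppendLine('#endregion')
    }

    Set-Content -LiteralPath $OutputFile -Value $builder.ToString() -Encoding UTF8
    return $files.Count                                  # number of files merged
}

# Usage (paths and certificate selection are assumptions):
#   Merge-ModuleScripts -SourceFolder .\src -OutputFile .\out\MyModule.psm1
#   $cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
#   Set-AuthenticodeSignature -FilePath .\out\MyModule.psm1 -Certificate $cert
#   Measure-Command { Import-Module .\out\MyModule.psm1 -Force }   # compare with the multi-file layout
```

Running `Measure-Command` against both layouts on a machine with the AppLocker policy applied shows whether the per-file cost described in the thread is what dominates the import time.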
Describe the issue
On a Windows 11 machine (23H2, 22631.3007) with AppLocker enabled in Audit mode.
First command for a given PowerShell session takes a long time to start, 43 seconds below.
Subsequent commands are quick.
Problem also happens with AppLocker fully turned on. Removing the AppLocker GPO and rebooting a couple of times makes the machine operate normally, with a minimal delay on first run of BCContainerHelper.
Other approximate times are six seconds to load if AppLocker is not configured (W11), eight seconds to load if AppLocker is configured and running on Windows 10, three seconds on Win10 without AppLocker.
Seems I've managed to turn off MS-AV permanently on W11 so it's not doing anything (not sure why it's stopped turning itself back on).
Even the "six seconds" seems a bit long actually; perhaps most of those tiny files should be concatenated into one "library" script before signing? That should load faster as AES is a lot quicker than RSA.
Scripts used to create container and cause the issue
Full output of scripts
Additional context