fix(windows): stop console window flashes during scheduled scans #100
Open
swarit-stepsecurity wants to merge 3 commits into
Signed-off-by: Swarit Pandey <swarit@stepsecurity.io>
Signed-off-by: Swarit Pandey <swarit@stepsecurity.io>
Pull request overview
This PR aims to prevent visible console window flashes on Windows during scheduled scans by changing how the scheduled task launches the agent and by suppressing console creation for subprocesses.
Changes:
- Add a Windows GUI-subsystem launcher (stepsecurity-dev-machine-guard-task.exe) and install it side-by-side with the agent in the MSI.
- Update Task Scheduler registration to invoke the binary directly (no cmd /c wrapper) and prefer the launcher when present.
- Introduce a cross-platform internal/winproc helper to apply Windows process attributes that suppress console windows for spawned child processes, and apply it in key call sites.
Reviewed changes
Copilot reviewed 18 out of 18 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| packaging/windows/Product.wxs | Adds launcher binary to MSI payload and feature refs. |
| Makefile | Adds build targets for the launcher and includes it in MSI builds/clean. |
| internal/winproc/winproc.go | Non-Windows stub for HideWindow. |
| internal/winproc/winproc_windows.go | Windows implementation setting HideWindow + CREATE_NO_WINDOW. |
| internal/winproc/winproc_windows_test.go | Windows-only tests for attribute merging/idempotency. |
| internal/winproc/winproc_test.go | Cross-platform safety tests (nil-safe, no panic). |
| internal/schtasks/schtasks.go | Prefers launcher for scheduled task; removes cmd /c wrapper; uses --install-dir. |
| internal/schtasks/schtasks_test.go | Updates args tests and adds launcher preference + /tr format tests. |
| internal/executor/executor.go | Applies winproc.HideWindow to subprocess execution paths. |
| internal/detector/ide.go | Adds package.json fast-path for VS Code-derived IDE version detection. |
| internal/detector/ide_test.go | Adds test ensuring VS Code version comes from package.json (no .cmd shell-out). |
| internal/config/config_windows.go | Suppresses console window for icacls invocation. |
| internal/aiagents/enrich/npm/registry.go | Suppresses console window for npm-related subprocess invocation. |
| internal/aiagents/cli/.stepsecurity/ai-agent-hook-errors.jsonl | Adds a new log entry line. |
| cmd/stepsecurity-dev-machine-guard-task/main.go | New Windows-only GUI launcher that spawns agent with CREATE_NO_WINDOW and job object lifecycle binding. |
| .goreleaser.yml | Adds build + archive configuration for the launcher binary. |
| .github/workflows/release.yml | Updates release workflow to locate/sign/upload both agent and launcher Windows assets. |
| .github/workflows/msi-smoke.yml | Builds/verifies both binaries in MSI smoke workflow and asserts task action points at launcher. |
Comment on lines +72 to +78
| args := buildCreateArgs(binaryPath, logDir, stepHome, hours, exec.IsRoot()) | ||
| log.Debug("schtasks create: binary=%q log_dir=%q step_home=%q hours=%d is_admin=%v", binaryPath, logDir, stepHome, hours, exec.IsRoot()) | ||
| taskBinary := resolveTaskBinary(exec, binaryPath) | ||
| args := buildCreateArgs(taskBinary, stepHome, hours, exec.IsRoot()) |
Comment on lines 389 to +392
| func (d *IDEDetector) resolveWindowsVersionFromDir(ctx context.Context, spec ideSpec, installDir string) string { | ||
| if v := readProductInfoVersion(d.exec, filepath.Join(installDir, "resources", "app", "package.json")); v != "unknown" { | ||
| return v | ||
| } |
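Review bot: the fast path at the top of resolveWindowsVersionFromDir returns whatever readProductInfoVersion reads from resources/app/package.json as long as it is not the string "unknown", so the reported version is only as trustworthy as a file under installDir. Unless readProductInfoVersion already does so, check that the value looks like a version string and bound its length before returning it, and consider a named constant or a (string, bool) return instead of comparing against the "unknown" literal.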
Comment on lines +1 to +2
| {"ts":"2026-05-21T16:38:14.309922Z","stage":"install","code":"no_home","message":"should be silently dropped"} | ||
| {"ts":"2026-05-22T00:59:13.355439Z","stage":"install","code":"no_home","message":"should be silently dropped"} |
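Review bot: both added lines in internal/aiagents/cli/.stepsecurity/ai-agent-hook-errors.jsonl look like runtime output rather than source (two timestamps, identical code "no_home", message "should be silently dropped"), which suggests the file was committed by accident. Drop it from the PR, add the path to .gitignore, and point whatever produces it at a temporary directory so it stops writing into the checkout.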
Signed-off-by: Swarit Pandey <swarit@stepsecurity.io>
What does this PR do?
Type of change
Testing
- ./stepsecurity-dev-machine-guard --verbose
- ./stepsecurity-dev-machine-guard --json | python3 -m json.tool
- make lint
- make test
Related Issues