microsoft / vscode

Event viewer spam and high cpu usage caused by Microsoft Account and Github authentication #98333

Closed ghost closed 3 years ago

ghost commented 4 years ago

I'm seeing a large number of security events on Event viewer:

Looking at the logs for these events, it seems to be caused by vscode:

<Data Name="TargetName">vscode-github.login/account</Data>
<Data Name="TargetName">vscode-microsoft.login/account</Data>

When I turned off the Microsoft Account and GitHub Authentication extensions, the problem seems to go away.

Is this expected behavior? It seems that VS Code keeps polling the Windows Credential Manager entries, and this causes an increase in CPU usage, and it also fills up the Event Viewer.


I have attached a log of one of the events:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>5379</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13824</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2020-05-21T15:12:13.363954300Z" />
    <EventRecordID>1349115</EventRecordID>
    <Correlation ActivityID="{13941836-2f0c-0002-fe18-94130c2fd601}" />
    <Execution ProcessID="904" ThreadID="208" />
    <Channel>Security</Channel>
    <Computer>serenity</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid"></Data>
    <Data Name="SubjectUserName">phg</Data>
    <Data Name="SubjectDomainName">SERENITY</Data>
    <Data Name="SubjectLogonId">0xcd6232</Data>
    <Data Name="TargetName">vscode-github.login/account</Data>
    <Data Name="Type">1</Data>
    <Data Name="CountOfCredentialsReturned">1</Data>
    <Data Name="ReadOperation">%%8099</Data>
    <Data Name="ReturnCode">3221226021</Data>
    <Data Name="ProcessCreationTime">2020-05-21T15:11:39.919121900Z</Data>
    <Data Name="ClientProcessId">15608</Data>
  </EventData>
</Event>

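An added example, not part of the original thread or of VS Code's code: a Python triage helper that takes Security-log events exported as XML under one root element and counts Event ID 5379 records per TargetName and ClientProcessId, the fields shown in the event above. The sample events, the `per_minute_threshold` value and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter
from datetime import datetime, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def parse_system_time(value):
    """Parse SystemTime, e.g. 2020-05-21T15:12:13.363954300Z (up to 9 fractional digits)."""
    base, _, frac = value.rstrip("Z").partition(".")
    micro = int(frac[:6].ljust(6, "0")) if frac else 0
    stamp = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    return stamp.replace(microsecond=micro, tzinfo=timezone.utc)

def summarize_5379(xml_text, per_minute_threshold=2.0):
    """Count Event ID 5379 records per (TargetName, ClientProcessId); flag noisy readers."""
    counts, times = Counter(), []
    for ev in ET.fromstring(xml_text).iter("{%s}Event" % NS["e"]):
        if (ev.findtext("e:System/e:EventID", namespaces=NS) or "").strip() != "5379":
            continue  # skip other Security events, e.g. 4624 logons
        data = {d.get("Name"): d.text or "" for d in ev.iterfind("e:EventData/e:Data", NS)}
        counts[(data.get("TargetName", ""), data.get("ClientProcessId", ""))] += 1
        times.append(parse_system_time(ev.find("e:System/e:TimeCreated", NS).get("SystemTime")))
    if not times:
        return []
    # Use a window of at least one minute so a lone event is not reported as a burst.
    minutes = max((max(times) - min(times)).total_seconds() / 60.0, 1.0)
    return [{"target": t, "pid": p, "count": n, "per_minute": round(n / minutes, 2),
             "noisy": n / minutes > per_minute_threshold}
            for (t, p), n in counts.most_common()]

def _event(event_id, system_time, target, pid):
    # Constructed, trimmed-down event carrying only the fields the summary reads.
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{system_time}"/></System><EventData>'
            f'<Data Name="TargetName">{target}</Data>'
            f'<Data Name="ClientProcessId">{pid}</Data></EventData></Event>')

# Constructed sample: four 5379 reads within one minute plus one unrelated 4624 logon.
SAMPLE = "<Events>" + "".join([
    _event(5379, "2020-05-21T15:12:13.363954300Z", "vscode-github.login/account", 15608),
    _event(5379, "2020-05-21T15:12:33.363954300Z", "vscode-microsoft.login/account", 15608),
    _event(5379, "2020-05-21T15:12:53.363954300Z", "vscode-github.login/account", 15608),
    _event(4624, "2020-05-21T15:13:00.000000000Z", "", ""),
    _event(5379, "2020-05-21T15:13:13.363954300Z", "vscode-github.login/account", 15608),
]) + "</Events>"

if __name__ == "__main__":
    for row in summarize_5379(SAMPLE):
        print(row)
```

Grouping by ClientProcessId ties the flood to one process, which separates a polling application from many distinct processes reading credentials.
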
ghost commented 4 years ago

This issue has not been addressed, and now with 1.46 I cannot disable the Microsoft Account extension.

RMacfarlane commented 4 years ago

Hey @phgmacedo, this is currently expected behavior. Each window has its own instance of the "extension host" process, so there are multiple copies of each extension. To synchronize state between them, they poll the credential manager to see if another window has signed in/signed out. There is no OS event emitted when the credential manager is updated.

ghost commented 4 years ago

@RMacfarlane This is reproducible even with only 1 window open.

And there should be a way to disable it lest having to delete the authentication extension folder. In previous versions it was possible to disable the "Microsoft Authentication" extension so that the CPU usage would not be an issue.

RMacfarlane commented 4 years ago

The extension doesn't know how many windows are open, so it will also poll in the 1 window case.

@sandy081 What determines whether a built-in extension appears when querying @builtin in the extensions viewlet? The "GitHub Authentication" extension shows up there but not "Microsoft Authentication"

ghost commented 4 years ago

> The extension doesn't know how many windows are open, so it will also poll in the 1 window case.
>
> @sandy081 What determines whether a built-in extension appears when querying @builtin in the extensions viewlet? The "GitHub Authentication" extension shows up there but not "Microsoft Authentication"

@RMacfarlane In 1.45 it was possible to disable, this issue was introduced in 1.46.

sandy081 commented 4 years ago

> @sandy081 What determines whether a built-in extension appears when querying @builtin in the extensions viewlet? The "GitHub Authentication" extension shows up there but not "Microsoft Authentication"

No built-in extensions are hidden by default. I see this is not shown, but I am seeing it when I filter by name in built-in extensions, say @builtin Mic

I will see why it is not displayed by default and will fix it.

sandy081 commented 4 years ago

Filed https://github.com/microsoft/vscode/issues/100289 for the above issue.

tumukei commented 4 years ago

Got 38k of these logs. If this is expected behavior, can you tell a forwarding address where to send all the "important" logging to? Thanks!

flywheelnz commented 4 years ago

I'm currently seeing several of these per second, which I think is having a knock-on effect on services like Diagnostic Policy Service - blowing out disk, CPU and memory usage. There has to be a better way.

cyraid commented 4 years ago

Launching event viewer a couple times a minute, logging a security event, is filling up our logs and also it's incredibly annoying to see the 'hourglass' on the mouse so very often. Disabled those builtin extensions, because setting sync and such is just not worth the annoying hourglass and filling of log.

myks790 commented 4 years ago

There are so many logs that only 2 days are logged. So the RDP login event has been cleared. Is there any other way?

RMacfarlane commented 3 years ago

Closing, as we no longer poll the credential manager in VS Code version 1.50.1, so this should be fixed. Thanks!