fix(windows): stop console window flashes during scheduled scans #104
Merged
The schtasks /create action used to invoke the agent via a cmd /c wrapper, which produced a visible cmd.exe flash on every scheduled fire. This change:

- Drops the cmd /c wrapper; the task now invokes the agent (or the GUI-subsystem launcher) directly, with --install-dir / filelog handling moved into the binary.
- Adds cmd/stepsecurity-dev-machine-guard-task — a small GUI-subsystem launcher .exe used by the MSI install layout so Windows does not allocate a console for the scheduled task.
- Adds internal/winproc to suppress subprocess console flashes via CREATE_NO_WINDOW for child processes spawned by the agent.
- Wires the launcher binary into the MSI WiX manifest, .goreleaser config, Makefile, and the msi-smoke / release workflows.
- Adds Windows-side test coverage for schtasks, winproc, and the IDE detector.
varunsh-coder approved these changes May 22, 2026
This was referenced May 23, 2026
ashishkurmi pushed a commit that referenced this pull request May 27, 2026
The launcher was hardcoded to spawn the sibling agent .exe, which is exactly what the MSI install layout needs but doesn't work for the PowerShell loader. The PS task action has to run `powershell.exe -File loader.ps1 send-telemetry` on every tick (loader owns auto-update), and powershell.exe is console-subsystem — Task Scheduler firing it directly allocates a console and flashes a window before -WindowStyle Hidden takes effect. Same root cause PR #104 fixed for the agent, just at the powershell layer.

This adds an --exec mode so the PS loader's scheduled task can wrap powershell.exe in the launcher's no-console envelope:

    task.exe --exec powershell.exe -ExecutionPolicy Bypass ...

When --exec is absent the launcher falls through to the existing sibling-agent behaviour, so MSI installs see no change. Target resolution lives in internal/launcher so it gets unit-test coverage on the macOS CI runner (the launcher binary itself stays Windows-only).
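The target resolution that commit message describes, sketched as an added example (not code from this pull request or the project). `resolveTarget`, `Target`, the agent file name and the sample paths are assumptions, as is treating only a leading `--exec` as the mode switch.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
)

// agentExe is an assumed file name; the page does not give the installed name.
const agentExe = "stepsecurity-dev-machine-guard.exe"

var errNoExecTarget = errors.New("--exec requires a target program")

// Target is the program and arguments the launcher would start.
type Target struct {
	Path string
	Args []string
}

// resolveTarget (hypothetical name) decides what the launcher starts.
// launcherPath is the launcher's own path; args excludes argv[0].
func resolveTarget(launcherPath string, args []string) (Target, error) {
	if len(args) > 0 && args[0] == "--exec" {
		// Assumption: only a leading --exec selects exec mode, so the same
		// string later in the arguments is passed through untouched.
		if len(args) < 2 || args[1] == "" {
			return Target{}, errNoExecTarget
		}
		return Target{Path: args[1], Args: args[2:]}, nil
	}
	// Fall-through: the agent beside the launcher, resolved from the
	// launcher's own directory rather than by a PATH search.
	dir := filepath.Dir(launcherPath)
	return Target{Path: filepath.Join(dir, agentExe), Args: args}, nil
}

func main() {
	// Constructed sample inputs (POSIX-style path so it runs on any OS).
	self := "/opt/guard/stepsecurity-dev-machine-guard-task.exe"
	for _, a := range [][]string{
		{"send-telemetry"},
		{"--exec", "powershell.exe", "-File", "loader.ps1", "send-telemetry"},
		{"--exec"},
	} {
		t, err := resolveTarget(self, a)
		fmt.Printf("%q -> path=%q args=%q err=%v\n", a, t.Path, t.Args, err)
	}
}
```

Because `--exec` lets the launcher start any program named in the task action, the action string of the scheduled task is worth including in whatever review covers the task's other settings.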
What does this PR do?
Type of change
Testing
- ./stepsecurity-dev-machine-guard --verbose
- ./stepsecurity-dev-machine-guard --json | python3 -m json.tool
- make lint
- make test

Related Issues