Remove GetLastError usage in Windows code

[clarkb7]

What does this PR do?

This PR removes the incorrect usage of windows.GetLastError() in Go code. As documented in golang/go#41220, GetLastError() always returns nil in Go because the syscall implementation resets the last error before calling the DLL function.

Changes:

• Added forbidigo linter rule to prevent future usage of GetLastError()
• Fixed all existing usages by using the error returned directly from syscalls (third return value from .Call())
• Updated CGO code in comp/etw/impl and pkg/util/winutil/winmem to properly capture and return Windows error codes

Motivation

https://datadoghq.atlassian.net/browse/WINA-2127
GetLastError() is fundamentally broken in Go and should never be used. This PR ensures we don't use it and properly capture Windows errors.

Testing

• Ensure live processes still has processes/commandlines/metrics
• Ensure flare has file permission info
• Ensure system.paging.* metrics still show and have path tag
• Ensure systray still has icon
• comp/etw has coverage through security-agent integration/e2e tests

[iglendd]

Again, OMG, it looks like it fixed 10 subtle bugs.

[agent-platform-auto-pr]

Static quality checks

✅ Please find below the results from static quality gates
Comparison made with ancestor dae02eb
📊 Static Quality Gates Dashboard

Successful checks

Info

	Quality gate	Delta	On disk size (MiB)	Delta	On wire size (MiB)
✅	agent_deb_amd64	$${+0}$$	$${708.09}$$ < $${708.41}$$	$${-0.03}$$	$${173.87}$$ < $${174.49}$$
✅	agent_deb_amd64_fips	$${+0}$$	$${703.39}$$ < $${704.0}$$	$${+0.02}$$	$${172.7}$$ < $${173.75}$$
✅	agent_heroku_amd64	$${+0}$$	$${328.7}$$ < $${329.53}$$	$${-0}$$	$${87.44}$$ < $${88.45}$$
✅	agent_msi	$${-0}$$	$${570.68}$$ < $${982.08}$$	$${+0.02}$$	$${142.7}$$ < $${143.02}$$
✅	agent_rpm_amd64	$${+0}$$	$${708.08}$$ < $${708.38}$$	$${+0.03}$$	$${176.48}$$ < $${177.66}$$
✅	agent_rpm_amd64_fips	$${+0}$$	$${703.37}$$ < $${703.99}$$	$${+0.04}$$	$${175.94}$$ < $${176.6}$$
✅	agent_rpm_arm64	$${+0}$$	$${689.61}$$ < $${693.52}$$	$${-0.02}$$	$${159.95}$$ < $${161.26}$$
✅	agent_rpm_arm64_fips	$${+0}$$	$${685.76}$$ < $${688.48}$$	$${+0.03}$$	$${159.43}$$ < $${160.55}$$
✅	agent_suse_amd64	$${+0}$$	$${708.08}$$ < $${708.38}$$	$${+0.03}$$	$${176.48}$$ < $${177.66}$$
✅	agent_suse_amd64_fips	$${+0}$$	$${703.37}$$ < $${703.99}$$	$${+0.04}$$	$${175.94}$$ < $${176.6}$$
✅	agent_suse_arm64	$${+0}$$	$${689.61}$$ < $${693.52}$$	$${-0.02}$$	$${159.95}$$ < $${161.26}$$
✅	agent_suse_arm64_fips	$${+0}$$	$${685.76}$$ < $${688.48}$$	$${+0.03}$$	$${159.43}$$ < $${160.55}$$
✅	docker_agent_amd64	$${+0}$$	$${769.93}$$ < $${770.72}$$	$${-0.01}$$	$${261.75}$$ < $${262.45}$$
✅	docker_agent_arm64	$${+0}$$	$${776.04}$$ < $${780.2}$$	$${-0.02}$$	$${250.8}$$ < $${252.63}$$
✅	docker_agent_jmx_amd64	$${+0}$$	$${960.8}$$ < $${961.6}$$	$${+0}$$	$${330.39}$$ < $${331.08}$$
✅	docker_agent_jmx_arm64	$${+0}$$	$${955.64}$$ < $${959.8}$$	$${-0.01}$$	$${315.42}$$ < $${317.27}$$
✅	docker_cluster_agent_amd64	$${-0}$$	$${180.7}$$ < $${181.08}$$	$${+0}$$	$${63.85}$$ < $${64.49}$$
✅	docker_cluster_agent_arm64	$${-0}$$	$${196.55}$$ < $${198.49}$$	$${-0}$$	$${60.12}$$ < $${61.17}$$
✅	docker_cws_instrumentation_amd64	$${+0}$$	$${7.13}$$ < $${7.18}$$	$${+0}$$	$${2.99}$$ < $${3.33}$$
✅	docker_cws_instrumentation_arm64	$${+0}$$	$${6.69}$$ < $${6.92}$$	$${+0}$$	$${2.73}$$ < $${3.09}$$
✅	docker_dogstatsd_amd64	$${+0}$$	$${38.78}$$ < $${39.38}$$	$${+0}$$	$${15.01}$$ < $${15.82}$$
✅	docker_dogstatsd_arm64	$${+0}$$	$${37.07}$$ < $${37.94}$$	$${+0}$$	$${14.34}$$ < $${14.83}$$
✅	dogstatsd_deb_amd64	$${+0}$$	$${30.0}$$ < $${30.61}$$	$${-0}$$	$${7.94}$$ < $${8.79}$$
✅	dogstatsd_deb_arm64	$${+0}$$	$${28.15}$$ < $${29.11}$$	$${+0}$$	$${6.81}$$ < $${7.71}$$
✅	dogstatsd_rpm_amd64	$${+0}$$	$${30.0}$$ < $${30.61}$$	$${+0}$$	$${7.95}$$ < $${8.8}$$
✅	dogstatsd_suse_amd64	$${+0}$$	$${30.0}$$ < $${30.61}$$	$${+0}$$	$${7.95}$$ < $${8.8}$$
✅	iot_agent_deb_amd64	$${+0}$$	$${42.96}$$ < $${43.29}$$	$${-0}$$	$${11.25}$$ < $${12.04}$$
✅	iot_agent_deb_arm64	$${+0}$$	$${40.08}$$ < $${40.92}$$	$${-0}$$	$${9.62}$$ < $${10.45}$$
✅	iot_agent_deb_armhf	$${+0}$$	$${40.67}$$ < $${41.03}$$	$${+0}$$	$${9.82}$$ < $${10.62}$$
✅	iot_agent_rpm_amd64	$${+0}$$	$${42.96}$$ < $${43.29}$$	$${+0}$$	$${11.27}$$ < $${12.06}$$
✅	iot_agent_suse_amd64	$${+0}$$	$${42.96}$$ < $${43.29}$$	$${+0}$$	$${11.27}$$ < $${12.06}$$

[cit-pr-commenter]

Regression Detector

Regression Detector Results

Metrics dashboard
Target profiles
Run ID: c634d07e-1da6-4455-b450-0c4a415c817e

Baseline: dae02eb
Comparison: d5175e2
Diff

Optimization Goals: ✅ No significant changes detected

Experiments ignored for regressions

Regressions in experiments with settings containing erratic: true are ignored.

perf	experiment	goal	Δ mean %	Δ mean % CI	trials	links
➖	docker_containers_cpu	% cpu utilization	+0.27	[-2.75, +3.29]	1	Logs

Fine details of change detection per experiment

perf	experiment	goal	Δ mean %	Δ mean % CI	trials	links
➖	ddot_metrics	memory utilization	+0.47	[+0.24, +0.70]	1	Logs
➖	docker_containers_memory	memory utilization	+0.29	[+0.22, +0.36]	1	Logs
➖	docker_containers_cpu	% cpu utilization	+0.27	[-2.75, +3.29]	1	Logs
➖	ddot_metrics_sum_cumulativetodelta_exporter	memory utilization	+0.23	[-0.00, +0.45]	1	Logs
➖	quality_gate_idle	memory utilization	+0.23	[+0.18, +0.27]	1	Logs bounds checks dashboard
➖	otlp_ingest_metrics	memory utilization	+0.19	[+0.04, +0.35]	1	Logs
➖	otlp_ingest_logs	memory utilization	+0.19	[+0.10, +0.28]	1	Logs
➖	uds_dogstatsd_20mb_12k_contexts_20_senders	memory utilization	+0.15	[+0.09, +0.20]	1	Logs
➖	file_to_blackhole_0ms_latency	egress throughput	+0.10	[-0.30, +0.49]	1	Logs
➖	file_to_blackhole_100ms_latency	egress throughput	+0.04	[-0.01, +0.08]	1	Logs
➖	file_tree	memory utilization	+0.02	[-0.03, +0.08]	1	Logs
➖	uds_dogstatsd_to_api_v3	ingress throughput	+0.01	[-0.14, +0.15]	1	Logs
➖	tcp_dd_logs_filter_exclude	ingress throughput	-0.01	[-0.08, +0.07]	1	Logs
➖	file_to_blackhole_1000ms_latency	egress throughput	-0.01	[-0.43, +0.41]	1	Logs
➖	uds_dogstatsd_to_api	ingress throughput	-0.01	[-0.14, +0.11]	1	Logs
➖	file_to_blackhole_500ms_latency	egress throughput	-0.01	[-0.39, +0.36]	1	Logs
➖	quality_gate_idle_all_features	memory utilization	-0.06	[-0.10, -0.02]	1	Logs bounds checks dashboard
➖	ddot_metrics_sum_delta	memory utilization	-0.09	[-0.31, +0.12]	1	Logs
➖	ddot_logs	memory utilization	-0.18	[-0.25, -0.11]	1	Logs
➖	ddot_metrics_sum_cumulative	memory utilization	-0.52	[-0.68, -0.36]	1	Logs
➖	quality_gate_metrics_logs	memory utilization	-1.43	[-1.63, -1.22]	1	Logs bounds checks dashboard
➖	tcp_syslog_to_blackhole	ingress throughput	-1.59	[-1.69, -1.50]	1	Logs
➖	quality_gate_logs	% cpu utilization	-1.78	[-3.26, -0.30]	1	Logs bounds checks dashboard

Bounds Checks: ✅ Passed

perf	experiment	bounds_check_name	replicates_passed	links
✅	docker_containers_cpu	simple_check_run	10/10
✅	docker_containers_memory	memory_usage	10/10
✅	docker_containers_memory	simple_check_run	10/10
✅	file_to_blackhole_0ms_latency	lost_bytes	10/10
✅	file_to_blackhole_0ms_latency	memory_usage	10/10
✅	file_to_blackhole_1000ms_latency	lost_bytes	10/10
✅	file_to_blackhole_1000ms_latency	memory_usage	10/10
✅	file_to_blackhole_100ms_latency	lost_bytes	10/10
✅	file_to_blackhole_100ms_latency	memory_usage	10/10
✅	file_to_blackhole_500ms_latency	lost_bytes	10/10
✅	file_to_blackhole_500ms_latency	memory_usage	10/10
✅	quality_gate_idle	intake_connections	10/10	bounds checks dashboard
✅	quality_gate_idle	memory_usage	10/10	bounds checks dashboard
✅	quality_gate_idle_all_features	intake_connections	10/10	bounds checks dashboard
✅	quality_gate_idle_all_features	memory_usage	10/10	bounds checks dashboard
✅	quality_gate_logs	intake_connections	10/10	bounds checks dashboard
✅	quality_gate_logs	lost_bytes	10/10	bounds checks dashboard
✅	quality_gate_logs	memory_usage	10/10	bounds checks dashboard
✅	quality_gate_metrics_logs	cpu_usage	10/10	bounds checks dashboard
✅	quality_gate_metrics_logs	intake_connections	10/10	bounds checks dashboard
✅	quality_gate_metrics_logs	lost_bytes	10/10	bounds checks dashboard
✅	quality_gate_metrics_logs	memory_usage	10/10	bounds checks dashboard

Explanation

Confidence level: 90.00%
Effect size tolerance: |Δ mean %| ≥ 5.00%

Performance changes are noted in the perf column of each table:

• ✅ = significantly better comparison variant performance
• ❌ = significantly worse comparison variant performance
• ➖ = no significant change in performance

A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".

For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:

1. Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.

2. Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.

3. Its configuration does not mark it "erratic".

CI Pass/Fail Decision

✅ Passed. All Quality Gates passed.

• quality_gate_idle_all_features, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_idle_all_features, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_idle, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_idle, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check lost_bytes: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check lost_bytes: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check cpu_usage: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.

[chouetz]

Small suggestion

[chouetz]

Nit, I don't know how far there is a risk for trailing characters, maybe in a return with 2 outputs?

Suggested change

	- pattern: ^.*\.GetLastError()$
	- pattern: ^.*\.GetLastError().*$

[clarkb7]

nice catch! looks like either way works fine

pkg\util\winutil\getlasterror_test.go:47:9: use of `windows.GetLastError` forbidden because "GetLastError always returns nil in Go because the syscall implementation resets the last error before calling the DLL function (see https://github.com/golang/go/issues/41220). Use the error returned directly from the syscall (third return value) instead." (forbidigo)
        return windows.GetLastError(), nil
               ^
pkg\util\winutil\getlasterror_test.go:51:17: use of `windows.GetLastError` forbidden because "GetLastError always returns nil in Go because the syscall implementation resets the last error before calling the DLL function (see https://github.com/golang/go/issues/41220). Use the error returned directly from the syscall (third return value) instead." (forbidigo)
        return []error{windows.GetLastError(), nil}

[ofek]

I'm not sure how this is working because it is technically incorrect.

>>> import re
>>> examples = [
...     "return windows.GetLastError(), nil",
...     "return []error{windows.GetLastError(), nil}",
... ]
>>> def test(pattern):
...     for example in examples:
...         print(re.search(pattern, example))
...
>>> test(r"^.*\.GetLastError()$")
None
None
>>> test(r"^.*\.GetLastError().*$")
<re.Match object; span=(0, 34), match='return windows.GetLastError(), nil'>
<re.Match object; span=(0, 43), match='return []error{windows.GetLastError(), nil}'>

Also, since parentheses are special characters in regular expressions I think we should escape them as we do for the . character.

Suggested change

	- pattern: ^.*\.GetLastError()$
	- pattern: ^.*\.GetLastError\(\).*$

[clarkb7]

it's not clear to me from the docs what forbidgo matches against, but based on the output "use of windows.GetLastError forbidden" and that forbigdo uses ast.Node, not source lines, I imagine it's matching against the windows.GetLastError identifier/token (without the parentheses).

I think it works as is b/c the parentheses are treated as a match group as you say. forbidgo does not find any matches after escaping the parentheses. regardless of the .* at the end.

I'll remove the parentheses, but without them I don't think we should include the trailing .*, because then it wouldn't be an exact match anymore.