The customer reported that their computer was being randomly “Locked” while they were typing. I’m sure our initial thought was “What are they smoking there?”.
But we had some other reports of the problem as well, so we couldn’t dismiss it as the hallucinations of one user.
We were stumped, so we called Microsoft in to determine what was going on.
Microsoft Premier Field Engineering gave us a utility called “Time Travel Tracing”, also known as TTTracer. It created a log file that we shipped to Microsoft for analysis.
The answer back? FooBar.exe was sending a “lock workstation” command to the operating system.
So what is TTTracer?
Well, in the words of several Microsoft employees:
Time Travel Tracing (also known as iDNA tracing) consists of two elements:
- a utility to capture a TTT trace (available to everyone)
- an extension to WinDbg that allows loading the trace for analysis (available only internally)
The novelty of this tool is that when the trace is loaded into WinDbg, it allows the user to move back and forth in the process execution time.
Thanks to this capability, it helps us debug the Windows interoperability behaviors without the need to reproduce the problem or remote live debugging.
As of now, the tool only allows capturing user-mode processes.
— This is how we troubleshoot Windows interoperability issues in the Open Specifications support team
In order to troubleshoot this problem, I had the customer get a Time Travel Trace, something we often call an iDNA dump. An iDNA dump is analyzed like any other memory dump, but unlike a traditional user-mode dump that contains the contents of memory at a particular moment in time, an iDNA dump contains a “recording” of user-mode memory over a period of time. It’s kind of like Tivo for the debugger, and in situations where a problem is easily reproduced in short time, it’s a great way to dig into problems.
— Image or ImageButton without ImageUrl Causes HTTP GET for Default Document
TTTracer basically uses an instruction emulator to run the code in a sandbox which records stuff along the way, which is also the reason why you won’t see it for kernel-mode code soon.
— Jake Oshins, Windows Virtualization Guy
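The quotes above describe the mechanism behind TTT: an emulator runs the process, records what happens at every instruction, and the debugger then moves backwards and forwards through that recording instead of through a live process. The following is an added example, not TTTracer, not Microsoft code, and not the iDNA trace format; it implements the same record-then-scrub idea for a toy register machine. A recorder emulates a constructed program and captures registers, call stack and any system call at each step, and a cursor over the recording rewinds and fast-forwards to answer the question this post started with: which call path issued the `LockWorkStation` call. The instruction set, the program, the symbol names and the `LockWorkStation` label are all constructed for the illustration.

```python
"""Toy time-travel tracer (constructed example, not TTTracer's format or API):
emulate a tiny register machine, record every executed instruction, then scrub
the recording backwards and forwards to attribute a system call to its caller."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Step:
    index: int
    pc: int
    instr: tuple
    regs: Tuple[Tuple[str, int], ...]  # register file before this instruction ran
    callstack: Tuple[str, ...]         # symbolized frames, outermost first
    syscall: Optional[str]             # syscall issued by this instruction, if any


# Constructed program: main() counts down in a helper, then an idle handler
# issues the lock call, mirroring the unexpected LockWorkStation caller above.
# Opcodes: mov reg imm | addi reg imm | jnz reg pc | call pc | ret | syscall name | halt
PROGRAM: List[tuple] = [
    ("mov", "r0", 3),                # 0  main: r0 = 3
    ("call", 4),                     # 1  main: countdown()
    ("call", 7),                     # 2  main: on_idle()
    ("halt",),                       # 3  main: exit
    ("addi", "r0", -1),              # 4  countdown: r0 -= 1
    ("jnz", "r0", 4),                # 5  countdown: loop while r0 != 0
    ("ret",),                        # 6  countdown: return
    ("syscall", "LockWorkStation"),  # 7  on_idle: the call we want to attribute
    ("ret",),                        # 8  on_idle: return
]
SYMBOLS: Dict[int, str] = {0: "main", 4: "countdown", 7: "on_idle"}


def record(program: List[tuple], symbols: Dict[int, str], max_steps: int = 10_000) -> List[Step]:
    """Emulate `program` from pc 0 and return one Step per executed instruction."""
    pc, regs = 0, {"r0": 0, "r1": 0}
    frames, ret_addrs, trace = [symbols.get(0, "?")], [], []
    while len(trace) < max_steps:
        instr = program[pc]
        op = instr[0]
        trace.append(Step(len(trace), pc, instr, tuple(sorted(regs.items())),
                          tuple(frames), instr[1] if op == "syscall" else None))
        if op == "halt":
            return trace
        if op == "mov":
            regs[instr[1]] = instr[2]
            pc += 1
        elif op == "addi":
            regs[instr[1]] += instr[2]
            pc += 1
        elif op == "jnz":
            pc = instr[2] if regs[instr[1]] != 0 else pc + 1
        elif op == "call":
            ret_addrs.append(pc + 1)
            frames.append(symbols.get(instr[1], f"sub_{instr[1]}"))
            pc = instr[1]
        elif op == "ret":
            pc = ret_addrs.pop()
            frames.pop()
        elif op == "syscall":
            pc += 1  # the recorder only notes the call; the toy OS does nothing
        else:
            raise ValueError(f"unknown opcode {op!r} at pc {pc}")
    raise RuntimeError("step budget exhausted; program did not halt")


class TimeTravel:
    """Cursor over a recorded trace that can move in either direction."""

    def __init__(self, steps: List[Step]) -> None:
        self.steps, self.pos = steps, 0

    def forward(self, n: int = 1) -> Step:
        self.pos = min(self.pos + n, len(self.steps) - 1)
        return self.steps[self.pos]

    def back(self, n: int = 1) -> Step:
        self.pos = max(self.pos - n, 0)
        return self.steps[self.pos]

    def find_first(self, pred: Callable[[Step], bool]) -> Optional[Step]:
        """Move the cursor to the first step satisfying `pred` (None if absent)."""
        for step in self.steps:
            if pred(step):
                self.pos = step.index
                return step
        return None


def who_issued(steps: List[Step], syscall: str) -> Optional[Tuple[str, ...]]:
    """The blog's question: which call path issued `syscall`?"""
    hit = TimeTravel(steps).find_first(lambda s: s.syscall == syscall)
    return hit.callstack if hit else None


if __name__ == "__main__":
    tt = TimeTravel(record(PROGRAM, SYMBOLS))
    hit = tt.find_first(lambda s: s.syscall == "LockWorkStation")
    print(f"{hit.syscall} at step {hit.index}, pc {hit.pc}, stack {' > '.join(hit.callstack)}")
    prev = tt.back()  # rewind one instruction: what ran just before the lock?
    print(f"step {prev.index}: pc {prev.pc} {prev.instr} regs {dict(prev.regs)}")
```

Run it and the trace locates the lock call at the point `main` has entered `on_idle`, with the countdown already finished; rewinding one step shows the `call` that got there. A real user-mode trace records far more per step (full register state and memory writes, which is why the post compares it to a recording rather than a snapshot), but the workflow is the same: find the event of interest in the recording, then step backwards from it to see how the process reached it, without reproducing the problem live.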