Basic facts, periodic error and defamiliarizing effect: software trace pattern cooperation

This is a synthesized case study with simplified ETW trace output based on real events (consider it an exercise in software narrative fiction). In a client-server environment, a server session was always active regardless of whether a client was active or not. The workaround was to enable the CheckActivity registry key, which forces checking for user activity. Unfortunately, this didn’t help, and a software trace was recorded for offline analysis. First, we checked for Basic Facts and found the corresponding trace message that confirmed the registry key setting:

#      PID  TID  Message
[...]
3200   1428 5476 CheckActivity = 1
[...]

There were also Periodic Errors throughout the whole trace fabric:

#       PID  TID  Message
[...]
119097  2468 476  Security check failed
[...]

Although such errors happened in a number of support incidents, here we saw a message text that we had never seen before and couldn’t even find in our database of incidents (Defamiliarizing Effect):

#      PID  TID  Message
[...]
119090 2468 476  Calling the third party security information provider
119091 2468 476  Get security information: failed
[...]

Therefore, we advised testing with the third-party security provider disabled. The software story continues…
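
The three checks in this case study (Basic Facts, Periodic Error, Defamiliarizing Effect) can be scripted over a trace in the same layout. The following is an added example, not part of the original post: the function names, the `KNOWN_MESSAGES` baseline standing in for the incident database, and the earlier repeats in the sample trace are assumptions.

```python
import re

# Constructed sample in the page's layout; only the 3200 and 1190xx lines come from the page.
SAMPLE_TRACE = """\
#       PID  TID  Message
3200    1428 5476 CheckActivity = 1
[...]
40210   2468 476  Calling the third party security information provider
40211   2468 476  Get security information: failed
40217   2468 476  Security check failed
[...]
79650   2468 476  Calling the third party security information provider
79651   2468 476  Get security information: failed
79657   2468 476  Security check failed
[...]
119090  2468 476  Calling the third party security information provider
119091  2468 476  Get security information: failed
119097  2468 476  Security check failed
"""

# Hypothetical stand-in for the incident database: messages seen in earlier cases.
KNOWN_MESSAGES = {"CheckActivity = 1", "Security check failed"}

LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(.*\S)\s*$")

def parse(trace):
    """Return (number, pid, tid, message) tuples; headers and [...] are skipped."""
    hits = (LINE.match(line) for line in trace.splitlines())
    return [(int(m[1]), int(m[2]), int(m[3]), m[4]) for m in hits if m]

def basic_fact(rows, name):
    """Basic Facts: value the trace itself reports for a 'name = value' message."""
    for _, _, _, msg in rows:
        key, sep, value = msg.partition("=")
        if sep and key.strip() == name:
            return value.strip()
    return None

def periodic_errors(rows, min_count=3):
    """Periodic Error: the same failure repeated by one thread across the trace."""
    seen = {}
    for num, pid, tid, msg in rows:
        if "failed" in msg.lower():
            seen.setdefault((pid, tid, msg), []).append(num)
    return {k: v for k, v in seen.items() if len(v) >= min_count}

def unfamiliar(rows, known):
    """Defamiliarizing Effect: messages absent from the known-message baseline."""
    return sorted({msg for *_, msg in rows} - set(known))
```

Messages returned by `unfamiliar` that immediately precede a periodic error on the same PID and TID are the ones worth reading first, as with the third-party provider call here.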

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
