Trace Analysis Patterns (Part 35)

News Value is a pattern that assigns relative importance to software traces for problem-solving purposes, based on how they relate to the problem description, to recent incidents, and to the timestamps of other supporting artifacts (memory dumps, other traces, etc.). For example, in one scenario an ETW trace was provided together with three additional log files:

# Source PID  TID  Date       Time         Message 
0 Header 1260 1728 12/14/2010 06:48:56.289 ?????  
[…] 
215301 Unknown 640 808 12/14/2010 07:22:57.508 ?????  Unknown( 16): GUID=[…] (No Format Information found).
 

// LogA
05/11/10 18:28:15.1562 : Service() - entry
[...]
14/12/10 10:31:58.0381 : Notification: sleep
* Start of new log *
14/12/10 10:34:38.4687 : Service() - entry
[…]
14/12/10 11:53:35.2729 : Service.CleanUp complete
* Start of new log *
14/12/10 11:56:11.7031 : Service() - entry
[…]
14/12/10 15:25:23.3004 : Notification: sleep

// LogB
[   1] 12/14 10:34:29:890   Entry: ctor
[…]
[   2] 12/14 11:53:30:866   Exit: COMServer.Server.DeleteObject

// LogC
[   1] 12/14 11:56:03:359   Entry: ctor
[…]
[  20] 12/14 15:30:20:110   Exit: Kernel32.Buffer.Release

From the problem description we expected LogB and LogC to be logs from two consecutive executions of the same process, where the first launch fails (LogB) and the second launch succeeds (LogC). Their start and end times (12/14 10:34 to 11:53 and 12/14 11:56 to 15:30) are consistent with that description. The ETW trace (06:48 to 07:22 on the same day) and most of LogA were recorded before LogB starts and therefore have no news value for Inter-Correlation analysis of the more recent logs, so we dismiss them. Note that LogA uses day-first dates (14/12/10), unlike the month-first ETW trace and LogB/LogC, so its first entry (05/11/10) is from November and its first segment ends at 10:31:58 on 14/12/10, still before LogB. The two later segments of LogA, starting at 10:34:38 and 11:56:11 after the "* Start of new log *" markers, overlap LogB and LogC respectively and therefore do have analysis value for us.
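The selection above can be done mechanically: parse each artifact's own timestamp layout, split LogA at its "* Start of new log *" markers, and measure how much of every segment overlaps the window the problem description points at (first LogB entry to last LogC entry). The following is an added example, not code from the original post; the sample lines are constructed from the excerpt above with the middle lines omitted, and the year 2010 for LogB/LogC, which carry no year, is an assumption.

```python
"""Rank trace artifacts by "news value": how much of each one overlaps the
time window the problem description points at.  Added example, not the
original post's code.  Sample lines are constructed from the post's excerpt;
the 2010 year for LogB/LogC (which carry no year) is an assumption."""
import re
from datetime import datetime, timedelta

# --- constructed sample input (modeled on the post's excerpt, middle lines omitted) ---
ETW = """\
0 Header 1260 1728 12/14/2010 06:48:56.289 ?????
215301 Unknown 640 808 12/14/2010 07:22:57.508 ?????  Unknown( 16)
"""
LOG_A = """\
05/11/10 18:28:15.1562 : Service() - entry
14/12/10 10:31:58.0381 : Notification: sleep
* Start of new log *
14/12/10 10:34:38.4687 : Service() - entry
14/12/10 11:53:35.2729 : Service.CleanUp complete
* Start of new log *
14/12/10 11:56:11.7031 : Service() - entry
14/12/10 15:25:23.3004 : Notification: sleep
"""
LOG_B = """\
[   1] 12/14 10:34:29:890   Entry: ctor
[   2] 12/14 11:53:30:866   Exit: COMServer.Server.DeleteObject
"""
LOG_C = """\
[   1] 12/14 11:56:03:359   Entry: ctor
[  20] 12/14 15:30:20:110   Exit: Kernel32.Buffer.Release
"""

# Each artifact uses its own timestamp layout; LogA is day-first (14/12/10)
# while the ETW trace and LogB/LogC are month-first (12/14).
ETW_RE = re.compile(r"^\d+\s+\S+\s+\d+\s+\d+\s+(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d+)")
LOGA_RE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d\.\d+) :")
BRACKET_RE = re.compile(r"^\[\s*\d+\]\s+(\d\d/\d\d \d\d:\d\d:\d\d:\d{3})")
NEW_LOG_MARKER = "* Start of new log *"


def parse_etw(text):
    """One segment holding every ETW event timestamp (month-first, 4-digit year)."""
    ts = [datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S.%f")
          for m in map(ETW_RE.match, text.splitlines()) if m]
    return [ts]


def parse_loga(text):
    """Split LogA into segments at the '* Start of new log *' marker (day-first dates)."""
    segments, current = [], []
    for line in text.splitlines():
        if line.strip() == NEW_LOG_MARKER:
            if current:
                segments.append(current)
            current = []
            continue
        m = LOGA_RE.match(line)
        if m:
            current.append(datetime.strptime(m.group(1), "%d/%m/%y %H:%M:%S.%f"))
    if current:
        segments.append(current)
    return segments


def parse_bracketed(text, year):
    """LogB/LogC lines carry no year, so the caller supplies one (assumed 2010 here)."""
    ts = [datetime.strptime(m.group(1), "%m/%d %H:%M:%S:%f").replace(year=year)
          for m in map(BRACKET_RE.match, text.splitlines()) if m]
    return [ts]


def overlap(a, b):
    """Length of the intersection of two (start, end) intervals, zero if disjoint."""
    start, end = max(a[0], b[0]), min(a[1], b[1])
    return max(end - start, timedelta(0))


def rank_by_news_value(artifacts, window):
    """artifacts: {name: [segment timestamps, ...]}.  Returns one row per segment,
    latest start first, with its overlap against the window of interest; a zero
    overlap means the segment can be dismissed for inter-correlation."""
    rows = []
    for name, segments in artifacts.items():
        for i, ts in enumerate(segments):
            span = (min(ts), max(ts))
            rows.append({"artifact": name, "segment": i, "start": span[0],
                         "end": span[1], "overlap": overlap(span, window)})
    return sorted(rows, key=lambda r: r["start"], reverse=True)


def analyse():
    artifacts = {
        "ETW": parse_etw(ETW),
        "LogA": parse_loga(LOG_A),
        "LogB": parse_bracketed(LOG_B, 2010),
        "LogC": parse_bracketed(LOG_C, 2010),
    }
    # The problem description names LogB (failed launch) and LogC (successful
    # relaunch) as the incident; every other artifact is judged against that window.
    window = (min(artifacts["LogB"][0]), max(artifacts["LogC"][0]))
    return rank_by_news_value(artifacts, window)


if __name__ == "__main__":
    for row in analyse():
        verdict = "keep" if row["overlap"] else "dismiss"
        print(f"{row['artifact']}#{row['segment']} {row['start']} .. {row['end']} "
              f"overlap={row['overlap']} -> {verdict}")
```

Running it reports the ETW trace and the first LogA segment with zero overlap (dismiss) and the two later LogA segments with overlaps that match LogB and LogC almost exactly (keep). The day-first parse of LogA matters: reading 05/11/10 as May 11 would still place it before the window, but reading 14/12/10 month-first would fail to parse at all, which is the kind of silent mistake that loses a relevant segment.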

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -