Captured a TTD trace of CredentialUIBroker.exe → opened it in a persistent CDB session
Queried TTD: dx @$cursession.TTD.Calls("RPCRT4!I_RpcBindingInqLocalClientPID") → found 48 RPC calls from PID 0x7FC
Time-traveled to first call, stepped to return, read PID output → svchost.exe (expected, but who called svchost?)
Queried QueryFullProcessImageNameW → found handle 0x290 (not self) passed through COM chain
Stepped to return, read buffer: "C:\Program Files\Okta\Okta Verify\OktaVerify.exe"
Call stack: FailedMip::PromptForWindowsCredentials → LogBadOwnerWindow → Okta passes invalid HWND after RDP reconnect
9 hours of trace → root cause in 14 minutes
CDB is already an agent tool. TTD queries are already a query language. The debugger IS the interface.
Real bug. Real TTD trace. Filed to Okta. Agent wrote the Raymond Chen-style blog post too.
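
The steps above as a CDB/WinDbg command sequence. This is an added example, not the commands from the original session. It assumes an x64 trace opened with symbols loaded, and the module name KERNELBASE for QueryFullProcessImageNameW is an assumption (the post does not name the module).

```windbg
$$ Added example. Run inside CDB/WinDbg against a loaded TTD trace (x64 assumed).

$$ 1. List every recorded call to the RPC client-PID lookup, as a grid.
dx -g @$cursession.TTD.Calls("RPCRT4!I_RpcBindingInqLocalClientPID")

$$ 2. Travel to the start of the first call. On x64 the second argument (rdx)
$$    is the out-pointer that receives the client PID, so save it, run to the
$$    return, then read the DWORD that was written.
dx @$cursession.TTD.Calls("RPCRT4!I_RpcBindingInqLocalClientPID").First().TimeStart.SeekTo()
r $t0 = @rdx
gu
dd @$t0 L1

$$ 3. List image-name lookups made on a real process handle, skipping the
$$    current-process pseudo-handle (-1). KERNELBASE is an assumed module name.
dx -g @$cursession.TTD.Calls("KERNELBASE!QueryFullProcessImageNameW").Where(c => c.Parameters[0] != 0xffffffffffffffff)

$$ 4. Travel to the first such call. The third argument (r8) is the output
$$    buffer for the path; read it as a UTF-16 string once the call returns.
dx @$cursession.TTD.Calls("KERNELBASE!QueryFullProcessImageNameW").Where(c => c.Parameters[0] != 0xffffffffffffffff).First().TimeStart.SeekTo()
r $t1 = @r8
gu
du @$t1

$$ 5. Show the call stack that requested the lookup.
k
```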