Agent + CDB + Time Travel Debugging

The Mystery
After RDP'ing into a machine, dozens of Windows Hello prompts appear. No indication of what triggered them.
📼 Captured a TTD trace of CredentialUIBroker.exe — opened it in a persistent CDB session
🔍 Queried TTD: dx @$cursession.TTD.Calls("RPCRT4!I_RpcBindingInqLocalClientPID") — found 48 RPC calls from PID 0x7FC
⏪ Time-traveled to first call, stepped to return, read PID output → svchost.exe (expected — but who called svchost?)
🔗 Queried QueryFullProcessImageNameW — found handle 0x290 (not self) passed through COM chain
🎯 Stepped to return, read buffer: "C:\Program Files\Okta\Okta Verify\OktaVerify.exe"
📋 Call stack: FailedMip::PromptForWindowsCredentials → LogBadOwnerWindow — Okta passes invalid HWND after RDP reconnect
9 hours of trace → root cause in 14 minutes
CDB is already an agent tool. TTD queries are already a query language. The debugger IS the interface.
Real bug. Real TTD trace. Filed to Okta. Agent wrote the Raymond Chen–style blog post too.