
Bug in service name resolution

Open qjerome opened this issue 3 years ago • 0 comments

When there is PID re-use, it may happen that the service name is wrong. This bug only occurs when events are queued too long by ETW, for instance when the EDR is not consuming events from the trace.

Fix: we could partially fix this by checking the image or by not resolving services for processes not tracked by the EDR.

qjerome, Jun 30 '22 12:06
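The two mitigations proposed in the issue, sketched as an added example; this is not WHIDS code. The `Service`, `Event` and `Resolver` types and the sample data are hypothetical and constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Service is one row of a PID -> service snapshot (hypothetical type).
type Service struct{ Name, Image string }

// Event is the minimal shape of a queued trace event (hypothetical type).
type Event struct {
	PID   uint32
	Image string // image recorded when the event was generated
}

// Resolver holds the service view at consumption time and the PIDs whose
// process creation the sensor observed itself.
type Resolver struct {
	Services map[uint32]Service
	Tracked  map[uint32]bool
}

// Naive trusts the PID alone, which mislabels events after PID reuse.
func (r *Resolver) Naive(e Event) string { return r.Services[e.PID].Name }

// Guarded skips untracked processes and requires the event image to match
// the service binary. Partial only: services sharing a host image still collide.
func (r *Resolver) Guarded(e Event) string {
	svc, ok := r.Services[e.PID]
	if !ok || !r.Tracked[e.PID] || !strings.EqualFold(svc.Image, e.Image) {
		return ""
	}
	return svc.Name
}

// Sample returns constructed data: PID 1234 now belongs to the Spooler service.
func Sample() *Resolver {
	return &Resolver{
		Services: map[uint32]Service{1234: {"Spooler", `C:\Windows\System32\spoolsv.exe`}},
		Tracked:  map[uint32]bool{1234: true},
	}
}

func main() {
	r := Sample()
	// Constructed late event from the previous owner of PID 1234.
	stale := Event{1234, `C:\Windows\System32\notepad.exe`}
	fresh := Event{1234, `c:\windows\system32\spoolsv.exe`}
	fmt.Printf("naive=%q guarded=%q fresh=%q\n", r.Naive(stale), r.Guarded(stale), r.Guarded(fresh))
}
```

The stale event is attributed to the service by the PID-only lookup and left unresolved by the guarded one, which trades a missing service name for not recording a wrong one.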