In the next section of the walkthrough, we will record the execution of the sample app to see if we can determine why this exception is occurring. In Section 2, you will record a trace of the misbehaving sample "DisplayGreeting" app. To launch the sample app and record a TTD trace, follow these steps. Enter the path to the user-mode executable that you wish to record, or select Browse to navigate to the executable. Check the Record with Time Travel Debugging box to record a trace when the executable is launched.

When the "Configure recording" dialog box appears, click Record to launch the executable and start recording. The recording dialog appears, indicating that the trace is being recorded.

Shortly after that, the application crashes. Click Close Program to dismiss the "DisplayGreeting has stopped working" dialog box. The debugger will automatically open the trace file and index it. Indexing is a process that enables efficient debugging of the trace file, and it takes longer for larger trace files. A keyframe is a location in a trace used for indexing. Keyframes are generated automatically, and larger traces contain more of them. At this point you are at the beginning of the trace file and are ready to travel forward and backward in time.

Now that you have recorded a TTD trace, you can replay the trace or work with the trace file, for example by sharing it with a co-worker. In the next section of this lab we will analyze the trace file to locate the issue with our code. Add your local symbol location to the symbol path and reload the symbols by typing the following commands.

To view the state of the stack and local variables, on the WinDbg Preview ribbon, select View and then Locals, and View and then Stack. Organize the windows so that you can see them, the source code and the command window at the same time. Locate the DisplayGreeting.

Use the dx command to list all of the events in the recording. The exception event is listed among the events. The exception data indicates that this is a hardware fault thrown by the CPU. It also provides the exception code of 0xc, which indicates that this is an access violation. This typically indicates that we were attempting to write to memory that we don't have access to. Of note in this output is that the stack and base pointer are pointing to two very different addresses.

This could indicate stack corruption: possibly a function returned and then corrupted the stack. To validate this, we need to travel back to before the CPU state was corrupted and see if we can determine when the stack corruption occurred.

At the point of failure in a trace, it is common to end up a few steps after the true cause, in error-handling code. With time travel we can go back one instruction at a time to locate the true root cause. From the Home ribbon, use the Step Into Back command to step back three instructions. As you do this, continue to examine the stack and memory windows.
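
The event listing and backward stepping described above can also be driven from the debugger command window. The sequence below is an added example, not part of the original walkthrough; it assumes the trace is already loaded and indexed and that the first exception event in the trace is the crash being investigated.

```windbg
$$ Added example: WinDbg command-window session against a loaded TTD trace.

$$ 1. List every event recorded in the trace (module loads, thread
$$    starts and exits, exceptions), each with its trace position.
dx -r1 @$curprocess.TTD.Events

$$ 2. Narrow the list to exception events and expand each exception
$$    record, so the exception type and code can be read directly.
dx -r2 @$curprocess.TTD.Events.Where(t => t.Type == "Exception").Select(e => e.Exception)

$$ 3. Travel to the position of the first exception event
$$    (assumption: this is the access violation from the crash).
dx @$curprocess.TTD.Events.Where(t => t.Type == "Exception").First().Position.SeekTo()

$$ 4. Capture CPU state at the fault. Compare the stack pointer and the
$$    base pointer: values that are far apart suggest the frame was
$$    corrupted before this point. Then view the call stack.
r
k

$$ 5. Step Into Back three instructions, re-reading the registers and
$$    call stack after each step to see where the frame stops looking sane.
t-
r
k
t-
r
k
t-
r
k
```

`t-` is the command-window equivalent of the Step Into Back ribbon button; `p-` steps over backward and `g-` runs backward to the previous breakpoint or the start of the trace.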

