MICROSOFT MESSAGE ANALYZER
Frequently Asked Questions and Known Issues

This document captures FAQ and known issues with Microsoft Message Analyzer. Please browse this list if you're having an issue before reporting a problem to our team.

Table of Contents

CAPTURING
  Network connections are reset when Message Analyzer is installed
  Why can't I view web traffic anymore? Why is IE now not working the same?
  Can't start capturing or no data being received
  It seems like some of the messages are missing when I capture
  I receive the error "Failed to start one or more trace session(s) due to the following error(s): Live consumer xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx fails to start. Unable to start filter info provider service."
  PowerShell capture trace is not saved to PS execute path if you are using a relative path
  Simultaneous captures involving the same provider may give unpredictable results
  The Web Proxy live trace scenario causes issues with Internet Explorer and Windows Store applications
  Information disclosure on WebProxy trace scenario for multi-user scenario
  Hyper-V traffic between virtual machines is not captured in Windows Server 2008 R2
REMOTE CAPTURE
  Supported remote capture scenarios
  Failed to create a remote trace session after providing wrong credentials
  ETW keywords ignored when doing remote capture
  Failed to create a remote trace session or to configure NDIS provider when entering an invalid or not reachable hostname for Link layer remote capture
WINDOWS 8.1 AND WINDOWS SERVER 2012 R2 SPECIFIC ISSUES
  Can't capture on NDISCAP after Message Analyzer installation
  Capture on Local Link Layer fails
UI
  Can't see columns for USB (or other) events
CHARTS
  Cannot delete a data mapping
  Clicking on the "Other" pie slice produces a blank analysis grid
  Assets in AppData/Roaming are not updated after uninstall/reinstall
PERFORMANCE
  Size of traces that can be loaded / number of messages that can be captured
  Dropping messages while capturing
  Importing time
  Errors on 32-bit machine
FILTERING
  IPv4 and IPv6 address filters do not work on WiFi
  Fast Filters on WFP
SEQUENCE EXPRESSIONS
  What are the sequence expressions limitations?
OPENING TRACES
  MA is unable to decode ETL file
  Slow performance loading Cluster log with text log adapter
  Clicking multiple files from Windows Explorer doesn't do anything

Capturing
Network connections are reset when Message Analyzer is installed
Message Analyzer installs the PEFNDIS driver on Windows 8/Windows Server 2012 and earlier
systems. When we add our driver to the system during installation, the network stack
may reset. This can cause a temporary loss of network access, which can interfere with
programs that rely on a network connection. This problem is mitigated on Windows 8 and
Windows Server 2012 and above.

Why can't I view web traffic anymore? Why is IE now not working the same?
Message Analyzer uses Fiddler to create a man-in-the-middle proxy to capture unencrypted
web traffic. When Message Analyzer closes unexpectedly, it tries to recover the original
proxy settings; however, there are times when this may not occur. To fix this issue, try
restarting and then stopping a Web Proxy capture, OR reset your proxy settings in the LAN
settings section of the Connections tab in Internet Options within Internet Explorer.
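A scripted check for the stuck proxy setting, added here as an example and not part of the original document. It assumes that the per-user WinINET settings edited by the LAN settings dialog are the ProxyEnable and ProxyServer values under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings, and that the Web Proxy capture points them at a loopback address.

```powershell
# Added example: detect and clear a proxy setting left behind by a Web Proxy capture.
# Assumptions: the LAN settings dialog edits ProxyEnable (DWORD) and ProxyServer
# (string) under this key, and the Fiddler-based capture uses a loopback proxy.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
# Matches "127.0.0.1:8888" as well as per-scheme lists like "http=127.0.0.1:8888;...".
$loopbackPattern = '\b(127\.0\.0\.1|localhost):\d+'

function Get-WinInetProxy {
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        Enabled = [bool]$p.ProxyEnable
        Server  = [string]$p.ProxyServer
    }
}

$proxy = Get-WinInetProxy
Write-Host ("Proxy enabled: {0}; server: '{1}'" -f $proxy.Enabled, $proxy.Server)

if ($proxy.Enabled -and $proxy.Server -match $loopbackPattern) {
    Write-Host 'A loopback proxy is still set (the Web Proxy capture did not clean up). Resetting.'
    # Equivalent to unchecking "Use a proxy server" in the LAN settings dialog.
    Set-ItemProperty -Path $key -Name ProxyEnable -Value 0
    Remove-ItemProperty -Path $key -Name ProxyServer -ErrorAction SilentlyContinue
    Write-Host 'Done. Restart Internet Explorer so it picks up the change.'
} elseif ($proxy.Enabled) {
    # A non-loopback proxy was most likely configured deliberately (for example by
    # policy); do not touch it, because that is not the leftover this FAQ entry is about.
    Write-Host 'A proxy is set but it is not a loopback address; leaving it unchanged.'
} else {
    Write-Host 'No proxy is enabled; the Web Proxy cleanup is not the cause.'
}
```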

Can't start capturing or no data being received
There is a limit to the number of capture sessions which can run concurrently. If Message
Analyzer isn't properly closed, these can accumulate and prevent new ones from running. To
close these extra sessions:

1. Open the Computer Management utility by right-clicking Computer in the Start Menu
and selecting Manage.
2. Open the Performance tree category under System Tools and find the Event Trace
Sessions folder under Data Collector Sets.
3. Find any sessions with the name Web-Proxy/Firewall or Local-Link-Layer (or the same as
the provider name); right-click and stop them.
4. Then right-click them again and delete them.
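The same cleanup from an elevated PowerShell prompt, added here as an example that is not part of the original document. It assumes that "logman query -ets" prints one running session per line as "<name>   Trace   Running", and that a session which is still listed by "logman query <name>" after being stopped was persisted as a data collector set (the case step 4 handles in the UI).

```powershell
# Added example: stop (and if needed delete) leftover Message Analyzer event trace
# sessions with logman instead of the Computer Management UI. Run elevated.
# The default names are the ones given in step 3; add your provider-named session
# to -SessionNames if you used one.
param(
    [string[]]$SessionNames = @('Web-Proxy/Firewall', 'Local-Link-Layer'),
    [switch]$DryRun
)

function Get-RunningEtwSessions {
    # Assumed layout: "<name>   Trace   Running"; the name is everything before the
    # two-space column gap.
    & logman.exe query -ets 2>&1 | ForEach-Object {
        if ("$_" -match '^(?<name>\S.*?)\s{2,}Trace\s+Running') { $Matches['name'] }
    }
}

$running = @(Get-RunningEtwSessions)
Write-Host ("Running ETW sessions: {0}" -f ($running -join ', '))

foreach ($name in $SessionNames) {
    if ($running -notcontains $name) {
        Write-Host "Session '$name' is not running; nothing to do."
        continue
    }
    if ($DryRun) { Write-Host "Would stop session '$name'."; continue }

    # Step 3: stop the session.
    & logman.exe stop $name -ets | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "logman could not stop '$name' (exit code $LASTEXITCODE)."
        continue
    }
    # Step 4: a session started with -ets normally disappears once stopped; if it is
    # still known as a data collector set, delete it explicitly.
    & logman.exe query $name 2>$null | Out-Null
    if ($LASTEXITCODE -eq 0) { & logman.exe delete $name | Out-Null }
    Write-Host "Stopped session '$name'."
}
```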

It seems like some of the messages are missing when I capture
If the number of messages is very high, Message Analyzer may drop messages. Microsoft
suggests that you use Fast Filtering to prevent this from happening. To do this, select
Capture/Trace, select the relevant provider, and then select the Fast Filter attributes. For
instance, for capturing DNS across a Firewall, select Trace Scenario Firewall, select Fast
Filter 1, Filter Type = UDPPort and then Filter 53.

I receive the error "Failed to start one or more trace session(s) due to the following error(s): Live consumer xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx fails to start. Unable to start filter info provider service."
This happens when you start the Firewall Trace Scenario without running Message Analyzer
as administrator. To resolve this issue, save your work, exit Message Analyzer, and then do
the following:
1. Go to the Command Prompt.
2. At the command line, type sc stop wfpcapture to stop the PEF WFP driver.
3. Restart Message Analyzer by right-clicking "Microsoft Message Analyzer" on
the Start menu and then selecting "Run as administrator".

PowerShell capture trace is not saved to PS execute path if you are using a relative path
When running a PowerShell script as Admin, the path variable for the current directory is set to
the System32 directory, so any trace files given with a relative path will be created in System32.
To work around the issue, specify a fully qualified path starting at the drive when capturing
with PowerShell as Admin.

Simultaneous captures involving the same provider may give unpredictable results
Starting simultaneous captures involving the same provider is not recommended. It is not
possible to configure different instances of the same provider, and attempting to start
multiple instances of the same provider can give unpredictable results.

The Web Proxy live trace scenario causes issues with Internet Explorer and Windows Store applications
You might find that when you try to trace using the Web Proxy provider with Message
Analyzer, the application you are tracing fails to work or Message Analyzer doesn't
capture any traffic.

This happens because Windows now protects client-to-client traffic by disabling local
loopback to 127.0.0.1 in certain conditions. This interferes with the way that Web Proxy
captures traffic.
Windows 8 has EPM (Enhanced Protected Mode) enabled by default for the Windows 8 Internet
Explorer application (the desktop version is not enabled). This mode includes the option to
block EPM. You can either remove this option, or change the loopback exemption directly by
using the information below.
Windows 8.1 client and server have EPM enabled by default at this time for both versions of
IE.
Windows 8 and 8.1 have the loopback option disabled for all Windows Store applications. You
have to use the workaround below to enable tracing for a specific Windows Store application.
Workaround(s):
1. If the Web client is IE 10, then Enhanced Protected Mode has to be unchecked in the
advanced settings, or on Windows 8 or later execute the command
"CheckNetIsolation.exe loopbackExempt -a -n=windows_ie_ac_001" to enable
the loopback exemption for IE.
2. On Windows 8 or later, if the Web client is a Store app, then the following command has to
be executed: "CheckNetIsolation.exe loopbackExempt -a -n=<AppContainer
name of the Web client application>" to enable the loopback exemption for
Windows Store applications.
Reference: http://msdn.microsoft.com/en-us/library/windows/apps/Hh780593.aspx
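Workaround 2 leaves the AppContainer name to the reader; the script below, added here as an example and not part of the original document, looks it up and adds the exemption, and can also revoke it once the capture is done. It assumes that the name CheckNetIsolation expects for a Store app is the PackageFamilyName reported by Get-AppxPackage, and that "CheckNetIsolation LoopbackExempt -s" lists the current exemptions and "-d" removes one.

```powershell
# Added example: add (or remove, with -Remove) the loopback exemption for one Store
# app. Assumption: the AppContainer name is the package family name from
# Get-AppxPackage. Run elevated on Windows 8 or later.
param(
    [Parameter(Mandatory)][string]$AppName,   # any part of the package name, e.g. 'BingWeather'
    [switch]$Remove
)

$pkg = @(Get-AppxPackage | Where-Object { $_.Name -like "*$AppName*" })
if ($pkg.Count -eq 0) { throw "No installed Store app matches '$AppName'." }
if ($pkg.Count -gt 1) {
    $names = ($pkg | Select-Object -ExpandProperty Name) -join ', '
    throw "Ambiguous name '$AppName'; matches: $names"
}
$container = $pkg[0].PackageFamilyName
$nameArg = "-n=$container"

# Show the exemptions before changing anything so the change is visible and reviewable.
Write-Host 'Current loopback exemptions:'
& CheckNetIsolation.exe LoopbackExempt -s

if ($Remove) {
    # Revoke the exemption once the capture is finished: an exempt app can reach local
    # listeners that AppContainer isolation normally blocks, so do not leave it in place.
    & CheckNetIsolation.exe LoopbackExempt -d $nameArg
} else {
    & CheckNetIsolation.exe LoopbackExempt -a $nameArg
}
if ($LASTEXITCODE -ne 0) { throw "CheckNetIsolation failed with exit code $LASTEXITCODE" }

$verb = if ($Remove) { 'removed' } else { 'added' }
Write-Host "Loopback exemption $verb for $container"
```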
Capturing with the Web Proxy provider uses the Fiddler core API, which has some known
limitations and issues:
- Untrusted certificates with SSL capturing won't decode.
- Proxy settings are not reverted when MMA crashes while capturing with Web Proxy.
- The Web Proxy scenario won't work in cases, like Azure, where you need a dedicated
certificate instead of the fake Fiddler certificate.
- Cannot capture a site that requires additional authentication, for instance channel
binding tokens.
- There's no way to know the actual process ID or name of the traffic from the Web
Proxy provider.
- Cannot capture traffic which does not use the proxy settings as set in Internet Options
for Internet Explorer.

Information disclosure on WebProxy trace scenario for multi-user scenario
If an admin adds two users, User1 and User2, to the MCUG group and both users are
remotely logged in at the same time, User1 can see the traffic of User2 and vice versa using MA.
The reason is that the ETW session is global. Further, if an admin added two users to capture, it's
assumed they'll have capture capabilities at the system level in such cases.

Hyper-V traffic between virtual machines is not captured in Windows Server 2008 R2
On Windows Server 2008 R2, Hyper-V traffic is only captured between the host and any
virtual machine. Traffic from a virtual machine targeted to another virtual machine is not
captured.

Remote Capture
Supported Remote Capture Scenarios
Supported servers (remote capture target):
- Windows Server 2012 R2

Supported clients (remote capture source):
- Windows 7 (needs WMF 3.0, http://www.microsoft.com/enpk/download/details.aspx?id=34595)
- Windows Server 2008 R2 (needs WMF 3.0, http://www.microsoft.com/enpk/download/details.aspx?id=34595)
- Windows 8
- Windows Server 2012
- Windows Blue 8.1 (build 9600)
- Windows Server 2012 R2 (build 9600)

The following are the supported capture scenarios:
- Both client and server being domain-joined
- Both client and server being in a workgroup
- The client is domain-joined and the server is in a workgroup
- The last case (client in a workgroup and server domain-joined) is supported, but
IPsec needs to be disabled on the server, so this is not a recommended scenario.

Special considerations:
- If credentials are not provided, the currently logged-on user's credentials (on the
client) are used for establishing the connection to the server.
- When the client is domain-joined and the server is in a workgroup, the remote
machine needs to be added to the trusted hosts list on the client by running the
following commands from an elevated command prompt:

WinRM quickconfig -quiet
WinRM set winrm/config/client @{TrustedHosts="RemoteHostName"}
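The "winrm set" form above replaces the whole TrustedHosts list with the one name given. The script below, added here as an example and not part of the original document, appends the capture target instead and can remove it again afterwards; it assumes the WSMan: drive (Windows PowerShell 3.0 or later, elevated) and that Set-Item on WSMan:\localhost\Client\TrustedHosts accepts -Concatenate.

```powershell
# Added example: add one remote capture target to TrustedHosts without overwriting
# existing entries, or remove it with -Remove once the capture work is finished.
param(
    [Parameter(Mandatory)][string]$RemoteHostName,
    [switch]$Remove
)

$path = 'WSMan:\localhost\Client\TrustedHosts'
$current = [string](Get-Item $path).Value
$entries = @($current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
Write-Host "TrustedHosts before: '$current'"

if ($Remove) {
    $entries = @($entries | Where-Object { $_ -ne $RemoteHostName })
    # Without -Concatenate, Set-Item replaces the whole list, which is what we want here.
    Set-Item $path -Value ($entries -join ',') -Force
} elseif ($entries -contains $RemoteHostName) {
    Write-Host "$RemoteHostName is already trusted; nothing to do."
} elseif ($RemoteHostName -match '\*') {
    # A wildcard lets this client send its credentials to any host, not just the
    # capture target; insist on an explicit name.
    throw 'Refusing to add a wildcard to TrustedHosts; give the exact host name.'
} else {
    # -Concatenate appends to the existing list instead of replacing it.
    Set-Item $path -Value $RemoteHostName -Concatenate -Force
}
Write-Host ("TrustedHosts after:  '{0}'" -f (Get-Item $path).Value)
```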

Failed to create a remote trace session after providing wrong credentials
In a remote capture scenario, if the provided credentials (or the implicit ones) are not
accepted by the target server, then subsequent message captures will fail, even if the right
credentials are provided afterwards. The workaround is to restart MA.

ETW keywords ignored when doing remote capture
ETW keywords are ignored when doing a remote capture.

Failed to create a remote trace session or to configure NDIS provider when entering an invalid or not reachable hostname for Link layer remote capture
The hostname is not resolved until you attempt to start the trace or select Configure for the
NDIS provider.

Windows 8.1 and Windows Server 2012 R2 specific issues
Can't capture on NDISCAP after Message Analyzer installation
For a first-time capture, the user needs to log out and log back in OR run as administrator to
capture on the NDIS layer with Windows 8.1 Client and Windows Server 2012 R2.

Capture on Local Link Layer fails
The user always needs to run as administrator to capture on the Local Link Layer with Windows 8.1
Client and Windows Server 2012 R2.

UI
Can't see columns for USB (or other) Events
Some fields for providers can't be seen until they are loaded for the first time. USB and other
provider parsers are created dynamically the first time you open or start a new trace for that
provider. You can't see the provider fields in the Column chooser or use them for filtering
until the parser is created. Once the parser is created you can add fields as columns which
will be preserved, even if you reset the parser by removing it manually.

Charts
Cannot delete a data mapping
Data mappings for charts cannot be removed from the UI. You can edit the XML reference
which starts with <DataCollector> if you must remove the mapping. Export your assets from
the library management system, make the change and re-import the asset.

Clicking on the "Other" pie slice produces a blank analysis grid
Clicking on a pie slice or bar chart segment that represents "Other" will open up a blank grid. The
issue is that the "Other" category represents every column that was not shown because it falls
below the threshold, DefaultMaxDisplayItemNumber, which defaults to 10. We are not able to
generate a filter for the "Other" group.

Assets in AppData/Roaming are not updated after uninstall/reinstall
Any beta users will not get the latest assets we ship. So before installing, they should
manually wipe out the appdata/.../MessageAnalyzer directories. Also, if you uninstall v1 and
reinstall, the assets are not affected either. Again you must manually wipe out appdata.

Performance
Size of traces that can be loaded / number of messages that can be captured
The number of messages that can be captured, or the size of trace file that can be loaded,
depends on the total amount of memory (physical + virtual using the paging file) on the machine.
Paging file settings can be adjusted using the Control Panel | System applet.

Dropping messages while capturing
By default, Message Analyzer has a 200 MB queue in memory to store messages temporarily
while they are being processed. If messages are incoming at a very fast rate, this
queue can fill up and messages may be dropped. If you suspect that Message Analyzer
is dropping messages, you can adjust this queue by changing the Live Message Buffer: Size
setting under File | Options. Message Analyzer currently does not indicate if a message
has been dropped.

Another way to avoid dropped packets is to use Fast Filtering, which filters out messages
at the driver level. Fast Filtering can be configured for the specific providers that are being
used to capture.

Importing time
When you load a non-native trace into Message Analyzer it will be imported (re-parsed).
The following are the approximate times it takes for importing:

.CAP files:
~2500 messages/second
~2 MB/second

.MATP files (re-parsed via File | Browse):
~2000 messages/second
~1.5 MB/second

Though .matp files are already parsed and are native, you can re-parse them if you use File |
Browse. You would do this if you wanted to combine a .matp with other traces so that they
can be viewed together as if they were one trace. Opening a .matp using Quick Open,
double-clicking in File Explorer, or dragging and dropping it into Message Analyzer is not an
import, as the messages are already parsed, and will result in significantly faster loading
time.

Errors on 32-bit machine
On a 32-bit machine or a machine with limited memory, you may get random run-time
errors, popups about insufficient memory, sudden exits and stopped parsing. This can
happen when you parse a trace file that involves a large amount of state information. In
particular, TCP connections (around 10,000 connections) can cause this problem. In general
this problem is very data dependent.
Each piece of state can remain in memory until the state is released. For instance, a TCP
connection will introduce a separate data structure for parsing, which is not released
dynamically until the end of parsing. When a large number of connections need to be parsed
simultaneously, memory will be exhausted.
You need a machine with more memory to parse these traces, ideally a 64-bit machine with
at least 8 GB of memory.

Filtering
IPv4 and IPv6 address filters do not work on WiFi
IPv4 and IPv6 link-level fast filters don't work on WiFi on Windows 7 64-bit. No traffic will
match these filters.

Fast Filters on WFP
When adding fast filters to the Firewall provider which result in removing traffic, for
instance != 127.0.0.1, you will receive duplicate traffic, which results in erroneous TCP
retransmits and other false diagnoses. Instead use a Trace Filter, which, while slower, does
not have this issue.

Sequence Expressions
What are the sequence expressions limitations?
An in parameter for creating a collection is not supported:
scenario S[out array<int> ids] = Request{ID in ids} interleave;

The permute (&) operator is not supported. Won't be compiled:
scenario S = A & B;
or
scenario S = A permute B;

The fork operator can only be the top-most operator. The following definitions are not allowed:
scenario S = A | B -> (C || D);
scenario S = A || B || C;

Explicitly specifying the type of an out parameter is not allowed. Won't be compiled:
scenario s[out binary payload] = HTTP.HttpContract.Operation{Payload is payload:binary};
Supported syntax:
scenario s[out binary payload] = HTTP.HttpContract.Operation{ Payload is payload };

Explicitly specifying the in keyword for parameters is not allowed. Won't be compiled:
scenario S[in string name] = HTTP.HttpContract.Operation{Method == name};
Supported syntax:
scenario S[string name] = HTTP.HttpContract.Operation{Method == name};

A where clause is not supported in a virtual operation. Won't be compiled:
virtual operation VOp
{
}
= MyScenario[out var reqId, out var statusCode]
where (StatusCode != 200) ==> !Success;
scenario MyScenario[out int reqId, out int statusCode] =
accepts Request{ID is reqId}
accepts Response{ID == reqId, StatusCode is statusCode};

An exception clause is not supported in a virtual operation. Won't be compiled:
virtual operation VOp
{
}
exception optional int = reason
=
accepts Request{ID is reqId:int}
(
accepts Response{ID == reqId, StatusCode == 200, StatusCode is statusCode:int}
|
accepts Response{ID == reqId, StatusCode != 200, StatusCode is reason:int}
);

Referencing one scenario from another is not supported. Won't be compiled:
scenario S1 = Relay{ID is var id} Relay{ID == id};
scenario S2 = Request{ID is var id} -> S1 -> Response{ID == id};
Please note: in MA's Sequence Match View, it is not allowed to declare more than one
scenario.

Limited support for referencing scenarios in a virtual operation.
Supported:
virtual operation M { } = S();
scenario S() =
Not supported:
virtual operation M { } = S1() -> S2()

In the case of overlapping matches, there is no guarantee that the longer one will be reported:
scenario S = Request{ID is var reqId} -> Relay{ID == reqId}? -> Response{ID == reqId};
The input sequence is:
Request { ID == 1 }
Request { ID == 2 }
Relay { ID == 1 }
Response { ID == 2 }
Response { ID == 1 }
Expected:
Request { ID == 1 } Relay { ID == 1 } Response { ID == 1 }
Actual:
Request { ID == 2 } Response { ID == 2 }

Opening Traces
MA is unable to decode ETL file
ETL traces can come in 3 different flavors: manifest-based, WPP, and MOF. We can open and
parse manifest-based files if the manifest is on the machine (either registered or provided
manually) or if the manifest is embedded, which happens automatically when you capture
with Message Analyzer. We currently don't support MOF file formats, and for these the
messages will show up as ETW events.

Slow performance loading Cluster log with text log adapter
Log file parsing time depends on how many text log adapters are loaded. The only way to affect
this is to rename the extension of the other log adapter files in the directory below so that they
are not loaded:
C:\Users\YOURNAME\AppData\Local\Microsoft\MessageAnalyzer\OpnAndConfiguration\TextLogConfiguration

Clicking multiple files from Windows Explorer doesn't do anything
Selecting multiple files in Windows File Explorer and selecting "Open with Message
Analyzer" will not launch Message Analyzer. This is currently not supported. You can select a
single file and select "Open with Message Analyzer". An alternative to view multiple files is
to launch Message Analyzer first, go to the Browse page and add the files.