Thread: N00b : help ?
#5, 05-04-2005, 16:01
abitofboth
evaluator -> I'll do that again. However, I've already done that some time ago, and the thing is, iirc the damned thing queries 3k+ registry entries!!!!

baatazu -> yes, that's exactly what it means. It's not by window name/process name. However, I am tracing into some weird stuff like openmutant etc. right around where this happens.

retroer -> no, not ts


Basically, what I do (right now) is this:
1. open one session
2. start second session in olly
3. trace forward in olly, if a note from step 6 exists then step up close to that
4. start third session
5. if 4 succeeds, close it and goto 3 else continue
6. take note of current instruction address, place breakpoint
7. goto 1

A time-consuming affair, especially since olly won't *keep* the breakpoints I set outside of the debugged app, that is user32, kernel, ntdll etc. So that's manual work for each iteration!

Another thing that would be ubercool is some recording feature of the trace... sort of like a code-traceroute, and a feature to compare these recordings. This way you'd quickly be able to see where two execution paths differ/branch for the first time... yeah, I'd like THAT!
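The trace-comparison idea from the post above, as an added example that is not part of the original post or of OllyDbg: it parses two recorded traces and reports the first step where they differ, together with the last instructions they had in common (usually the branch that decides the path). The `module+offset` log format, the `app` module name and both sample traces are assumptions constructed for illustration; module-relative offsets are used so that a rebased DLL does not show up as a false difference.

```python
from typing import NamedTuple

class Step(NamedTuple):
    module: str   # module name, lower-cased
    offset: int   # offset from the module base
    text: str     # disassembly, kept only for display

def parse_trace(log):
    """Parse lines of the assumed form 'module+HEXOFFSET disassembly'."""
    steps = []
    for line in log.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comment lines
        loc, _, text = line.partition(" ")
        module, _, off = loc.partition("+")
        steps.append(Step(module.lower(), int(off, 16), text.strip()))
    return steps

def first_divergence(a, b, context=2):
    """Return None for identical traces, else where and how they first differ."""
    n = min(len(a), len(b))
    # Compare on (module, offset) only; the disassembly text may be formatted differently.
    i = next((k for k in range(n) if a[k][:2] != b[k][:2]), n)
    if i == len(a) == len(b):
        return None
    return {
        "index": i,                               # number of steps both traces share
        "common": a[max(0, i - context):i],       # last shared steps before the split
        "next_a": a[i] if i < len(a) else None,   # None: trace A ended here
        "next_b": b[i] if i < len(b) else None,   # None: trace B ended here
    }

# Constructed sample traces: same prefix, different outcome after the jnz.
COMMON = ("app+1000 push ebp\napp+1001 mov ebp, esp\napp+1003 call app+2000\n"
          "app+2000 test eax, eax\napp+2002 jnz app+2010\n")
TRACE_A = COMMON + "app+2004 xor eax, eax\napp+2006 ret\n"
TRACE_B = COMMON + "app+2010 mov eax, 1\napp+2015 ret\n"

if __name__ == "__main__":
    d = first_divergence(parse_trace(TRACE_A), parse_trace(TRACE_B))
    last = d["common"][-1]
    print(f"split after step {d['index']}: {last.module}+{last.offset:X} {last.text}")
    print("  A continues at", d["next_a"])
    print("  B continues at", d["next_b"])
```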