When a PID is reused, the resolved service name may be wrong.
This bug only occurs when events are queued too long by ETW, for instance when the EDR is not consuming events from the trace.
Fix: we could partially fix this by checking the image, or by not resolving services for processes not tracked by the EDR.
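A sketch of the two guards proposed above, written for this page as an added example and not taken from the EDR's code. The `Event` and `Service` types, the `tracked` table (PID to image path, as the EDR's process tracking would hold it) and all sample values are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Event:
    pid: int
    image: str  # image path recorded in the event when it was emitted


@dataclass(frozen=True)
class Service:
    name: str
    image: str  # binary path of the process currently hosting the service


def same_image(a: str, b: str) -> bool:
    # Windows paths are case-insensitive.
    return a.casefold() == b.casefold()


def resolve_naive(ev: Event, services: Dict[int, Service]) -> Optional[str]:
    """PID-only lookup done at consume time: mislabels events after PID reuse."""
    svc = services.get(ev.pid)
    return svc.name if svc else None


def resolve_guarded(ev: Event, services: Dict[int, Service],
                    tracked: Dict[int, str]) -> Optional[str]:
    """Resolve only for tracked processes whose image matches the service binary.

    Partial fix: a reused PID running the same image is not detected.
    """
    tracked_image = tracked.get(ev.pid)
    if tracked_image is None or not same_image(tracked_image, ev.image):
        return None  # not tracked (or tracked under another image): do not resolve
    svc = services.get(ev.pid)
    if svc is None or not same_image(svc.image, ev.image):
        return None  # PID now belongs to another image: the event is stale
    return svc.name


# Constructed sample: PID 4242 ran notepad.exe, exited, then was reused by a service.
SERVICES = {4242: Service("ExampleSvc", r"C:\Windows\System32\examplesvc.exe")}
TRACKED = {4242: r"C:\Windows\System32\notepad.exe"}
STALE = Event(4242, r"C:\Windows\System32\notepad.exe")

if __name__ == "__main__":
    print("naive:  ", resolve_naive(STALE, SERVICES))
    print("guarded:", resolve_guarded(STALE, SERVICES, TRACKED))
```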