by MiWCryptohn 4527 days ago
Don't forget its userspace equiv (strace is syscalls), ltrace. This tracks all lib calls made by a process.

Under Windows, strace is an SSL/TLS monitoring tool (also hella useful). It shows payloads passed to CryptoAPI/CNG libs so you can easily troubleshoot explicitly encrypted protocols like LDAPS. Especially useful if you use client-authenticated TLS, where it is not possible to use a TLS MITM proxy to snoop the layer 7 data.

3 comments

Shameless plug: if you want to trace Windows applications you can take a look at my company's products SpyStudio[1] and Deviare[2]. Before downvoting me, try them to see how powerful and unique they are in the Windows ecosystem.

VMware is using SpyStudio for creating and troubleshooting application virtualization packages; this is, for example, a Twitter post from a VMware escalation engineer: https://twitter.com/DooDleWilk/status/428562701313662977

[1] http://www.nektra.com/products/spystudio-api-monitor/

[2] http://www.nektra.com/products/deviare-api-hook-windows/devi...

Thanks, it actually works quite well!
Agreed, neat stuff. I installed it on my Windows workstation.
Good call on ltrace. I thought about writing about that one next.
Please do. I found this article very useful.
You can also track non-lib calls: http://stackoverflow.com/q/311840/309483