Out of ideas and advice - Nothing captured


Bob Denny

Feb 19, 2017, 10:45:26 AM
to Fiddler
From the sticky "Troubleshoot Missing Traffic"

On Fiddler’s Help menu, click Troubleshoot... and navigate your browser somewhere. Does traffic appear in Fiddler?

No.

 In your browser, visit http://ipv4.fiddler:8888/. Does anything appear in Fiddler or your browser?

Nothing in Fiddler and in the browser (Chrome below, Firefox and IE same thing essentially) 



 In your browser, visit http://localhost:8888/. Does anything appear in Fiddler or your browser?

In Fiddler, 



in the browser:


Also, include information about what client you are attempting to use (e.g. Chrome), what URL you're attempting to load (or as much information about it as you can safely share, e.g. "A HTTPS URL on my Intranet"), and the Fiddler version number from Fiddler's Help About screen. Also, check Fiddler's LOG tab for any warning or error messages.

All of my browsers and also programs that do HTTP(S) to REST/API services. In other words absolutely nothing except the localhost:8888 results in captured traffic. Here is the Fiddler information:


I know this is really desperation ("If all you have is a hammer, everything looks like a nail") but I uninstalled and reinstalled the program, including the option to have all of the settings removed. I had a customized FiddlerScript and I did save that (and I still have it saved away from its Documents\Fiddler2 area, but apparently that wasn't the issue). I saw that the uninstall reinitialized the info in My Documents\Fiddler2\...


I keep a detailed log of everything I do to my system including config changes and software installation/remove/update. I've gone back through that and can't find anything that rings a bell. This is Windows 7 with User Account Control turned OFF (development machine that is scrupulously monitored). One last thing: I know this uses the system proxy settings, so...


I can't think of anything else to include in this report. I'm sorry to say I am totally out of ideas (4 hours spent so far). I just know I'm going to be embarrassed on this :-) :-)


Bob Denny

Feb 19, 2017, 10:50:31 AM
to Fiddler
PS: In the About window, it says I've run Fiddler 2 times. Well, that was after I did a total uninstall and reinstall. Before, the count was somewhere in the many hundreds if I recall.

EricLaw

Feb 19, 2017, 10:53:44 AM
to Fiddler
Is the screenshot of the proxy settings while Fiddler is in Capturing mode?

If the system proxy settings aren't changing, the possibilities are:

1. Fiddler isn't set to capture (look at bottom left of status bar)
2. There's a policy set that prevents the proxy from being changed.
3. Other software like networking/vpn/malware is resetting the proxy
4. There's a bug in Windows.

If you run Firefox and point it at Fiddler, does everything work as expected?

Bob Denny

Feb 19, 2017, 11:05:02 AM
to Fiddler
Wow that was FAST!! Thank you Eric, and on a Sunday no less :-)

 Fiddler isn't set to capture (look at bottom left of status bar)


 There's a policy set that prevents the proxy from being changed. 

Where would I look for this? Group policy? I know very little about Windows sysadmin.

 Other software like networking/vpn/malware is resetting the proxy

Ah. Of course this is possible. I wonder how to dig for it? I'll do some research on how to see what the "system proxy" is set to (again I am no sysadmin expert, I'm just an astronomy software developer .NET/web/AJAX/JSON/REST/Javascript/Python whatever).

WAIT!!! I forgot... once I saw a yellow bar appear at the top of Fiddler when I stopped and restarted capturing. It said something about the proxy being changed, click here to set it. I clicked. Now I can use F12 to toggle capture on and off at will and that yellow bar hasn't reappeared. 

There's a bug in Windows.

Unsure how to address this one. I keep this system up to date including using Security Essentials with weekly scans.

Bob Denny

Feb 19, 2017, 11:07:57 AM
to Fiddler
PS It looks like the malware setting a system proxy would show something on the LAN Settings - and I posted the screen shot saying it is in automatic? Should it actually be something for Fiddler when Fiddler is active or ???

Bob Denny

Feb 19, 2017, 11:09:07 AM
to Fiddler
Here's another data point I forgot above:



Bob Denny

Feb 19, 2017, 3:35:31 PM
to Fiddler
I deleted several "false alarm" messages about maybe a WPAD malware attack. I don't have this for sure. Using Process Explorer with some creative filtering on the registry, (all processes in the system, just include registry accesses with "Internet Settings/Proxy" in the path), I get this mystifying trace:


Here you can see Fiddler setting the ProxyServer to http=127.0.0.1:8888;https=127.0.0.1:8888 (and changing the ProxyOverride to <-loopback>) then reading it back successfully, then immediately deleting the ProxyServer value (and also forcing the ProxyOverride back to its usual <local>;*.local). This was traced when I clicked the yellow bar which appeared in response to turning off Automatic Detect in the WININET Options LAN Settings.

Also note that I cannot successfully change the LAN Settings away from Automatic Detection. It always goes back, even if I enter manual proxy configuration into the Proxy Server area. 

Bob Denny

Feb 19, 2017, 3:42:54 PM
to Fiddler
Last gasp effort - Set the ProxyServer, ProxyOverride, and ProxyEnable registry settings above to those which are set by Fiddler. Watch them for 10 minutes without starting any browsers or Fiddler. Start Fiddler. The proxy settings are immediately removed and set back to ProxyEnable=0, no ProxyServer at all and ProxyOverride=<local>;*.local, the normal values when Fiddler is not running. And again this is when Fiddler is started.

5 hours now, and I have to give up.

Eric Lawrence

Feb 21, 2017, 5:58:07 PM
to Fiddler
Alas, the "immediately set back" sounds like a bug in WinINET; a few users reported this issue with IE10 a few years back but there was no known root cause or fix from Microsoft.

Which version of Internet Explorer do you have installed on your PC?




Eric Lawrence

Feb 21, 2017, 5:59:13 PM
to Fiddler
Also, if you set Firefox to point directly at Fiddler (using 127.0.0.1:8888), it should be unaffected by the WinINET bug. 

Bob Denny

Feb 22, 2017, 11:34:39 AM
to Fiddler
Thanks for that info (both posts). I haven't completely given up on this, but I had a project to complete so I moved the dev environment over to a VMware Virtual Machine and used it successfully there. I did get a bit obsessed about getting it running (again) on my real dev machine. I'm running IE11 on Windows 7.

I meant to post the Process Monitor trace of all activity to the ProxyXxx registry data which shows that it is being reset immediately after it is changed by either clicking the yellow bar in Fiddler or by setting the proxy manually with the WININET control panel (which runs as rundll32.exe). Only those two processes (fiddler.exe and rundll32.exe) ever change the data, so this isn't malware. I'm now trying to understand the role of the Connections/Saved Legacy Settings that keep appearing. Anyway, I will look back on this once I deliver the software I am finishing up for a customer. Thanks for trying to help... it's weird.

EricLaw

Feb 22, 2017, 11:54:25 AM
to Fiddler
What you are describing (values set to correct values, then immediately reset to bad values) is the bug in WinINET. Fiddler calls InternetSetOption with the new setting, WinINET writes it to the registry and attempts to invoke a broker to set it in another bitness. The broker fails, so WinINET rolls back the setting.

Unfortunately, the fix for this was never identified (to me) by my old friends on WinINET. You might try running IE's Reset All Settings to Defaults inside Tools / Internet Options / Advanced, but other than that I don't know of any straightforward steps that might help.
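
Added example (not part of the thread, and not Fiddler's or Microsoft's code): the set-then-reset pattern discussed above can be pulled out of a Process Monitor CSV export and attributed to the process that made each write, which separates "other software is resetting the proxy" from the in-process rollback described in this reply. The trace below is constructed, the function names are hypothetical, and the column names assume Process Monitor's standard CSV export.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample in Process Monitor's CSV export layout (not the poster's trace).
SAMPLE_TRACE = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"3:30:01.1000000 PM","Fiddler.exe","4120","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"3:30:01.1002000 PM","Fiddler.exe","4120","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer","SUCCESS","Type: REG_SZ, Length: 82, Data: http=127.0.0.1:8888;https=127.0.0.1:8888"
"3:30:01.1004000 PM","Fiddler.exe","4120","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride","SUCCESS","Type: REG_SZ, Length: 24, Data: <-loopback>"
"3:30:01.1200000 PM","Fiddler.exe","4120","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer","SUCCESS","Type: REG_SZ, Length: 82, Data: http=127.0.0.1:8888;https=127.0.0.1:8888"
"3:30:01.1500000 PM","Fiddler.exe","4120","RegDeleteValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer","SUCCESS",""
"3:30:01.1502000 PM","Fiddler.exe","4120","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride","SUCCESS","Type: REG_SZ, Length: 32, Data: <local>;*.local"
"3:30:01.1504000 PM","Fiddler.exe","4120","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
'''

WRITE_OPS = {"RegSetValue", "RegDeleteValue"}


def parse_time(text):
    """Procmon prints 7 fractional digits; strptime's %f accepts at most 6."""
    clock, ampm = text.split(" ")
    hms, frac = clock.split(".")
    return datetime.strptime(f"{hms}.{frac[:6]} {ampm}", "%I:%M:%S.%f %p")


def find_reverts(trace_csv, window=timedelta(seconds=2)):
    """Return proxy values that were written and then changed again within `window`."""
    last = {}      # value name -> (time, process, data); data is None after a delete
    reverts = []
    for row in csv.DictReader(io.StringIO(trace_csv)):
        # Same filter the post describes: writes under ...\Internet Settings\Proxy*
        if row["Operation"] not in WRITE_OPS or "\\Internet Settings\\Proxy" not in row["Path"]:
            continue
        name = row["Path"].rsplit("\\", 1)[1]
        when = parse_time(row["Time of Day"])
        data = row["Detail"].partition("Data: ")[2] if row["Operation"] == "RegSetValue" else None
        prev = last.get(name)
        if prev and when - prev[0] <= window and data != prev[2]:
            reverts.append({
                "value": name, "set_by": prev[1], "set_to": prev[2],
                "reverted_by": row["Process Name"], "reverted_to": data,
                # Same writer: in-process rollback. Different writer: another program.
                "same_process": prev[1].lower() == row["Process Name"].lower(),
            })
        last[name] = (when, row["Process Name"], data)
    return reverts


if __name__ == "__main__":
    for r in find_reverts(SAMPLE_TRACE):
        print(r)
```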

Bob Denny

Feb 22, 2017, 12:03:54 PM
to Fiddler
That helps a LOT. Now I know something to go after. Thanks Eric! He he I keep thinking I know you from the distant past. I was the author of the O'Reilly WebSite webserver package which we sold through year 2000. Yeah I'm one of those guys that got put out of business by Microsoft ....twice (earlier AlisaMail replaced by the original X.400 derived Exchange). So anyway I did an image search and came up with this gem:


Engineering Excellence Award - Congratulations!! Anyway you look familiar from long ago.

