Increase in I/O on Hidden TCC Processes

Dec 2, 2008
224
2
Canada
When I run the following:

activate "My TCC Process" hide
where there is a detached TCC process called "My TCC Process", the I/O jumps up to about 16.2 KB and stays there.

2016-03-15_13-47-41.png

If I do:

activate "My TCC Process" restore
It drops back to zero.
 
May 20, 2008
10,634
82
Syracuse, NY, USA
I can't reproduce it. I only see the beginning and the end.
Code:
v:\> activate "TCC test" hide & delay 30 & activate "TCC test" restore
upload_2016-3-16_10-47-0.png
 
Dec 2, 2008
224
2
Canada
Thread.png

I narrowed it down to the following thread; if I suspend this thread, the I/O goes away.
The Stack for this thread is:

Stack.png

and module is:
ModuleThread.png


One other thing that is strange is when I attach Process Monitor (not Process Explorer) to the PID or TID, I get nothing.

I see this on both my Windows 7 and Windows 10 systems.
 
May 20, 2008
10,634
82
Syracuse, NY, USA
What happens if you use "tcc.exe /iisp" when you start the TCC which will be hidden? That's no inifile, no tcstart file, and no plugins. You can test them independently with "/ii", "/is", and "/ip".
 
May 20, 2008
10,634
82
Syracuse, NY, USA
Do you use something called "Fallout"? When I google "SfmDxSetSwapChainStats" nearly all hits refer to "Fallout". TCC does not import that function from user32.dll. Perhaps another process is injecting code, or setting an "in-context" hook. Can you see the DLLs loaded by TCC ... anything suspicious there?
 
Dec 2, 2008
224
2
Canada
Fallout is a game, and on my Windows 10 system, SfmDxSetSwapChainStats isn't there.

Tried TCC /iisp and no difference.

Thread 9128.png


I was trying to think of what was common between my machines but maybe no one else here uses.

Maybe Process Lasso (https://bitsum.com/?inproduct); it could mess with processes, but I tried disabling it and there was no difference either.
 
Dec 2, 2008
224
2
Canada
Here is what is loaded for one of the TCC doing I/O:

Image:
Modules.png


Mapped files:

Mapped Files.png

I'm not sure what is causing it.

I have something similar with UltraEdit; the licensing module does something similar. Maybe it is trying to call home but the firewall prevents it, and so it keeps trying.
 
May 20, 2008
10,634
82
Syracuse, NY, USA
I only found "Fallout" because Google had changed my "SfmDxSetSwapChainStats" to "SfmDxGetSwapChainStats".

The only DLL or EXE in my System32 directory that uses "SfmDxSetSwapChainStats" is DWMCORE.DLL (DWM = DesktopWindowManager) which is, no doubt, injected into every app that interacts with the desktop.

I'm out of ideas.