By registering with us, you'll be able to discuss, share and exchange private messages with other members of our community.

SignUp Now!

Increase in I/O on Hidden TCC Processes

When I run the following:

activate "My TCC Process" hide
Where is a detach TCC Process called "My TCC Process", the I/O jumps up to about 16.2 KB and stays there.


If I do:

activate "My TCC Process" restore
It drops back to zero.
I can't reproduce it. I only see the beginning and the end.
v:\> activate "TCC test" hide & delay 30 & activate "TCC test" restore


I narrowed it down to the following thread, if I suspend this thread the I/O goes away.
The Stack for this thread is:


and module is:

One other thing that is strange is when I attach Process Monitor (not Process Explorer) to the PID or TID, I get nothing.

I see this on both my Windows 7 and Windows 10 systems.
What happens if you use "tcc.exe /iisp" when you start the TCC which will be hidden? That's no inifile, no tcstart file, and no plugins. You can test them independently with "/ii", "/is", and "/ip".
Do you use something called "Fallout"? When I google "SfmDxSetSwapChainStats" nearly all hits refer to "Fallout". TCC does not import that function from user32.dll. Perhaps another process is injecting code, or setting an "in-context" hook. Can you see the DLLs loaded by TCC ... anything suspicious there?
Fallout is a game, and on my Windows 10 system, SfmDxSetSwapChainStats isn't there.

Tried TCC /iisp and no difference.

Thread 9128.png

I was trying to think of what was common between machine but maybe no one else here uses.

Maybe Process Lasso, https://bitsum.com/?inproduct, it could mess with process, but I tried disabling it no difference too.
Here is what is loaded for one of the TCC doing I/O:


Mapped files:

Mapped Files.png

I'm not sure what is causing it.

I have something similar with UltraEdit, the licensing module does something similar. Maybe trying to call home but the firewall prevents it and so it keeps trying.
I only found "Fallout" because Google had changed my "SfmDxSetSwapChainStats" to "SfmDxGetSwapChainStats".

The only DLL or EXE in my System32 directory that uses "SfmDxSetSwapChainStats" is DWMCORE.DLL (DWM = DesktopWindowManager) which is, no doubt, injected into every app that interacts with the desktop.

I'm out of ideas.

Similar threads