
Increase in I/O on Hidden TCC Processes

When I run the following:

activate "My TCC Process" hide
Where there is a detached TCC process called "My TCC Process", the I/O jumps up to about 16.2 KB and stays there.

2016-03-15_13-47-41.png

If I do:

activate "My TCC Process" restore
It drops back to zero.
 
I can't reproduce it. I only see the beginning and the end.
Code:
v:\> activate "TCC test" hide & delay 30 & activate "TCC test" restore

upload_2016-3-16_10-47-0.png
 
Thread.png

I narrowed it down to the following thread; if I suspend this thread, the I/O goes away.
The Stack for this thread is:

Stack.png

and module is:
ModuleThread.png


One other thing that is strange is when I attach Process Monitor (not Process Explorer) to the PID or TID, I get nothing.

I see this on both my Windows 7 and Windows 10 systems.
 
What happens if you use "tcc.exe /iisp" when you start the TCC which will be hidden? That's no inifile, no tcstart file, and no plugins. You can test them independently with "/ii", "/is", and "/ip".
 
Do you use something called "Fallout"? When I google "SfmDxSetSwapChainStats" nearly all hits refer to "Fallout". TCC does not import that function from user32.dll. Perhaps another process is injecting code, or setting an "in-context" hook. Can you see the DLLs loaded by TCC ... anything suspicious there?
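One way to answer the question above about which DLLs are loaded in TCC, as an added example that is not part of the original thread. It assumes the process name is `tcc` and that a module is "expected" when it lives under the Windows directory or TCC's own install directory; both are assumptions of this sketch, not something the thread states.

```powershell
# Added example, not from the thread. Assumes the shell's process name is "tcc".
# Run from an elevated prompt with the same bitness as TCC so all modules are visible.
$sysRoot = $env:SystemRoot.TrimEnd('\') + '\'

Get-Process -Name tcc -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = $_
    if (-not $proc.Path) { return }   # no access to this instance; skip it
    $appDir = (Split-Path -Parent $proc.Path).TrimEnd('\') + '\'   # TCC install dir

    foreach ($m in $proc.Modules) {
        # Signature of the file backing the mapped module.
        $sig = Get-AuthenticodeSignature -FilePath $m.FileName

        # Expected locations (assumption): the Windows tree and TCC's own directory.
        $expectedPath =
            $m.FileName.StartsWith($sysRoot, [StringComparison]::OrdinalIgnoreCase) -or
            $m.FileName.StartsWith($appDir,  [StringComparison]::OrdinalIgnoreCase)

        $signer = ''
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

        [pscustomobject]@{
            PID       = $proc.Id
            Module    = $m.ModuleName
            Path      = $m.FileName
            Signer    = $signer
            SigStatus = $sig.Status
            # Flag anything loaded from an unexpected location or without a valid signature.
            Review    = (-not $expectedPath) -or ($sig.Status -ne 'Valid')
        }
    }
} |
    Sort-Object -Property @{ Expression = 'Review'; Descending = $true }, PID, Module |
    Format-Table -AutoSize -Wrap
```

Rows with `Review` set to `True` are the ones to compare against installed software such as hook-based utilities. On older PowerShell versions, catalog-signed Windows files can show as `NotSigned`, so treat that status under the Windows directory with care.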
 
Fallout is a game, and on my Windows 10 system, SfmDxSetSwapChainStats isn't there.

Tried TCC /iisp and no difference.

Thread 9128.png


I was trying to think of what was common between machines but maybe no one else here uses.

Maybe Process Lasso, https://bitsum.com/?inproduct, it could mess with processes, but I tried disabling it, no difference either.
 
Here is what is loaded for one of the TCCs doing I/O:

Image:
Modules.png


Mapped files:

Mapped Files.png

I'm not sure what is causing it.

I have something similar with UltraEdit, the licensing module does something similar. Maybe trying to call home but the firewall prevents it and so it keeps trying.
 
I only found "Fallout" because Google had changed my "SfmDxSetSwapChainStats" to "SfmDxGetSwapChainStats".

The only DLL or EXE in my System32 directory that uses "SfmDxSetSwapChainStats" is DWMCORE.DLL (DWM = DesktopWindowManager) which is, no doubt, injected into every app that interacts with the desktop.

I'm out of ideas.
 
