Bypass Detection·Jun 2, 2026

No Trace Bypass: Oversized mycomput.dll in Computer Management

No Trace Bypass plants a malicious replacement for mycomput.dll — the legitimate Computer Management host DLL — that is approximately 145 times larger than the authentic file (~18,000 KB vs ~124 KB). The bypass is triggered by the Win+X then F7 keyboard sequence, which opens Computer Management and causes the oversized DLL to be loaded. File size alone is sufficient to flag this bypass without requiring hash computation.

FiveMBypass Detectionmycomput.dllDLL Size AnomalyComputer Management

Defensive use only. Detection methodologies published for server administrators, DFIR practitioners, and anti-cheat researchers. No evasion guidance is provided.

Overview

mycomput.dll is the DLL that implements the Computer Management snap-in host (compmgmt.msc). On a stock Windows 11 installation, the legitimate file is located at C:\Windows\System32\mycomput.dll and has a size of approximately 124 KB. The No Trace Bypass replaces this file with a malicious DLL of approximately 18,000 KB (18 MB) — 145 times the legitimate size — which bundles the bypass loader alongside stub implementations of the legitimate exports.

The bypass is activated by the Win+X keyboard shortcut (opens the Quick Access menu in Windows 11) followed by pressing F7, which selects Computer Management from the menu. When compmgmt.msc launches, the Microsoft Management Console loads mycomput.dll from System32, at which point the bypass DLL executes its loader payload. The use of a Windows built-in shortcut to trigger injection is intended to make the activation sequence appear innocuous on a screenshare.

Despite the "No Trace" branding, the size anomaly is immediately visible without any forensic tooling — File Explorer shows the file size in the details pane. A 18 MB mycomput.dll cannot be disguised or explained away as a legitimate Windows component, making this one of the most straightforward detections documented in this research series.

Primary IOCs

1

mycomput.dll file size check

Navigate to C:\Windows\System32 in File Explorer. Locate mycomput.dll. Right-click → Properties → General tab. The Size field should read approximately 124 KB (the exact value varies slightly by Windows build — typical range 120–128 KB). If the size reads anything near 18,000 KB or 18 MB, the bypass DLL is present. This single check is definitive and requires no additional tooling.

2

SHA-256 hash comparison

For conclusive identification, compute the SHA-256 of the suspect file: run certutil -hashfile C:\Windows\System32\mycomput.dll SHA256 in an elevated Command Prompt. The bypass DLL SHA-256 is f07de2eb82878d89e6851b5c6434638049467f1c343bcacc287037f621e5a494. A hash match confirms the specific No Trace bypass version. Any non-matching hash on a file of anomalous size is still a strong positive IOC warranting escalation.

3

DLL path verification

The legitimate mycomput.dll is only present in C:\Windows\System32\ and, on 64-bit systems with 32-bit compatibility, potentially in C:\Windows\SysWOW64\. Run where mycomput.dll in a Command Prompt to list all instances. Additional copies in unexpected locations (user profile directories, AppData, game directories) indicate DLL search order hijacking or staging of the replacement file prior to installation.

4

Journal Trace creation event for oversized mycomput.dll

Use NTFS Journal analysis (e.g., MFT Explorer or KAPE with the NTFS collection module) to query the USN Journal for change records on mycomput.dll. A creation or modification record on this file with a timestamp that does not correspond to a Windows Update is an IOC. The timestamp will indicate when the bypass DLL was written to disk, which can be cross-referenced with logon events and game session timestamps.

5

Win+X menu usage in LastActivityView

Open LastActivityView (NirSoft). Filter for compmgmt.msc or mmc.exe launch events. A recent execution of Computer Management — particularly one occurring during or immediately before a game session — indicates that the bypass activation sequence was used. Cross-reference the MMC launch timestamp with the MFT record modification timestamp on mycomput.dll to establish the injection trigger timeline.

Size-Based DLL Detection

File size is one of the most underutilized IOC types in bypass detection, yet for DLL replacement attacks it is frequently definitive. Legitimate Windows system DLLs are compiled by Microsoft and their sizes are stable across systems running the same Windows build — they do not vary by user configuration or installed software. A malicious replacement DLL that bundles additional code (a bypass loader, packed payload, or embedded resources) will almost always be substantially larger than the file it replaces.

The 145× size discrepancy in this case (124 KB → 18,000 KB) is among the most extreme examples encountered in FiveM bypass analysis. It reflects a design choice to embed a large payload directly inside the DLL rather than fetching it at runtime — a tradeoff that makes network forensics harder but makes file-level detection trivially easy.

For server administrators building detection playbooks, maintaining a reference table of expected sizes for commonly targeted system DLLs is a high-value, low-cost defensive measure. The following DLLs are frequently targeted and have stable, well-documented sizes on stock Windows installations:

  • mycomput.dll — ~124 KB (Computer Management snap-in)
  • ntdll.dll — ~2.1 MB (varies slightly by build)
  • kernel32.dll — ~700–800 KB
  • user32.dll — ~1.4–1.6 MB

Any system DLL that deviates significantly from its expected size — without a corresponding Windows Update installation event — should be considered a candidate for DLL replacement investigation.

Screenshare Check Methodology

1

File Explorer size check — live view

Ask the subject to open File Explorer, navigate to C:\Windows\System32, type mycomput in the search box, and right-click the result to open Properties. The Size field must show approximately 124 KB. Ask the subject to read the size aloud or zoom in so it is clearly visible on screenshare. A value near 18,000 KB or 18 MB is an immediate positive IOC.

2

Hash verification in elevated Command Prompt

Ask the subject to open an elevated Command Prompt and run certutil -hashfile C:\Windows\System32\mycomput.dll SHA256. The output hash should be compared against the known-good value for the installed Windows build (obtainable from the Microsoft Symbol Server or a clean reference system). A match to f07de2eb82878d89e6851b5c6434638049467f1c343bcacc287037f621e5a494 confirms the bypass DLL.

3

Signature check via PowerShell

Ask the subject to run Get-AuthenticodeSignature C:\Windows\System32\mycomput.dll | Select-Object Status, SignerCertificate. The legitimate DLL is signed by Microsoft. The bypass DLL may be unsigned or signed with an invalid or untrusted certificate. A NotSigned or HashMismatch result on a System32 DLL is definitive evidence of tampering.

4

SysWOW64 check for 32-bit variant

Ask the subject to run dir C:\Windows\SysWOW64\mycomput.dll. On most 64-bit Windows systems, this file does not exist in SysWOW64 (Computer Management is a 64-bit application). If found in SysWOW64 with an anomalous size, it indicates the bypass has also targeted 32-bit MMC scenarios. Document the size and hash of both copies if present.

5

MMC recent execution check

Ask the subject to open WinPrefetchView and scroll to MMC.EXE-*.pf. Check the last run time. Ask them to also open LastActivityView and filter for mmc. A recent execution timestamp — particularly one aligned with a game session — combined with the oversized DLL confirms that the injection trigger was used. The combination of artifact presence and trigger evidence constitutes a complete IOC chain.

Detection Notes

The file size check alone is sufficient to confirm this bypass. No advanced tooling is required — File Explorer, PowerShell's Get-Item, or a single dir command will expose the anomaly. The "No Trace" name is aspirational; this bypass leaves a highly visible artifact in one of the most stable, well-characterized locations on a Windows system.

Investigators should also check whether Windows Resource Protection (SFC — System File Checker) would detect the replacement. SFC maintains hashes of protected system files in a cache (C:\Windows\System32\catroot). Running sfc /verifyonly in an elevated Command Prompt will report integrity violations for a replaced mycomput.dll without making any changes, providing an additional confirmation method.

After detection and removal, the legitimate mycomput.dll can be restored by running sfc /scannow in an elevated Command Prompt, which will replace the tampered file with the cached genuine version from the Windows Component Store (C:\Windows\WinSxS).