Defensive use only. Detection methodologies published for server administrators, DFIR practitioners, and anti-cheat researchers. No evasion guidance is provided.
Overview
mycomput.dll is the DLL that implements the Computer Management snap-in host (compmgmt.msc). On a stock Windows 11 installation, the legitimate file is located at C:\Windows\System32\mycomput.dll and has a size of approximately 124 KB. The No Trace Bypass replaces this file with a malicious DLL of approximately 18,000 KB (18 MB) — 145 times the legitimate size — which bundles the bypass loader alongside stub implementations of the legitimate exports.
The bypass is activated by the Win+X keyboard shortcut (opens the Quick Access menu in Windows 11) followed by pressing F7, which selects Computer Management from the menu. When compmgmt.msc launches, the Microsoft Management Console loads mycomput.dll from System32, at which point the bypass DLL executes its loader payload. The use of a Windows built-in shortcut to trigger injection is intended to make the activation sequence appear innocuous on a screenshare.
Despite the "No Trace" branding, the size anomaly is immediately visible without any forensic tooling — File Explorer shows the file size in the details pane. A 18 MB mycomput.dll cannot be disguised or explained away as a legitimate Windows component, making this one of the most straightforward detections documented in this research series.
Primary IOCs
mycomput.dll file size check
Navigate to C:\Windows\System32 in File Explorer. Locate mycomput.dll. Right-click → Properties → General tab. The Size field should read approximately 124 KB (the exact value varies slightly by Windows build — typical range 120–128 KB). If the size reads anything near 18,000 KB or 18 MB, the bypass DLL is present. This single check is definitive and requires no additional tooling.
SHA-256 hash comparison
For conclusive identification, compute the SHA-256 of the suspect file: run certutil -hashfile C:\Windows\System32\mycomput.dll SHA256 in an elevated Command Prompt. The bypass DLL SHA-256 is f07de2eb82878d89e6851b5c6434638049467f1c343bcacc287037f621e5a494. A hash match confirms the specific No Trace bypass version. Any non-matching hash on a file of anomalous size is still a strong positive IOC warranting escalation.
DLL path verification
The legitimate mycomput.dll is only present in C:\Windows\System32\ and, on 64-bit systems with 32-bit compatibility, potentially in C:\Windows\SysWOW64\. Run where mycomput.dll in a Command Prompt to list all instances. Additional copies in unexpected locations (user profile directories, AppData, game directories) indicate DLL search order hijacking or staging of the replacement file prior to installation.
Journal Trace creation event for oversized mycomput.dll
Use NTFS Journal analysis (e.g., MFT Explorer or KAPE with the NTFS collection module) to query the USN Journal for change records on mycomput.dll. A creation or modification record on this file with a timestamp that does not correspond to a Windows Update is an IOC. The timestamp will indicate when the bypass DLL was written to disk, which can be cross-referenced with logon events and game session timestamps.
Win+X menu usage in LastActivityView
Open LastActivityView (NirSoft). Filter for compmgmt.msc or mmc.exe launch events. A recent execution of Computer Management — particularly one occurring during or immediately before a game session — indicates that the bypass activation sequence was used. Cross-reference the MMC launch timestamp with the MFT record modification timestamp on mycomput.dll to establish the injection trigger timeline.
Size-Based DLL Detection
File size is one of the most underutilized IOC types in bypass detection, yet for DLL replacement attacks it is frequently definitive. Legitimate Windows system DLLs are compiled by Microsoft and their sizes are stable across systems running the same Windows build — they do not vary by user configuration or installed software. A malicious replacement DLL that bundles additional code (a bypass loader, packed payload, or embedded resources) will almost always be substantially larger than the file it replaces.
The 145× size discrepancy in this case (124 KB → 18,000 KB) is among the most extreme examples encountered in FiveM bypass analysis. It reflects a design choice to embed a large payload directly inside the DLL rather than fetching it at runtime — a tradeoff that makes network forensics harder but makes file-level detection trivially easy.
For server administrators building detection playbooks, maintaining a reference table of expected sizes for commonly targeted system DLLs is a high-value, low-cost defensive measure. The following DLLs are frequently targeted and have stable, well-documented sizes on stock Windows installations:
mycomput.dll— ~124 KB (Computer Management snap-in)ntdll.dll— ~2.1 MB (varies slightly by build)kernel32.dll— ~700–800 KBuser32.dll— ~1.4–1.6 MB
Any system DLL that deviates significantly from its expected size — without a corresponding Windows Update installation event — should be considered a candidate for DLL replacement investigation.
Detection Notes
The file size check alone is sufficient to confirm this bypass. No advanced tooling is required — File Explorer, PowerShell's Get-Item, or a single dir command will expose the anomaly. The "No Trace" name is aspirational; this bypass leaves a highly visible artifact in one of the most stable, well-characterized locations on a Windows system.
Investigators should also check whether Windows Resource Protection (SFC — System File Checker) would detect the replacement. SFC maintains hashes of protected system files in a cache (C:\Windows\System32\catroot). Running sfc /verifyonly in an elevated Command Prompt will report integrity violations for a replaced mycomput.dll without making any changes, providing an additional confirmation method.
After detection and removal, the legitimate mycomput.dll can be restored by running sfc /scannow in an elevated Command Prompt, which will replace the tampered file with the cached genuine version from the Windows Component Store (C:\Windows\WinSxS).