Internet Explorer 8 Freezing On Startup ~75% Of The Time
Hi,

I've been having a problem whereby a large number of our lab machines, servers, and desktops are all having problems with internet explorer 8 freezing on either browser startup, creation of new tabs, or creation of popup windows. There are at least 50 machines involved on three highly segregated networks across multiple domains and affecting multiple user accounts. There's at least Windows XP and Windows Server 2003 affected.

I've tried running IE with all extensions off (both with -extoff and manually disabling all add ins, accelerators, and other loaded modules), or disabling a few at a time, as well as resetting my settings, re-registering DLLs, and re-installing Internet Explorer 8. Not even a fresh install with no addins and -extoff is immune - IE8 still locks up/freezes.

Looking at the problem in more depth, there are three main ways that IE8 shows up in the process list (as seen by process explorer) when this problem is occurring:

1. a single iexplore.exe process with an unusually small (typically ~1600k) private bytes count, and a similarly tiny working set (typically ~4000k)
2. a main iexplore.exe process with standard private bytes and working set sizes of ~12600k and ~22600k respectively, and a single child iexplore.exe process with the same characteristics of the process from #1 above.
3. the same setup as #2, but with at least one other child process that also shares normal private and working set sizes respectively.

#1 and #2 are associated with an instance of IE that doesn't generate any window (it looks like IE silently fails to load) but leaves a trace in the task manager. #3 shows up as a standard, working IE8 window, but with a 'crashed' (more accurately: nonresponsive) tab, popup, or child window.

If I try and list the threads of the iexplore.exe processes with process explorer I get the usual list of threads (10-15 of them) with start addresses, but attempts to open the thread list of the nonresponsive iexplore.exe processes results in a short pause (~5 seconds or so) followed by a completely empty thread list. It's almost as if whatever is blocking iexplore.exe interferes with process explorer's attempts to open and query the thread/process as well.

I force crashed a process in state #3 (the only one that will generate a "would you like to report this problem?" dialogue) and analyzed it with windbg, and the salient output from it is:

Probably caused by : ieframe.dll ( ieframe!CTabWindow::LaunchTabThread+75d )

It definitely feels like internet explorer is deadlocking on something, but for the life of me I can't seem to get it to come back to life (I even tried selectively closing file handles, semaphores, and mutexes on crashed processes in the hope that this would unblock it, but to no avail!)

Some other useful information: All operating systems are fully patched with all critical and recommended updates, and all are running the latest version of Sophos antivirus with fully updated definitions. I've run multiple adware checkers, multiple rootkit revealers, examined the system in great depth for anything suspicious, and even ran two other antivirus sweeps with both trend and clamav for win and nothing turned up. None of the affected systems appear to be infected with any known viruses or rootkits or with anything that is causing any suspicious activity on any conceivable system monitoring utility, and none of them have anything out of the ordinary with respect to addins etc (they're all running without accelerators and other than the latest versions of flash, adobe reader, java, and sophos, they are basically clean - eg, no toolbars or other rubbish installed.)

I've done a ~lot~ of googling and can't seem to find anything relevant or helpful. I'm at a bit of a loss as to where to go from here.

Regards, Jon.
May 17th, 2010 12:57pm

Additional info: this started happening sometime in the last month, so I tried rolling back any updates or patches applied to IE via windows updates since then - no luck. I take it from the lack of responses that everyone else is at a loss as to what to do as well :/
May 18th, 2010 4:12am

> It definitely feels like internet explorer is deadlocking on something, but for the life of me I can't seem to get it to come back to life (I even tried selectively closing file handles, semaphores, and mutexes on crashed processes in the hope that this would unblock it, but to no avail!)

What was it doing? E.g. see how your symptom changes if you use the -nohome switch on your command line.
May 18th, 2010 6:34am

I suggest that you try to reset IE settings.

1. Click Start, please type “inetcpl.cpl” (without quotation marks) in the Start Search bar and press Enter to open the Internet options window.
2. Switch to the Advanced tab.
3. Click the "Reset Internet Explorer Settings" button.
4. Click Reset to confirm the operation.
5. Click Close when the resetting process has finished.
6. Uncheck the "Enable third-party browser extensions" option in the Settings box.
7. Click Apply, click OK.

If the issue still occurs after resetting IE, try to boot in No Add-ons Mode. Click the Start Button, All Programs, Accessories, System Tools, and then click Internet Explorer (No Add-ons). Please check if the issue persists. If the issue does not reoccur, it may be caused by an IE Add-on. In that case, let’s continue to perform the following steps to narrow down the cause.

Check Internet Explorer Add-Ons
=========================

1. Click Tools, and then click Internet Options.
2. Click the "Programs" tab, and then click Manage Add-ons.
3. Select an add-on in the Name list, and then click Disable.
4. Please restart IE with Add-ons and check the issue again.

If the issue is resolved, the disabled Add-on was the cause of the issue. If the issue reoccurs, let’s continue to disable the next Add-on using the same method. By doing so, we can determine which Add-on contributed to the issue.

Arthur Xie - MSFT
May 18th, 2010 8:38am

> 4. Please restart IE with Add-ons and check the issue again.

Arthur,

Are you just seeing this after the move? Notice that the OP has already taken add-ons into account.

FWIW I agree with the decision to move the thread to Networking. E.g. I have occasionally seen symptoms like this (mostly with WLMail, less frequently with IE) and the symptom then is that the only activity on the thread (e.g. according to Task Manager) is a periodic incrementing of the I/O Other Bytes statistic by 16 while the I/O Other counter goes crazy. That to me would seem to be indicating more a problem with the OS than with IE. I was intending on mentioning that after hearing that -nohome idea works (of course--the problem is not IE but the connectivity) but the move happened first. <eg>

FYI Robert ---
May 19th, 2010 3:21am

I'm also having this problem. What I have found is that it is related to sophos. It wasn't happening until I installed that.
May 21st, 2010 5:41pm

Using -nohome made no difference. Hard to tell what IE is doing since any attempts to break into the thread from outside also appear to deadlock.
May 26th, 2010 4:53am

Yep, already tried all that, but I did it again just to make sure. Alas, it's still a problem. As an aside, I'm not sure why this was moved to Windows 7 networking when I mentioned that this was affecting IE8 on XP and 2003 machines. It may affect Windows 7 but I can't verify that as I don't have any Windows 7 machines handy to test this on. With regards to the process activity: it's completely static. No IO, no CPU, nothing.
May 26th, 2010 5:02am

> I'm also having this problem. What I have found is that it is related to sophos. It wasn't happening until I installed that.

Yep, I'd say we've pretty much confirmed this just now. I took a machine that was affected, uninstalled Sophos, rebooted, and now it's not affected anymore. I'll get in contact with Sophos about this problem and post anything helpful back here, or report if this turns out not to be the problem.
May 26th, 2010 7:29am

In case anyone's interested (I'm not expecting any deep analysis here since I'm already pretty sure this is a Sophos issue), here's the result of attaching to a deadlocked IE process affected by this issue and running !analyze -v against it:

----------------------------
Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.

*** wait with pending attach
Symbol search path is: SRV*C:\WINDOWS\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00400000 0049c000 C:\Program Files\Internet Explorer\iexplore.exe
ModLoad: 7c900000 7c9b2000 C:\WINDOWS\system32\ntdll.dll
ModLoad: 7c800000 7c8f6000 C:\WINDOWS\system32\kernel32.dll
ModLoad: 77dd0000 77e6b000 C:\WINDOWS\system32\ADVAPI32.dll
ModLoad: 77e70000 77f02000 C:\WINDOWS\system32\RPCRT4.dll
ModLoad: 77fe0000 77ff1000 C:\WINDOWS\system32\Secur32.dll
ModLoad: 7e410000 7e4a1000 C:\WINDOWS\system32\USER32.dll
ModLoad: 77f10000 77f59000 C:\WINDOWS\system32\GDI32.dll
ModLoad: 77c10000 77c68000 C:\WINDOWS\system32\msvcrt.dll
ModLoad: 77f60000 77fd6000 C:\WINDOWS\system32\SHLWAPI.dll
ModLoad: 7c9c0000 7d1d7000 C:\WINDOWS\system32\SHELL32.dll
ModLoad: 774e0000 7761d000 C:\WINDOWS\system32\ole32.dll
ModLoad: 3dfd0000 3e1b8000 C:\WINDOWS\system32\iertutil.dll
ModLoad: 78130000 78263000 C:\WINDOWS\system32\urlmon.dll
ModLoad: 77120000 771ab000 C:\WINDOWS\system32\OLEAUT32.dll
ModLoad: 5cb70000 5cb96000 C:\WINDOWS\system32\ShimEng.dll
ModLoad: 6f880000 6fa4a000 C:\WINDOWS\AppPatch\AcGenral.DLL
ModLoad: 76b40000 76b6d000 C:\WINDOWS\system32\WINMM.dll
ModLoad: 77be0000 77bf5000 C:\WINDOWS\system32\MSACM32.dll
ModLoad: 77c00000 77c08000 C:\WINDOWS\system32\VERSION.dll
ModLoad: 769c0000 76a74000 C:\WINDOWS\system32\USERENV.dll
ModLoad: 5ad70000 5ada8000 C:\WINDOWS\system32\UxTheme.dll
ModLoad: 71590000 71609000 C:\WINDOWS\AppPatch\AcLayers.DLL
ModLoad: 73000000 73026000 C:\WINDOWS\system32\WINSPOOL.DRV
ModLoad: 76390000 763ad000 C:\WINDOWS\system32\IMM32.DLL
ModLoad: 00990000 009ce000 C:\PROGRA~1\SOPHOS\SOPHOS~1\SOPHOS~1.DLL
ModLoad: 76bf0000 76bfb000 C:\WINDOWS\system32\PSAPI.DLL
ModLoad: 48000000 48023000 C:\PROGRA~1\GOOGLE\GOOGLE~1\GOEC62~1.DLL
ModLoad: 71ab0000 71ac7000 C:\WINDOWS\system32\WS2_32.dll
ModLoad: 71aa0000 71aa8000 C:\WINDOWS\system32\WS2HELP.dll
ModLoad: 773d0000 774d3000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
ModLoad: 5d090000 5d12a000 C:\WINDOWS\system32\comctl32.dll
ModLoad: 42000000 42047000 C:\Program Files\Google\Google Desktop Search\GoogleDesktopCommon.dll
ModLoad: 3d930000 3da16000 C:\WINDOWS\system32\WININET.dll
ModLoad: 00d10000 00d19000 C:\WINDOWS\system32\Normaliz.dll
ModLoad: 62000000 62091000 C:\Program Files\Google\Google Desktop Search\GoogleDesktopResources_en.dll
ModLoad: 41000000 4101c000 C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
ModLoad: 3e1c0000 3ec53000 C:\WINDOWS\system32\IEFRAME.dll
Break-in sent, waiting 30 seconds...
WARNING: Break-in timed out, suspending.
         This is usually caused by another thread holding the loader lock
(12f8.123c): Wake debugger - code 80000007 (first chance)
eax=00000000 ebx=00000000 ecx=00000000 edx=00000005 esi=009c69e8 edi=00000000
eip=7c90e514 esp=0013ec04 ebp=0013ec8c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!KiFastSystemCallRet:
7c90e514 c3 ret
0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\PROGRA~1\SOPHOS\SOPHOS~1\SOPHOS~1.DLL -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\PROGRA~1\GOOGLE\GOOGLE~1\GOEC62~1.DLL -

FAULTING_IP:
+1562faf0111df58
00000000 ?? ???

EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00000000
ExceptionCode: 80000007 (Wake debugger)
ExceptionFlags: 00000000
NumberParameters: 0

FAULTING_THREAD: 00000001
BUGCHECK_STR: 80000007
PROCESS_NAME: iexplore.exe
ERROR_CODE: (NTSTATUS) 0x80000007 - {Kernel Debugger Awakened} the system debugger was awakened by an interrupt.
EXCEPTION_CODE: (HRESULT) 0x80000007 (2147483655) - Operation aborted
MOD_LIST: <ANALYSIS/>
NTGLOBALFLAG: 0
APPLICATION_VERIFIER_FLAGS: 0
CRITICAL_SECTION: 009c69e8 -- (!cs -s 009c69e8)
BLOCKING_THREAD: 0000123c
LOADERLOCK_OWNER_API: LoadLibraryExW:LdrLoadDll:LdrpLoadDll:LdrpRunInitializeRoutines:LdrpCallInitRoutine:
LOADERLOCK_BLOCKED_API: GetModuleHandleForUnicodeString:LdrGetDllHandle:LdrGetDllHandleEx:LdrLockLoaderLock:
DERIVED_WAIT_CHAIN:

Dl Eid Cid       WaitType
-- --- -------   --------------------------
x  0   12f8.123c Critical Section       -->
x  1   12f8.1f70 Critical Section       --^

WAIT_CHAIN_COMMAND: ~0s;k;;~1s;k;;
DEFAULT_BUCKET_ID: APPLICATION_HANG_DEADLOCK_CrossThreadBoundaryInDLLMain
PRIMARY_PROBLEM_CLASS: APPLICATION_HANG_DEADLOCK_CrossThreadBoundaryInDLLMain
LAST_CONTROL_TRANSFER: from 7c90df5a to 7c90e514

STACK_TEXT:
00c3f76c 7c90df5a 7c91b24b 00000040 00000000 ntdll!KiFastSystemCallRet
00c3f770 7c91b24b 00000040 00000000 00000000 ntdll!ZwWaitForSingleObject+0xc
00c3f7f8 7c901046 0197e178 7c914a53 7c97e178 ntdll!RtlpWaitForCriticalSection+0x132
00c3f800 7c914a53 7c97e178 00000000 00c3f900 ntdll!RtlEnterCriticalSection+0x46
00c3f83c 7c9168f0 00000000 00000000 00c3f880 ntdll!LdrLockLoaderLock+0x146
00c3f8b0 7c9166b8 00000001 00160920 00000000 ntdll!LdrGetDllHandleEx+0x8b
00c3f8cc 7c80e713 00160920 00000000 00c3f950 ntdll!LdrGetDllHandle+0x18
00c3f91c 7c80e64b 00c3f950 00400000 009c6a00 kernel32!GetModuleHandleForUnicodeString+0x49
00c3fda0 7c80e4fc 00000001 00000002 009e5930 kernel32!BasepGetModuleHandleExW+0x18e
00c3fdb8 009987fb 009e5930 0099a2df 009c69e4 kernel32!GetModuleHandleW+0x29
WARNING: Stack unwind information not available. Following frames may be wrong.
00c3fdc0 0099a2df 009c69e4 009e5930 00400000 SOPHOS_1+0x87fb
00c3fdf0 00998081 00000001 7c80acaf 00001f70 SOPHOS_1!Detoured+0xddf
00000000 00000000 00000000 00000000 00000000 SOPHOS_1+0x8081

FOLLOWUP_IP:
IEFRAME!_CRT_INIT+281
3e1c8114 8945e4 mov dword ptr [ebp-1Ch],eax

SYMBOL_STACK_INDEX: b
SYMBOL_NAME: IEFRAME!_CRT_INIT+281
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: IEFRAME
IMAGE_NAME: IEFRAME.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 4b8617a2
STACK_COMMAND: ~1s ; kb
BUCKET_ID: 80000007_IEFRAME!_CRT_INIT+281
WATSON_IBUCKET: 1188882954
WATSON_IBUCKETTABLE: 1
FAILURE_BUCKET_ID: APPLICATION_HANG_DEADLOCK_CrossThreadBoundaryInDLLMain_80000007_IEFRAME.dll!_CRT_INIT
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/iexplore_exe/8_0_6001_18702/49b3ad2e/unknown/0_0_0_0/bbbbbbb4/80000007/00000000.htm?Retriage=1
Followup: MachineOwner
---------
May 26th, 2010 10:40am

and the wait chain follow up:

-------
0:000> ~0s;k;;~1s;k;;
eax=00000000 ebx=00000000 ecx=00000000 edx=00000005 esi=009c69e8 edi=00000000
eip=7c90e514 esp=0013ec04 ebp=0013ec8c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!KiFastSystemCallRet:
7c90e514 c3 ret
ChildEBP RetAddr
0013ec00 7c90df5a ntdll!KiFastSystemCallRet
0013ec04 7c91b24b ntdll!ZwWaitForSingleObject+0xc
0013ec8c 7c901046 ntdll!RtlpWaitForCriticalSection+0x132
0013ec94 0099a28c ntdll!RtlEnterCriticalSection+0x46
WARNING: Stack unwind information not available. Following frames may be wrong.
0013ecc0 00998081 SOPHOS_1!Detoured+0xd8c
0013ecf0 3e2624db SOPHOS_1+0x8081
0013f13c 3e2f7464 IEFRAME!LoadMUILibraryW+0x5b
0013f478 3e1c9b67 IEFRAME!LoadMUI+0x90
0013f47c 3e1c9487 IEFRAME!InitSearchActivityProvider+0xe
0013f5b4 3e1c8030 IEFRAME!_ProcessAttach+0x435
0013f5c4 3e1c8114 IEFRAME!DllMain+0x27
0013f624 7c90118a IEFRAME!_CRT_INIT+0x281
0013f644 7c91c4fa ntdll!LdrpCallInitRoutine+0x14
0013f74c 7c916371 ntdll!LdrpRunInitializeRoutines+0x344
0013f9f8 7c9164d3 ntdll!LdrpLoadDll+0x3e5
0013fca0 7c801bbd ntdll!LdrLoadDll+0x230
0013fd08 7c801d72 kernel32!LoadLibraryExW+0x18e
0013fd1c 7c801da8 kernel32!LoadLibraryExA+0x1f
0013fd38 715b9f3a kernel32!LoadLibraryA+0x94
0013fd70 004022c5 AcLayers!NS_IgnoreLoadLibrary::APIHook_LoadLibraryA+0xe1
0013fdcc 004021f6 iexplore!__delayLoadHelper2+0xfc
0013ff2c 0040128e iexplore!_tailMerge_IEFRAME_dll+0xd
0013ffc0 7c817077 iexplore!_initterm_e+0x1b1
0013fff0 00000000 kernel32!BaseProcessStart+0x23
eax=0049a700 ebx=00000000 ecx=7c80a095 edx=0000c000 esi=7c97e178 edi=00000000
eip=7c90e514 esp=00c3f770 ebp=00c3f7f8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!KiFastSystemCallRet:
7c90e514 c3 ret
ChildEBP RetAddr
00c3f76c 7c90df5a ntdll!KiFastSystemCallRet
00c3f770 7c91b24b ntdll!ZwWaitForSingleObject+0xc
00c3f7f8 7c901046 ntdll!RtlpWaitForCriticalSection+0x132
00c3f800 7c914a53 ntdll!RtlEnterCriticalSection+0x46
00c3f83c 7c9168f0 ntdll!LdrLockLoaderLock+0x146
00c3f8b0 7c9166b8 ntdll!LdrGetDllHandleEx+0x8b
00c3f8cc 7c80e713 ntdll!LdrGetDllHandle+0x18
00c3f91c 7c80e64b kernel32!GetModuleHandleForUnicodeString+0x49
00c3fda0 7c80e4fc kernel32!BasepGetModuleHandleExW+0x18e
00c3fdb8 009987fb kernel32!GetModuleHandleW+0x29
WARNING: Stack unwind information not available. Following frames may be wrong.
00c3fdc0 0099a2df SOPHOS_1+0x87fb
00c3fdf0 00998081 SOPHOS_1!Detoured+0xddf
00000000 00000000 SOPHOS_1+0x8081
May 26th, 2010 10:42am
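
The two stacks above read as a lock-order check, in an added example that is not part of the original posts: it flags one thread blocked inside a DLL init routine (which the loader runs with the loader lock held) and another blocked in LdrLockLoaderLock, and names the module that made each blocking call. The frame text is copied from the posts; the function names are illustrative and the pairing is a heuristic, not proof of ownership.

```python
import re

# Constructed input: frames copied from the two `k` stacks in the posts above
# (addresses dropped, a few frames trimmed), innermost frame first.
STACKS = {
    "12f8.123c": """
        ntdll!ZwWaitForSingleObject+0xc
        ntdll!RtlpWaitForCriticalSection+0x132
        ntdll!RtlEnterCriticalSection+0x46
        SOPHOS_1!Detoured+0xd8c
        SOPHOS_1+0x8081
        IEFRAME!LoadMUILibraryW+0x5b
        IEFRAME!_ProcessAttach+0x435
        IEFRAME!DllMain+0x27
        IEFRAME!_CRT_INIT+0x281
        ntdll!LdrpCallInitRoutine+0x14
        ntdll!LdrpRunInitializeRoutines+0x344
        kernel32!LoadLibraryExW+0x18e
    """,
    "12f8.1f70": """
        ntdll!ZwWaitForSingleObject+0xc
        ntdll!RtlpWaitForCriticalSection+0x132
        ntdll!RtlEnterCriticalSection+0x46
        ntdll!LdrLockLoaderLock+0x146
        ntdll!LdrGetDllHandleEx+0x8b
        kernel32!GetModuleHandleW+0x29
        SOPHOS_1+0x87fb
        SOPHOS_1!Detoured+0xddf
    """,
}

FRAME = re.compile(r"^(?P<mod>[^!+\s]+)(?:!(?P<sym>[^+\s]+))?(?:\+0x[0-9a-fA-F]+)?$")
OS_WAIT_PATH = {"ntdll", "kernel32"}  # modules that only carry the wait itself

def parse_frames(text):
    """Return [(module, symbol or None), ...] with the innermost frame first."""
    matches = (FRAME.match(line.strip()) for line in text.splitlines())
    return [(m["mod"], m["sym"]) for m in matches if m]

def describe(frames):
    syms = [sym for _, sym in frames]
    cs = syms.index("RtlEnterCriticalSection") if "RtlEnterCriticalSection" in syms else None
    init = syms.index("LdrpCallInitRoutine") if "LdrpCallInitRoutine" in syms else None
    return {
        "waiting": cs is not None,
        # The critical section is being entered directly by LdrLockLoaderLock.
        "wants_loader_lock": cs is not None and syms[cs + 1:cs + 2] == ["LdrLockLoaderLock"],
        # A DLL init routine is on the stack, so this thread owns the loader lock.
        "holds_loader_lock": init is not None,
        "initialising": frames[init - 1][0] if init else None,
        # First module below the wait that is not part of the OS wait path.
        "caller": next((m for m, _ in frames if m.lower() not in OS_WAIT_PATH), None),
    }

def find_loader_lock_deadlock(stacks):
    """Heuristic pairing of a loader-lock owner with a loader-lock waiter."""
    info = {tid: describe(parse_frames(text)) for tid, text in stacks.items()}
    holder = next((t for t, d in info.items()
                   if d["holds_loader_lock"] and d["waiting"] and not d["wants_loader_lock"]), None)
    waiter = next((t for t, d in info.items()
                   if d["wants_loader_lock"] and not d["holds_loader_lock"]), None)
    if holder is None or waiter is None:
        return None
    return {
        "loader_lock_holder": holder,
        "dll_being_initialised": info[holder]["initialising"],
        "holder_blocked_by_call_from": info[holder]["caller"],
        "loader_lock_waiter": waiter,
        "waiter_called_from": info[waiter]["caller"],
    }

if __name__ == "__main__":
    print(find_loader_lock_deadlock(STACKS))
```

On these stacks IEFRAME is only the DLL being initialised; both blocking calls come from SOPHOS_1, even though the !analyze bucket is named after IEFRAME!_CRT_INIT.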

reference for sophos_detoured.dll (part of Sophos's buffer overflow protection): http://www.sophos.com/support/knowledgebase/article/36501.html
May 26th, 2010 11:01am

arthur or irfan, please can you move this topic back to Internet Explorer where it is relevant (IE under Win7 does not seem to be impacted). thanks, rik
May 27th, 2010 5:03am

> As an aside, I'm not sure why this was moved to Windows 7 networking

It's even worse than that. Originally it was under the Answers "brand". Now it's under the TechNet "brand" and now there is no way to move it back even to a more appropriate Answers "brand" forum. <eg>

BTW I still think that an OS or Networking forum rather than an IE forum is more appropriate for discussing this symptom. You would certainly never get the sort of task analysis done there that you are doing here. Also, FWIW I'm unclear on what you have found out about your Sophos factor.

Otherwise, to continue gathering a symptom description from an IE user's point of view... You say "completely static". Did you specifically check those TM statistics that I mentioned? Also, "-nohome made no difference" is not giving me a clear idea of what you are seeing when you try that. If necessary you may also have to use -extoff (to try to force IE to open a new main control task). E.g. check with W7 TM's (or ProcExp) Command line column that the new iexplore.exe task you are starting is independent of all of the old ones. I suppose you could also try experimenting with TabProcGrowth=0 (e.g. disable both LCIE and Protected Mode) or TabProcGrowth=1 (just disable LCIE) to try to get more independence for your new IE tasks.

HTH Robert ---
May 27th, 2010 7:06pm

Hi Robert,

> Also, FWIW I'm unclear on what you have found out about your Sophos factor.

So the latest from Sophos is that they got me to try removing the Sophos_detoured.dll file from the AppInit_DLLs registry entry. Here's what mine looked like before the change:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\]
"AppInit_DLLs"="C:\PROGRA~1\SOPHOS\SOPHOS~1\SOPHOS~1.DLL C:\PROGRA~1\GOOGLE\GOOGLE~1\GOEC62~1.DLL"

And after:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\]
"AppInit_DLLs"="C:\PROGRA~1\GOOGLE\GOOGLE~1\GOEC62~1.DLL"

Then I rebooted and tried to get Internet Explorer 8 to deadlock again. I couldn't. I'd say that's fairly conclusive proof that Sophos' Buffer Overflow Protection technology is deadlocking Internet Explorer 8.

> You say "completely static". Did you specifically check those TM statistics that I mentioned?

Yep, I checked all the statistics using process explorer, and none of the values on any of the tabs changed one iota after the process deadlocked.

> Also, "-nohome made no difference" is not giving me a clear idea of what you are seeing when you try that. If necessary you may also have to use -extoff (to try to force IE to open a new main control task).

What I meant by no difference was that the behavior of starting 50 internet explorer windows with "iexplore.exe" vs "iexplore.exe -nohome" was identical: in the case of the day I did those tests on, in both cases approximately 10% of the launched processes were deadlocked (or the child iexplore.exe process was deadlocked.) Since this isn't a 100% deadlock situation, I can't give you anything but overall statistics, and the behavior of the actual processes that are deadlocked, and as far as I can tell, there was no statistical difference between -nohome or not, and no difference in the behavior or stack call tree of the deadlocked processes. So, yeah... "no difference." :)

As for -extoff, I also used that in my tests and again "no difference" (note: I thought -extoff disabled extensions, not forced a new main control task to open...)

> E.g. check with W7 TM's (or ProcExp) Command line column that the new iexplore.exe task you are starting is independent of all of the old ones.

They generally were. What I'd typically see is a series of iexplore.exe processes with an iexplore.exe child. In some cases, there was just the iexplore.exe main process: that always meant the main process had deadlocked, rather than the child. In both the parent and child deadlock scenarios, the actual deadlocked process looked the same regardless of whether it was the child or not. If I opened a bunch of new tabs, that seemed to spawn a bunch more iexplore.exe child processes, some of which would deadlock as they were spawned. Again, those deadlocked processes looked the same as all the other deadlocked ones.

> I suppose you could also try experimenting with TabProcGrowth=0 (e.g. disable both LCIE and Protected Mode) or TabProcGrowth=1 (just disable LCIE) to try to get more independence for your new IE tasks.

Is this a debugging suggestion, or a workaround? If a workaround, I was previously just watching process explorer as I started IE8, and killing any runt iexplore.exe processes (as they invariably were the deadlocked ones) until I got a good IE process running. An even better workaround now is to remove the AppInit_DLLs entry for Sophos, as this leaves you with virus protection (sans BOP), and a working Internet Explorer. If debugging, I'll look into it if Sophos gives me the runaround, but for now I think I'd prefer it if Sophos fixed their product :)

Thanks for the detailed and insightful reply, Robert, your assistance is much appreciated.

Regards, Jon.
May 28th, 2010 6:24am
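
The AppInit_DLLs change described in the post above, as an added example that is not part of the original thread: it splits the value the way Windows does, drops the entry for a named DLL even when it is listed under its 8.3 short name, and renders a .reg fragment with the escaping that format needs. The helper names are illustrative, and the long file name sophos_detoured.dll is taken from the posts.

```python
import ntpath
import re

KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

# Value as shown in the post above, before the change.
BEFORE = (r"C:\PROGRA~1\SOPHOS\SOPHOS~1\SOPHOS~1.DLL "
          r"C:\PROGRA~1\GOOGLE\GOOGLE~1\GOEC62~1.DLL")

def split_appinit(value):
    """Entries are separated by spaces or commas, which is why 8.3 paths are used."""
    return [entry for entry in re.split(r"[ ,]+", value.strip()) if entry]

def short_name_pattern(long_name):
    """Regex for the simple 8.3 alias, e.g. sophos_detoured.dll -> SOPHOS~<n>.DLL.

    Assumption: only the first-six-characters form is covered. Hashed aliases
    (such as GOEC62~1.DLL above) are not, and any other file in the same folder
    starting with the same six characters could own the alias.
    """
    stem, ext = ntpath.splitext(long_name)
    stem = re.sub(r"[ .]", "", stem)[:6]
    return re.compile(rf"^{re.escape(stem)}~\d{re.escape(ext[:4])}$", re.IGNORECASE)

def remove_dll(value, long_name):
    """Return (kept, removed) so the removed entries can be reviewed before deployment."""
    alias = short_name_pattern(long_name)
    kept, removed = [], []
    for entry in split_appinit(value):
        base = ntpath.basename(entry)
        hit = base.lower() == long_name.lower() or alias.match(base)
        (removed if hit else kept).append(entry)
    return kept, removed

def reg_file(entries):
    """Render a .reg fragment; backslashes and quotes are escaped in string values."""
    data = " ".join(entries).replace("\\", "\\\\").replace('"', '\\"')
    return "\r\n".join([
        "Windows Registry Editor Version 5.00",
        "",
        f"[{KEY}]",
        f'"AppInit_DLLs"="{data}"',
        "",
    ])

if __name__ == "__main__":
    kept, removed = remove_dll(BEFORE, "sophos_detoured.dll")
    print("removed:", removed)
    print(reg_file(kept))
```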

Hi Technocrate, Please don't respond to threads unless you can add something intelligent (or at least demonstrate that you've read past the subject line.) Regards, Jon.
June 2nd, 2010 10:09am

I'm experiencing exactly the same across about 10 machines, uninstall sophos and the problem goes away, reinstall sophos and it comes back. Installing free avg does not cause the problem. The problem occurs on some machines more than others and seems to be (in my opinion) part of the end point application or data scanning checks that are also when IE/a new tab is launched. I've rolled back and forth between ie 7 & 8 but little change, even starting in no addons mode can experience the issue - though rarer. I've been speaking to sophos for a few days now but no solution response other than me passing them logs etc.

Stuart
June 4th, 2010 11:44am

Hi Stuart, I started a Sophos forum thread which might help you - it contains a condensed form of the options for working around this problem with Sophos' Buffer Overflow Prevention System: http://community.sophos.com/t5/Sophos-Endpoint-Security-and/Sophos-9-s-Buffer-Overflow-Protection-System-BOPS-and-Internet/td-p/3208 Regards, Jon.
June 22nd, 2010 5:07am
