Internet Explorer 11 - Closing on launch. Leaves iexplore.exe process running.

Hi all, 

I have a strange issue with a few users' machines (6 out of 120): IE11 opens but closes almost instantly. One of the iexplore.exe processes stays running even after the window has closed / crashed out.

We are running Windows 7 Pro (x64). All domain joined and fully patched (via WinUpdate).

This iexplore.exe process cannot be stopped (via Task Manager or forced via CMD). It also prevents the machine from responding to shutdown or restart commands. The only way to turn off the machine once IE11 has been run is to hard reset (i.e. hold down the power button or pull the plug).

Interestingly, the iexplore.exe properties box in Task Manager shows the process location as:

>>  C:\Windows\winsxs\wow64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_11.2.9600.18738_none_8542ae0bf74c22ed

My initial thought was that it was a broken Windows Update or something (since the lingering process is in the WinSXS folder).

We have Sophos Intercept X installed alongside Symantec Endpoint Protection 14 with no alerts from either being raised and full scans have found nothing untoward.

When I uninstall Sophos (and leave SEP14 installed), IE works fine. The same also applies if I uninstall Symantec Endpoint Protection 14 and leave Intercept X installed. This issue only seems to appear when BOTH AVs are installed.

Any ideas why this is happening and how to resolve the issue?



This thread was automatically locked due to age.
  • Hi,

    If you set the key:

    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    "tabprocgrowth"=dword:00000000

    ...which limits IE to one iexplore.exe process, does this help?  If not, it might make it easier to troubleshoot.

    Regards,

    Jak

  • Hi Jak,

    This appears to have solved the issue. Thanks for the tip.

    Can you explain the logic behind it? What is it about IE starting a new process per tab that Sophos doesn't like, or rather, that the combination of both Sophos IX and our AV together doesn't like?

  • Hi,

    I thought it would simplify the debugging rather than offer a workaround but it's good to hear you can use it at least in the short term.

    So is the child iexplore.exe process crashing?

    Do you see an entry in the App Event log from Windows Error Reporting (WER) suggesting this?

    I would be tempted to run the following commands in an admin prompt:

    • mkdir C:\dumps
    • procdump -ma -mk -i C:\dumps

    https://docs.microsoft.com/en-us/sysinternals/downloads/procdump

    Next time any process crashes (if that's what's happening in the case of IE) you should have a full user and kernel mode dump of the process.

    You can remove procdump as the post-mortem debugger with the command:

    procdump -u

    I'd be happy to take a look at the dumps but they may need to go through Support to Dev so they can use the code and symbols to make more sense of what's going on in the Sophos code.

    Regards,

    Jak
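
The checks suggested in the post above (WER entries in the Application log, and procdump registered as the post-mortem debugger) can be collected in one read-only pass. This is an added example, not part of the original post; the seven-day look-back window is an assumption, and `C:\dumps` is the folder named in the post.

```powershell
# Added example: read-only checks, run from an elevated PowerShell prompt.
$proc  = 'iexplore.exe'            # process name from the thread
$since = (Get-Date).AddDays(-7)    # assumed look-back window

# 1. Crash (1000), WER report (1001) and hang (1002) events in the Application log.
$filter = @{
    LogName      = 'Application'
    ProviderName = 'Application Error', 'Application Hang', 'Windows Error Reporting'
    StartTime    = $since
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$proc*" }

if ($events) {
    $events | Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, ProviderName,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
        Format-Table -AutoSize -Wrap
} else {
    "No crash, hang or WER events mentioning $proc since $since"
}

# 2. Post-mortem debugger registration: the AeDebug value that
#    'procdump -i' installs and 'procdump -u' removes. Both the native and
#    the Wow6432Node key are read, because the lingering process is 32-bit.
$aeDebugKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug'
)
foreach ($key in $aeDebugKeys) {
    $v = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    "{0}`n  Debugger = {1}`n  Auto     = {2}" -f $key, $v.Debugger, $v.Auto
}

# 3. Dumps written so far to the folder from the post.
$dumpDir = 'C:\dumps'
if (Test-Path $dumpDir) {
    Get-ChildItem $dumpDir -Filter *.dmp | Sort-Object LastWriteTime |
        Select-Object LastWriteTime, Name,
            @{ Name = 'MB'; Expression = { [math]::Round($_.Length / 1MB, 1) } }
} else {
    "$dumpDir does not exist yet"
}
```

If step 1 shows only hang events (1002) and no crash events (1000), the post-mortem debugger will not fire, since it is only invoked on a crash.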

     

     

     

  • We also have tried to set the regkey for making it easier to get a dump of the IE process and the behaviour (with on-premise Exploit Prevention) disappeared. But we got several other problems (Adobe plugin not loading, unable to move tab out of a window, ...), so it's not a fix.

    I'm in contact with the customer support on this issue.