locked
Internet Explorer 11 / EMET 4.1 / Windows 8.1 SEHOP has to be disabled RRS feed

  • Question

  • After installing EMET 4.1 I find Internet Explorer 11 will not start unless I disable SEHOP for the app.

    Is this expected?Settings for IE 11


    CarolChi

    Wednesday, February 5, 2014 9:51 AM

All replies

  • Can we get a bit more information on the crash?

    Can you open the Action Center on the taskbar > Maintenance > View reliability history > View all problem reports

    Can you right-click on a couple of the "Internet Explorer"  "Stopped working" errors > View technical details

    What are the details of the errors?

    There is a "Copy to Clipboard" link at the bottom.

    Paste the information first into Notepad and then recopy the information from Notepad to post here.

    Wednesday, February 5, 2014 5:56 PM
  • Description

    <dir>

    </dir>
    <dir></dir><dir></dir><dir>

    Faulting Application Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe


    </dir>

    Problem signature

    <dir>

    </dir>
    <dir></dir><dir></dir><dir>

    Problem Event Name: APPCRASH

    Application Name: IEXPLORE.EXE

    Application Version: 11.0.9600.16384

    Application Timestamp: 52157231

    Fault Module Name: KERNELBASE.dll

    Fault Module Version: 6.3.9600.16408

    Fault Module Timestamp: 523d4548

    Exception Code: e06d7363

    Exception Offset: 00012eec

    OS Version: 6.3.9600.2.0.0.256.4

    Locale ID: 2057

    Additional Information 1: 05bf

    Additional Information 2: 05bfe6281c855a335e8d105a4293d56e

    Additional Information 3: 566e

    Additional Information 4: 566e6a0ade3168664921470caeb56d29


    </dir>

    Extra information about the problem

    <dir>

    </dir>
    <dir></dir><dir></dir><dir>

    Bucket ID: 1c6739c5edb8781302ec8725f248b9fe (-436902602)

    </dir>

    CarolChi

    Wednesday, February 5, 2014 6:09 PM
  • I think it may be related to either Citrix or McAfee. I have another similar system with EMET 4.1 but no McAfee Site advisor, no McAfee VSE and no Citrix plug in.

    I removed the Citrix, but IE continued to crash.

    In the end disabling SEHOP solved the problem.


    CarolChi

    Wednesday, February 5, 2014 6:11 PM
  • The error points to the KERNELBASE.dll which is a component of Windows:

    Fault Module Name: KERNELBASE.dll

    Fault Module Version: 6.3.9600.16408

    If you are interested it may help to generate a user mode dump of the crash to see exactly what modules are involved in the crash and may offer some insight into why disabling SEHOP helps.

    You can configure Windows to create user-mode dumps. Create a System Restore Point first.

    If you copy and paste the following in Notepad and save as a .reg file (save with the .reg extension and give it any name such as iedump.reg), then right-click the .reg file and select "Merge" to add to the registry, a .dmp file at the time iexplore.exe crashes should be created in the C:\CrashDumps folder:

    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\iexplore.exe]
    "DumpFolder"=hex(2):43,00,3a,00,5c,00,43,00,72,00,61,00,73,00,68,00,44,00,75,\
    00,6d,00,70,00,73,00,00,00


    After Internet Explorer (iexplore.exe) crashes, can you then make the .dmp file available (provide link) via Windows Live SkyDrive or similar site?

    The following link has information on using Windows Live SkyDrive:

    http://social.technet.microsoft.com/Forums/en-US/w7itproui/thread/4fc10639-02db-4665-993a-08d865088d65


    More info on collecting user-mode dumps:

    msdn.microsoft.com/en-us/library···85).aspx

    You will have to re-enable SEHOP for IE and then have a crash to generate the dump file.

    Then disable SEHOP afterward.

    Wednesday, February 5, 2014 7:41 PM
  • What e-mail address can I use to share the skydrive?

    CarolChi

    Monday, February 17, 2014 2:04 PM
  • Can you make the folder where the files are public (shared with everyone) and then post a link here?

    Right-click the folder with the minidump files > Sharing > Get a link > Make Public

    Then copy and paste the link here.

    Monday, February 17, 2014 3:29 PM
  • It appears McAfee modules are involved in the error (bolded):

    *** WARNING: Unable to verify timestamp for EMET.dll
    *** ERROR: Module load completed but symbols could not be loaded for EMET.dll
    Unable to load image C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20130326165744.dll, Win32 error 0n2
    *** WARNING: Unable to verify timestamp for ScriptSn.20130326165744.dll
    *** ERROR: Module load completed but symbols could not be loaded for ScriptSn.20130326165744.dll
    *** WARNING: Unable to verify timestamp for McBrwCtl.dll
    *** ERROR: Module load completed but symbols could not be loaded for McBrwCtl.dll
    *** The OS name list needs to be updated! Unknown Windows version: 6.3 ***
    Probably caused by : SmartcardCredentialProvider.dll ( smartcardcredentialprovider!RdrSelProvider::SetSerialization+f3 )

    *** WARNING: Unable to verify timestamp for EMET.dll
    *** ERROR: Module load completed but symbols could not be loaded for EMET.dll
    Unable to load image C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\saHook.dll, Win32 error 0n2
    *** WARNING: Unable to verify timestamp for saHook.dll
    *** ERROR: Module load completed but symbols could not be loaded for saHook.dll
    Unable to load image C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20130326165744.dll, Win32 error 0n2
    *** WARNING: Unable to verify timestamp for ScriptSn.20130326165744.dll
    *** ERROR: Module load completed but symbols could not be loaded for ScriptSn.20130326165744.dll
    *** WARNING: Unable to verify timestamp for McBrwCtl.dll
    *** ERROR: Module load completed but symbols could not be loaded for McBrwCtl.dll
    *** The OS name list needs to be updated! Unknown Windows version: 6.3 ***
    Probably caused by : mshtml.dll ( mshtml!CFastDOM::CElement::Trampoline_msMatchesSelector+95 )

    Are you able to obtain a dump file from a computer that does not have any McAfee products installed?

    Also, are you able to obtain Windows Updates for the Operating System as many modules have been updated such as the kernelbase.dll and mshtml.dll

    Problems with EMET 4.0 have been reported before such as in the following links:

    http://www.dslreports.com/forum/r28328108-EMET-saves-the-day

    http://social.technet.microsoft.com/Forums/security/en-US/95843b73-e6ee-4da2-9caf-55587497a109/ie-10-emet-40-win7-sp1-kernelbasedll-error?forum=emet

    There may be an issue with EMET 4.0 in certain setups whereas EMET 3.0 may work.

    Tuesday, February 18, 2014 1:10 AM
  • It only crashes on computers with McAfee.

    Windows is fully updated.

    I will wait for the next McAfee engine which is supposed to be more compatible with Windows.


    CarolChi

    Tuesday, February 18, 2014 6:09 AM
  • OK, thanks for the follow-up.

    To follow up on the added registry key, you can delete the C:\CrashDumps folder anytime.

    You can leave the added registry key intact if you wish.

    However you can delete it anytime if you wish.

    You can run the following .reg file to delete:

    Windows Registry Editor Version 5.00

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\iexplore.exe]


    • Edited by auggyMVP Tuesday, February 18, 2014 11:29 PM
    Tuesday, February 18, 2014 11:28 PM
  • please help me...
    Wednesday, April 26, 2017 1:06 PM