HP ProBook 6560b Fails to Load EXEs Correctly

Hey guys, I've got an interesting one here.
I have a customer with multiple HP 6560b laptops and a few of these have all experienced the issue below. So far we have been fixing these with a reload of Windows.

Machines are running Windows 7 Pro x32, are joined to a domain and have Sophos anti-malware.

EXE files themselves are fine so it's not the file association (I can load stuff like IE, and Control) but a lot of other apps start loading, consume a small amount of RAM (less than 1MB) and hang.

I've noticed that the C# debugger and CSC both appear to have a lot of threads when viewed in Process Explorer.

The affected apps have no child processes and don't "hang", they just present nothing at all to the user.

Machines have been scanned with MSSE offline scan and Malwarebytes.
The issue affects all profiles on the machine and extremely long startup and shutdown times are experienced.

No high CPU time, no high disk usage.

It's like a debugger is running but I can't find where from (no Visual Studio or similar).

Any ideas where to start?
JimmyDaily Asked:
 
JimmyDaily (Author) Commented:
Turns out it was the installation of Sophos causing the problem.
Removed it using "Autoruns" from app-init in safe mode. Bang! Machine is as good as new.
Re-added it for good measure.. problem comes back.

The offending process was "sophos_detoured.dll", called "Sophos Buffer Overrun Protection".

After removing it and installing updates for Windows and Sophos, the App-init hook re-appeared. However, normal boot times and application behavior were observed.

I'm guessing this was a bug in Sophos and it couldn't update itself as the updater was an EXE.

If anyone else is running into this issue, here is a more permanent way to disable detoured:


[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\SAVService\SetupOptions]
"DetourDLLState"="excluded"
Note: Adjust path for 32bit.
 
Then remove the reference from:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
to the Sophos dll, leaving other entries as they are if present.
 
You would then need to reboot to unload detoured from existing processes.
 
The above registry key will prevent detoured being rewritten on updates as just removing it from the AppInit_DLLs will not prevent it being re-created.
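The AppInit_DLLs check and cleanup described in the post above, as an added PowerShell example that is not part of the original thread: it lists every AppInit_DLLs entry with its Authenticode status and can remove one named DLL while leaving other entries in place. The function names are hypothetical; AppInit_DLLs and LoadAppInit_DLLs are the standard Windows value names, and the Wow6432Node key only exists on 64-bit Windows.

```powershell
# Added example (not from the original thread). Function names are hypothetical.
$Keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

function Split-AppInitValue([string]$Value) {
    # AppInit_DLLs is one string; entries are separated by spaces or commas.
    @($Value -split '[ ,]+' | Where-Object { $_ })
}

function Get-AppInitEntry {
    foreach ($key in $Keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }   # key absent, e.g. Wow6432Node on x86
        foreach ($entry in @(Split-AppInitValue $props.AppInit_DLLs)) {
            # Entries given without a full path are reported as NotFoundAtPath.
            $sig = if (Test-Path -LiteralPath $entry) {
                (Get-AuthenticodeSignature -FilePath $entry).Status
            } else { 'NotFoundAtPath' }
            New-Object PSObject -Property @{
                Key       = $key
                Enabled   = $props.LoadAppInit_DLLs   # 1 = AppInit loading is on
                Entry     = $entry
                Signature = $sig
            }
        }
    }
}

function Remove-AppInitEntry([string]$DllName) {
    foreach ($key in $Keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props -or -not $props.AppInit_DLLs) { continue }
        $all  = @(Split-AppInitValue $props.AppInit_DLLs)
        $keep = @($all | Where-Object { (Split-Path $_ -Leaf) -ne $DllName })
        if ($keep.Count -ne $all.Count) {
            # Write back only the entries that were not removed.
            Set-ItemProperty -Path $key -Name AppInit_DLLs -Value ($keep -join ' ')
        }
    }
}

Get-AppInitEntry | Format-Table Key, Enabled, Entry, Signature -AutoSize
# Remove-AppInitEntry -DllName 'sophos_detoured.dll'   # run elevated, then reboot
```

The removal call is left commented out so that running the script only reports; as the post notes, the entry can be re-created on update unless DetourDLLState is also set.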
 
JimmyDaily (Author) Commented:
Interestingly, further troubleshooting shows that if an app won't load, kicking it off in any kind of compatibility mode makes it load perfectly.

Process Monitor shows a ton of calls to Google Desktop and Sophos.. then CSC takes over.
 
JimmyDaily (Author) Commented:
I should also mention, the customer has a bunch of MacBooks in the same network running Windows 7 via VMware Fusion and they don't appear to be affected.. I'm thinking it's some HP-specific software.
WotanAU Commented:
Try uninstalling the HP Security software and just leave the bundled drivers in there. The HP Security platform can be more troublesome than it's worth. Sophos will ensure the laptop is still secure. Also ensure there are no other antivirus tools running such as Microsoft Security Essentials.

Also ensure it's fully patched.
 
JimmyDaily (Author) Commented:
We remove HP ProtectTools as part of our standard "builds" on these laptops.. but I'll try removing the rest of the HP bloatware when I'm back at the office tomorrow.

Sorta hoping I can run HijackThis tomorrow in compatibility mode.
 
JimmyDaily (Author) Commented:
Self Diagnosis
Question has a verified solution.