Hey @mupolat, thanks for running the test through to the end with IT. Since turning off HVCI and Memory Integrity didn’t help, we can rule out virtualization-based security. That narrows it down.
Let’s go through diagnostics, sorted from quickest and most informative to deeper checks. The first two take about 15 minutes and usually give the answer.
- Control test with VS Code
Install the regular Microsoft VS Code on the same machine and open any project. This is the cheapest and most decisive test:
- VS Code works, then the issue is in our
cursor-socket bundle, focus shifts to our binary.
- VS Code also hangs, then it’s a broader block at the Electron Node IPC level or a kernel filter driver.
- Specifically version 3.1.14
You said 3.1.14 was the last working one. Download exactly that version’s User Installer from https://cursor.com/download, not the latest. User Installer installs to %LOCALAPPDATA%\Programs\cursor\, not C:\Program Files\, which immediately rules out Program Files policies.
- 3.1.14 launches, then it’s a regression on our side between 3.1.14 and 3.2.x.
- 3.1.14 also hangs, then something changed in the machine environment over the last few weeks, not in Cursor.
- Winsock LSP catalog
Corporate security agents like Trend Micro, 360-family, Forcepoint, and similar often inject Winsock Layered Service Providers that intercept traffic to 127.0.0.1 even when the agent is “disabled” in the UI. This is the most likely candidate in a financial environment. Open Command Prompt as admin:
netsh winsock show catalog > C:\winsock-catalog.txt
Send the file. If it has anything besides the standard MSAFD and RSVP-TCPv4 v6 entries, that’s a potential blocker. Reset requires a reboot, confirm with IT:
netsh winsock reset
- DLL injection via Process Explorer
Download Process Explorer from https://learn.microsoft.com/sysinternals/downloads/process-explorer
Run it as admin, wait for Cursor.exe to appear in the process tree after starting Cursor, then click it. View > Lower Pane View > DLLs. In the lower pane, look for anything not signed by Microsoft or Anysphere, for example tmmon*.dll for Trend Micro, 360*.dll, fp_*.dll for Forcepoint, or any EDR agent DLLs. These DLLs can keep injecting even after disabling the agent in the UI. Only IT can remove them via policy or uninstall.
- Second local Windows account
If steps 1 to 4 don’t give a clear picture, ask IT to create a second local Windows account on the same machine, not domain-joined, with no MDM profiles. If Cursor starts there, the block is coming from a user-level policy or MDM config on your main account.
- Quick check for AppLocker and ASR
In admin PowerShell, for completeness:
Get-AppLockerPolicy -Effective -Xml | Out-File C:\applocker-policy.xml
Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions
AppLocker via MDM can stay active even after policies are “removed.” ASR rules sometimes block child process creation for Electron apps.
- Last resort, Safe Mode with Networking
If nothing else works: Shift + Restart > Troubleshoot > Advanced > Startup Settings > F5. Only Microsoft signed drivers load, so corporate kernel-level stuff is cut out. If Cursor starts there, the block is definitely in a filter driver from some security product.
Realistically, if steps 3 to 5 point to a Winsock LSP or a kernel filter driver, the next step needs IT engagement at the vendor console level for the security products like Trend Micro Apex One, Forcepoint, and so on, not via Windows Settings. Those deep hooks can’t be disabled from the Windows UI. In @ymzx’s thread, switching to a machine without the corporate agent ended up working, that’s a fallback if exclusions can’t be granted under current policy.
Start with steps 1 and 3, they take about 10 minutes together and usually give enough data to see where the block is. Waiting for your results.