Hi all,

I was trying to confirm that, but under Windows XP MCE (lang: German and English) with all patches, it overflows on another address. Can anybody confirm that?

I agree with JohnDo, why not just send the user a specially crafted kernel32.dll :). For me, this is just a design bug.

Regards,
Emacs