Windows Explorer crashing
My pal Hans has a strange problem on his newish Win 7 PC, with Explorer crashing. It's only been happening for the past couple of weeks. It may be associated with a software update: there's no way of knowing that for sure since he didn't realise for a while what was happening.
The symptom is fairly simple: if he opens explorer and right-clicks on any drive letter (the way you might check what percentage of the drive is full), explorer will close, an error message appear saying so, and the desktop will clear. After a few seconds, the desktop returns and the machine is back to normal until he tries explorer again.

We tried sfc /scannow which found a batch of several weeks' worth of updates that hadn't completed. It fixed those and reported "all resolved". The explorer crashed the second time we tried a right-click after that. Another sfc /scannow reported no errors found.

Explorer started from the icon on the desktop crashed every time we did the right-click. I tried starting from the start menu: and it worked OK once, then crashed every time thereafter. I tried to boot into Safe Mode to see what that would reveal. The machine went instead into "Repair Mode" and chuntered for a very long time before restarting normally. Explorer crashed the first time we tried a right-click.

I created a new desktop icon with Explorer set to "Run with Admin privileges", and it seems to work OK every time at the moment. I fear it may be a matter of time...

We spent a fair old while with Google, looking at similar experiences with the same error number and message, back into the distant past. Only one matched our symptoms closely, and that thread ended inconclusively some years ago. I'm hoping the kludge of running Explorer in Admin mode will work, but would prefer to fix it. Has anyone come across this, or has anyone any ideas?
This is the message from the error log:

Error 20/02/2013 16:19:46 Application Error 1000 (100)
Faulting application name: Explorer.EXE, version: 6.1.7601.17567, time stamp: 0x4d672ee4
Faulting module name: SHELL32.dll, version: 6.1.7601.17859, time stamp: 0x4fd2dfec
Exception code: 0xc0000005
Fault offset: 0x00000000000504aa
Faulting process id: 0xe00
Faulting application start time: 0x01ce0f85b3506904
Faulting application path: C:\Windows\Explorer.EXE
Faulting module path: C:\Windows\system32\SHELL32.dll
Report Id: 56e2e705-7b79-11e2-a8cf-f46d047192d4

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Application Error" />
    <EventID Qualifiers="0">1000</EventID>
    <Level>2</Level>
    <Task>100</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2013-02-20T16:19:46.000000000Z" />
    <EventRecordID>51774</EventRecordID>
    <Channel>Application</Channel>
    <Computer>Deskentoppen</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Explorer.EXE</Data>
    <Data>6.1.7601.17567</Data>
    <Data>4d672ee4</Data>
    <Data>SHELL32.dll</Data>
    <Data>6.1.7601.17859</Data>
    <Data>4fd2dfec</Data>
    <Data>c0000005</Data>
    <Data>00000000000504aa</Data>
    <Data>e00</Data>
    <Data>01ce0f85b3506904</Data>
    <Data>C:\Windows\Explorer.EXE</Data>
    <Data>C:\Windows\system32\SHELL32.dll</Data>
    <Data>56e2e705-7b79-11e2-a8cf-f46d047192d4</Data>
  </EventData>
</Event>
The symptoms suggest that the windows shell defaults have been changed, either by a virus, or else by a third party extension.
Symantec have a tool which should reset this - it was designed for WinXP but still seems to work in Win7:
Tool to reset shell\open\command registry keys | Symantec
If problems persist after using it, then I'd consider an infection which needs remedial work.
MANY thanks, Milo. Your diagnosis fits better than you realise.
Hans had two of those "forceware" browser menu bars that had appeared from nowhere that he could remember authorising (he's pretty careful like that). I removed them both - one using Windows "uninstall"; the other wouldn't go that way so I uninstalled Chrome (which is the one it had hooked to), then deleted its files.

It looks as if it has done things in the registry. I've passed that information on to Hans with a copy of the .inf file. I compared the entries in the .inf file with my (apparently healthy) Win 7 64-bit. The first five entries are the same as I have. The scrfile line in the Symantec has
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
whereas my PC has
"%1" /S
The last entry has
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegistryTools,0x00000020,0
whereas my PC doesn't have that entry - but then, mine hasn't been infected.

I've sent him two versions, one with those last two entries omitted, one with them in, and the suggestion to try the first one to see if it fixes the problem, and if not to run the second. I didn't try to run Regedit while I was up there yesterday, so I don't know if anything was trying to block that. I'll report back if I hear more from Hans.
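A read-only way to make the comparison described in the post above, added here as an example; it is not part of the thread or of the Symantec tool. The file classes other than scrfile, the expected default strings, and the Winlogon check are assumptions based on a stock Windows 7 install.

```powershell
# Added example: read-only audit, changes nothing in the registry.
# Assumption: expected strings are stock Windows 7 defaults; only the scrfile
# value ("%1" /S) is quoted in the thread itself.
$expected = @{
    exefile = '"%1" %*'
    comfile = '"%1" %*'
    batfile = '"%1" %*'
    cmdfile = '"%1" %*'
    scrfile = '"%1" /S'
}

function Get-DefaultValue([string]$KeyPath) {
    # Returns the key's (Default) value, or $null when the key does not exist.
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if ($key) { $key.GetValue('') } else { $null }
}

foreach ($class in ($expected.Keys | Sort-Object)) {
    $machine = Get-DefaultValue "HKLM:\Software\Classes\$class\shell\open\command"
    # A per-user key overrides HKLM in the merged HKCR view, so its presence matters.
    $user    = Get-DefaultValue "HKCU:\Software\Classes\$class\shell\open\command"
    $status  = 'OK'
    if ($machine -ne $expected[$class]) { $status = 'HKLM differs from default' }
    if ($null -ne $user)                { $status = 'per-user override present' }
    New-Object PSObject -Property @{
        Class = $class; Status = $status; HKLM = $machine; HKCU = $user
    }
}

# The policy value the .inf resets to 0; a non-zero value blocks Regedit.
$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$policy = Get-ItemProperty -Path $policyKey -Name DisableRegistryTools -ErrorAction SilentlyContinue
if ($policy) {
    "DisableRegistryTools = $($policy.DisableRegistryTools)"
} else {
    'DisableRegistryTools is not set'
}

# Assumption: stock values are "explorer.exe" and "C:\Windows\system32\userinit.exe,".
$winlogon = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
"Winlogon Shell    = $($winlogon.Shell)"
"Winlogon Userinit = $($winlogon.Userinit)"
```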
It's not unusual for those rogue toolbars which do that, to hijack/replace explorer.exe or userinit.exe as well.
As a belt & braces approach it would be worth replacing both with "good" copies, besides fixing the registry
A good thought! I can send him the good ones from my PC (which I'm pretty sure is clean). They're close to identical machines and setups.
Well, the registry edits didn't fix it, but the next steps did reveal a lot of rogue toolbars on the Hansipooter. I'm up there next week and have a memory stick with the relevant .exe files. I tried e-mailing them but ISP said no. Didn't bother zipping them, since the "Run as administrator" kludge works for now.
try Combofix & Hitman Pro....
Yes, he did that. Very good they were, too, at getting rid of Combo and Ask toolbars.
We know, now, where those two came from. He's removed Java and Adobe Reader and is waiting to see if anything he needs stops working.