Explorer.exe does not load upon startup/login

Discussion in 'Windows Update' started by Kirk, Feb 28, 2007.

  1. Kirk

    Kirk Guest

    Windows XP Pro SP2 on Win2k3 domain.
    Since January's updates/patches, I've got 4 computers that sometimes will
    not load explorer.exe upon reboot or login. All you see is the wallpaper.
    It is intermittant, and there are no errors in any logs or popups. If you
    launch Task Manager and start EXPLORER.EXE manually using "File, New Task
    (Run)", everything comes up as it should.
    This started on just 1 PC every couple of days, but is now on 4 and is
    happening at least once per day. Anyone else have this problem or know of a
    solution?
     
    Kirk, Feb 28, 2007
    #1
    1. Advertisements

  2. Kirk

    matt.larson Guest

    I don't have an answer for this, but I have been seeing the exact same
    problem. It seems to be a growing issue. It also seems to happen
    sometimes and not others.
     
    matt.larson, Mar 1, 2007
    #2
    1. Advertisements

  3. (cross-post added to XP General)

    Any clues in Event Viewer?

    BTW this is not the best newsgroup for diagnosing problems with your OS.
    Cross-posting to XP General.


    ---
     
    Robert Aldwinckle, Mar 1, 2007
    #3
  4. Kirk

    Kirk Guest

    Thanks for cross-posting this Robert.
    I see that others are also experiencing this problem.

    On one of the machines having the issue, I re-applied SP2.
    I have not had the Explorer.exe startup problem since doing so, but do get
    other various issues.
    Because of this, I'm concerned I may have negated some recent security
    patches but WSUS reports that the computer is fully patched.
     
    Kirk, Mar 5, 2007
    #4
  5. I observered this problem also here. Your situation may be different, but
    here's what I found:

    1. in the Application Event Log , the following entries each time the
    computer was restarted:

    Source: MsiInstaller, Event ID: 11327, User:
    computer\SMSCliToknLocalAcct&, Description: Product: Sun Java2Runtime
    1.4.2_07 -- Error 1327. Invalid Drive: h:\
    Source: MsiInstaller, Event ID: 11327, User:
    computer\SMSCliToknLocalAcct&, Description: Product: IBM eGatherer 3.19.
    Invalid Drive: h:\

    2. in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
    NT\CurrentVersion\ProfileList, I found the GUID for the user accounts:
    SMSCliToknLocalAcct& and SMSCliSvcAcct& - the Value "ProfileImagePath"
    inside the key for the GUID has the corresponding user account name
    e.g. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
    NT\CurrentVersion\ProfileList\S-1-5-21-2745678790-2165517387-3308722516-1026\ProfileImagePath
    has the content - %SystemDrive%\Documents and
    Settings\SMSCliSvcAcct&.WBCA29414.001

    3. in the registry, the key
    HKEY_USERS\GUID\Software\Microsoft\Windows\CurrentVersion\Explorer\User
    Shell Folders had the content "h:\Faavorites" for Favorites and (in one
    case) Personal
    e.g. for teh SMSCliSvcAcct& user account, the key:
    HKEY_USERS\S-1-5-21-2745678790-2165517387-3308722516-1026\Software\Microsoft\Windows\CurrentVersion\Explorer\User
    Shell Folders
    had the value "Favorites" set to "h:\"

    4. I changed the value of Favorites to %USERPROFILE%\Favorites for the two
    SMS related accounts and, for one of them, Personal from h:\ to
    %USERPROFILE%\My Documents.

    5. restarted the computer

    This seems to have cured the problem - I'll post again if the problem
    re-appears. I no longer get the Application Event Log entries (1 above) and
    explorer starts automatically at logon. I've tried logging on and off with
    different domain user accounts (both members of the local Administrators
    group and not) and explorer started each time. I've also done a couple of
    restarts then tested logon again with success.

    I don't know exactly why, but, independently of the problem with explorer
    not starting at logon, I've observed that some application installation
    packages give the "Invalid drive: h:\" error and stop working if the
    Favorites special folder (or somtimes the My Documents special folder) is
    redirected to a network drive. In our logon script we map the drive letter
    h to the user's "Home Directory", redirect My Documents to h:\ and redirect
    Favorites to h:\Favorites. So, we observe this installation package failure
    frequently. The cure is to temporarily redirect the My Documents and
    Favorites back to the corresponding folders in the local copy of the user's
    profile.

    I suspected that the SMS accounts acquired the settings for the User Shell
    Folders from the "Default User Profile" - I verified this in regedit by:

    1. click HKEY_USERS
    2. click File, Load Hive
    3. browse to c:\Documents and Settings\Default User
    4. select ntuser.dat; click Open
    5. key the name def
    6. navigate to
    HKEY_USERS\def\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell
    Folders
    7. observe the content of the Values Favorites and Personal
     
    Bruce Sanderson, Mar 22, 2007
    #5
  6. Kirk

    Kirk Guest

    Thanks Bruce,

    There is nothing in the logs that would indicate anything failing or even a
    hiccup.
    A user can be logged in just fine and when I log them off, and log on myself
    (or another user) the desktop never initializes. Start explorer manually,
    and you're off an running.

    We don't use SMS or home directories and very little is even installed from
    a network share that would cause the pointers that you're experiencing.

    I appreciate your information.
    Kirk
     
    Kirk, Mar 22, 2007
    #6
  7. Well, the problem came back this morning, so the cure was not a cure!

    --
    Bruce Sanderson MVP
    http://members.shaw.ca/bsanders/
    It's perfectly useless to know the right answer to the wrong question.


     
    Bruce Sanderson, Mar 26, 2007
    #7
  8. Kirk

    Kevin Murphy Guest

    Bruce,

    Have you double checked the value for 'Shell' under
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ?

    Have you tried setting 'AutoRestartShell' set to 1 under
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ?

    Kevin
     
    Kevin Murphy, Mar 26, 2007
    #8
  9. Robert Aldwinckle, Mar 26, 2007
    #9
  10. The problem is intermittent, it does not happen at every logon. For
    example, when I first logged on this morning, explorer did not start, but
    after I restarted XP, explorer started automatically at logon, even after
    two subsequent logoff, logon sequences. Based on recent experience, I
    suspect the problem will come back again sometime in the near future.

    At this point in time:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
    NT\CurrentVersion\Winlogon\Shell is "explorer.exe"

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
    NT\CurrentVersion\Winlogon\AutoRestartShell is 1 (DWORD).
     
    Bruce Sanderson, Mar 28, 2007
    #10
  11. From what I can see, hotfix for KB925902 is NOT installed on the computer I
    have with this problem.

    I've used Safe Mode and uninstalled the hotfix for 935448 as suggested by
    Winfried Sonntag in the thread "KB925902 installed, pc won't boot back up"
    in the microsoft.public.windows.server.update_services newsgroup.

    Since the problem does not happen immediately after a restart (only happpens
    after XP has been running for some (undefined) length of time, I don't know
    at this point if the problem is still present or not.
     
    Bruce Sanderson, Apr 12, 2007
    #11
  12. The following hotfixes were installed last night via SMS - not sure if this
    will make a difference or not - the problem was still present yesterday
    (before these hotfixes were installed).

    925902 MS07-017: Vulnerability in GDI could allow remote code execution
    930178 MS07-021: Vulnerability in Windows CSRSS could allow remote code
    execution
    932168 MS07-020: Vulnerability in Microsoft Agent could allow remote code
    execution
    931261 MS07-019: Vulnerability in UPnP could allow remote code execution
    931784 MS07-022: Vulnerability in the Windows kernel could allow elevation
    of privilege

    The SMS environment, including which and when hotfixes are installed is
    managed by someone else - it's out of my control!

    --
    Bruce Sanderson MVP
    http://members.shaw.ca/bsanders/
    It's perfectly useless to know the right answer to the wrong question.


     
    Bruce Sanderson, Apr 18, 2007
    #12
  13. Explorer failed to start automatically this morning,so the problem is still
    present.

    --
    Bruce Sanderson MVP
    http://members.shaw.ca/bsanders/
    It's perfectly useless to know the right answer to the wrong question.


     
    Bruce Sanderson, Apr 23, 2007
    #13

  14. How can you get diagnostics for something which happens so infrequently?

    Have you looked at using audit events?


    Good luck

    Robert
    ---
     
    Robert Aldwinckle, Apr 23, 2007
    #14
  15. Well, the problem did NOT happen this morning.

    Robert: I really don't know; I'm hoping that someone will have a clue, at
    least of where to look for diagnostics or some "logging" or "tracing" that
    can be turned on to help track it down.
     
    Bruce Sanderson, Apr 24, 2007
    #15
  16. Problem re-appeared this morning - frustrating that it is so intermittent
    and so no obvious evidence of a cause.
     
    Bruce Sanderson, Apr 26, 2007
    #16

  17. Bruce,


    It's time to be a trailblazer...



    <eg>

    Do you have a trace of a normal startup of explorer.exe?
    E.g. using RegMon and its Log Boot option.
    I don't think that ProcMon has an equivalent feature
    but if it does its trace (e.g. interleaved RegMon, FileMon
    and ProcExp) would be even better.

    (!) You might be able to get a good enough idea of what needs to happen
    simply by restarting explore.exe *after* a boot, in which case you *could*
    use ProcMon to do the tracing.

    Then you could use that to pick key registry and file accesses in that
    sequence to "audit". E.g. if you had two normally reliable audit events
    and only got one during the problem boot, you would have a better idea
    of *when* in the startup sequence (as reflected by your trace) the problem
    was happening. Etc.


    So, how exactly does auditing work? <eg>

    Hmm... setting the permissions seemed easy...

    <message source="regedit, Advanced Security Settings dialog">
    The current Audit policy for this computer does not have auditing turned on.
    ....use Local Computer Policy Editor to configure the audit policy locally
    on this computer.
    </message>

    <voice actor="Obi wan"> Use the Help... </voice> ; )

    Wow! That works. The Help opened up Local Security Settings dialog
    in the Security Options folder and allowed me easy access to enable:

    Audit: Audit the access of global system objects

    I hope that's the right policy. ; )

    We shall see. Assuming that the audit events are written in the Security log
    it looks as if a reboot may be needed to put the new policy into effect.


    Good luck

    Robert
    ---
     
    Robert Aldwinckle, Apr 27, 2007
    #17
  18. Kirk

    Ron Myers Guest

    Bruce,
    I don't see anything for the past 4 months on this issue. Has it been
    resolved? Did you find the root cause?

    I have (had) a friend with the same problem.. After several days of research
    I concluded no one knew what caused this or how to fix it so performed a
    system restore from the restore partitian (HP A622N 2.8ghz 512mb P4). I will
    keep in touch with him to see if it comes back.

    I applaud your patience in tracking this issue down.
     
    Ron Myers, Aug 27, 2007
    #18
  19. Kirk

    antioch Guest

    antioch, Sep 14, 2007
    #19
  20. Kirk

    antioch Guest

    Do you think a recent security/critical update caused this problem??
    Antioch
     
    antioch, Nov 16, 2007
    #20
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.