A work colleague brought a friend's laptop to me yesterday for me to have a look at. I've fixed it now, but it was an interesting problem, so I thought you lot might like a punt at diagnosing it.
Symptoms are, every few minutes Explorer shuts down leaving just the desktop (no icons, no task bar). You can restart Explorer from Task Manager (File / Run Task / Explorer), it comes back up normally and is fine for a few minutes before closing again.
If you want to play along, ask me questions and see if you can diagnose the fault. I'll be as honest as I can, but will be a "user" and not volunteer information you don't ask for.
What do we do with it?
Anything in the startup items folder in the start menu?
What do we do with it?
Reply, "ooh, tricky, i can have a look - would you fetch me a coffee and a donut?"
If some media players don't get a response from what they are asked to play, they can cause Explorer to restart & you'll lose taskbar etc whilst this happens.
Is it a corrupt media file?
Anything in the startup items folder in the start menu?
Nope.
If some media players don't get a response from what they are asked to play, they can cause Explorer to restart & you'll lose taskbar etc whilst this happens.
Is it a corrupt media file?
It's not playing media. It happens continually.
Corruption in the registry? Something wrong with explorer.exe?
What OS, version and build?
Needs switching off and then back on again.
Multiple AV programs installed?
Did you try turning it off and then on again?
Edit : Bollocks! 30 seconds too slow.
have you installed anything like winzip, winrar or a new anti virus program recently?
What version of windows?
What services & programs are running?
When did it start happening?
I'll go with Malware for the moment, or a corrupt dll..
sfc /scannow should fix a corrupt dll
Anything in the windows event logs?
PICNIC
Problem In Chair Not In Computer
I would be looking in the logs for something not responding
Turn off windows search
Run a disk check
Unplug all peripherals in case it is choking on something external
But, is there some sort of add on like winzip, c cleaner appearing in the right click menu?
Oh, and is the problem every few minutes when it is idle or when you are working?
Corruption in the registry? Something wrong with explorer.exe?
Dunno, how would we check that?
What OS, version and build?
Good question. It's Windows 7 Home Pro, x64. Didn't check the build.
Multiple AV programs installed?
Webroot is installed, no other AV.
have you installed anything like winzip, winrar or a new anti virus program recently?
Not to my knowledge. I asked what had changed recently and was told "nothing" in a user-y fashion.
What services & programs are running?
When did it start happening?
Various things, what are you looking for?
I'll go with Malware for the moment.
What do we do about that then?
Anything in the windows event logs?
Another good question. Nope.
Turn off windows search
I didn't think to do that, but it's not relevant here.
Run a disk check
Good. Chkdsk finds no problems.
Unplug all peripherals in case it is choking on something external
Only thing attached is keyboard and mouse.
But, is there some sort of add on like winzip, c cleaner appearing in the right click menu?
I can't remember exactly but probably not. Nothing that raised suspicion, anyway.
Oh, and is the problem every few minutes when it is idle or when you are working?
Both.
Did your computer update itself recently? Did windows update run, or did your anti virus software suggest any application should be updated?
Does it do it in safe mode too?
Are the intervals very regular?
Tried SFC?
What brand/model of laptop is it?
Did your computer update itself recently? Did windows update run, or did your anti virus software suggest any application should be updated?
It's not had a Windows Update in a while as far as I can see. The AV hasn't reported anything for a while either.
Does it do it in safe mode too?
No.
Are the intervals very regular?
It seems to be pretty regular, yes. You can't work on it for more than a few minutes without it happening.
Despite it being suggested twice already. In keeping with what my IT department do whenever you progress through the levels of "I can't fix this, here's my supervisor"
have you tried turning it off and back on again 😀
Various things, what are you looking for?
At this point, I would probably do what you are doing and ask for the laptop, there are too many services and processes to check which a glance can quickly see if there are any abnormal things running. 😉
Still interested in the solution though!
Did sfc /scannow fix a corrupt dll?
Tried SFC?
Good. SFC reports no issues.
Are there any local security policies setup? Does it have the same problem with a different user?
What brand/model of laptop is it?
It was an Acer that looked like it'd had a hard life, I don't remember the exact model though.
there are too many services and processes to check which a glance can quickly see if there are any abnormal things running.
Nothing jumped out as being obviously abnormal.
I'll go with Malware for the moment.
What do we do about that then?
If it's malware, I would probably download a bootable virus/malware checker and let that run. Sometimes I find it quicker to just re-install the system than spending hours trying to find the problem, some malware can be long-winded to remove.
Does it do it in safe mode too?
No.
So it's not explorer itself at fault, it's a driver or something that happens regularly.
I'd be timing it. If it's very regular then it's some job that's set to happen on a regular basis that is crapping out.
What's in the startup programs list? Post a list? Or just tell me if it's not one of them.
Are there any local security policies setup? Does it have the same problem with a different user?
Ooh, interesting thinking. I didn't check secpol, but I'll say "no." There was only one user account and it didn't occur to me to create another to see, but I'd expect it would still be symptomatic.
Is it supplied by Plusnet? (who'll "do you [s]in [/s]proud?") - If so you'll never find out what's wrong with it and the only solution is to move country.
Is there a scheduled task or app trying to shutdown the 'puter?
Is the battery/power supply ok - no flames or billowing smoke?
It was an Acer that looked like it'd had a hard life
Fan exhausts full of crap? Heat bad 🙂
Install the latest display drivers.
Has that fixed it?
Have you whacked it really hard with your elbow?
Always worked for the Fonz.
... resource exhaustion? (Disk Full).
Have you hoovered the keyboard?
If it's malware, I would probably download a bootable virus/malware checker and let that run.
Malwarebytes was already installed at the advice of the colleague who brought it to me. It found "a couple of things" but I've no idea whether these were problems or false positives.
I'd be timing it. If it's very regular then it's some job that's set to happen on a regular basis that is crapping out.
It's every five minutes.
What's in the startup programs list? Post a list? Or just tell me if it's not one of them.
I did a selective startup via msconfig, disabling all non-MS services. Still symptomatic.
run msconfig and disable everything in the startup.
reboot.
working?
if so, enable one at a time until it breaks 🙂
Does it still occur if you disable all network adaptors?
Is there any removable media inserted? SD card, CD etc.
Is there a scheduled task or app trying to shutdown the 'puter?
We have a winner! Though, credit should also go to Molgrips who was on the same lines. I thought that would take a lot longer, curses. (-: Here's the first part of the story:
In Scheduled Tasks there was an oddly named task, "vyi" or something. This task was scheduled to run every five minutes, and executed c:\ch.vbs. ch.vbs is a one-liner script which launches c:\ch.bat. ch.bat is another one-liner, TASKKILLing Explorer.exe.
The next question is... how / why?
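A triage sketch for the mechanism described in the post above, added here and not part of the original thread: it reads Task Scheduler XML definitions (the format that schtasks /query /xml exports) and flags tasks that repeat at short intervals, launch a script, or point at a file in a drive root. The two task definitions, the script extension list and the 15-minute threshold are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_EXTS = {".vbs", ".bat", ".cmd", ".js", ".ps1"}  # assumed watch list
DURATION = re.compile(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

# Constructed samples: the task described in the thread, and an ordinary daily job.
# Real exports are UTF-16 with an XML declaration; parse those from bytes.
SUSPECT = r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT5M</Interval></Repetition></TimeTrigger></Triggers>
  <Actions><Exec><Command>c:\ch.vbs</Command></Exec></Actions>
</Task>"""
BENIGN = r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions><Exec><Command>%windir%\system32\defrag.exe</Command></Exec></Actions>
</Task>"""

def interval_seconds(text):
    """Convert an ISO 8601 duration such as PT5M to seconds (None if unparsable)."""
    m = DURATION.match(text.strip())
    if not m:
        return None
    d, h, mi, s = (int(g or 0) for g in m.groups())
    return ((d * 24 + h) * 60 + mi) * 60 + s

def review_task(xml_text, max_interval=900):
    """Return the reasons a task definition deserves a manual look."""
    root = ET.fromstring(xml_text)
    reasons = []
    for iv in root.findall(".//t:Repetition/t:Interval", NS):
        secs = interval_seconds(iv.text or "")
        if secs is not None and secs <= max_interval:
            reasons.append(f"repeats every {secs}s")
    for cmd in root.findall(".//t:Actions/t:Exec/t:Command", NS):
        path = PureWindowsPath((cmd.text or "").strip().strip('"'))
        if path.suffix.lower() in SCRIPT_EXTS:
            reasons.append(f"runs script {path}")
        # A file directly under C:\ is an unusual home for a scheduled job.
        if path.anchor and path.parent == PureWindowsPath(path.anchor):
            reasons.append(f"target sits in drive root {path.anchor}")
    return reasons

if __name__ == "__main__":
    for name, xml_text in (("vyi", SUSPECT), ("daily-defrag", BENIGN)):
        print(name, review_task(xml_text) or "nothing flagged")
```
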
Petty virus?
Nerdgasm. 😀
Because it was using too many resources ?
... was it trying to connect to a network resource that was being a bit tardy in responding?
Trying to get US Netflix lol 🙂
disgruntled sysadmin that's recently left? Look for another VBS that runs itself, queries AD for computers, copies itself to any that are reachable and repeats.
Some IT bod has been trying to limit the user's internet access to less than 5 minutes a day as petty revenge for the user being a bit of a nobber?
The digital version of a mechanic hiding a marble inside the door of a "difficult" customer's car.
disgruntled sysadmin that's recently left?
It's a home machine. No-one else has used it in months.
What happens after you disable the task and wait (from a safe distance)?
Killing the task, of course, fixes the issue. I knew as soon as I saw it (and kicked myself for not thinking of it earlier).
Set-Service -Name Schedule -StartupType Disabled
return to browsing ebay
Is the task terminating some active content - desktop, widgets etc?
Was it supposed to be iexplorer.exe being killed to feebly attempt to stop people from browsing for long periods? Or nudge you to use another browser?
It was literally 'taskkill /f explorer.exe' (may have had other switches, I can't remember).
Though, credit should also go to Molgrips who was on the same lines
I doubt I'd have looked at scheduled tasks - who the hell uses those? 🙂
The question of why such a thing exists is far more bizarre tbh.
Is it ransomware of some kind?
Windows explorer versus, not IE
Silly little trojan/virus by the sounds of it, designed for maximum annoyance but no real damage.
Yes, I was wondering if it was a poor typo
Windows explorer versus, not IE
Was it designed to stop other members of the family using the puter? the person who installed it knows to kill the task but to everyone else the machine is unusable. Pretty silly though
Has the owner's cat ever been to Sub-Saharan Africa?
Can you wipe it and install Linux? I think that will fix it.
Don't make me hurt you.
You're all missing something. I asked how / why, perhaps that's the wrong question?
They've been browsing those Danish "art" websites haven't they?
That wasn't wallpaper paste sticking the keys down, either
User has watched The Manchurian Candidate too many times 🙂
Was the task/batch file combo created for a specific reason? - Rather than a fat finger/wrong script issue?
^^ was explorer getting in the way of something? A game maybe?
You're all missing something. I asked how / why, perhaps that's the wrong question?
The user did it himself?
The c: location certainly points to inept programming userness.
Or a prank from a mate?
Agreed, it looks to me like the user did it. Just not sure why!!?
I guess they must have had admin privs to create in the root of C
"why there?" I ponder - not "usually" a location for a non techy user to use - many things would default to one of the libraries.
"why there?"
So they don't have to remember (or know) to quote the path to avoid issues with spaces in the directory names? On a home edition of Windows you can pretty much do what you like in any part of the filesystem IIRC! Can't imagine *NIX allowing any old user to drop a file in / 😉
If you open Task Scheduler as admin, what is in the Author column for this particular job? Is the author the same as the (main) user?
Who's the Owner (security) of the .vbs file?
I'll repeat something I said earlier.
It's a home machine. No-one else has used it in months.
Yet the 'fault' only manifested a couple of weeks back...?
If you open Task Scheduler as admin, what is in the Author column for this particular job? Is the author the same as the (main) user?
Who's the Owner (security) of the .vbs file?
I didn't think to check TBH. There's only one user account on the laptop though (and it was something lame like "user," presumably an OEM preconfiguration). EDIT - "Owner" I think it was.
Erm.
Has Windows Explorer been set to launch each folder in a separate process, so basically "loads" of explorer.exe processes are created... and this task is to hoof them all in the slats?
Or something's spawning multiple explorer.exe?....
Straws! My straws! They slip thru my fingers!...
millennium bug.
Are we to presume it's the user/owner wot dunnit?
There seem to be two steps configured (.vbs then .bat) - wouldn't just the .bat have been sufficient?
Why might I want explorer to be terminated (and not restart)? An obscure way of stopping something else happening? Gaslighting someone else? Danger**** timer?
What's the relationship between work colleague and laptop owner?
Your colleague is testing you and you're about to be initiated into some secretive team / cult / mission and flown to a distant world to become a hero like in the Last Starfighter.
Are we to presume it's the user/owner wot dunnit?
I don't believe so. It'd be a nonsense to do that knowingly and then wonder why it was playing up?
There seem to be two steps configured (.vbs then .bat) - wouldn't just the .bat have been sufficient?
IIRC it can be awkward to get the syntax just right when scheduling batch files, you need to invoke command.com /c to launch them. I'm assuming this was a workaround (though I'd have thought launching external scripts from VB required greater knowledge than scheduling a task).
What's the relationship between work colleague and laptop owner?
They're friends. The colleague is a techie, she was the one who advised her to throw MBAM at it.
Your colleague is testing you and you're about to be initiated into some secretive team / cult / mission and flown to a distant world to become a hero like in the Last Starfighter.
Initiate Death Blossom?
It'd be a nonsense to do that knowingly and then wonder why it was playing up?
Badly phrased Q. on my part- I was guessing the owner of the machine had done it, but the user (your colleague) wanted the help to fix it.
