Explorer does not auto run on login, have to manually run it to get desktop?

By tweaks_sav · 12 replies
Jul 17, 2008
  1. I've got a PC with 3 users. It was pretty infected. It's since been totally cleaned. I did scans with Avast, AVG, Spybot, Adaware, A-Squared, Smitfraudfix, Combofix, Malware Bytes, and Hijackthis. Fully clean now.
    I think it was after combofix, but I may be mistaken, explorer shell wouldn't run when logging into windows. When I click on any user to login, their background comes up, but no desktop icons, start bar, or such. I have to ctrl-alt-del and use task manager to run explorer.exe, then everything pops up.

    I've tried:

    1) Re-running combofix to see if it would fix itself

    2) checking: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "shell" is set to: explorer.exe

    3) using the startup "Run" and "RunServices" (ie: msconfig entries) to call a batch file to run explorer.exe. It calls explorer perfect, but those don't run till I run explorer manually, so it just opens the My Documents windows explorer window.

    4) using group policy to set a logon script of a batch file to call explorer.exe, same as #3.

    5) Windows XP Repair Install

    Any more ideas/help? Thanks!
  2. kimsland

    kimsland Ex-TechSpotter Posts: 14,523

  3. tweaks_sav

    tweaks_sav TS Rookie Topic Starter Posts: 186

    Hmm, attempted all that you had suggested as well.
    Bummer, a wipe/reload, just what I was trying not to do :)
    Oh well, I'll keep bugging with it.

    Any other suggestions?
  4. kimsland

    kimsland Ex-TechSpotter Posts: 14,523

    Yes, I have replied to the other member (having the same issue as you)
    To source where the problem lies in his backup of registry in his working fresh install of Windows.

    You could actually do the same thing, (not sure who's more technically minded)

    Create a registry backup
    Install clean
    Backup the clean registry
    Restore the old (faulty backup)
    Same fault? Must be in the Registry then!

    -> Restore the working backup (or system restore)
    Halve the faulty registry backup file (using Notepad)
    Merge the half faulty backup reg
    Same fault
    Start from this paragraph again ->

    Reply back with which reg key it was (eventually!)
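
As an added example (not part of the thread or any poster's code): rather than halving the faulty export by hand, the faulty and clean regedit exports can be compared directly to list every key and value that differs under Winlogon. The two sample exports are constructed for illustration, and the `Data` value under WgaLogon\Settings is a placeholder, not the real contents.

```python
import re

def parse_reg(text):
    """Parse regedit export text into {key: {value_name: raw_data}} (names lowercased)."""
    keys, current = {}, None
    # hex(...) data wraps across lines ending in a backslash; join them first.
    text = re.sub(r"\\\r?\n\s*", "", text)
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'("(?:[^"\\]|\\.)*"|@)=(.*)$', line)
            if m:
                name = m.group(1)
                current["@" if name == "@" else name[1:-1].lower()] = m.group(2)
    return keys

def diff_reg(faulty, clean, prefix=""):
    """List (key, value_name, faulty_data, clean_data) for everything that differs."""
    rows, prefix = [], prefix.lower()
    for key in sorted(set(faulty) | set(clean)):
        if not key.startswith(prefix):
            continue
        if (key in faulty) != (key in clean):  # whole key exists on one side only
            rows.append((key, None, "present" if key in faulty else "absent",
                         "present" if key in clean else "absent"))
        f, c = faulty.get(key, {}), clean.get(key, {})
        rows += [(key, n, f.get(n), c.get(n))
                 for n in sorted(set(f) | set(c)) if f.get(n) != c.get(n)]
    return rows

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Constructed sample exports. Real regedit 5.00 exports are UTF-16:
#   open(path, encoding="utf-16").read()
FAULTY = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"UIHost"="logonui.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings]
"Data"=hex:00,01,\
  02,03
'''
CLEAN = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"UIHost"="C:\\WINDOWS\\system32\\logonui.exe"
'''

if __name__ == "__main__":
    for row in diff_reg(parse_reg(FAULTY), parse_reg(CLEAN), WINLOGON):
        print(row)
```

Key and value names are compared case-insensitively, as the registry treats them; data is compared as exported, so a difference in letter case or value type shows up as a row.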
  5. drakath

    drakath TS Rookie Posts: 24

    Also, you don't have to wipe, you can just re-install Windows. The installation will put in a new registry and you get to keep your files, you'd just have to reinstall everything for registry keys. At least that's what I have done.
  6. kimsland

    kimsland Ex-TechSpotter Posts: 14,523

    I've just sent drakath the following:

    Could you also zip up your "exported" registry file of Winlogon
    Also I need to know what version of XP you are running, drakath is running Pro
    I have access to any OS!
  7. tweaks_sav

    tweaks_sav TS Rookie Topic Starter Posts: 186

    It's XP Pro SP2. Was SP3, but I did a repair install XP, and it brought it back to SP2.
    Awesome. Yea, I'm a computer tech as well, with thousands of repairs too. :)
    Thanks for the help. I wouldn't mind sending the whole registry, no worries, let me know.
  8. kimsland

    kimsland Ex-TechSpotter Posts: 14,523

    Please do the following registry changes

    "Shell"="Explorer.exe" <-change (capitalize E)
    "ShutdownWithoutLogon"=dword:00000001 <-change to
    "UIHost"="C:\\WINDOWS\\system32\\logonui.exe" <-change to
    "DefaultPassword"="" <- remove entire string
    "AutoAdminLogon"="1" <- change to

    The next key, I do not have at all (but leave in for the moment)
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings]
    And all those numbers under it !!!

    Once you have made the registry changes, restart
    Report back

    Also, you can edit your previous post (advanced edit) and remove the attachment
  9. tweaks_sav

    tweaks_sav TS Rookie Topic Starter Posts: 186

    Damn, thanks for the continued help, but still same thing.

    1)Changed explorer.exe to Explorer.exe
    2)The original key was a REG_SZ so I changed it to ShutdownWithoutLogonOLD and made a new REG_DWORD and named it ShutdownWithoutLogon and set it to 1
    3) Changed UIHost from logonui.exe to C:\WINDOWS\system32\logonui.exe
    4,5) I have 3 users so this doesn't matter. I need to logon, not auto. (http://www.computerperformance.co.uk/Registry/registry_hacks_AutoAdminLogon.htm)

    Hmmm was looking into the WgaLogon/Settings and found this....http://www.threatexpert.com...
  10. tweaks_sav

    tweaks_sav TS Rookie Topic Starter Posts: 186

    Still same issue but I tried this as well:

    2) So I checked my PC here and ShutdownWithoutLogon is a REG_SZ and set to just 0, so I changed that back.

    I also checked my PC for the WgaLogon key and it's not there. So I deleted the whole WgaLogon key. It had exactly what ThreatExpert had. On reboot, the registry key was recreated, but no values or anything are in them now.
    Here is another case of desktop not loading with the same WgaLogon/Settings entry...hmmm! http://forums.techguy.org/malware-removal-hijackthis-logs/564750-windows-xp-sp2-desktop-not.html
    I haven't tried any of the tools they posted in that thread yet.

    All I did was a google search for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings http://www.google.com/search?q=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows+NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings

    I'm going to run online BitDefender scan and AntiVir just in case. Since I've done AVG and Avast.
  11. kimsland

    kimsland Ex-TechSpotter Posts: 14,523

  12. tweaks_sav

    tweaks_sav TS Rookie Topic Starter Posts: 186

    Pssh, legality doesn't bother me :)

    AntiVir and BitDefender didn't find anything.
    I actually already had the RemoveWGA in my tools, but when I ran it I got "The WGA Notification is not active on your system". Which makes sense since this PC was already genuine.

    Still no dice.
  13. kimsland

    kimsland Ex-TechSpotter Posts: 14,523

    The WGA Notify, is for genuine Windows. Now that'll mess with you!

    Anyway, I don't think it's in Winlogon key any longer.
    I'm starting to think you should replace Explorer.exe with the Windows CD Explorer.ex_
    This may do it.
Topic Status:
Not open for further replies.