Tag Archives: windows

Windows: No Shell, Explorer.exe not found

Posted on by

Running Windows XP (2k maybe)? Try to boot your computer and all you get is a background with no icons, no taskbar, no start menu and just a mouse cursor? Try this:

Symptom

When you try to boot your computer: all you get is a background with no icons, no taskbar, no start menu and just a mouse cursor. If you try to launch explorer.exe manually from Task Manager, you get “explorer” could not be found or “explorer.exe” could not be found.

Cause

A registry key that handles how the Windows shell (explorer.exe) loads is corrupt.

Fix

Delete the offending registry key and reboot the computer. Use Task Manager (CTRL+ALT+DEL) to run regedit manually. Then find the following key and delete it:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\explorer.exe

Then, reboot the computer. Problem solved.

Malware Removal causes STOP: C0000135

Posted on by

Symptom

You are running Windows XP and you recently removed some malware. After removing the malware, you get the following message on a blue screen (BSOD):

STOP: C0000135 {Unable to locate component} This application has failed to start because [name] was not found. Reinstalling the application may fix this problem.

… where [name] is a word starting with the letters ‘base’ (not winsrv or user32) and has some random crap on the end of it, and you can’t boot the machine anymore.

Cause

You have inadvertently deleted a file windows ‘thinks’ it needs, but doesn’t really. The malware you removed hijacked a registry entry to ensure it is loaded with every Windows session, so you have to un-hijack the registry it to fix it, basically pointing Windows to the original non-malware version of the file it thinks it needs.

Solution

  • Load the hijacked “SYSTEM” hive file on a clean system. (You can do this any way you wish. You can use Windows PE, or another Windows machine; it basically goes like this)
    • Get access to the file called “system” on the infected machine in the folder C:\windows\system32\config (the previous path may be different if Windows is installed in a different folder or on a different drive letter)
    • Use the clean system to run regedit, highlight the “HKEY_LOCAL_MACHINE” branch at the left, click “File”, then “Load Hive…”, and point it to the “system” file I talked about above.
    • Regedit will ask you for a name. Just call it “FIX”.
  • Next, navigate to: HKEY_LOCAL_MACHINE\FIX\CurrentControlSet\Control\Session Manager\SubSystems
    • The folder above called CurrentControlSet may be called ControlSet1 or ControlSet2, or the like. There may be more than one. If you are unsure which one to use, perform the following steps in all of them.
  • At the right, you will see the value at the right called “Windows”. This is the infected registry value. You must replace the value with the following, all on one line:
    • At the right, right click on the item called “Windows”, and select “Modify”, then paste in the following value:
    • %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
  • When done, go back to the top and highlight the FIX folder underneath HKEY_LOCAL_MACHINE. Then click “File” and “Unload Hive…”
  • Put your fixed machine back together (i.e. put the hard drive back in it, or throw the fixed system file back in the right place . .. or basically reverse whatever you did to get access to the system file )
  • Boot up your fixed computer.