explorer.exe problem Win7

Q

qtqc

Limp Gawd
Joined
Apr 8, 2004
Messages
237
Hello Everyone

I have a problem on my Windows 7 work computer. Had an issue where my explorer.exe was growing is size in my Process's until it was over 3gb in size. Did a spyware/malware/antivirus check with AVG, SuperAnti-Spyware, and Malwarebytes. They found some minor stuff and removed it. Now the explorer.exe crashes every 15 seconds and restarts itself.
Tried rebooting in safe mode but it crashes in safe mode as well
Have tried researching if there is a way to repair the explorer.exe file but no luck. Don't really want to do a fresh install if possible. Anyone have any recommendations?

Thanks
 
What's the error message when it crashes? It should list a faulting module that'll give us a clue as to what's happening.
 
You may want to get an AVG rescue disk (or similar, there are many) and scan for rootkits. Could also try copying explorer.exe from a working Win7 system. Lastly, you could pull the drive, scan it with something other then what you've used, like Avast or Bitdefender, then put the drive back in and try a system restore.

Edit:
Snowknight26 said:
What's the error message when it crashes? It should list a faulting module that'll give us a clue as to what's happening.
Click to expand...

Good idea, I forgot about looking up the BSOD error code.
 
Heres what my screen says when it crashes. After the screen below, it just says Windows Explorer is restarting. It restarts, its ok for 25 seconds and then crashes again

crash.jpg
 
Go to Reliability Monitor in the Control Panel, open the event details for the crash and paste the contents here.
 
You could try running procmon and see what explorer is doing to get up to 3.5gigs of memory usage. I'm going to guess there's some sort of add-on or plugin that isn't behaving correctly. You may also try using Shell Extension Viewer to disable all of the shell extensions and see if those are causing the issue.
 
Hi guys,

Those are good suggestions. The problem I have now, explorer wont stay active more the 15-20 before crashing and restarting. It doesnt grow in size after all the virus/malware/spyware checks, just crashes now. Even the control panel area gets closed during the crash so its hard to do much in there.
 
15-20
Click to expand...
You accidentally a word :). Every 15-20 what?

What's the error code for the crashes? You should be able to launch eventvwr independently of explorer.exe (it runs under mmc.exe), so one going down won't take down the other.
 
Sorry, its every 15 seconds I meant.

Heres what the log says:

- System

- Provider

[ Name] Application Error

- EventID 1000

[ Qualifiers] 0

Level 2

Task 100

Keywords 0x80000000000000

- TimeCreated

[ SystemTime] 2014-03-31T23:53:13.000000000Z

EventRecordID 83076

Channel Application

Computer GeorgeWork-PC

Security


- EventData

explorer.exe
6.1.7601.17567
4d672ee4
unknown
0.0.0.0
00000000
c0000005
00000000042b9914
c54
01cf4d3c5ac07b4f
C:\Windows\explorer.exe
unknown
9e869b46-b92f-11e3-9931-68a3c45350b5
 
And what happens if you use the nirsoft tool to disable shell extensions?
 
And if that fails, we'll have to set it to generate a minidump, and check to see if you're encountering this issue: http://support.microsoft.com/kb/2494427 (however, don't install that hotfix until trying to disable shell extensions, which I am guessing are your problem).
 
I diabled everything and it still crashes. Cant seem to find where to create the minidump file though
 
Well, before doing that, I think it would be a good time to do another sfc /scannow.


Minidumps are usually in C:\windows\minidump. If you don't see any there, let me know.
 
Did the sfc scan, didnt find any integrity violations it said. It the mini dump folder, just have one file from March 17 of this year. Is that the one that is required?
 
qtqc said:
Did the sfc scan, didnt find any integrity violations it said. It the mini dump folder, just have one file from March 17 of this year. Is that the one that is required?
Click to expand...

That seems awfully old, likely from a bluescreen experienced around that time.

You'll have to enable usermode dumps for explorer.exe. To do so, run regedit and create a key under HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting called LocalDumps. Under that, create a key called explorer.exe. In that key, create a REG_EXPAND_SZ that has the location you want the error dumps to be created (or, don't create the value, and they will be dumped under %LocalAppData%\CrashDumps). Once explorer crashes, check the location of the dump for the .dmp file and upload it somewhere so I can take a look at it.

More information about collecting usermode dumps can be found here: http://msdn.microsoft.com/en-us/library/windows/desktop/bb787181(v=vs.85).aspx
 
I got the DMP file. How do I attach it here or open it? I downloaded Blue Screen View but it wont open it
 
Hi, qtqc,

Do a search on "free uploading sites" using your favorite search engine ( I like duckduckgo.com) and choose any of the sites that strike your fancy, open a free account, upload the .dmp to it, and send a PM to Tawnos with the link and he'll check it out and let you know what it says.

Hope this helps.
 
qtqc said:
I got the DMP file. How do I attach it here or open it? I downloaded Blue Screen View but it wont open it
Click to expand...

Use onedrive and share, or email it to my username at gmail dot com if it's under 5MB
 
Do you have filezilla installed? As I suggested earlier, you have a shell extension causing the crash. It appears to be (a very old version of) filezilla:

Code: 
BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE_SHELL_EXTENSION_IID_IShellCopyHookW

MODULE_NAME: fzshellext_64

IMAGE_NAME:  fzshellext_64.dll


BUCKET_ID:  X64_APPLICATION_FAULT_INVALID_POINTER_WRITE_SHELL_EXTENSION_IID_IShellCopyHookW_fzshellext_64+177c

FAILURE_ID_HASH_STRING:  um:invalid_pointer_write_c0000005_fzshellext_64.dll!unknown

0:034> lmvm fzshellext_64
start             end                 module name
00000001`80000000 00000001`8001e000   fzshellext_64 T (no symbols)           
    Loaded symbol image file: fzshellext_64.dll
    Image path: C:\Program Files (x86)\FileZilla FTP Client\fzshellext_64.dll
    Image name: fzshellext_64.dll
    Timestamp:        Sat Aug 01 03:34:17 2009 (4A741A29)
    CheckSum:         0001C82E
    ImageSize:        0001E000
    File version:     3.2.7.0
    Product version:  3.2.7.0
    File flags:       0 (Mask 17)
    File OS:          4 Unknown Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
 
Last edited:
Unfortunately, that one is a bit harder to debug. However, since there were clearly shell extensions that weren't removed, can you double check with nirsoft's shell ext viewer and make sure that all of your shell extensions are actually removed?

I'll try to take a deeper look at the dump after dinner. If you get another one, I'd like to analyze them side by side if at all possible. Thanks.
 
Can you share another dump from after uninstalling Teamviewer? In your previous dumps, it looks like explorer is trying to write to already freed memory. I know you said you "disabled almost everything except for some microsoft extensions." What is the "almost" and why not try disabling everything to see if that is at least the root of your issue?

You should probably also try clearing programs that start with your computer to make sure none of them interfere. Debugging this kind of stuff requires getting down to the simplest system possible, then working up from there.
 
I'm not getting much from the dumps - they are showing that something is messing with explorer's memory. Can you run hijackthis and share the log? I need to see a more complete picture of what's going on
 
If you try opening the no plugin IE "Internet Explorer (No Add-ons)" to see if that changes the time before it crashes?
 
You must log in or register to reply here.
Back
Top