Through out my job of being a computer technician I always seem to come across the famous Windows XP explorer.exe killer. You know the one. As soon as you log into your account, explorer.exe starts (you see the task bar, and all the icons) and just as suddenly you saw them, they disappear just like that. Then, out of no where they appear again, but to, disappointingly disappear again.

Most of the time it can be a nasty little bugger to get removed, and most anti-virus and anti-spyware software doesn’t remove or fix the problem. That is because the bug likes to hide using different techniques.

So today I wanted to share all the types of explorer.exe killers I have found, and how I fix the problem.

Before we begin:

I just want to say before I get started on letting you know how to fix this problem, is the trick to fixing this issue, has more to do with identifying which technique the bug is using, or if it even a bug at all. Explorer.exe can also start to do the same thing if an update didn’t take correctly. So, make sure that it wasn’t an update that killed off Explorer.exe first before assuming it’s a bug. If you think it was an update problem, I suggest reading this article.

The Killer Driver:

The first type of explorer.exe killer I find is simply a bug that installs a startup driver that kills that restarts the explorer.exe process any time it starts up. It is one of the easiest to spot, and is easy to fix. The first process is to find what drivers are being loaded, and which one it is that it is. What I recommend to do is to start up into safe mode (Reboot, hold F8, select Safe Mode). The reason we want to startup into safe mode is safe mode only starts the operating system with the minimum startup items, services, and drivers. So if we indeed do have a startup driver that is causing the issue, we should be able to login into Safe Mode and not have any explorer.exe problems.

First thing is to optimize the machine, so lets have you startup Msconfig. Go to Start > Run > Type in “msconfig” and hit enter.

In the window that appears choose the startup tab, and choose to disable all. Now go over the the “services” tab, and check the box to hide all non-microsoft services. Click “Apply” and hit “Ok”.

What we have done is cleaned out your startup and services, so if by chance the bug is one of those, we have stopped it from starting up, typically it isn’t going to do the trick, but will cover all our bases.

Now lets download a quick tool. Download link. This tool will allow us to see what drivers are currently loaded in Windows.

Reboot your system into Normal mode and run the program. Scroll through the list of drivers that are loaded, and see if you find any with any description or file type that is blank. If a driver has blank information, it may be the file we are looking for. Once you have found one, do a search for it, and delete the .sys file.

The .DLL File:

The majority of the time, this problem comes from a .DLL file. I would say about 90% of the machines I have worked on with this problem comes from a bad .dll file in hidden in the Windows or System32 directory. The technique I use to find the file we want to look for is a simple process as long as you have the right tools. First, we need a tool to help us watch system processes.

Go ahead and download Process Explorer. Process Explorer will allow you to watch system processes, and see what files, directories, etc they are calling for.

Once you have that up and running, make sure that you have the program running when explorer.exe is currently crashing and restarting. What you want to do is watch Process Explorer for the explorer.exe startup, and see if any other processes start up along side of it.

Typically what I see is explorer.exe starts up, then you have x process open up, and explorer.exe quits, and then x process quits. When x process starts up we want to hurry and take a look at what .dll files it is calling for. Once you have that info, go to the location of the file while being booted into a Live CD. and change the x.dll file to x.dll.bak. This way, if by changing the file messes up your system, you can go back and change it back to x.dll.

On the other hand, if it fixes the problem, you can go in and completely remove the file all together.

I know I didn’t get really to technical here and I apologize. If you have any questions or other techniques please leave a comment.

One of 10.5’s new features that I use quite often is the built-in screen sharing. You can use screen sharing from iChat, which is great for family tech support, but I’m referring specifically to screen sharing in the Finder. With multiple machines in the house, I often want to see the screen on a given machine while seated at another. In the pre-10.5 days, this was doable, and not overly difficult—you had to click a couple buttons to enable things, then run a VNC viewer app to make the connection. But with 10.5, the viewer is now built into the system. Screen sharing is based on Apple’s full Remote Desktop package, which offers more control over exactly how remote screens are shared. Luckily for us, Apple left at least some of that functionality in the more-limited screen sharing application—it’s just disabled by default. (more…)

Back in October 12, 2005, I wrote a post on how to bypass Microsoft’s Windows Genuine Validation. I would just like to remind everyone that are is still ways of getting around this nuicence, and there will always will be. Let me remind some people or inform thoughs that already don’t know…

Microsoft’s Windows Genuine Validation is basically code that is slipped onto your PC when you update Windows. If you have automatic updates on, it was even more hidden because Microsoft won’t tell you what they are putting on your computer until it’s there. Anyways…what it does is checks your version of Windows XP for a Genuine CD key. So if you have a pirated version of Windows XP on your computer, it is going to tell that your version isn’t genuine. If it isn’t a genuine version of Windows XP, you will not be able to receive any of the updates (like anyone does update anyways).

For those who just can’t find life without Windows updates (Ya, there are times you need them.) here is the newest, and updated way around it. This will also include the new update of Microsofts’ of making annoying reminders that are copies are not “genuine”.

How To: Turn off the annoying WGA reminders-

This is so simple that It makes me wonder why Microsoft did it in the first place. When you load into a user, you will recieve a bubble on your taskbar, along with a icon. When right clicked, you get a “Change Notifications Settings” menu choice. Click on it. It will take you to the Microsoft site, and you will be given a check box to turn off the reminders that you aren’t running a genuine version of windows.

Like I said simple.

How To: Get Windows Updates With Non-Genuine Version of Windows-

Well, the way to get around WGA has changed since October of 2005, but if you have been checking out the original post I made, you would notice it still gets alot of activity.

The fix is the same as in the recent comments. It is a registery fix, and I’ll let you in on it.

Instructions-

1- Go to the Windows Updates page, and download all updates including windows genuine valdiation.

(You will know that you are ready to move on to step two when you go back to the Windows Updates page again, click “custom” or “express”, and you recieve a page that notifies you that your version of Windows is not Genuine. If this happens move on to step two.)

2- Go to start, run, and type in regedit

3- Locate yourself to HKLM \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ policies \ EXT \ CLSID

(HKLM= HKEY LOCAL MACHINE)

4. There will be two files, one has no value, and the other one should be set to 1.
Change the file value data that is “1″ to “0″.
5. Open windows update.

6. Select which way you want to go (either custom or express) it doesn’t matter at this point.

7. You will be asked to reinstall the Validation tool. It now thinks you don’t have Windows Genuine Validation installed, but you do. DON’T CLICK THE BUTTON! DON’T CLOSE THE PAGE! DON’T REFRESH THE PAGE! Instead…put the registry data variable string that you deleted back in with a value of “1″. Once you have the value set back to “1″ close regedit and return back to your open Windows Update window.
8. Click back and then click the update method of choice (Custom or Express) and voila! It works!

Deleteing it completely. (Advanced)-
End the process wgatray.exe in Windows TaskManager and restart Windows XP in safe mode. Now delete the following files:

Delete WgaTray.exe from c:\windowss\ystem32
Delete WgaTray.exe from c:\windows\system32\dllcache

Start Windows Registry editor and delete the folder “WGALOGON” located in the following location:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ Windows NT\CurrentVersion\WinlogonNotify. Delete all references in your registry to WgaTray.exe

Another alternative suggest that three files are installed Windows XP System Folder:

\WINDOWS\system32\WgaLogon.dll
\WINDOWS\system32\WgaTray.exe
\WINDOWS\system32\LegitCheckControl.dll

The wgatray.exe process makes the check for genuine windows software. You can disable WGA by removing the execute bit on WgaLogon.dll. That way, winlogon can’t call it as a notification package at boot, and since WgaLogon is responsible for running and maintaining WgaTray.exe, no more tray popups either.

To change the execute bit of WgaLogon.dll, first turn off Simple File Sharing. Now right click the file in Windows Explorer and open the Security Tab. Hit the Advanced button, uncheck the Inherit box at the bottom, hit the Copy button, then hit OK. Go through each listed user/group and remove the “Read & Execute” permission for that file, leaving the “Read” permission as-is.

Hit OK to apply the permission changes and close the file properties dialog. Restart the machine. You can now turn “Use simple file sharing” back on, if you want.

A third alternative posted on the internet suggest that users clear the content of file data.dat located in the following directory:
C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage\data

Save the data.dat empty file and change the attributes to “Read Only” – Restart you computer. Or start your PC in Safe Mode and delete the following files from Windows system32 folder – wgalogon.dll spmgs.dll wgatray.exe The WGA setup file is in C:\WINDOWS\SoftwareDistribution\ Download\6c4788c9549d437e76e1773a7639582a

If you don’t use “Fast User Switching”, you can disable the Windows XP Welcome Screen if you are logged in as an Administrator. This will remove the initial WGA Warning Screen:

1. Click on Start -> Control Panel ->User Accounts
2. Click on “Change the way users log on or off”
3. Uncheck “Use the Welcome Screen” – Choose Apply
4. Close the User Accounts window and the Control Panel
5. The next time you reboot your computer, the classic login prompt will be used

I just want to report that I don’t believe the javascript code line in the address bar method works anymore. Neither can you disable WGA in your browser. That is basically what you are doing in the registery. You are making it seem like you didn’t have WGA, hence “0″, downloaded it and passed as genuine, hence the change to “1″.

I’m sure Microsoft will come out with more updates to WGA, and we’ll find ways around it. So if you have problems, just come check out this post comments and I’m sure will have the fix.

Also, you can download the new pirated version of Windows XP Pro SP2 that is out on torrent. That has a fix on it so it looks genuine to Windows all the time. I suggest if you are going to reformat, you download that image and use it on the reinstall.

Good luck my fellow Windows piraters!