Boot problems: Black screen + CMD no explorer.exe


  1. Posts : 24
    Windows 10
       #1


    Hi, tonight I ran Malwarebytes to scan for malware. After the scan, multiple threats were detected. After Malwarebytes took the appropriate actions, my computer froze while trying to reboot. After waiting, I held the power button, with this now as the consequence:

    [Attached image: vlc_2017-09-27_22-17-22.jpg]

    After running the following command:
    Code:
    start explorer.exe
    it looks normal again.

    This problem also occurs in safe mode (which really has me worried).

    I made this video to give you some better insight. https://streamable.com/1z254

    Looking forward to tips, everything is welcome!
    Last edited by lukelumia950XL; 27 Sep 2017 at 16:01.

  2. TairikuOkami
    Posts : 4,667
    Windows Home Dev 21xxx x64
       #2

    These entries are required to start Windows; they might have been damaged by malware.

    Code:
    reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "explorer.exe" /f
    reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Userinit" /t REG_SZ /d "C:\Windows\System32\userinit.exe," /f
    reg add "HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "explorer.exe" /f
    reg add "HKLM\System\CurrentControlSet\Control\Session Manager" /v "BootExecute" /t REG_MULTI_SZ /d "autocheck autochk *" /f
    reg add "HKLM\System\CurrentControlSet\Control\Session Manager" /v "SETUPEXECUTE" /t REG_MULTI_SZ /d "" /f


  3. Posts : 24
    Windows 10
    Thread Starter
       #3

    All these registry entries exist and have the same value. But just to clarify, Windows is starting, just not the GUI/explorer.exe, and CMD is randomly starting at boot.

  4. TairikuOkami
    Posts : 4,667
    Windows Home Dev 21xxx x64
       #4

    Check for possible Explorer hooks, e.g. via Autoruns.

    I would suggest removing everything, but that will really remove everything.

    Code:
    takeown /f "%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup" /a /r /d y
    icacls "%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup" /inheritance:r /grant:r Administrators:(OI)(CI)F /t /l /q /c
    del "%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup\*" /s /f /q
    del "%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\*" /s /f /q
    reg delete "HKCU\Software\Microsoft\Command Processor" /v "AutoRun" /f
    reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /f
    reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved" /f
    reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies" /f
    reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f
    reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" /f
    reg delete "HKCU\Software\Policies" /f
    reg delete "HKLM\Software\Microsoft\Command Processor" /v "AutoRun" /f
    reg delete "HKLM\Software\Microsoft\Policies" /f
    reg delete "HKLM\Software\Microsoft\Tracing" /f
    reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\AppModelUnlock" /f
    reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks" /f
    reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved" /f
    reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies" /f
    reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /f
    reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce" /f
    reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx" /f
    reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsStore\WindowsUpdate" /f
    reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /f
    reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server" /f
    reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v "AppInit_DLLs" /f
    reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /f
    reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Userinit" /f
    reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "VMApplet" /f
    reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells" /f
    reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell" /f
    reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman" /f
    reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit" /f
    reg delete "HKLM\Software\Policies" /f
    reg delete "HKLM\Software\WOW6432Node\Microsoft\Policies" /f
    reg delete "HKLM\Software\WOW6432Node\Microsoft\Tracing" /f
    reg delete "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
    reg delete "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" /f
    reg delete "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce" /f
    reg delete "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx" /f
    reg delete "HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Policies" /f
    reg delete "HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\WindowsStore\WindowsUpdate" /f
    reg delete "HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /f
    reg delete "HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows" /v "AppInit_DLLs" /f
    reg delete "HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /f
    reg delete "HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Userinit" /f
    reg delete "HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "VMApplet" /f
    reg delete "HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells" /f
    reg delete "HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell" /f
    reg delete "HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman" /f
    reg delete "HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit" /f
    reg delete "HKLM\Software\WOW6432Node\Policies" /f
    reg delete "HKLM\System\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /f
    reg delete "HKLM\System\CurrentControlSet\Control\SafeBoot" /v "AlternateShell" /f
    reg delete "HKLM\System\CurrentControlSet\Control\Session Manager" /v "BootExecute" /f
    reg delete "HKLM\System\CurrentControlSet\Control\Session Manager" /v "Execute" /f
    reg delete "HKLM\System\CurrentControlSet\Control\Session Manager" /v "SETUPEXECUTE" /f
    reg delete "HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd" /v "StartupPrograms" /f
    reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "explorer.exe" /f
    reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Userinit" /t REG_SZ /d "C:\Windows\System32\userinit.exe," /f
    reg add "HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "explorer.exe" /f
    reg add "HKLM\System\CurrentControlSet\Control\Session Manager" /v "BootExecute" /t REG_MULTI_SZ /d "autocheck autochk *" /f
    reg add "HKLM\System\CurrentControlSet\Control\Session Manager" /v "SETUPEXECUTE" /t REG_MULTI_SZ /d "" /f
    bcdedit /deletevalue {current} safeboot
    bcdedit /deletevalue {current} safebootalternateshell
    bcdedit /deletevalue {default} safeboot
    bcdedit /deletevalue {default} safebootalternateshell
    bcdedit /set {default} advancedoptions false
    bcdedit /set {default} bootems no
    bcdedit /set {default} bootstatuspolicy DisplayAllFailures
    bcdedit /set {bootmgr} displaybootmenu no
    bcdedit /set {current} advancedoptions false
    bcdedit /set {current} bootems no
    bcdedit /set {current} bootstatuspolicy DisplayAllFailures


  5. Posts : 24
    Windows 10
    Thread Starter
       #5

    I ran the code, but it didn't fix it. How do I check for possible Explorer hooks? (I have Autoruns.) I uploaded the video: My Movie - Streamable

  6. TairikuOkami
    Posts : 4,667
    Windows Home Dev 21xxx x64
       #6

    It looks to me like explorer.exe was replaced by cmd.exe, but an SFC scan should fix that.

    Check out Autoruns, un-check to hide Microsoft entries and look for CMD, like this:
    [Attached image: capture_09272017_232309.jpg]


  7. Posts : 24
    Windows 10
    Thread Starter
       #7

    https://i.imgur.com/hOBiwYi.png
    https://i.imgur.com/Z1nfWI4.png

    This is what I get.

    I thought SFC should fix this as well, but I updated SFC and ran it multiple times and still no fix :/
    [Attached image: image.png]

  8. TairikuOkami
    Posts : 4,667
    Windows Home Dev 21xxx x64
       #8

    That "%comspec%" should not be there. If you type it into Run, you will get just what you get at startup.

    Did you run my code in cmd as admin? Because this one should fix that.

    Code:
    reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "explorer.exe" /f


  9. Posts : 24
    Windows 10
    Thread Starter
       #9

    I ran all 3 codes as admin now (my mistake before...), but it did not fix the problem. This is Autoruns now:
    [Attached image: image.png]
    It still shows comspec

    at this location: HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    which is not changed in the code, I believe.

  10. TairikuOkami
    Posts : 4,667
    Windows Home Dev 21xxx x64
       #10

    Remove it via Autoruns, but you might need to run Explorer via Task Manager if that cmd window will not start.
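
An added example, not part of any post in this thread: a read-only PowerShell check of the Winlogon values named above. A per-user `HKCU\...\Winlogon\Shell` value takes precedence over the HKLM one for that user, so resetting only the HKLM value leaves a `%comspec%` shell in place; the expected data is taken from post #2, `$env:SystemRoot` is assumed to stand for `C:\Windows`, and treating the HKCU value as absent by default is an assumption about a default install.

```powershell
# Read-only audit of the Winlogon values discussed in this thread (changes nothing).
# Expected data comes from post #2; $env:SystemRoot is assumed to be C:\Windows there.
# Expected = $null means "this value should not exist" (assumption: default install).
$winlogon = 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$wow64    = 'Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon'
$checks = @(
    @{ Path = "HKLM:\$winlogon"; Name = 'Shell';    Expected = 'explorer.exe' }
    @{ Path = "HKLM:\$winlogon"; Name = 'Userinit'; Expected = "$env:SystemRoot\System32\userinit.exe," }
    @{ Path = "HKLM:\$wow64";    Name = 'Shell';    Expected = 'explorer.exe' }
    @{ Path = "HKCU:\$winlogon"; Name = 'Shell';    Expected = $null }
)

$results = foreach ($c in $checks) {
    # Returns nothing (error suppressed) when the key or the value is missing.
    $item   = Get-ItemProperty -LiteralPath $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $actual = if ($item) { [string]$item.($c.Name) } else { $null }

    $status = if ($null -eq $actual) {
        if ($null -eq $c.Expected) { 'OK (absent)' } else { 'NOT SET' }
    } elseif ($null -eq $c.Expected) {
        'REVIEW: per-user override present'
    } elseif ($actual.Trim() -eq $c.Expected) {   # -eq is case-insensitive for strings
        'OK'
    } else {
        'REVIEW: differs from expected'
    }

    # Show what the stored string resolves to, e.g. %comspec% -> full path of cmd.exe.
    $resolved = if ($actual) { [Environment]::ExpandEnvironmentVariables($actual) } else { $null }

    [pscustomobject]@{
        Key      = $c.Path
        Value    = $c.Name
        Data     = $actual
        Resolves = $resolved
        Status   = $status
    }
}

$results | Format-List
```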