My Windows 7 desktop PC, built by me, started acting very weird in the last couple of days. I use it quite often, about half of the time through TeamViewer. Explorer would crash and restart randomly, almost always through TeamViewer. This made me suspect that TeamViewer was the problem but I have reproduced it with and without TeamViewer several times. The only way I can seem to get the problem not to occur is by booting into Safe Mode.
I have used CCleaner and Malwarebytes to make sure it wasn't a registry error or malware causing the problem, and I have tried the fix in the seemly related issue here as well every other fix I have found online including removing security updates KB980408 and KB2926765 as well as using "sfc /scannow" and a bunch of other things I can't remember.
More recently when I try to start explorer it is popping up a small window that says "Personalized Settings" on the top, but is completely empty and crashes instantly. The only way I can get it to disappear is to kill the explorer.exe process. I wish I could take a screenshot but I can't seem to open paint or even find the exe. I have tried restarting it, I have tried starting it while the personalized settings window was open.
I have come up with two lists of processes the first is the list of active processes when I boot into safe mode and explorer seems to work fine. The second is the list of processes that I can narrow it down to in normal boot and still replicate the problem. There is one process that I can't seem to close. NisSrv.exe which is describes as "Microsoft Network Realtime Inspection Service". When I try to close the process NisSrv.exe it says "The operation could not be completed. Access is denied." When I try to close the related service it gives the same message.
Image Name PID Session Name Session# Mem Usage
========================= ======== ================ =========== ============
System Idle Process 0 Services 0 24 K
System 4 Services 0 2,660 K
smss.exe 304 Services 0 1,196 K
csrss.exe 408 Services 0 4,156 K
wininit.exe 444 Services 0 4,608 K
csrss.exe 452 Console 1 8,700 K
services.exe 492 Services 0 7,700 K
winlogon.exe 524 Console 1 5,756 K
lsass.exe 536 Services 0 10,644 K
lsm.exe 544 Services 0 4,316 K
svchost.exe 652 Services 0 8,976 K
MsMpEng.exe 804 Services 0 40,696 K
explorer.exe 1332 Console 1 85,220 K
ctfmon.exe 1376 Console 1 3,680 K
dllhost.exe 1624 Console 1 8,656 K
chrome.exe 1408 Console 1 98,504 K
WmiPrvSE.exe 2352 Services 0 6,472 K
chrome.exe 1744 Console 1 65,116 K
taskmgr.exe 372 Console 1 14,948 K
cmd.exe 2776 Console 1 2,960 K
conhost.exe 1816 Console 1 3,580 K
tasklist.exe 2308 Console 1 5,868 K
And the list of processes I have narrowed it down to.
Image Name PID Session Name Session# Mem Usage
========================= ======== ================ =========== ============
System Idle Process 0 Services 0 24 K
System 4 Services 0 2,808 K
smss.exe 316 Services 0 1,216 K
csrss.exe 484 Services 0 4,532 K
wininit.exe 596 Services 0 4,604 K
csrss.exe 604 Console 1 23,676 K
services.exe 652 Services 0 11,344 K
lsass.exe 668 Services 0 12,692 K
lsm.exe 676 Services 0 4,464 K
MsMpEng.exe 972 Services 0 68,436 K
winlogon.exe 168 Console 1 7,784 K
svchost.exe 496 Services 0 19,140 K
NisSrv.exe 3176 Services 0 808 K
svchost.exe 1684 Services 0 11,260 K
taskmgr.exe 4524 Console 1 20,696 K
cmd.exe 4764 Console 1 7,224 K
conhost.exe 4772 Console 1 6,916 K
sublime_text.exe 2340 Console 1 45,012 K
dllhost.exe 4476 Console 1 8,736 K
tasklist.exe 3796 Console 1 5,768 K
WmiPrvSE.exe 1768 Services 0 6,344 K
Here is the event data xml from event viewer for the error I am getting.
<EventData>
<Data>explorer.exe</Data>
<Data>6.1.7601.17567</Data>
<Data>4d672ee4</Data>
<Data>vrfcore.dll</Data>
<Data>6.3.9600.16384</Data>
<Data>5215f8f5</Data>
<Data>80000003</Data>
<Data>0000000000003a00</Data>
<Data>12e4</Data>
<Data>01cfb84fa70f89dc</Data>
<Data>C:\Windows\system32\explorer.exe</Data>
<Data>C:\Windows\SYSTEM32\vrfcore.dll</Data>
<Data>e5957093-2442-11e4-9f8a-94de806ed9cb</Data>
</EventData>
I was looking through the eventvwr log again and I found this, possibly related
<EventData>
<Data>runonce.exe</Data>
<Data>6.1.7601.17514</Data>
<Data>4ce7a253</Data>
<Data>MSVCR100.dll</Data>
<Data>10.0.40219.325</Data>
<Data>4df2bcac</Data>
<Data>c0000005</Data>
<Data>000000000003c145</Data>
<Data>670</Data>
<Data>01cfb8dabbd85942</Data>
<Data>C:\Windows\system32\runonce.exe</Data>
<Data>C:\Windows\system32\MSVCR100.dll</Data>
<Data>fa6f82b9-24cd-11e4-80a8-94de806ed9cb</Data>
</EventData>
And the general error details
Faulting application name: Explorer.EXE, version: 6.1.7601.17567, time stamp: 0x4d672ee4
Faulting module name: vrfcore.dll, version: 6.3.9600.16384, time stamp: 0x5215f8f5
Exception code: 0x80000003
Fault offset: 0x0000000000003a00
Faulting process id: 0xc38
Faulting application start time: 0x01cfb84e5e852c5f
Faulting application path: C:\Windows\Explorer.EXE
Faulting module path: C:\Windows\SYSTEM32\vrfcore.dll
Report Id: 9dc19e6d-2441-11e4-9f8a-94de806ed9cb
Another probably unrelated error that I seem to be getting pretty often.
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60
WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99"
could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003.
Events cannot be delivered through this filter until the problem is corrected.
My explorer tab in Autoruns seen below along with the error when I try to uncheck something. I should add that I seem to be able to disable shell extensions with ShellExView but I still can't get explorer to start correctly.
EXPLORER SHELL UPDATE - See screenshot below
I can access the explorer right click menu through a file manager I downloaded called NexusFile, but still no luck starting explorer.
Another round of errors that I am getting regarding Windows Search Service
The search service has detected corrupted data files in the index {id=4700}.
The service will attempt to automatically correct this problem by rebuilding the index.
Details:
The content index catalog is corrupt. (HRESULT : 0xc0041801) (0xc0041801)
followed by
The Windows Search Service is being stopped because there is a problem with the
indexer: The catalog is corrupt.
Details:
The content index catalog is corrupt. (HRESULT : 0xc0041801) (0xc0041801
and
The plug-in in <Search.JetPropStore> cannot be initialized.
Context: Windows Application, SystemIndex Catalog
Details:
The content index catalog is corrupt. (HRESULT : 0xc0041801) (0xc0041801)
and
The gatherer object cannot be initialized.
Context: Windows Application, SystemIndex Catalog
Details:
The content index catalog is corrupt. (HRESULT : 0xc0041801) (0xc0041801)
and
The Windows Search Service cannot load the property store information.
Context: Windows Application, SystemIndex Catalog
Details:
The content index database is corrupt. (HRESULT : 0xc0041800) (0xc0041800)
WER Log
http://pastebin.com/WXKGDT4Q
I'll add information as I remember it or people request it.
