How to fix this error "The shell stopped unexpectedly and Explorer.exe was restarted"?

Posted on 2006-04-26
Last Modified: 2007-12-19
Immediately any user logs onto my PC (even new users) explorer starts to restart every 5 seconds with the error below:

Event Type:      Information
Event Source:      Winlogon
Event Category:      None
Event ID:      1002
Date:            26/04/2006
Time:            08:24:34
User:            N/A
Computer:      CLABERT2
The shell stopped unexpectedly and Explorer.exe was restarted.

For more information, see Help and Support Center at


I have checked the event logs and there were some errors relating to the IMAPI.exe service but with that disabled the error still occurs.  It seemed to occur on the odd occasion before yesterday but then in the afternoon (not following any particular install) it started failing continually.  The only minor change I can think of was removing internet explorer from the quick start area on the task bar.

I have searched for solutions on this site and across the web and I have tried the following:

1) Replace explorer.exe with a new copy from install CD (I replaced the dllcache copy as well to prevent the original coming back)
2) Replace explorer.exe with a working copy from another PC
3) Uninstall any recently installed software
4) Virus scan entire machine
5) Spyware scan entire machine (used Steganos anti-spyware 2006 and AdAware)

If anyone has any suggestions that result in a fix I would be grateful as I really don't want to rebuild from scratch.

Question by:tudorr
    LVL 15

    Expert Comment

    imapi.exe is a part of the Microsoft Windows operating system, more specifically the Image Mastering Applications Programming Interface, which is used for CD recording. This program is important for the stable and secure running of your computer and should not be terminated.
    probably in your burning program you have installed or the burner drivers.
    LVL 27

    Expert Comment

    > The shell stopped unexpectedly and Explorer.exe was restarted <

    If you take a look at this forum and study the last comment by FKlassen 2005-06-28, 9:14 pm, you'll see reference to "most likely a new Bagle variant"!

    If it's "Trojan.Tooso.J" as suggested, see this link for help:
    LVL 27

    Expert Comment

    Have put some 'highlights' in the previous url to assist you:

    You may initially like to try this online Trojan scanner "a-squared Free", which is specialized in Trojans & Dialers removal:

    Author Comment

    Thanks for the comments - it appears that the problem was related to ISS BlackIce PC protection (my firewall and intrusion detection software).  I used MSCONFIG to stop various things loading and was able to remove / reproduce the error by adding / removing the services.  The strange thing is that I simply emptied the firewall logs and restarted and now all is fine - bizarre!
    LVL 27

    Expert Comment

    Thanks for the update, it could help others.    
    As you appear to have answered the question yourself you may wish to retrieve your points. Check this link under the heading "Closing Questions":

    Then ask for a refund with reference to thread Q_21827735, posting a 0 points question here. Thanks.
    LVL 27

    Expert Comment

    No objections, PAQ-ing the question and refunding 500 points is fine.

    Accepted Solution

    Closed, 500 points refunded.
    The Experts Exchange
    Community Support Moderator of all Ages

    Author Comment


    I should add that further investigation revealed that the Application Protection component of the software had decided that explorer.exe was a problem as below:

    04/27/2006 09:41:24.296 [ 1792]: Notification: explorer.exe (C:\WINDOWS\explorer.exe) has been terminated because it is a privacy violation

    It was simply closing down what it thought was a problem application.  That information was contained in RAPPAPP.LOG but as there are so many log files I didn't manage to check it earlier!

    Hopefully if someone else experiences this they can check the log first.....

    In order to fix, I had to re-baseline the system as follows:

    Right click the shield in the System Tray and select Stop BlackICE Application Protection. A red slash may appear over the shield. Now, find the Actlcl (may or may not exist) and Checksum .txt files in the BlackICE folder which are within the ISS folder. Delete them and then baseline.
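
An added example, not part of the original thread or of the BlackICE product: a Python sketch that scans an Application Protection log for the same executable being terminated repeatedly, which is the pattern the author eventually found in RAPPAPP.LOG. The line layout is assumed from the single entry quoted above; the function names, thresholds and the extra sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Layout inferred from the one RAPPAPP.LOG entry quoted in the thread.
# The bracketed number is unlabelled there, so it is matched but not interpreted.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) \[\s*\d+\]: "
    r"Notification: (?P<name>.+?) \((?P<path>.*)\) "
    r"has been terminated because (?P<reason>.*\S)"
)

# Constructed sample: line 1 is the entry from the thread, the rest are made up.
SAMPLE_LOG = """\
04/27/2006 09:41:24.296 [ 1792]: Notification: explorer.exe (C:\\WINDOWS\\explorer.exe) has been terminated because it is a privacy violation
04/27/2006 09:41:29.310 [ 1792]: Notification: explorer.exe (C:\\WINDOWS\\explorer.exe) has been terminated because it is a privacy violation
04/27/2006 09:41:34.402 [ 1792]: Notification: explorer.exe (C:\\WINDOWS\\explorer.exe) has been terminated because it is a privacy violation
04/27/2006 09:41:35.000 [ 1792]: unrelated line that the parser should skip
"""

def parse_terminations(text):
    """Return (timestamp, lower-cased path, reason) for each termination line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S.%f")
            events.append((ts, m["path"].lower(), m["reason"]))
    return events

def kill_loops(events, min_hits=3, window_s=60):
    """Paths terminated at least min_hits times within window_s seconds."""
    by_path = defaultdict(list)
    for ts, path, reason in events:
        by_path[path].append((ts, reason))
    report = {}
    for path, hits in by_path.items():
        hits.sort()
        times = [t for t, _ in hits]
        for i in range(len(times) - min_hits + 1):
            if (times[i + min_hits - 1] - times[i]).total_seconds() <= window_s:
                report[path] = {"count": len(hits),
                                "reasons": sorted({r for _, r in hits})}
                break
    return report

if __name__ == "__main__":
    for path, info in kill_loops(parse_terminations(SAMPLE_LOG)).items():
        print(path, info["count"], info["reasons"])
```

A path that shows up in the report alongside Winlogon Event ID 1002 entries at matching times points at the protection software, rather than malware or a damaged explorer.exe, as the cause of the restarts.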

