RDP : No Desktop, with a continually crashing Explorer?

If you login to server and when you login you get the taskbar appear without desktop icons then the taskbar vanishes and reappears then you have a problem somewhere, this is hard to explain to let me show you.

You login to a server and you briefly see the start menu as below, notice you will see no desktop icons:

Then before you can do anything your remote desktop session fails to start the taskbar so your end up with a black box at the bottom of the screen:

Then a couple of seconds later it is back again:

Then as quick as it comes back its gone again:

This means something is crashing on the server, however is this not affect all users on certain ones, so you cannot go making server changes for a couple of people.

First is remotely look at the Application Event Log and that will tell you 1000 and 1001 which is a crash and then 1002 which is the "explorer restarted"

That goes like this as a cycle 1000, 1001 then 1002 and over and over it goes and you are not able to access the server at all, while it is in this state.

Event 1000 : Application Crash

Faulting application name: explorer.exe, version: 10.0.14393.4169, time stamp: 0x5ff78df9

Faulting module name: TwinUI.dll, version: 10.0.14393.4530, time stamp: 0x60e33ee9

Exception code: 0x80270233

Fault offset: 0x0000000000573dc1

Faulting process id: 0x129b8

Faulting application start time: 0x01daec95503994c6

Faulting application path: C:\Windows\explorer.exe

Faulting module path: C:\Windows\System32\TwinUI.dll

Report Id: a07bd220-de6f-4ae6-96db-7543dd0912af

Faulting package full name: 

Faulting package-relative application ID: 

Event 1001 : Windows Error Reporting Crash Trace

Fault bucket , type 0
Event Name: APPCRASH
Response: Not available
Cab Id: 0

Problem signature:
P1: explorer.exe
P2: 10.0.14393.4169
P3: 5ff78df9
P4: TwinUI.dll
P5: 10.0.14393.4530
P6: 60e33ee9
P7: 80270233
P8: 0000000000573dc1
P9:
P10:

Attached files:

These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_explorer.exe_ec38d9d659de2ddec87dd1da7d3151da54ee5688_1acbb9c2_0e833d6e

Analysis symbol:
Rechecking for solution: 0
Report Id: a07bd220-de6f-4ae6-96db-7543dd0912af
Report Status: 4
Hashed bucket: 

Event 1002 : Explorer Restarted

The shell stopped unexpectedly and explorer.exe was restarted.

This is interesting, so it is only affecting certain people as some people report no problem, restringint, very interesting, so this must to be something unique to the user logging in to the server.

Report Archive for WER

If we navigate to the folder in the error this should show all the active reports  to view what seems to be the problem here:

C:\ProgramData\Microsoft\Windows\WER\ReportQueue 

Well that folder is very empty and the reports are not there as you can see below:

The cause of this is simple, WER only keeps the reports active while its being processed, once this reporting is complete they get moved to the ReportArchive and change this location:

C:\ProgramData\Microsoft\Windows\WER\ReportArchive

Then you can see all the 501 explorer crashes that have been archived as below:

Windows Updates and Hotfixes - Keep up-to-date

This looks like a long running issue that no one has tried to resolve, but I quick check on the server using this command:

Get-Hotfix -ComputerName mysteryserver.bear.local

That will get all the hotfixes installed and for this server it would appear that no hotfixes have been installed for quite a while, in fact not since 2021 - which is far from ideal.

I would there start there, you need to keep up-to-date with your hotfixes and this is one of these reasons why, is there is a reason this server has not had hotfixes installed then it not a reason, more an excuse or a bodge to get something legacy working that a patch could break.

Fix problem per user

First, make sure the user is logged off and not disconnected you can check this with the command:

query session /server:mysteryserver.bear.local

That should return something like this, here we can see no people are "logged" into the server:

SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 services                                    0  Disc
 console                                     1  Conn
 rdp-tcp                                 65536  Listen

If you get something like this which means someone is still disconnected on the server:

SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 services                                    0  Disc
 console                                     1  Conn
 affected.user                           25  Disc

This will tell you that the user is disconnected, so you can fix that for this example with this command:

reset session /server:mysteryserver.bear.local 25

That will reset the session 25 for that user, after this command is issued you should have no sessions on this server.

Remove ProfileList and Profile

If you wish to fix this for the individual user without making "system" changes then this is the process I would use to do it, first remotely connect to the server using registry editor then you need to get this location:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

Once here, you will need to expand that key and you will see a list of GUID's of users, you will need to go though them all one by one until the find the "username" of the affected user:

When you select the GUID on the right side notice the ProfileImagePath will point at the users location, that is how you tell you have the correct user, the state will also not be "0" it will be some silly high figure as you can see here as well.

Delete the GUID key from the registry and then also delete the path the profile folder, so in this case its will be C:\Users\AffectedUser 

Then when the user logs in again, they will now get a desktop with icons and explorer will no longer crash on login continually.