Windows Explorer is a beast. It does so many things when it starts that it hurts…

Sometimes, literally.

One of the things it checks during its startup routine is the comparison of the Registry value HKEY_CURRENT_USER\Control Panel\Appearance\SchemeLangID and the result of the call to GetUserDefaultUILanguage API. If they do not match, it attempts to load a ‘desk.cpl’ library and call its UpdateCharsetChanges function.

So….

We can create a dodgy desk.cpl, copy explorer.exe to the same folder, kill all the explorer.exe instances, and then make sure the Registry value doesn’t match the the result of the call to GetUserDefaultUILanguage API. Then we can run explorer.exe from that folder and the lame lolbin magic happens: