I summon the collective #DFIR wisdom of Twitter. User attempts to launch Windows Explorer and another program starts instead. I'm assuming a registry setting, but which one?

Recmd with SA parameter across all hives and search for the executable that launched? Then review the keys individually. May get lucky!