It is being used for some particular network and application testing for our environment.
Every once in a while, it is impossible for any restricted level user to log onto the machine.
We get the following error:
Windows could not connect to the System Event Notification Service service. Please consult your system administrator.
Well, we are the system administrator! ;)
After a great deal of searching around, there doesn't seem to be any "fix" for the situation yet.
The workaround is to reboot the system and hope for the best. In our case, it works, but in investigating this problem, there are people out there supporting classroom systems that are having this hiccup during classes on several hundred machines.
Here is a direct quote from user iquazee, about halfway down the MSDN Forum post "Limited User account cannot log on due to error: 'could not connect to the system event notification service'" (note that the registry keys are continuous; they are broken into two lines for formatting reasons):
This is a pretty good description of what is happening in the event logs.
I did some investigation with a debugger when the problem occurred again on my computer.
And here is what I found so far:
1. Although Vista no longer supports Winlogon Notification Packages, there is still a similar mechanism in place used internally by Windows components (see HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet
It is quite different though - instead of loading each component as an in-process DLL, the new mechanism uses RPC to communicate with the registered components, and each of them runs as a separate service.
What's interesting, the System Event Notification Service, which is the official replacement for now-unsupported Winlogon notification packages depends on this mechanism (see HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet
2. When a logon event occurs (this can be a logon, logoff, lock, unlock, etc.) Winlogon calls each of these 'components' (by binding to a predefined RPC endpoint, the endpoint name seems to be derived from the service SID of each service that is registered for the logon notifications).
There seems to be a timeout if the registered service does not respond quickly enough - about a couple of minutes.
3. If some service fails to respond to the logon event, it may cause the logon to fail.
However, it seems that if the user is a local administrator, the logon does not fail (although it may be slow due to the timeouts).
4. It seems that the service which causes the most problems is the TrustedInstaller service.
This service is used to install Windows components, including Windows updates (.MSU files).
It is not used for the installation of 'normal' Windows Installer (.MSI) packages.
What I found is that sometimes, after installation of an update the TrustedInstaller service stops responding to the Winlogon notifications, causing the problem.
The Windows Defender service is not the cause of the problem.
However, when Windows Defender is enabled, most updates installed by Windows Update are the Windows Defender definition updates.
5. The workaround is to kill the TrustedInstaller.exe service using Task Manager (it cannot be stopped otherwise).
Of course, you should not do that while an update is being installed.
The TrustedInstaller service will be automatically restarted when needed (for example, when you use Windows Update).
Here is the first error we see:
Event ID 6003: Winlogon - The winlogon notification subscriber [TrustedInstaller] was unavailable to handle a critical notification event.
It is followed by:
Event ID 1530: User Profile Service - Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.
Process ID 868
Both errors occurred around the time the restricted user was trying to log onto the Vista virtual machine.
In this case, as indicated in the earlier posts in the MSDN Forums thread (the MSDN link above, starting at the first page), the process ID that was holding onto the registry was indeed Windows Defender.
So, we may be seeing another bug within the Update Services setup within Windows Vista. Not that we are software debuggers by any means! :D
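To check a machine for the pair of events described above, here is an added PowerShell example (not from the original post or the quoted forum reply). It lists each Event ID 6003, names the unavailable subscriber, and counts the Event ID 1530 entries logged close to it. It assumes both events are in the Application log, and the parameter names and default windows are our own choices.

```powershell
# Added example: correlate Winlogon 6003 (subscriber unavailable) with
# User Profile Service 1530 (registry file still in use) events.
# Assumptions: both events are written to the Application log; $Days and
# $WindowSeconds are arbitrary defaults, not values from the post.
param(
    [int]$Days = 7,             # how far back to search
    [int]$WindowSeconds = 300   # how close a 1530 must be to a 6003 to be paired
)

$filter = @{
    LogName   = 'Application'
    Id        = 6003, 1530
    StartTime = (Get-Date).AddDays(-$Days)
}

# Get-WinEvent raises an error when nothing matches, so suppress it and force an array.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
            Sort-Object TimeCreated)
$profileEvents = @($events | Where-Object { $_.Id -eq 1530 })

$report = foreach ($e in ($events | Where-Object { $_.Id -eq 6003 })) {
    # The subscriber name is delimited in the message text, e.g. [TrustedInstaller].
    $subscriber = if ($e.Message -match '[\[<](?<name>[^\]>]+)[\]>]') {
        $Matches['name']
    } else {
        'unknown'
    }

    # Profile-unload warnings within the pairing window of this 6003 event.
    $near = @($profileEvents | Where-Object {
        [math]::Abs(($_.TimeCreated - $e.TimeCreated).TotalSeconds) -le $WindowSeconds
    })

    New-Object PSObject -Property @{
        Time          = $e.TimeCreated
        Subscriber    = $subscriber
        ProfileEvents = $near.Count
    }
}

$report | Select-Object Time, Subscriber, ProfileEvents | Format-Table -AutoSize

# Report (do not change) the state of the service the quoted post points at.
$svc = Get-Service -Name TrustedInstaller -ErrorAction SilentlyContinue
'TrustedInstaller service status: ' + $(if ($svc) { $svc.Status } else { 'not found' })
```

Rows whose Subscriber column reads TrustedInstaller and that fall after an update installation match the pattern the forum post describes.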
- Microsoft Live Search: Vista Cannot Connect to the System Event Notification Service.
- Microsoft MSDN Forums: Limited User account cannot log on due to error: "could not connect to the system event notification service"
- Tablet Questions.com: Event 1530, User Profile Service (Specific to the Event ID 1530)