Saturday 27 October 2007

Windows Vista - Error - Windows could not connect to the System Event Notification Service service

We have a virtual machine with Vista Business installed on it that is connected to our internal domain.

It is being used for some particular network and application testing for our environment.

Every once in a while, it is impossible for any restricted level user to log onto the machine.

We get the following error:

Windows could not connect to the System Event Notification Service service.
Please consult your system administrator.

Well, we are the system administrator! ;)

After a great deal of searching around, there doesn't seem to be any "fix" for the situation yet.

The workaround is to reboot the system and hope for the best. In our case, it works, but in investigating this problem, there are people out there supporting classroom systems that are having this hiccup during classes on several hundred machines.

Here is a direct quote from user iquazee, about halfway down the MSDN Forum thread "Limited User account cannot log on due to error: 'could not connect to the system event notification service'" (note that the registry keys are continuous ... they are broken into two lines for formatting reasons):

I did some investigation with a debugger when the problem occurred again on my computer.
And here is what I found so far:

1. Although Vista no longer supports Winlogon Notification Packages, there is still a similar mechanism in place used internally by Windows components (see HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet
... \Control\Winlogon\Notifications\Components).
It is quite different though - instead of loading each component as an in-process DLL, the new mechanism uses RPC to communicate with the registered components, and each of them runs as a separate service.

What's interesting, the System Event Notification Service, which is the official replacement for now-unsupported Winlogon notification packages, depends on this mechanism (see HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet
... \Control\Winlogon\Notifications\Components\Sens).

2. When a logon event occurs (this can be a logon, logoff, lock, unlock, etc.) Winlogon calls each of these 'components' (by binding to a predefined RPC endpoint, the endpoint name seems to be derived from the service SID of each service that is registered for the logon notifications).

There seems to be a timeout if the registered service does not respond quickly enough - about a couple of minutes.

3. If some service fails to respond to the logon event, it may cause the logon to fail.

However, it seems that if the user is a local administrator, the logon does not fail (although it may be slow due to the timeouts).

4. It seems that the service which causes the most problems is the TrustedInstaller service.

This service is used to install Windows components, including Windows updates (.MSU files).

It is not used for the installation of 'normal' Windows Installer (.MSI) packages.

What I found is that sometimes, after installation of an update the TrustedInstaller service stops responding to the Winlogon notifications, causing the problem.

The Windows Defender service is not the cause of the problem.

However, when Windows Defender is enabled, most updates installed by Windows Update are the Windows Defender definition updates.

5. The workaround is to kill the TrustedInstaller.exe service using Task Manager (it cannot be stopped otherwise).

Of course, you should not do that while an update is being installed.

The TrustedInstaller service will be automatically restarted when needed (for example, when you use Windows Update).

This is a pretty good description of what is happening in the event logs.

Here is the first error we see:

Event ID 1530: User Profile Service - Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.
Process ID 868

It is followed by:

Event ID 6003: Winlogon - The winlogon notification subscriber [TrustedInstaller] was unavailable to handle a critical notification event.

Both errors occurred around the time the restricted user was trying to log onto the Vista virtual machine.

In this case, as indicated in the earlier posts in the MSDN Forums thread (the MSDN link above, starting at the first page), the process ID that was holding onto the registry was indeed Windows Defender.

So, we may be seeing another bug within the Update Services setup within Windows Vista. Not that we are software debuggers by any means! :D
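The pairing described above (an Event ID 6003 naming the unresponsive subscriber, with an Event ID 1530 logged close to it in time) can be checked across an exported event log. This is an added example, not part of the original post: the record layout, the sample timestamps and the `failed_logon_notifications` helper are assumptions, and the sample messages are constructed from the two events quoted above.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records as (timestamp, event ID, message). The message
# texts follow the two events quoted in the post; the timestamps are made up.
SAMPLE_EVENTS = [
    ("2007-10-27 09:14:02", 1530, "Windows detected your registry file is still in use by "
     "other applications or services. The file will be unloaded now. Process ID 868"),
    ("2007-10-27 09:16:10", 6003, "The winlogon notification subscriber [TrustedInstaller] "
     "was unavailable to handle a critical notification event."),
    ("2007-10-27 11:40:31", 6003, "The winlogon notification subscriber [TrustedInstaller] "
     "was unavailable to handle a critical notification event."),
    ("2007-10-27 13:05:00", 1000, "Unrelated application event."),
]

SUBSCRIBER_RE = re.compile(r"notification subscriber \[([^\]]+)\]")
PID_RE = re.compile(r"Process ID (\d+)")
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def failed_logon_notifications(events, window_minutes=5):
    """Return one dict per Event ID 6003: the subscriber it names and the
    process IDs from any Event ID 1530 logged within the time window."""
    window = timedelta(minutes=window_minutes)
    parsed = [(datetime.strptime(ts, TIME_FMT), eid, msg) for ts, eid, msg in events]
    # Keep the time of every 1530 event together with its PID match (may be None).
    hive_events = [(t, PID_RE.search(m)) for t, eid, m in parsed if eid == 1530]
    findings = []
    for when, eid, msg in sorted(parsed):
        match = SUBSCRIBER_RE.search(msg) if eid == 6003 else None
        if not match:
            continue  # not a 6003, or a 6003 whose message names no subscriber
        pids = sorted({int(p.group(1)) for t, p in hive_events
                       if p and abs(when - t) <= window})
        findings.append({"time": when.strftime(TIME_FMT),
                         "subscriber": match.group(1),
                         "hive_in_use_pids": pids})
    return findings


if __name__ == "__main__":
    for finding in failed_logon_notifications(SAMPLE_EVENTS):
        print(finding)
```

A 6003 finding with an empty PID list means no 1530 event was logged near it, so the subscriber named in the message is the only lead for that occurrence.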

Hopefully we will be seeing at least a hotfix sometime soon!

Philip Elder
Microsoft Small Business Specialists



Anonymous said...

It's been a year since this bug was discussed, but I still can't find a fix for it on the net. Before, I got this error randomly, but now it just went mad on me - I can't work with my computer after every restart...

Philip Elder Cluster MVP said...

We have not seen it in a very long time.

Are you on a domain?


ViPeR5000(Rui Melo) said...

look to this

How To fix

Anonymous said...

Does anyone know if MS is aware of this issue and is working on it? I have seen this on two machines, one in my home. It is driving me nuts...

Anonymous said...

Seeing this problem also, so this is August 2009, just applying Vista SP2 to see if this corrects. I will then try the article.

Real pain, error messages do not state why the service doesn't start, only that it times out after 30 seconds. Do wonder that this is a permissions issue. But the service is running under the system account.