The winlogon notification subscriber <TrustedInstaller> was unavailable to handle a critical notification event.
I did some investigation with a debugger when the problem occurred again on my computer and here is what I found so far:
1. Although Vista no longer supports Winlogon Notification Packages, there is still a similar mechanism in place used internally by Windows components (see HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Winlogon\Notifications\Components).
It is quite different though - instead of loading each component as an in-process DLL, the new mechanism uses RPC to communicate with the registered components, and each of them runs as a separate service.
What's interesting, the System Event Notification Service, which is the official replacement for now-unsupported Winlogon notification packages depends on this mechanism (see HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Winlogon\Notifications\Components\Sens).
2. When a logon event occurs (this can be a logon, logoff, lock, unlock, etc.) Winlogon calls each of these 'components' (by binding to a predefined RPC endpoint, the endpoint name seems to be derived from the service SID of each service that is registered for the logon notifications).
There seems to be a timeout if the registered service does not respond quickly enough - about a couple of minutes.
3. If some service fails to respond to the logon event, it may cause the logon to fail.
However, it seems that if the user is a local administrator, the logon does not fail (although it may be slow due to the timeouts).
4. It seems that the service which causes the most problems is the TrustedInstaller service.
This service is used to install Windows components, including Windows updates (.MSU files).
It is not used for the installation of 'normal' Windows Installer (.MSI) packages.
What I found is that sometimes, after installation of an update the TrustedInstaller service stops responding to the Winlogon notifications, causing the problem.
The Windows Defender service is not the cause of the problem.
However, when Windows Defender is enabled, most updates installed by Windows Update are the Windows Defender definition updates.
5. The workaround is to kill the TrustedInstaller.exe service using Task Manager (it cannot be stopped otherwise).
Of course, you should not do that while an update is being installed.
The TrustedInstaller service will be automatically restarted when needed (for example, when you use Windows Update).
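
The following PowerShell is an added example, not part of the original comment: it lists the components registered under the Winlogon notifications key named above and shows the state and process ID of the service behind each one. It assumes each subkey name is also the service name (the comment shows this only for Sens and TrustedInstaller) and needs Windows PowerShell 3.0 or later.

```powershell
# Added example: enumerate Winlogon notification components and the
# service each one maps to. Read-only; changes nothing on the system.
# Assumption: the subkey name under Components equals the service name.
$root = 'HKLM:\SYSTEM\CurrentControlSet\Control\Winlogon\Notifications\Components'

if (Test-Path -LiteralPath $root) {
    $report = foreach ($key in Get-ChildItem -LiteralPath $root) {
        $name = $key.PSChildName

        # Win32_Service exposes State, StartMode and the hosting ProcessId.
        $svc = Get-CimInstance -ClassName Win32_Service `
                   -Filter "Name='$name'" -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Component = $name
            Service   = if ($svc) { $svc.Name } else { '(no matching service)' }
            State     = if ($svc) { $svc.State } else { $null }
            StartMode = if ($svc) { $svc.StartMode } else { $null }
            # ProcessId is 0 for a stopped service; report it only when running.
            ProcessId = if ($svc -and $svc.ProcessId) { $svc.ProcessId } else { $null }
        }
    }

    $report | Sort-Object Component | Format-Table -AutoSize
}
else {
    Write-Warning "Key not found: $root"
}
```

A component whose service is in the Running state at the time the event is logged is the one to compare against the name in the event text.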