Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 7022 Source: ServiceControlManager

The <service name> service hung on starting.
Service: Automatic Updates - We are experiencing a delay at startup time on all our XP clients with Automatic Update version 7.4.7600.226 with an entry in the event log event id 7022 - "The Automatic Updates service hung on starting." After a few seconds the system log shows that this service is successfully started.

Workaround/fix (maybe temporary depends on environment):
It looks like we found the Policy/Agent conflict for our environment. We have the "Download missing COM components" policy enabled in our GPO (Computer Configuration -> Administrative Templates -> System) Disabling or setting to Not Configured appears to be resolving the slowness/service hanging.
Service: Adaptec I/O Manager Server - This error comes together with 7034 ("The Adaptec I/O Manager Server service terminated unexpectedly.  It has done this n time(s)"). To resolve this modify the following registry entry:
Remove the quotes at the beginning and the end of the REG_EXPAND_SZ value of ImagePath
See also the "I/O Manager Server Service hung on starting" link.
Service: Office Communications Server Front-End. As per ME968100, this problem occurs because the cross-database chaining option has been disabled for the RTC database and for the RTCDyn database. The article describes how to allow cross-database ownership chaining for the RTC database and for the RTCdyn database.
- Service: "COM+ Event System" - See ME930220.
- Service: "World Wide Web Publishing" - See ME922727.
- Service: "Simple Mail Transport Protocol (SMTP)" - See ME922727.
- Service: "FTP Publishing Service" - See ME922727.
- Service: "Messenger" - See WITP73417.
- Service: "SMS Remote Control Server Agent" - See ME265887.
- Service: "DHCP Client" - See ME927269.
- Service: Messenger - See ME268091.
- Service: User Name mapping - See ME833605.
- Service: SNMP - See ME163595.
- Service: SMS Remote Control Agent - As per Microsft: "This problem may occur if the Systems Management Server site property setting for Windows NT Remote Control is configured to use a protocol that is not installed on the Windows NT target system". See ME191335 for more details.
- Service: Server - See ME266054.
- Service: Backup Exec Job Engine - See the link to "Veritas Support Document ID: 23870".
- Service: Backup Exec Server - See "Veritas Support Document ID: 269216".
- Service: Backup Exec (tm) Remote Agent for Windows Servers - See "Veritas Support Document ID: 276906".
- Service: Citrix Licensing WMI - See "Citrix Support Document ID: CTX108390".
- Service: OfficeScanNT RealTime Scan - See "Trend Micro Support Solution ID: 127190".

- Service: Kerberos Key Distribution Center - From a newsgroup post: "Per my research, Event ID 20 and 7022 could occur if the current Win2k3 SP1 machine cannot contact a valid CA (Certificate Authority). CA can issue many different types certificate and smart card is a one among them. For example, you installed CA on one DC and removed CA from it; however, the Win2k3 SP1 machine still wants to contact the original CA. In this case, Event ID 20 is logged.
Once the CA has been taken down, the certificates that have been issued to all the domain controllers need to be removed. This can be done quite easily using DSSTORE.EXE from the Resource Kit. To remove old domain controller certificates, use the following steps.

Step 1:
At the command prompt on a domain controller, type "certutil -dcinfo deleteBad"

To do so:
1. Install the Windows Support Tools from the Support\Tools folder in the Windows Server 2003 DC.
2. Go to command prompt, type "certutil - dcinfo deleteBad" (without the quotation marks)
3. Clean out KDC 20 warnings in the System Event Log.
4. Restart the DC and then check if the issue is fixed.

Step 2:
I suspect that the issue may be related to the DCOM protocol. Windows Server 2003 SP1 introduces enhanced default security settings for the DCOM protocol. Specifically, SP1 introduces more precise rights that give an administrator independent control over local and remote permissions for launching, activating, and accessing COM servers.
Windows Server 2003 SP1 introduces enhanced default security settings for the DCOM protocol. Specifically, SP1 introduces more precise rights that give an administrator independent control over local and remote permissions for launching, activating, and accessing COM servers.
As the Windows Server 2003 Certificate Services provides enrollment and administration services by using the DCOM protocol, I suspect that it may be the cause of the problem.
1. Please check to ensure that a new security group, CERTSVC_DCOM_ACCESS, has been created after applied the SP1.
2. Please add the "Domain Users", "Domain Computers", "Domain Controllers" groups to the new CERTSVC_DCOM_ACCESS security group.
3. Then, we can have Certificate Services update the DCOM security settings by running the following commands:
certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
net stop certsvc
net start certsvc
Please check if the problem has been fixed.

Step 3:
Reissue a domain controller certificate:
1. Click Start -> Run -> type "mmc" (without the quotation marks) and press Enter.
2. Click File -> Add/Remove Snap-in. Click the Add button and select Certificate snap-in. Select Computer account.
3. In the certificate console, navigate to Personal\Certificates. Right-click the folder and choose Request new certificate.
4. Follow the wizard to request a Domain Controller certificate.
5. Reboot the computer to see if the problem is resolved".

This event appears when a service is stuck in the start pending state. The service failed to indicate that it is making progress within the time period indicated in its last status message. See MSW2KDB for more details on this problem.

- Service: "Distributed Link Tracking Client" - This event started to appear after the computer hardware monitoring software named Supero Doctor III Client was installed. Other symptoms were Windows hanging and Control Panel with blank icons. Uninstall Supero Doctor III Client or obtain a later version.
- Service: World Wide Web Publishing - In my case, this problem by the fact that the metabase file became corrupt (0 bytes in size). The metabase file is kept in “<system32 dir>\inetsrv\metaBase.bin”. To resolve this problem restore the metabase file from the most recent backup. In my case, this was “metaBase.bin.tmp”. Another place to look is “<system32 dir>\inetsrv\MetaBack”.
- Service: DNS - We have encountered this error under Windows 2000 Server on multiple DCs on an enterprise level network. Despite the “hung” notice, the DNS service will start about 10 minutes later. Microsoft has suggested this may be due to the size of the AD Forest. We were already pushing the limits of AD in 2000 and thus have upgraded to Windows Server 2003. This seems to have helped us get rid of this error.
- Service: BITS - See ME839091 for information about this problem on Microsoft Windows Server 2003.
- Service: Terminal Services - I received EventID 7022 on the server during an attempt to start the Terminal Services service. According to Microsoft, this behavior can occur if the Terminal Services component is not installed or is disabled. To fix this problem add the Terminal Services component by using the Add/Remove Programs tool in Control Panel before attempting to start the service. For reference, see ME222146.
- Service: McAfee Framework Service - This behavior can occur if the McAfee Framework service takes more than 30 seconds to start. Microsoft Windows NT is designed to log any service taking more than 30 seconds to start as an error. This issue only occurs on some Windows NT systems and is resolved in Windows 2000 and above.
- Service: Microsoft Exchange Management: This occurred on a production two-node cluster, running Microsoft Exchange 2000 on one node and SQL 2000 on another. Someone had installed an SQL application that "updated" some system files on node one. During a failover test, from node two, the exchange services could not start on node one. Upon rebooting node one, the 7022 error would appear in the system event log. I re-applied service pack 3 for exchange 2000. The error went away and the service restarted successfully.
This message indicates that a specific service attempted to start but hung. It is a Service Control Manager message and not a message from the application or service that did not start. Look for more errors from the application or service itself in order to troubleshoot this problem.

- Service: "Background Intelligent Transfer Service" - See ME314862.
- Service: "Commerce Server Predictor" - See ME298550.
- Service: "Computer Browser" - See ME135345.
- Service: "Distributed File System" - See ME307734.
- Service: "Distributed Transaction Coordinator" - See ME290637.
- Service: "Messenger" - See ME224083, ME199352.
- Service: "Microsoft Exchange IMAP4 Service" - See ME233042.
- Service: "Microsoft Exchange Information Store" - See ME308601.
- Service: "Microsoft ISA Server Control Service" - See ME288247.
- Service: "MS Exchange Information Store". See ME308601
- Service: "PRLNTSS.SYS". - See ME129115.
- Service: "Removable Storage" - See ME316500.
- Service: "RPC" - See ME266208.
- Service: "Server" - See ME137399, ME319127.
- Service: "Service Control Manager" - See ME315951.
- Service: "Site Server LDAP Service". See ME317497.
- Service: "SNA DDM" - See ME183556.
- Service: "SNMP" - See ME163595.
- Service: "Windows Internet Name Service" - See ME205100.
- Service: "World Wide Web Publishing" - See ME295162, ME328512, ME278959.
- Services (Several): Exchange and IIS services: The ME322835 article solved my problem.

- Service: "Netlogon". See ME315951.
- Service: World Wide Web Publishing Service. See ME328512.
- Service: "Removable Storage". See MS Article ME316500.
- Service: License Logging - See ME153140.
- Service: World Wide Web Publishing Service. See ME251143.
- Service: BITS: I found the ME314862 on Technet regarding this "BITS" service and they have a service pack mini update for download and install. I checked the service prior to installing the update and sure enough it was in "starting" mode for approx 2.5 minutes. Applied the fix and started with no errors in event viewer.

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to



Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.