Home  ›  Windows Service Failed to Start in a Timely Fashion

Windows Service Failed to Start in a Timely Fashion

Written By Sunday, February 27, 2022 Add Comment Edit

Troubleshooting with Windows Logs

The about common reason people await at Windows logs is to troubleshoot a trouble with their systems or applications.

This article presents common troubleshooting use cases for security, crashes, and failed services. Examples demonstrate diagnosing the root cause of the trouble using the events in your logs. Remember to check warnings and errors proceeding a critical event to see the bigger picture.

Security Log Events

The Security log includes security-related events, especially those related to authentication and access. These logs are your best place to search for unauthorized access attempts to your organization.

The post-obit events are of detail value in the Security log:

Successfully Logged On

These events include all successful logon attempts to a system. Each effect includes categories of information:

  • Log details – log name, source, severity, event ID, and other log data.
  • Subject – business relationship name, domain, and security data about the login.
  • Logon data – type is the method used to log on, such as using the local or remote keyboard (over the network). This field value is expressed every bit an integer, the near common beingness 2 (local keyboard) and 3 (network). Additional details about the logon are also available.
  • Impersonation Level – how much authority is given to the server when it is impersonating the client.
  • New Logon – name, domain, and other details for the new logon for the business relationship that was logged on.
  • Process Information – name and ID of the originating process.
  • Network Information – name, IP address, and port where the remote logon request. originated. These values are left blank for local logins, or if the information tin can't be establish.
  • Detailed Authentication Information – details about this specific logon request.

For an explanation of all possible fields, search for your log'due south event ID. For example, successful login attempts have an issue ID of 4624, which are described here. This example shows a successful login event generated on the accessed system when a logon session is created.

Log Proper name:      Security  Source:        Microsoft-Windows-Security-Auditing  Date:          half-dozen/26/2019 4:32:47 AM  Outcome ID:      4624  Task Category: Logon  Level:         Information  Keywords:      Audit Success  User:          N/A  Computer:      EC2AMAZ-ES915Q9  Clarification:  An account was successfully logged on.     Subject area:  Security ID:         Cipher SID  Account Name:        -  Account Domain:      -  Logon ID:       0x0     Logon Information:  Logon Blazon:          3  Restricted Admin Mode:     -  Virtual Account:     No  Elevated Token:      Yes     Impersonation Level:       Impersonation     New Logon:  Security ID:         EC2AMAZ-ES915Q9\Ambassador  Business relationship Name:        Administrator  Business relationship Domain:      EC2AMAZ-ES915Q9  Logon ID:       0x2CA1ED0  Linked Logon ID:     0x0  Network Business relationship Name: -  Network Account Domain:    -  Logon GUID:          {00000000-0000-0000-0000-000000000000}     Process Information:  Procedure ID:          0x0  Process Proper noun:        -     Network Information:  Workstation Name:     EC2AMAZ-ES915Q9  Source Network Address:    -  Source Port:         -     Detailed Hallmark Information:  Logon Process:       NtLmSsp  Authentication Bundle:    NTLM  Transited Services:   -  Parcel Proper name (NTLM simply):  NTLM V2  Primal Length:          128

Failed to Log On

Cheque Windows Security logs for failed logon attempts and unfamiliar access patterns. Authentication failures occur when a person or application passes incorrect or otherwise invalid logon credentials. Failed logins have an outcome ID of 4625.
These events evidence all failed attempts to log on to a system. This could be due to someone trying to hack into a organization. However, it could also mean someone forgot his or her password, the business relationship had expired, or an application was configured with the wrong countersign. These events include the following pieces of data.

  • Log details – name, source, and other log information.
  • Subject field – account name, domain, and security information well-nigh the logon.
  • Logon type – method used to log on, such every bit using the local or remote keyboard (over the network). This field value is expressed as an integer, the most mutual being 2 (local keyboard) and 3 (network).
  • Account for Which Logon Failed – proper name, domain, and other details for the failed logon.
  • Failure Data – failure reason and condition of the try.
  • Process Information – name and ID of the originating process.
  • Network Data – name, IP address, and port where the remote logon asking originated. These values are left bare for local logins, or if the information can't be found.
  • Detailed Authentication Information – details almost this specific logon asking.

To learn more, y'all tin read a description of all the fields of this event.

Here is an example of an unsuccessful logon attempt generated by the accessed system when the attempt failed:

Log Proper noun:      Security  Source:        Microsoft-Windows-Security-Auditing  Engagement:          6/26/2019 4:42:52 AM  Event ID:      4625  Task Category: Logon  Level:         Information  Keywords:      Audit Failure  User:          N/A  Figurer:      EC2AMAZ-ES915Q9  Clarification:  An account failed to log on.     Subject:  Security ID:         Nil SID  Business relationship Name:        -  Account Domain:      -  Logon ID:       0x0     Logon Blazon:               iii     Account For Which Logon Failed:  Security ID:         NULL SID  Business relationship Name:        ADMINISTRATOR  Account Domain:     Failure Information:  Failure Reason:      Unknown user name or bad password.  Condition:              0xC000006D  Sub Condition:          0xC000006A     Procedure Information:  Caller Process ID:    0x0  Caller Process Name:  -     Network Information:  Workstation Proper name:     -  Source Network Address:    80.64.102.xix  Source Port:         0     Detailed Authentication Information:  Logon Process:       NtLmSsp  Authentication Package:    NTLM  Transited Services:   -  Bundle Name (NTLM only):  -  Cardinal Length:          0

Application Failed to Log On

Well-written applications as well log hallmark failure events. Here's an example of a failed logon effort in SQL Server. It includes information nigh who attempted to log on and why the endeavor failed.

Log Proper noun:      Application  Source:        MSSQLSERVER  Date:          half-dozen/25/2019 4:42:52 AM  Event ID:      18456  Task Category: Logon  Level:         Information  Keywords:      Classic,Audit Failure  User:          N/A  Computer:      PSQ-Serv-1  Description:  logon failed for user 'sa'. Reason: Password did non lucifer that for the logon provided. [Client: <local automobile>]

Special Privileges Assigned

The Security log captures events when an account has been granted elevated privileges. Several different outcome IDs correspond to privilege assignment events, but outcome ID 4672 is for special privilege assignments. In this example, a user has been granted Local Ambassador privilege. The details show the new privilege, who granted it, and the grouping where the business relationship was added.

You can write custom scripts to filter these events for security audit reporting. You tin can also create a custom view to view these events.

These events include all successful logons by users with administrator privileges. The information includes items such as:

  • Log details – name, source, and other log information
  • Subject – account proper name, domain, and security information most the logon
  • Member – security ID and business relationship name added
  • Group – security ID, group proper noun and domain added
  • Privileges – list of all privileges assigned to the user

To learn more, you tin can read a description of all the fields of this log event.

Here's another instance of an elevated permissions event.

Log Name:      Security  Source:        Microsoft-Windows-Security-Auditing  Date:          six/26/2019 10:09:nineteen PM  Event ID:      4672  Task Category: Special Logon  Level:         Information  Keywords:      Audit Success  User:          N/A  Estimator:      EC2AMAZ-ES915Q9  Description:  Special privileges assigned to new logon.     Subject area:  Security ID:         EC2AMAZ-ES915Q9\Administrator  Account Name:        Administrator  Account Domain:      EC2AMAZ-ES915Q9  Logon ID:       0x38599B0     Privileges:          SeSecurityPrivilege  SeTakeOwnershipPrivilege  SeLoadDriverPrivilege  SeBackupPrivilege  SeRestorePrivilege  SeDebugPrivilege  SeSystemEnvironmentPrivilege  SeImpersonatePrivilege  SeDelegateSessionUserImpersonatePrivilege

Why Did My Server or Application Crash?

If yous're investigating why your server or application crashed, the Event log is a great place to kickoff looking. The Application and System logs tin tell y'all when and why a crash occurred. For example, it can give you a clue if this was due to a organisation or application trouble.

Almost all critical errors generate more than than one outcome log entry. At that place are usually a number of previous warnings or errors prior to the final critical mistake. When troubleshooting, be sure to look at the messages preceding the crash error.

To notice these events, filter your log information for a particular application name, then by critical or error events, and finally sort them by date. These are iii of the nigh mutual events when troubleshooting a crash:

  • Unexpected Reboot
  • Application Hang
  • Awarding Fault

Unexpected Reboot

An unexpected reboot error appears in the log when the system fails to shut down and restart gracefully. A likely cause of this error is the operating system stopped responding and crashed, or the server lost ability. Look for events preceding the reboot to see a possible root cause.

Here is an excerpt from an unexpected reboot event:

Log Name:      System  Source:        Microsoft-Windows-Kernel-Power  Appointment:          25-06-2019 01:13:56  Consequence ID:      41  Task Category: (63)  Level:         Disquisitional  Keywords:      (two)  User:          SYSTEM  Computer:      PSQ-Serv-1  Description:  The system has rebooted without cleanly shutting downwards kickoff. This mistake could exist caused if the organization stopped responding, crashed, or lost power unexpectedly.

Application Hang

An awarding hang fault appears in the Effect log when a plan running in your server stops responding. In this instance, your server'south hardware and the OS were functioning properly, but the application was either stuck in a loop or waiting for a resource that was non available.

This example shows how an awarding stopped responding to Windows and Windows shut it down.

Log Name:      Application  Source:        Awarding Hang  Appointment:          6/19/2019 8:31:53 PM  Event ID:      1002  Task Category: (101)  Level:         Error  Keywords:      Classic  User:          N/A  Computer:      WIN-AOTBQV71KQP  Description:  The program YourPhone.exe version 1.19053.13.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the trouble history in the Security and Maintenance control panel.     Process ID: 1428  Get-go Fourth dimension: 01d529e6311325cf  Termination Time: 4294967295  Awarding Path: C:\Program Files\WindowsApps\Microsoft.YourPhone_1.19053.13.0_x64__8wekyb3d8bbwe\YourPhone.exe  Study Id: 454e89c9-d311-4a7e-8650-da9016851456  Faulting package total proper noun: Microsoft.YourPhone_1.19053.13.0_x64__8wekyb3d8bbwe  Faulting bundle-relative application ID: App  Hang type: Quiesce

Awarding Fault

An awarding fault error appears in Event log when a program running in your server encounters a critical error. This fault is by and large a bug in the application code or an issue with memory running out. Here's an case of a faulty DLL for svchost.exe.

Log Name:   Application  Source:     Application Error  Date:       6/24/2019 8:35:59 AM  Event ID:   1000  Job Category: (100)  Level:      Error  Keywords:   Classic  User:       N/A  Calculator:   WIN-AOTBQV71KQP  Clarification:  Faulting application name: svchost.exe_SysMain, version: x.0.17763.one, time stamp: 0xb900eeff  Faulting module proper noun: sysmain.dll, version: 10.0.17763.503, fourth dimension stamp: 0x572b556e  Exception lawmaking: 0xc0000005  Fault kickoff: 0x000000000004a21c  Faulting process id: 0x798  Faulting application start fourth dimension: 0x01d529e58e7ac36d  Faulting application path: C:\WINDOWS\system32\svchost.exe  Faulting module path: c:\windows\system32\sysmain.dll  Report Id: 1d7447f6-a0bb-40e8-8905-47e79dff220e  Faulting bundle full name:  Faulting package-relative application ID:

Finding the Root Crusade of a Failed Service

A Windows service is a special kind of application that runs in the background and has its ain Windows session. People often want to know why a particular service did non start or run successfully.

You can notice service failures in the Awarding log by filtering on Service Control Managing director source and so filtering for critical or error events. Hither are common examples of failed service events.

  • Service Failed to Start
  • Service Timeout
  • Windows Update Failure
  • Scheduled Job Delayed or Failed

Service Failed to Start

This error is logged when a service fails to get-go normally. In this example, the Group Policy Customer did not outset in a timely fashion. The event and its bulletin indicate when the problem happened. Check the preceding messages to rails downwards the root cause.

Log Proper noun:      System  Source:        Service Control Manager  Date:          06-21-2019 ten:49:27  Issue ID:      7000  Task Category: None  Level:         Error  Keywords:      Classic  User:          N/A  Estimator:      PSQ-Serv-i  Description:  The Group Policy Client service failed to start due to the following error:  The service did not respond to the outset or control request in a timely style.

Service Timeout

A service timeout error appears when a service does not start within the expected menstruation of fourth dimension (default is iii seconds). Normally services are designed to start quickly and run continuously to spread out processing load. This error could be due to the service waiting for a resources that was non bachelor. This example shows an event generated from the Windows Error Reporting Service.

Log Name:      System  Source:        Service Control Manager  Date:          6/23/2019 xi:04:00 AM  Event ID:      7009  Task Category: None  Level:         Fault  Keywords:      Archetype  User:          N/A  Computer:      PSQ-Serv-1  Description:  A timeout was reached (30000 milliseconds) while waiting for the Windows Fault Reporting Service service to connect.

Windows Update Failure

One system administration task is to watch if computers in the network are declining to get Windows updates.

TheWindows Server Update Service (WSUS) is a patch direction tool that automatically downloads and applies patches and security updates for Microsoft products from the Microsoft website. In almost product installations, administrators want some sort of control over what patches are applied and when they go applied. This is to avoid unexpected behavior like automated reboots or applications breaking afterward a patch cycle. In many organizations, a centralized WSUS server is used to download all patches, and administrators then schedule their distribution. The condition of a Windows Update run is important to monitor.

In this example, a Microsoft update failed to install, and has generated an error code (0x80240017) we can wait upward for more data.

Log Proper noun:      Organisation  Source:        Microsoft-Windows-WindowsUpdateClient  Date:          five/31/2019 1:xiii:fourteen PM  Outcome ID:      xx  Chore Category: Windows Update Agent  Level:         Error  Keywords:      Failure,Installation  User:          Organization  Figurer:      nymph  Description:  Installation Failure: Windows failed to install the post-obit update with error 0x80240017: Definition Update for Windows Defender Antivirus - KB2267602 (Definition ane.293.2654.0).

Scheduled Task Delayed or Failed

Another service people often watch is the Windows Job Scheduler. It'southward similar to the Linux cron daemon. You tin can schedule and run programs, scripts, or commands on a recurring footing. Tasks can exist scheduled for specific times or run in response to a trigger. For example, a chore could be running a PowerShell backup script every dark or copying files to an FTP server one time every week.

The events generated from the Windows Task Scheduler tin help confirm if your tasks are running co-ordinate to the triggers and schedules you defined or if they are failing to launch. The Job Scheduler window has its own result viewer. Here is an example event from the log.

Log Name:      Microsoft-Windows-TaskScheduler/Operational  Source:        TaskScheduler  Logged:        half-dozen/26/2019 5:03:xix AM  Event ID:      201  Task Category: Activeness Completed  Level:         Information  Keywords:  User:          SYSTEM  Computer:      EC2AMAZ-ES915Q9  OpCode:        (2)  Description:  Task Scheduler successfully completed job \GoogleUpdateTaskMachineUA" , instance "{57a63bbe-3b27-4367-8f45-8853e7c306a5}" , action "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" with return code 0.

What other troubleshooting use cases exercise you run into? Add your comments and let u.s. know!

0 Response to "Windows Service Failed to Start in a Timely Fashion"

Post a Comment

Subscribe to: Post Comments (Atom)

Iklan Atas Artikel

Iklan Tengah Artikel 1

Iklan Tengah Artikel 2

Iklan Bawah Artikel