System Event Notification Service and User Profile Service Failures

Over the last 2 to 3 weeks we've seen an intermittent but increasing rise in the "System Event Notification Service" error appearing on Windows 8.1 devices. Initially it was the odd mobile device (DirectAccess connected) but has expanded to greater number of devices, some LAN connected and even a report of a single Windows 7 device.

When the SENS error is presented to an end user they are unable to logon. An administrative user is able to logon but experiences a blank desktop and no access to any applications. A message is presented relating to an issue with the System Account profile and the desktop folder (we've copied a user profile desktop folder across and there's been no effect).

The solution has been to remotely manage the device and start the offending services which have failed:

  • System Event Notification Service
  • Themes
  • User Profile Service

This resolves the issue and given the intermittent nature, fixes this permanently (no reports for weeks) or fixes for a day or two.

Key points from the investigation so far:

  • The devices are all running Windows 8.1 Enterprise - initially only mobile devices were affected but as of today we've had reports of desktop devices being affected too.
  • Some of the devices affected have been set aside for internal testing; they've worked without issue for over a year and in that period have been excluded from the WSUS managed updates. The only update they receive on a daily basis is EndPoint Protection definitions. There's been no new software deployed.
  • The event logs reveal general warnings relating to connectivity (mobile devices) but this is often because the devices have a waiting period for a Wi-Fi or mobile broadband connection and then the DirectAccess connection
  • A system file scan has only revealed one error relating to a Canon printer driver which cannot be fixed. We don't utilise any Canon printers. Other than that there have been no new drivers or services implemented.

I've noted some other reports in the forum but nothing that definitively identifies the cause so any suggestions would be very much appreciated.

Many thanks

July 29th, 2015 6:51am

To follow up to this, we've now identified the cause, the Windows Update Service is crashing affecting the svchost process which in turn is affecting services dependent on that. Most services recover except the 3 listed above. On one of the devices this appears to occur on a trigger of every 4.5 hours although that doesn't seem to tie in with ConfigMgr client policy or any scheduled task. The following describes the error.

Log Name:      Application
Source:        Application Error
Date:          23/07/2015 20:02:47
Event ID:      1000
Task Category: (100)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      compname
Description:
Faulting application name: svchost.exe_wuauserv, version: 6.3.9600.16384, time stamp: 0x5215dfe3
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x00007ffd6729b000
Faulting process ID: 0x298
Faulting application start time: 0x01d0c51a5806873d
Faulting application path: C:\WINDOWS\system32\svchost.exe
Faulting module path: unknown
Report ID: 67d83f5c-316d-11e5-827f-6002920a5d9d
Faulting package full name:
Faulting package-relative application ID:
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Application Error" />
    <EventID Qualifiers="0">1000</EventID>
    <Level>2</Level>
    <Task>100</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-07-23T19:02:47.000000000Z" />
    <EventRecordID>27629</EventRecordID>
    <Channel>Application</Channel>
    <Computer>compname</Computer>
    <Security />
  </System>
  <EventData>
    <Data>svchost.exe_wuauserv</Data>
    <Data>6.3.9600.16384</Data>
    <Data>5215dfe3</Data>
    <Data>unknown</Data>
    <Data>0.0.0.0</Data>
    <Data>00000000</Data>
    <Data>c0000005</Data>
    <Data>00007ffd6729b000</Data>
    <Data>298</Data>
    <Data>01d0c51a5806873d</Data>
    <Data>C:\WINDOWS\system32\svchost.exe</Data>
    <Data>unknown</Data>
    <Data>67d83f5c-316d-11e5-827f-6002920a5d9d</Data>
    <Data>
    </Data>
    <Data>
    </Data>
  </EventData>
</Event>

Free Windows Admin Tool Kit Click here and download it now
July 29th, 2015 11:21am

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics