Event ID: 6005

Source
Level
Description
The winlogon notification subscriber <subscriber> is taking long time to handle the notification event.
Comments
 
On two Windows 2012 R2 servers it was impossible to log on. The server remained unresponsive. I was able to log on using safe mode, then I noticed an Event ID 6005.

The following setting change solved my problem:
- change all services which are set to start automatically to "automatic (delayed start)"
I had events 6005 and 6006 (83 seconds) on a Windows 2008 R2 SP1 member server running SQL 2008 R2 SP2 with 2 instances. One instance is using SQL Server Reporting Services. Changing the StartupType of SQL Server Reporting Services from 'Automatic' to 'Automatic (Delayed Start)' caused the warnings to disappear.
I had this event when a server would not log on and would hang at "Applying User Settings". I eventually found the resolution to this problem at ME2004121.
By setting "Network Connections -> Advanced settings -> Provider Order -> Microsoft Windows Network first -> reboot" this problem was solved on two servers.
In my case it was TrendMicro AntiVirus that was causing this long boot procedure. I've uninstalled TrendMicro and the boot procedure into Windows was working fast.


This event came from the TrustedInstaller module and occurred during Windows Update. This event seems to have stopped after installing SP1. Some research indicates this was a known bug.
From a support forum: "I found that this is happening (long login times) only on certain hardware. On a different hardware platform, my test login was between 45 sec to 1 min, this is ok for a domain environment with lots of group policies. However, when I looked at the network driver, I found that the driver belongs to Microsoft, I updated the NIC driver from Intel and Broadcom (new version), and the login is back to normal at last. I have to say that I only did this for a few machines and tested with one test account, but I am quite sure that the long login issue is because Vista is using its own driver for your network card and that is where the problem is coming from."
A Microsoft support engineer suggested that one should disable any login scripts to see if the login time is returned to normal. If it is, then the login script should be troubleshot for the introduced delays.
One user reported that this event was caused by the antivirus (disabling it caused the problem to go away).
In my case, it turns out that a wireless HP printer that I have tries to load a network service (HP CUE DeviceDiscovery Service), the service fails and so the computer spends cycles trying to rediscover the printer. If I either disable this service or turn the printer off, the machine boots a lot faster.
See also the comments for event id 6006 from Winlogon (link below). Event 6005 and 6006 are in most cases recorded together.
