Troubleshooting service startup issues with Process Monitor

Many things can cause a service, such as IIS’s World Wide Web Publishing Service, to fail on startup. When troubleshooting such an issue, Process Monitor can be an invaluable tool: it monitors all file and registry access on the system in real time. The latest version of Process Monitor can be obtained here.

Most of the time, we use this tool to troubleshoot Access Denied related issues. In those scenarios, Process Monitor shows exactly what user account tried to access what file or registry key when the Access Denied error occurred.

Troubleshooting a service startup issue when it’s not a simple Access Denied scenario

When the issue is not Access Denied, it can be difficult to track down the root cause using Process Monitor. Below is an issue I worked on recently that’s a perfect example of this.

Problem - When attempting to start the World Wide Web Publishing Service, a popup with the error message below appears:

Windows could not start the World Wide Web Publishing Service on Local Computer. For more information, review the System Event log. If this is a non-Microsoft service, contact the service vendor, and refer to service-specific error code -2147221164.

One or more of the following events are found in the System Event Log:

Event Type: Error
Event Source: W3SVC
Event Category: None
Event ID: 1036
Description:
A failure occurred while initializing the configuration manager for the World Wide Web Publishing Service. The data field contains the error number.

For more information, see Help and Support Center at https://go.microsoft.com/fwlink/events.asp.
Data:
0000: 80040154

Event Type: Error
Event Source: W3SVC
Event Category: None
Event ID: 1005
Description:
The World Wide Web Publishing Service is exiting due to an error. The data field contains the error number.

For more information, see Help and Support Center at https://go.microsoft.com/fwlink/events.asp.
Data:
0000: 80040154

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7024
Description:
The World Wide Web Publishing Service service terminated with service-specific error 2147746132 (0x80040154).

For more information, see Help and Support Center at https://go.microsoft.com/fwlink/events.asp.

Here are the steps I took to capture the necessary information using Process Monitor:

  1. Launch Process Monitor.

  2. Run net start w3svc from a command prompt to reproduce the issue.

    Microsoft Windows [Version 5.2.3790]
    (C) Copyright 1985-2003 Microsoft Corp.

    C:\>net start w3svc
    The World Wide Web Publishing Service service is starting.
    The World Wide Web Publishing Service service could not be started.

    A service specific error occurred: 2147746132.

    More help is available by typing NET HELPMSG 3547.

  3. Click the magnifying glass icon in Process Monitor to stop the capture.

Process Monitor logs a lot of data, so it’s best to filter the output accordingly. To get an idea of where to start, I searched for error 80040154 from the event log entries and found that it means “Class not registered”. Since “Class not registered” is caused by something missing in the registry, I looked for a Result of “NAME NOT FOUND” in the Process Monitor output.

As you’ll quickly find out, “NAME NOT FOUND” occurs all the time. This is because programs search different locations for something until they find it, at which point a result of “SUCCESS” appears.

The way I found to make this easier to troubleshoot is to capture another Process Monitor log on a server where the World Wide Web Publishing Service starts successfully and then filter both logs for the specific process that is failing.

Here’s how to configure the filter for IIS 6.0 on Windows Server 2003.

  1. In Process Monitor, click Filter/Filter…
  2. Select “Command Line” and “is” for the first two drop-down lists.
  3. Then enter C:\WINDOWS\System32\svchost.exe -k iissvcs and click Add.

Comparing the output from both servers, I found the following difference:

On server where W3SVC fails

On server where W3SVC works

Here the HKEY_CLASSES_ROOT\AppID\{A9E69610-B80D-11D0-B9B9-00A0C922E750}\LocalService value was missing from the registry on the server where the service failed to start, but was present on the server where it succeeded.
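The same comparison can be scripted once both filtered captures are saved from Process Monitor as CSV. The sketch below is an added example, not part of the original post: it assumes the default CSV columns, the function names are hypothetical, and the sample rows are constructed. It reports paths that only ever returned “NAME NOT FOUND” on the failing server but returned “SUCCESS” on the working one, which drops the lookups that miss on both machines.

```python
import csv
import io

# Constructed sample rows using Process Monitor's default CSV columns.
HEADER = '"Time of Day","Process Name","PID","Operation","Path","Result","Detail"\n'
KEY = r"HKCR\AppID\{A9E69610-B80D-11D0-B9B9-00A0C922E750}\LocalService"
# Constructed noise: a lookup that misses on both servers.
NOISE = r"HKCU\Software\Classes\AppID\{A9E69610-B80D-11D0-B9B9-00A0C922E750}"

def sample_row(path, result):
    return f'"10:00:00.0000000","svchost.exe","1234","RegQueryValue","{path}","{result}",""\n'

FAILING_CSV = HEADER + sample_row(NOISE, "NAME NOT FOUND") + sample_row(KEY, "NAME NOT FOUND")
WORKING_CSV = HEADER + sample_row(NOISE, "NAME NOT FOUND") + sample_row(KEY.upper(), "SUCCESS")

def results_by_path(fileobj):
    """Return {lowercased path: (path as logged, set of Result values)}."""
    seen = {}
    for rec in csv.DictReader(fileobj):
        # Registry and NTFS paths are case-insensitive, so key on lower case.
        entry = seen.setdefault(rec["Path"].lower(), (rec["Path"], set()))
        entry[1].add(rec["Result"])
    return seen

def missing_on_failing(failing, working):
    """Paths never found on the failing server but found on the working one."""
    fail, work = results_by_path(failing), results_by_path(working)
    suspects = []
    for key, (path, results) in fail.items():
        # Skip paths that were eventually found on the failing server too.
        if "NAME NOT FOUND" not in results or "SUCCESS" in results:
            continue
        if "SUCCESS" in work.get(key, ("", set()))[1]:
            suspects.append(path)
    return sorted(suspects)

if __name__ == "__main__":
    # For saved exports, open(path, newline="", encoding="utf-8-sig")
    # tolerates a leading byte-order mark in the file.
    for path in missing_on_failing(io.StringIO(FAILING_CSV), io.StringIO(WORKING_CSV)):
        print(path)
```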

Resolution

To resolve the issue, use regedit.exe to export the missing key from the working server and import it to the server that fails. Running IISRESET from a command prompt was also required here to resolve the issue.