You may get a service timeout from a signed .NET (managed) service application while the system is doing a revocation check of the certificate over the internet.

You may get a service timeout from your signed .NET service application while the OS does a revocation check to verify the certificate that signed the EXE.

The timeout occurs because a worker thread is waiting for a response from the CDP (CRL Distribution Point) server in order to validate the certificate in the digital signature of the service executable against the Certificate Revocation List (CRL).

The CDP is usually an HTTP address, so the request is made over port 80.
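
One way to confirm that an unreachable CDP is what stalls startup, as an added example that is not from the original post: this PowerShell script reads the signing certificate chain of the service executable and times an HTTP request to each CRL distribution point it lists. The executable path is a hypothetical placeholder, and the `URL=` pattern assumes the text Windows produces when it formats the extension.

```powershell
# Added diagnostic example; the default path below is a hypothetical placeholder.
param([string]$ExePath = 'C:\Services\MyService.exe')

$sig = Get-AuthenticodeSignature -FilePath $ExePath
if (-not $sig.SignerCertificate) { throw "No Authenticode signer certificate found on $ExePath" }

# Build the chain without revocation checking, so the script itself
# does not block on the lookup it is trying to diagnose.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
[void]$chain.Build($sig.SignerCertificate)

$results = foreach ($element in $chain.ChainElements) {
    $cert = $element.Certificate
    # 2.5.29.31 is the CRL Distribution Points extension.
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $cdp) { continue }   # root certificates normally carry no CDP

    # Assumption: Windows formats each entry as "URL=<address>".
    $urls = [regex]::Matches($cdp.Format($true), 'URL=(https?://\S+)') |
        ForEach-Object { $_.Groups[1].Value }

    foreach ($url in $urls) {
        $timer = [System.Diagnostics.Stopwatch]::StartNew()
        try {
            $resp = Invoke-WebRequest -Uri $url -Method Head -TimeoutSec 10 -UseBasicParsing
            $outcome = "HTTP $($resp.StatusCode)"
        } catch {
            $outcome = "FAILED: $($_.Exception.Message)"
        }
        $timer.Stop()
        [pscustomobject]@{
            Subject = $cert.Subject
            CdpUrl  = $url
            Outcome = $outcome
            Seconds = [math]::Round($timer.Elapsed.TotalSeconds, 1)
        }
    }
}
$results | Format-Table -AutoSize -Wrap
```

Run it on the host where the service times out, preferably under the same account the service uses, since proxy and firewall rules can differ per account. A CDP that fails or takes many seconds to answer accounts for the delay described above.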

Reason behind the service timeout

1. When a .NET service starts, the Service Control Manager (SCM) waits until the service reports a status of SERVICE_RUNNING. The .NET Framework ServiceBase implementation will report SERVICE_RUNNING to Service Control Manager (SCM) only when OnStart() returns.

2. It is recommended that a service reports this status of SERVICE_RUNNING to SCM as quickly as possible, as other components in the system that require interaction with SCM will be blocked during this time.

3. The service must be designed to return from OnStart as quickly as possible; possibly within the first 30 seconds. It is critical that OnStart() returns quickly. You have 30 seconds (absolute time, not thread execution time) between the Service Control Manager (SCM) calling CreateProcess to start the service process and the service code returning from OnStart().

To resolve this you can disable revocation checking from a configuration file. For details please look at KB article

In short, it describes the generatePublisherEvidence configuration setting available in Microsoft .NET Framework 3.0. It says to create an application configuration file named <ApplicationName>.exe.config containing the following:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <runtime>
        <generatePublisherEvidence enabled="false"/>
    </runtime>
</configuration>

Shamik Misra
