After deploying recent Windows updates to our server fleet, one particular Terminal Server running Windows Server 2008 R2 exhibited a critical login delay. The system consistently hangs at the authentication screen with the message "Waiting for Windows Modules Installer," eventually timing out and generating Event ID 7031 ("Service terminated unexpectedly").
Stopping and disabling the Windows Modules Installer service (TrustedInstaller) with the following PowerShell commands provides temporary relief:
Stop-Service -Name TrustedInstaller -Force
Set-Service -Name TrustedInstaller -StartupType Disabled
The issue typically stems from one of three scenarios:
- Corrupted update components, as reported in the Component-Based Servicing (CBS) log
- Pending update operations stuck in the installer queue
- Permission conflicts with third-party applications (in this case, Tricerat's ScrewDrivers)
Run these commands sequentially to gather diagnostic data:
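# Check pending operations
# (Server 2008 R2 writes a plain-text WindowsUpdate.log; Get-WindowsUpdateLog exists only on Windows 10 / Server 2016 and later)
Copy-Item $env:windir\WindowsUpdate.log C:\temp\windowsupdate.log -Force
# Verify component store health
# (/AnalyzeComponentStore is not recognized by the Server 2008 R2 DISM; /ScanHealth is the closest check there and needs the DISM CheckSUR update on SP1)
DISM /Online /Cleanup-Image /ScanHealth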
# Examine CBS logs
Get-Content C:\Windows\Logs\CBS\CBS.log | Select-String -Pattern "TrustedInstaller" -Context 10
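A read-only way to confirm the two things this diagnosis rests on, the Event ID 7031 crashes and any pending servicing operations, as an added example that is not part of the original article. The function names are illustrative, and the locations checked (the CBS RebootPending and PackagesPending keys, the Windows Update RebootRequired key, WinSxS\pending.xml and PendingFileRenameOperations) are the commonly used pending-state indicators, assumed to apply to this server.

```powershell
# Added example: read-only triage, nothing on the server is modified.
# Written for PowerShell 2.0, the version shipped with Server 2008 R2.

function Get-InstallerCrashEvents {
    param([int]$Days = 14)
    # Match on the localized display name so this also works on non-English systems.
    $display = (Get-Service -Name TrustedInstaller).DisplayName
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7031
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent raises an error when nothing matches, so suppress that case.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$display*" } |
        Select-Object TimeCreated, Id, Message
}

function Get-PendingServicingState {
    $cbs = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing'
    $wu  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    $sm  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

    # REG_MULTI_SZ value; it may be absent, or present with only empty strings.
    $renames = (Get-ItemProperty -Path $sm -Name PendingFileRenameOperations `
                    -ErrorAction SilentlyContinue).PendingFileRenameOperations

    New-Object PSObject -Property @{
        CbsRebootPending   = Test-Path "$cbs\RebootPending"
        CbsPackagesPending = Test-Path "$cbs\PackagesPending"
        WuRebootRequired   = Test-Path "$wu\RebootRequired"
        PendingXmlPresent  = Test-Path "$env:windir\WinSxS\pending.xml"
        PendingFileRenames = [bool]($renames | Where-Object { $_ })
    }
}

# Each 7031 entry for the Windows Modules Installer is one login-time crash.
Get-InstallerCrashEvents | Format-List

# Any True value here points at the "pending operation stuck in the queue" scenario.
Get-PendingServicingState | Format-List
```

Run it from an elevated prompt before and after the reset steps so the two outputs can be compared.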
- Reset Windows Update Components:
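net stop wuauserv
net stop cryptSvc
net stop bits
net stop msiserver
ren C:\Windows\SoftwareDistribution SoftwareDistribution.old
ren C:\Windows\System32\catroot2 catroot2.old
net start wuauserv
net start cryptSvc
net start bits
net start msiserver
- Repair System Files:
sfc /scannow
# /RestoreHealth is not recognized by the Server 2008 R2 DISM; there, /ScanHealth (with the DISM CheckSUR update) or the System Update Readiness Tool runs the component store checks
DISM /Online /Cleanup-Image /ScanHealth
- Re-enable the service with monitoring:
Set-Service -Name TrustedInstaller -StartupType Automatic
$log = Start-Transcript -Path "C:\TrustedInstaller_Monitor.log"
Start-Service -Name TrustedInstaller
$svc = Get-Service -Name TrustedInstaller
while ($svc.Status -ne 'Running') {
    Write-Host "Waiting for service start..."
    Start-Sleep -Seconds 5
    # Re-read the status; a cached service object never updates on its own
    $svc.Refresh()
}
Stop-Transcript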
For Terminal Servers with third-party RDP management tools like Tricerat, implement these registry tweaks:
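Windows Registry Editor Version 5.00

; AUOptions 3 = download updates automatically and notify before installing
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update]
"AUOptions"=dword:00000003

; your-wsus-server is a placeholder for the WSUS host name.
; These two values are honored only when UseWUServer is set to 1 under ...\WindowsUpdate\AU.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://your-wsus-server"
"WUStatusServer"="http://your-wsus-server"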
After applying recent Windows Updates to our Server 2008 R2 terminal server environment, we encountered a critical login delay where the system hangs at the "Waiting for Windows Modules Installer" message. The service eventually times out with Event ID 7031 ("Service terminated unexpectedly") in the System log. While disabling the Windows Modules Installer (TrustedInstaller) service provides a temporary workaround, this prevents future update installations.
Initial troubleshooting revealed:
# Check service status
Get-Service TrustedInstaller | Select Status,StartType
# Result: Running (when enabled) / Automatic (Delayed Start)
The server exhibits these symptoms:
- Universal impact across all user sessions
- Minimal third-party software (ERP system and Tricerat ScrewDrivers)
- Server Manager displays generic "Error" without role details
- RDP functionality remains intact despite the login delay
Analysis suggests the issue stems from a corrupted Windows Update component or a pending installation operation. Common triggers include:
# Check pending update operations
Get-ChildItem "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing" |
Where {$_.Name -match "RebootPending"}
Step 1: Reset Windows Update Components
# Stop relevant services
Stop-Service -Name TrustedInstaller,BITS,wuauserv -Force
# Rename SoftwareDistribution folder
Rename-Item $env:systemroot\SoftwareDistribution SoftwareDistribution.bak -Force
# Reset the service security descriptors (DACLs)
# This overwrites whatever is currently set; record each existing descriptor first with: sc.exe sdshow <service>
$services = @("BITS","CryptSvc","TrustedInstaller","wuauserv")
foreach ($svc in $services) {
    sc.exe sdset $svc "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
}
Step 2: Repair System Components
Run these commands sequentially:
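# /RestoreHealth is not recognized by the Server 2008 R2 DISM; use /ScanHealth (with the DISM CheckSUR update) or the System Update Readiness Tool
DISM /Online /Cleanup-Image /ScanHealth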
sfc /scannow
Step 3: Rebuild Update Repository
# Server 2008 R2 specific fix
Start-Process -FilePath "wuauclt.exe" -ArgumentList "/resetauthorization /detectnow" -Wait
After implementing the solution:
# Create monitoring script
while ($true) {
    $status = Get-Service TrustedInstaller | Select -ExpandProperty Status
    Write-Host "$(Get-Date) - TrustedInstaller status: $status"
    if ($status -ne "Running") { Start-Service TrustedInstaller }
    Start-Sleep -Seconds 30
}
For environments with Tricerat ScrewDrivers installed, additional steps may be required:
# Check for print driver conflicts
Get-WmiObject Win32_PrinterDriver | Where {$_.Name -match "tricerat"} |
Select Name,ConfigFile,DataFile | Format-List