Security Center and Automatic Update Notification Icons Not Appearing

Today, I was removing malware and spyware bits from a Windows XP Professional machine. When the infected machine was cleaned, I checked the machine for updates using our in-house WSUS server. I noticed two things: the Automatic Update notification icon was not appearing, and the Security Center notification icon was not functioning at all. No notification icons were appearing in the Notification Tray.

The Windows XP Automatic Update notification icon appears when updates are ready to be downloaded and / or updates are ready to be installed. The Windows XP Security Center notification icon appears when the firewall is disabled, no antivirus product is installed or its definitions are out of date, or Automatic Updates are set to Off.

Automatic Update and Security Center Notification Icons

I checked if the Security Center service was running using the following commands:

sc query wscsvc

sc qc wscsvc

The Security Center service was started and the startup type was set to Automatic. I also checked whether the Security Center Alert Settings were disabled. They were not disabled; refer to the image below.

Security Center Alert Settings

I started to think the WMI repository was somehow inconsistent or corrupted, so I rebuilt the WMI repository using this blog article, "Security Center not Accurately Reporting Anti-Virus / Firewall Status for Windows XP", and the notification icons still were not appearing.

I checked if the Customize Notification icons were set to Always Hide for the Automatic Update and Security Center notification icons. The notification icons were not in the Customize Notification icons list; refer to the image below.

Customize Notifications

I was a little bit puzzled after I checked for any Group Policies that may have been enabled by the malware and spyware to enforce some machine or personal settings and could not detect any issues with the Group Policy settings.

I opened the "WindowsUpdate.log" and found some interesting clues:

2008-03-25 12:29:55:578 848 634 Service WARNING: GetUserTokenFromSessionId failed with error 800704dd for session 0
2008-03-25 12:29:55:578 848 634 AU WARNING: AU found no suitable session to launch client in

I did some searching and found this knowledge base article, "Error messages that you may receive when you try to download and install updates from the Windows Update Web site, from the Microsoft Update Web site, or from a WSUS server: "0x800704DD," "0x80240020," or both". I checked the registry and found the following subkey missing:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn

I re-created the missing registry subkey and its entries and rebooted the computer, and the Security Center and Automatic Update notification icons appeared.

Manual Steps to Repair / Re-create the ‘SensLogn’ Registry Subkey for Windows XP

  1. Click Start and then Run.
  2. Type regedit.exe in the Run dialog box.
  3. Press ENTER on your keyboard.
  4. Navigate to: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
  5. Right-click Notify to select New > Key.
  6. Name the new key SensLogn.
  7. Right-click SensLogn to select New > DWORD Value.
  8. Name the new DWORD Asynchronous.
  9. Double click Asynchronous to assign a value data of 1.
  10. Right-click SensLogn to select New > String Value.
  11. Name the new String Disconnect.
  12. Double click Disconnect to assign a value data of SensDisconnectEvent.
  13. Right-click SensLogn to select New > String Value.
  14. Name the new String DLLName.
  15. Double click DLLName to assign a value data of WlNotify.dll.
  16. Right-click SensLogn to select New > DWORD Value.
  17. Name the new DWORD Impersonate.
  18. Double click Impersonate to assign a value data of 1.
  19. Right-click SensLogn to select New > String Value.
  20. Name the new String Lock.
  21. Double click Lock to assign a value data of SensLockEvent.
  22. Right-click SensLogn to select New > String Value.
  23. Name the new String Logoff.
  24. Double click Logoff to assign a value data of SensLogoffEvent.
  25. Right-click SensLogn to select New > String Value.
  26. Name the new String Logon.
  27. Double click Logon to assign a value data of SensLogonEvent.
  28. Right-click SensLogn to select New > DWORD Value.
  29. Name the new DWORD MaxWait.
  30. Double click MaxWait to assign a value data of 1.
  31. Right-click SensLogn to select New > String Value.
  32. Name the new String PostShell.
  33. Double click PostShell to assign a value data of SensPostShellEvent.
  34. Right-click SensLogn to select New > String Value.
  35. Name the new String Reconnect.
  36. Double click Reconnect to assign a value data of SensReconnectEvent.
  37. Right-click SensLogn to select New > DWORD Value.
  38. Name the new DWORD Safe.
  39. Double click Safe to assign a value data of 1.
  40. Right-click SensLogn to select New > String Value.
  41. Name the new String Shutdown.
  42. Double click Shutdown to assign a value data of SensShutdownEvent.
  43. Right-click SensLogn to select New > String Value.
  44. Name the new String StartScreenSaver.
  45. Double click StartScreenSaver to assign a value data of SensStartScreenSaverEvent.
  46. Right-click SensLogn to select New > String Value.
  47. Name the new String StartShell.
  48. Double click StartShell to assign a value data of SensStartShellEvent.
  49. Right-click SensLogn to select New > String Value.
  50. Name the new String Startup.
  51. Double click Startup to assign a value data of SensStartupEvent.
  52. Right-click SensLogn to select New > String Value.
  53. Name the new String StopScreenSaver.
  54. Double click StopScreenSaver to assign a value data of SensStopScreenSaverEvent.
  55. Right-click SensLogn to select New > String Value.
  56. Name the new String Unlock.
  57. Double click Unlock to assign a value data of SensUnlockEvent.
  58. Exit the Windows XP Registry Editor.
  59. Reboot Windows XP.
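
The manual steps above, condensed into a batch file that uses reg.exe and only writes when the subkey is actually missing. This is an added example, not the author's senslogn.reg file; it assumes an administrator Command Prompt and uses only the entry names and value data listed in the steps.

```bat
@echo off
rem Added example, not the author's senslogn.reg: re-creates SensLogn with the
rem names and data listed in the manual steps. Run as an administrator.
setlocal
set "KEY=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn"

rem reg query sets a non-zero errorlevel when the key does not exist.
reg query "%KEY%" >nul 2>&1
if not errorlevel 1 (
    echo SensLogn already exists. Nothing changed. Current entries:
    reg query "%KEY%"
    goto :eof
)

echo SensLogn is missing. Re-creating it.

rem DWORD entries, each with value data 1.
for %%V in (Asynchronous Impersonate MaxWait Safe) do (
    reg add "%KEY%" /v %%V /t REG_DWORD /d 1 /f >nul || goto failed
)

rem The DLL named in the manual steps.
reg add "%KEY%" /v DLLName /t REG_SZ /d WlNotify.dll /f >nul || goto failed

rem Event entries: the value named X holds the string SensXEvent.
for %%V in (Disconnect Lock Logoff Logon PostShell Reconnect Shutdown StartScreenSaver StartShell Startup StopScreenSaver Unlock) do (
    reg add "%KEY%" /v %%V /t REG_SZ /d Sens%%VEvent /f >nul || goto failed
)

echo Done. Entries now present:
reg query "%KEY%"
echo Reboot Windows XP for the change to take effect.
goto :eof

:failed
echo Failed to write to %KEY%. Check that you have administrative rights.
exit /b 1
```

Compare the final reg query listing against the manual steps before rebooting.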

Automated Fix to Repair / Re-create the ‘SensLogn’ Registry Subkey for Windows XP

  1. Download senslogn.reg to a folder on your hard drive.
  2. Right-click senslogn.reg to select Merge.
  3. Now the registration entries are added for you.
  4. Reboot Windows XP.

    NOTES

    The senslogn.reg file is from my web server (http://lprf.homeserver.com). You also can view the contents of the senslogn.reg file by right-clicking the file and selecting Edit. You may need to log off then log on to your user account or restart your computer for the changes to take effect.

Platforms Tested

  • Microsoft Windows XP Professional SP2
  • Microsoft Windows XP Home SP2

Version 1.2
Edited: May 11, 2012

Security Center not Accurately Reporting Anti-Virus / Firewall Status for Windows XP

Windows XP Security Center may report inaccurately after you uninstall an anti-virus and / or firewall application. It may still show the uninstalled security application as monitoring your system, even if you have since installed a different anti-virus and / or firewall application. Administrative privileges are required to perform the solution.

Manual Steps

  1. Click the START button to open the Start Menu.
  2. Click Run… to open the Run dialog box.
  3. Type:

    services.msc

  4. Press ENTER on your keyboard.
  5. Locate and double-click Windows Management Instrumentation.
  6. Click Stop to stop the service.
  7. Navigate to:

    C:\WINDOWS\system32\wbem\Repository

  8. Delete all contents in the Repository folder.
  9. Reboot the computer.

Manual Steps Using Command Line

  1. Click the START button to open the Start Menu.
  2. Click Run… to open the Run dialog box.
  3. Type:

    cmd.exe

  4. Press ENTER on your keyboard.

    NOTE

    A Command Prompt Window should now be open.

  5. Type the following in the Command Window:

    net stop "Windows Management Instrumentation"

  6. Press ENTER on your keyboard.
  7. Type the following in the Command Window:

    rd %systemroot%\system32\wbem\Repository\ /S /Q

  8. Press ENTER on your keyboard.
  9. Type the following in the Command Window:

    mkdir %systemroot%\system32\wbem\Repository\

  10. Press ENTER on your keyboard.
  11. Reboot the computer.

Platforms Tested

  • Microsoft Windows XP Editions

Version 1.1
Edited: May 11, 2012