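Question about the Windows Modules Installer service start type changing back and forth in the Windows 10 System log
Hi all, I was recently troubleshooting a USB device that keeps disconnecting and reconnecting on a Windows 10 Home 64-bit system, so I opened Event Viewer and unexpectedly found a series of strange System log entries: the start type of the Windows Modules Installer service is being changed back and forth by TrustedInstaller. I really can't figure out what is going on. Does anyone have a reasonable explanation?
Here are the relevant log entries I captured:
Event 1 (2024-02-16 11:31:38 AM)
- Log Name: System
- Source: Service Control Manager
- Event ID: 7040
- Level: Information
- User: SYSTEM
- Description: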
The start type of the Windows Modules Installer service was changed from auto start to demand start.
- Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" /> <EventID Qualifiers="16384">7040</EventID> <Version>0</Version> <Level>4</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x8080000000000000</Keywords> <TimeCreated SystemTime="2024-02-16T16:31:38.9786775Z" /> <EventRecordID>100903</EventRecordID> <Correlation /> <Execution ProcessID="996" ThreadID="20380" /> <Channel>System</Channel> <Computer>DESKTOP-CA9265O</Computer> <Security UserID="S-1-5-18" /> </System> <EventData> <Data Name="param1">Windows Modules Installer</Data> <Data Name="param2">auto start</Data> <Data Name="param3">demand start</Data> <Data Name="param4">TrustedInstaller</Data> </EventData> </Event>
Event 2 (2024-02-16 11:12:44 AM)
- Log Name: System
- Source: Service Control Manager
- Event ID: 7040
- Level: Information
- User: SYSTEM
- Description:
The start type of the Windows Modules Installer service was changed from demand start to auto start.
- Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" /> <EventID Qualifiers="16384">7040</EventID> <Version>0</Version> <Level>4</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x8080000000000000</Keywords> <TimeCreated SystemTime="2024-02-16T16:12:44.2737181Z" /> <EventRecordID>100902</EventRecordID> <Correlation /> <Execution ProcessID="996" ThreadID="16768" /> <Channel>System</Channel> <Computer>DESKTOP-CA9265O</Computer> <Security UserID="S-1-5-18" /> </System> <EventData> <Data Name="param1">Windows Modules Installer</Data> <Data Name="param2">demand start</Data> <Data Name="param3">auto start</Data> <Data Name="param4">TrustedInstaller</Data> </EventData> </Event>
Event 3 (2024-02-16 11:12:40 AM)
- Log Name: System
- Source: Service Control Manager
- Event ID: 7040
- Level: Information
- User: SYSTEM
- Description:
The start type of the Windows Modules Installer service was changed from auto start to demand start.
- Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" /> <EventID Qualifiers="16384">7040</EventID> <Version>0</Version> <Level>4</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x8080000000000000</Keywords> <TimeCreated SystemTime="2024-02-16T16:12:40.0349188Z" /> <EventRecordID>100901</EventRecordID> <Correlation /> <Execution ProcessID="996" ThreadID="16768" /> <Channel>System</Channel> <Computer>DESKTOP-CA9265O</Computer> <Security UserID="S-1-5-18" /> </System> <EventData> <Data Name="param1">Windows Modules Installer</Data> <Data Name="param2">auto start</Data> <Data Name="param3">demand start</Data> <Data Name="param4">TrustedInstaller</Data> </EventData> </Event>
Event 4 (2024-02-16 10:57:11 AM)
- Log Name: System
- Source: Service Control Manager
- Event ID: 7040
- Level: Information
- User: SYSTEM
- Description:
The start type of the Windows Modules Installer service was changed from demand start to auto start.
- Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" /> <EventID Qualifiers="16384">7040</EventID> <Version>0</Version> <Level>4</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x8080000000000000</Keywords> <TimeCreated SystemTime="2024-02-16T15:57:11.2390014Z" /> <EventRecordID>100900</EventRecordID> <Correlation /> <Execution ProcessID="996" ThreadID="15748" /> <Channel>System</Channel> <Computer>DESKTOP-CA9265O</Computer> <Security UserID="S-1-5-18" /> </System> <EventData> <Data Name="param1">Windows Modules Installer</Data> <Data Name="param2">demand start</Data> <Data Name="param3">auto start</Data> <Data Name="param4">TrustedInstaller</Data> </EventData> </Event>
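A quick summary of the timeline:
- 10:57:11: changed from demand start to auto start
- 11:12:40: changed back to demand start (about 15 minutes later)
- 11:12:44: changed to auto start again (only 4 seconds later)
- 11:31:38: changed back to demand start (about 18 minutes later)
Can anyone explain why TrustedInstaller would keep changing the start type back and forth like this? Maybe I'm being a bit paranoid, but this behavior just doesn't seem normal...
Note: content sourced from Stack Exchange; question author: greenops011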
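
An added example, not part of the original post: a Python parser for exported Event ID 7040 XML that rebuilds the timeline above and computes the gap between consecutive changes. The sample events are trimmed copies of the four quoted in the post, and the function names are illustrative.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Trimmed copies of the four events quoted in the post: only the fields read below.
TEMPLATE = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
    '<EventID Qualifiers="16384">7040</EventID><TimeCreated SystemTime="{ts}" />'
    '<EventRecordID>{rid}</EventRecordID></System><EventData>'
    '<Data Name="param1">Windows Modules Installer</Data>'
    '<Data Name="param2">{old}</Data><Data Name="param3">{new}</Data>'
    '<Data Name="param4">TrustedInstaller</Data></EventData></Event>'
)
AUTO, DEMAND = "auto start", "demand start"
SAMPLE = [
    TEMPLATE.format(ts="2024-02-16T16:31:38.9786775Z", rid=100903, old=AUTO, new=DEMAND),
    TEMPLATE.format(ts="2024-02-16T16:12:44.2737181Z", rid=100902, old=DEMAND, new=AUTO),
    TEMPLATE.format(ts="2024-02-16T16:12:40.0349188Z", rid=100901, old=AUTO, new=DEMAND),
    TEMPLATE.format(ts="2024-02-16T15:57:11.2390014Z", rid=100900, old=DEMAND, new=AUTO),
]

def parse_7040(xml_text):
    """Return the fields of one 7040 (start type changed) event, or None for other IDs."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "7040":
        return None
    raw = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    # SystemTime has 7 fractional digits and %f accepts at most 6, so keep whole seconds.
    when = datetime.strptime(raw.split(".")[0].rstrip("Z"), "%Y-%m-%dT%H:%M:%S")
    data = {d.get("Name"): d.text for d in root.iterfind("e:EventData/e:Data", NS)}
    return {
        "time": when.replace(tzinfo=timezone.utc),  # SystemTime is UTC, not local time
        "record": int(root.findtext("e:System/e:EventRecordID", namespaces=NS)),
        "old": data["param2"], "new": data["param3"],
        "service": data["param4"],  # short name of the service whose start type changed
    }

def timeline(events_xml, service="TrustedInstaller"):
    """Changes for one service, oldest first: (UTC time, old, new, seconds since previous)."""
    events = [e for e in map(parse_7040, events_xml) if e and e["service"] == service]
    rows, prev = [], None
    for e in sorted(events, key=lambda e: e["record"]):
        gap = None if prev is None else int((e["time"] - prev).total_seconds())
        rows.append((e["time"].strftime("%H:%M:%S"), e["old"], e["new"], gap))
        prev = e["time"]
    return rows

if __name__ == "__main__":
    for row in timeline(SAMPLE):
        print(row)
```

The times printed are UTC as stored in `SystemTime`, so they are offset from the local times shown in the Event Viewer headers.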




