Firewall, DHCP services won't start, Error 5: Access is Denied

    Question


    I am deploying 10 brand new Dell Optiplex 755 machines with Vista Business.   However, every single machine, after being OK for awhile, will eventually have problems starting services, such as DHCP, Event Viewer and Firewall (in total it's about 12 services that won't start, but I believe that is because of a cascading effect).  You get Error 5: Access is Denied in Event log, or if you try to manually start the service.

     

    The network connection status does not work, you get "The service or dependency failed to start" and just a red X through the icon.  Other things won't work like remote desktop, some audio functions (eg in webcams), etc.

     

    This problem is driving me crazy and I have done everything under the sun to fix it.

     

    See http://support.microsoft.com/kb/943996/en-us  as it describes the problem pretty well, however, the solution does NOT work in my case. 

     

    I have reinstalled machines, system restored machines (which sometimes works, sometimes doesn't), NOT installed windows updates, installed windows updates.

    I should tell you I am joining these machines to a domain (windows 2003 server).  We also had a Windows 2000 server as a DC and I thought that was the cause of the problem, however I asked our system analyst to remove that server as a DC.  So now only the Windows 2003 server is the DC, but the problem is still there.

     

    I will deploy the computer to the user, they will be fine for awhile, then after a little while if they log out or reboot, their machine will hoze itself.  If they stay logged in all day they will be fine.

     

    Does anyone have any ideas why all 10 of my machines are hozing themselves? It takes hours to fix each one and I am running out of time here.... We have deployed dozens of vista machines at our head office and never seen this problem.

     

    Thanks

    Sunday, January 27, 2008 4:27 PM

Answers

  • out of curiosity, what happens if you "reserve" an ip for one of the failed machines in DHCP?  Some of our Vista machines will randomly fail to pull a DHCP address, thus causing major issues with GPO's not running.  In these cases, as a test, I setup reserved ip addresses for the mac address in dhcp and the issue resolved.  Not sure why it happens though.

     

    Tuesday, January 29, 2008 4:21 PM

All replies

  • I have almost the exact same situation.  I have a Windows 2003 Server SP2 Active Directory environment with GPOs setup, but I had to move the Vista machines into a separate group that does not inherit the GPs of the rest of the organization.  If I do not then I have this cascading problem.  I currently forgot to move one of the Systems into the correct GPO and it is having this issue.  Once it happens, I am unable to find a fix to reset it to the normal/usable state.  This seems to be a Group Policy issue, but I am unable to find anywhere in the Group Policies that I am changing the permissions of the Registry keys that affect the DHCP Client.

     

    Extremely frustrated at this point.  Have you found anything out about how to fix this?

    Tuesday, March 11, 2008 3:25 PM
  • I have the same thing with my computer, windows vista 32 home premium. Is this so difficult for you guys at Microsoft to solve this problem... Or we need to do system restores every 6 months, my other machine under another OS didn't need nothing in past 4 years.

     

    Hope you resolve this ...

     

    Friday, March 21, 2008 12:11 AM
  • Has anyone been able to resolve this.  I am having the same problem starting services.  Many are not on and when I try to start them, I get Error 5: Access is Denied.  Tried everything I can think of and what I found in the forums with no luck to date.  Can't get a wireless connection.  Please help if you have the answer.

    Saturday, May 03, 2008 1:46 AM
  • I too have similar issues.  I have even attempted configuring Vista Ultimate on a Windows 2008 DC, thinking 2008 is designed 100% for Vista...don't bother wasting your time...same issue occurs.  I have created a tech support case with Microsoft and spent over 21 hours on the phone with them and am being told that we will have to move to level two next week.  Microsoft is trying to tell me the root problem is with our linksys router or some other network equipment...HA HA...I don't believe that for nothing, as everything works fine until a GPO is pushed out from the server.  It's the way Vista talks with the DC.


    Just thought you'd like to know you're not alone...and Microsoft doesn't even have a clue.  If/when MS corrects our problem, I'll try to post the results for everyone.

    Saturday, June 07, 2008 2:43 PM
  • I also have similar problems.  I bought a laptop and a netgear router.  Having disconnected my ADSL modem I could use my Dell desktop to configure the router over the lan connection but not connect to the internet.

     

    The laptop works fine, either wired or wireless.  The Lan has an error message 'Dependency service or group failed to start'.  When I try to diagnose the services aren't running and when I try to start them I get the error 5 message.

     

    I have followed lots of advice for file repairs, tcp stack reinstall, regedit but nothing has helped.

     

    Hope MS come up with the goods.

     

    Saturday, June 07, 2008 6:47 PM
  • I own a computer shop in vegas and have had to deal with several of these problems. I have tried no less than 20 different fixes - countless hours, nothing works. If I had to guess (because that's where I'm at) it's faulty driver software. Yea that's right I said it. A back to factory restore seems to be the only fix. Wow WTF are we really here talking about this? This problem is all over the internet and the fixes don't work. I've been on the phone with M$ and they don't have the answer. One day internet the next complete frustration. Vista is so buggy and now here comes W7 which i'm testing on 2 machines, guess what it's the same platform same ____ same problems......ok i feel so much better, I never knew tech forums could be so therapeutic....
    Friday, July 10, 2009 4:21 PM
  • I am fixing a friend's Vista Dell laptop and it has the same problem with the auto services not starting.  DHCP, diagnostics, etc.  You think there is no fixing? Even with a reinstall of the operating system?
    Do I have to install xp then?
    Thursday, August 13, 2009 6:35 AM
  • SOLUTION BELOW!

    This problem stumped me for HOURS, but I overcame it. Here is my story.

    Today I had a power loss, and when I switched my computer back on and Windows 7 finished booting up - lo and behold - I can't start many windows services (DHCP, Diagnostics, Firewall, etc) due to Access Denied errors. Also, for some reason windows reported that there are no sound devices installed, and so I didn't have audio either (even though the Windows Audio service was running and device manager showed my X-Fi to be installed properly).

    Using Process Monitor (http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx) and while attempting to start the DHCP service, I found that it was getting access denied to some registry keys under HKLM\SYSTEM\CurrentControlSet\services. I tried a few things out, and found that adding the user SERVICE with full permissions to the registry keys that the DHCP service was requesting solved the problem and allowed DHCP to start, but not the other services (since they requested different keys). So I just set the whole services key and all subkeys/value to give full permission to SERVICE. I restarted my computer and things were much better. A lot of the services were back up.

    But still, no audio devices were detected. So I uninstalled my X-Fi in device manager (without removing the driver) and restarted. Upon restart, the sound card was detected and the driver automatically reinstalled, and all sound issues were solved as well.

    I then noticed that the Action Center was alerting me that the Windows Firewall was down, and it failed to start the service. I tried to start the service and got the dreaded Access Denied error. I thought I got rid of it. Windows Firewall depends on Base Filtering Engine service which won't start due to Access Denied. For some reason, using Process Monitor I saw that giving the CurrentControlSet\services\BFE key the permission for SERVICE wasn't enough. I added NT Service\BFE and that allowed BFE to start. But Windows Firewall still wouldn't start! So once more Process Monitor showed me that Windows Firewall was trying to access CurrentControlSet\services\SharedAccess, so I added NT Service\MpsSvc to it, and Windows Firewall finally came online.

    So far so good. I won't be surprised to find additional issues regarding services and access denied errors in the future. This is a very odd bug that Microsoft must investigate (it has my full cooperation if it needs it).

    • Proposed as answer by Taz0 Friday, December 11, 2009 9:30 PM
    Friday, December 11, 2009 9:26 PM
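
Added example (not part of the original post, and not Taz0's own tooling): one way to cut a large Process Monitor capture down to the ACCESS DENIED registry events under the services key described above, grouped by service. It assumes the capture was saved from Process Monitor as CSV with the default columns; the sample rows are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Registry root Process Monitor shows for service configuration keys,
# lower-cased so the comparison ignores case ("Services" vs "services").
SERVICES_ROOT = "hklm\\system\\currentcontrolset\\services\\"

# Constructed sample in the shape of a Process Monitor CSV export
# (default columns). Not captured from a real machine.
SAMPLE_EXPORT = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:21:03.101 PM","svchost.exe","1044","RegOpenKey","HKLM\System\CurrentControlSet\Services\Dhcp\Parameters","ACCESS DENIED","Desired Access: Read/Write"
"9:21:03.102 PM","svchost.exe","1044","RegQueryValue","HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Hostname","SUCCESS","Type: REG_SZ"
"9:21:04.250 PM","svchost.exe","1188","RegOpenKey","HKLM\SYSTEM\CurrentControlSet\services\BFE\Parameters\Policy","ACCESS DENIED","Desired Access: All Access"
"9:21:04.900 PM","svchost.exe","1188","RegCreateKey","HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters","ACCESS DENIED","Desired Access: All Access"
"9:21:05.010 PM","svchost.exe","1188","RegOpenKey","HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters","ACCESS DENIED","Desired Access: Read"
"9:21:05.300 PM","svchost.exe","1044","CreateFile","C:\Windows\System32\example.dll","ACCESS DENIED","Desired Access: Generic Read"
"9:21:06.000 PM","explorer.exe","2210","RegOpenKey","HKCU\Software\Example","ACCESS DENIED","Desired Access: Read"
'''


def read_export(path):
    """Read a saved CSV export; utf-8-sig drops a leading byte-order mark."""
    with open(path, encoding="utf-8-sig", newline="") as handle:
        return handle.read()


def denied_service_keys(csv_text, process_name=None):
    """Group ACCESS DENIED registry events by service subkey.

    Returns {service (lower case): {"events": count, "paths": [distinct paths]}}.
    process_name optionally restricts the result to one image name.
    """
    events = defaultdict(int)
    paths = defaultdict(set)
    reader = csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff")))
    for row in reader:
        if (row.get("Result") or "").strip().upper() != "ACCESS DENIED":
            continue
        # Registry operations are named RegOpenKey, RegCreateKey, RegSetValue, ...
        if not (row.get("Operation") or "").startswith("Reg"):
            continue
        image = (row.get("Process Name") or "").lower()
        if process_name and image != process_name.lower():
            continue
        path = row.get("Path") or ""
        if not path.lower().startswith(SERVICES_ROOT):
            continue
        service = path[len(SERVICES_ROOT):].split("\\", 1)[0].lower()
        if not service:
            continue
        events[service] += 1
        paths[service].add(path)
    return {
        name: {"events": events[name], "paths": sorted(paths[name])}
        for name in sorted(events)
    }


if __name__ == "__main__":
    for name, info in denied_service_keys(SAMPLE_EXPORT).items():
        print(f"{name}: {info['events']} denied event(s)")
        for key_path in info["paths"]:
            print(f"    {key_path}")
```

The keys it lists are the ones whose permissions need inspecting in regedit; the script itself changes nothing.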
  • Well I have to tell that this is most frustrating problem I have encountered in 15 years of tech work. I am using virtual servers to work on this problem and while I got one server to work correctly I cannot get the other 2 to start the bfe service. This is the worst piece of engineering for operating systems that I can imagine. I CANNOT even add the nt service\mpsSvc as it cannot even find it. Frustrating, frustrating, frustrating. These are stock 64 bit 2008 Standard servers freshly installed with service pack 2. I couldn't even get Windows Update to work through the web browser but could through WSUS. Any help from someone, somewhere on this planet would be appreciated.

    Gary
    macpiano
    Thursday, January 07, 2010 2:10 AM
  • Yes, this is a HUGE issue and can't believe it hasn't been addressed until now. Even though I was able to restore almost all functionality using the above methods, I still can't do simple things such as ping from a non-elevated command prompt, and can't find the cause since no ACCESS DENIED events are caught by ProcMon.
    Thursday, January 07, 2010 11:49 AM
  • See http://support.microsoft.com/kb/943996/en-us  as it describes the problem pretty well, however, the solution does NOT work in my case. 

    This worked very well in my case :)

    thanks !!
    Friday, February 26, 2010 7:52 AM
  • We're still experiencing the issue on a handful of servers.

    Taz0, many thanks for your solution! We have a number of 2008 R2 servers here that were suffering the same, and the doc'n supplied by MS was no use!

    Everyone else is aware, the MS doc has you editing the permissions for DHCP and TCPIP services, adding Network Service and local Network Configuration Operators with full permissions. This failed to work for me in a number of cases. Propagating the permissions to all child objects worked in a few cases.

    Adding the local Service account with full permissions to both keys worked on a few more but I should add that I had to propagate those as well, to all child objects.

    Finally, some servers are still a problem, where attempting to propagate permissions returns "Registry editor could not set security in the key currently selected, or some of its subkeys."

    Any further solutions out there?

    Tuesday, May 25, 2010 9:25 PM
  • DapperDanB, for your registry issues, you might want to try taking ownership of the keys, and then try to set permissions. In RegEdit, right click the tree node you'd like to take ownership of (such as the services node), click Permissions..., click Advanced then click the Owner tab. Under the Change owner to section, select your user from the list, tick the Replace owner on subcontainers and objects checkbox and click OK and OK.

    You should be able to change permissions now without an error.

    Wednesday, May 26, 2010 6:46 AM
  • I did this today, I often forget to check technet so I make some updates/changes on my site instead.

     

    http://5secondnews.com/2010/06/17/windows-7-services-failing-to-start-last-resort/

     

    this is a bit over the top but i was sick of the issues. it also fixed my itunes issues it appears with similar permissions errors. AFTER REMEMBER TO RESTART THE AUTO SERVICES. if you feel uncomfortable, sort by automatic. restart the related services that have stopped but should be running.

     

     

    also try winsock reset: (elevated command prompt, right click > run as admin)

    type: netsh winsock reset

    since my machine only has 1 user (it may remove users but not delete them)

    i also ran.

    secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose

    i still can’t get peer block to run which is a great firewall against spyware ips.

    other errors i had for each service:

    error 5

    error 1638

    error 1608

    UPDATE:

    i had to in the local_users registry folder (root folder) in regedit elevated to run as admin add the : “bfe” user group (without quotes)… and then give full access. NT Service\BFE

    along with “network services” and local services groups to the main folder (full access then hit apply). windows 7 crashes and undoes a lot of your settings if you try too much at once.

    THEN YOU HAVE TO GO AND RESTART YOUR SERVICES or reboot your pc i assume.

    restart bfe, windows firewall, and the services mentioned above. i assume this works for win 2008 and vista.

    Thursday, June 17, 2010 4:16 AM
  • Hi, been facing the same problems described on this thread for about 6 months now. I've been getting access to the net by manually assigning IP address and DNS since services like DHCP or diagnostics won't start, but I've had enough of my system not doing half the things it should do.

    I'm trying to use Process Monitor to have a look at what the DHCP service does when i try to start it. However, with no filters on it captures about 80,000 per MINUTE (should that many things really be happening at once?) and so there's far too many events to scroll through in order to find what I'm looking for.

    Could you provide any pointers on what kind of inclusion filter I could set to get rid of the other 79,999 events? All I want to look at is the event for "tried to enable the DHCP service and failed" so that I can at least complete step 1 of Taz0's fix?

     

    Many Thanks

    Tuesday, October 19, 2010 2:42 PM
  • Agreed!
    Thursday, November 18, 2010 11:04 PM
  • SOLUTION:

    I got called in to help with this hellacious problem at one of our client locations, and from what I've read, it apparently affects both Vista and Windows 7 PCs.  It took me a while to find the probable cause and the solution, so I hope you don't mind the high level of detail -- by this point, every one of us deserves it.  :)  They were running Windows Small Business Server 2003, and right after joining any Windows 7 PC to the domain and rebooting, the DHCP Client and Diagnostic Policy Service services would fail to start with the event log error "Access is Denied" .  The inability to use DHCP was the most noticeable symptom, but there were some other strange things going on as well, such as User Account Control protection level changes not sticking.  Wiping and reimaging the Windows 7 machines did not solve the problems, and the systems would bomb out again as soon as the workstation rejoined the domain.  I immediately suspected Group Policy had something to do with it.  In the meantime, the users had been forced to use static IPs on those stations as a workaround -- a real pain since many were laptops they traveled with.

    For workstations already affected, none of the basic fixes involving Registry permissions worked (even if I temporarily set those keys to give Full Access to Everyone), and neither did creating a new AD OU for the Windows 7 machines and blocking all policy inheritance, so I had to dig deeper into GP on the server.  What I discovered was that in this case, the Default Domain Policy was the culprit, and had literally thousands of very detailed security restrictions total under:

    Computer Configuration/Windows Settings/Security Settings/System Services (normally all are set to "Not Defined" by default)

    Computer Configuration/Windows Settings/Security Settings/Registry (this is normally empty by default)

    Computer Configuration/Windows Settings/Security Settings/File System (this is normally empty by default)

    I'd never used those settings before, so I compared them against GP on several servers I'd personally set up and found all the others were set to defaults.  No way these custom policy restrictions could have been set manually, so my guess is that these were caused by a lockdown template applied to the server at some point.  The custom settings apparently reflected services, Registry keys, and just about every file under the Windows directory structure as they existed on the SBS 2003 server at the time the lockdown policy was applied (if that was truly the cause).  Obviously things have evolved since 2003, and some of these settings are incompatible with Vista and Windows 7.  Since they were unfortunately located in the Default Domain Policy, they were pushed out to those new workstations and damaged them.

    Next, I compared the two affected services on the Windows 7 PCs to those on both Windows 2003 Server and Windows XP, and found differences between all 3 in the accounts used to start those services.  For example, in Windows XP, the DHCP Client service starts under the LOCAL SYSTEM account.  On Windows 7, it’s LOCAL SERVICE , and on 2003 it’s NETWORK SERVICE.   Trying to modify the Windows 7 defaults to match any of the others failed and caused further errors about an account mismatch with related services.

    On the Windows 7 systems, neither the logon account setting nor their Registry key permissions seemed to have changed and were still at defaults, which is one reason the "Access is Denied" errors were so perplexing.  Some or all of the GP restrictions for System Services and Registry may not have applied to the new machines at all, so I believe the actual damage was caused by the permission settings for File System -- basically, the services can't start because LOCAL SERVICE no longer had permissions to the actual system files used by those services.  Those file level permission changes appeared to be permanent modifications once applied, and were not automatically reversed by removal of those GP restrictions.  I believe this is the reason everyone is having to wipe their Vista and Windows 7 workstations to bring DHCP back to life.

    Here is what I did to correct the problem:

    1.  I set all three GP categories mentioned above back to their default settings.  Under System Services , I set each service back to "Not Defined".  I deleted every freakin' entry under File System and Registry , and it took a good while since there were thousands.

    2.  I reimaged a few of the Windows 7 workstations, and the problem did not reoccur after joining them to the domain and rebooting.  DHCP works like a charm now!  Probably fixed a host of unforeseen issues as well.

    3.  For a few other affected workstations, I had the local site admin try using Security Restore from Rizone3.com to reset all permissions back to factory defaults, but he said this didn't seem to fix the issue -- maybe some screwed-up ownership settings prevented it from doing its job.  My guess is that if we manually modify the file permissions on the service-related system files, they'll be able to start the service and it could save time on repair.  But knowing what I do now of the problem, I'm going to highly suggest a full wipe/reload of the O/S as the best solution.

    Hope this helps, and if anyone else comes up with a better and quicker solution to repair the damaged workstations without a wipe/reload, I'll look forward to it.  I never tried using System Restore, so it might be worth a shot.  In the meantime, I'm making a practice of checking Group Policy settings on any existing pre-2008 servers to make sure I won't run into this anymore.  I'm betting it would wreak havoc with newer server operating systems introduced into the domain as well as workstations.  Also, I've never personally used lockdown policies before, but am making a note to self NOT to.  :)

    Good luck!!!
    • Proposed as answer by Mike6974 Sunday, October 30, 2011 7:17 AM
    • Unproposed as answer by Mike6974 Sunday, October 30, 2011 7:19 AM
    • Proposed as answer by rtaylor82 Thursday, March 29, 2012 5:10 PM
    Thursday, December 02, 2010 5:23 PM
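
Added example (not part of the original post, and not SkymanPCA's own method): a read-only check for which GPOs carry the three kinds of settings named above. It assumes a copy of the domain's SYSVOL Policies folder is available locally, and relies on the security template section names [Service General Setting], [Registry Keys] and [File Security] in each GPO's GptTmpl.inf; the sample template is constructed for illustration.

```python
import csv
from pathlib import Path

# Security-template sections behind the three Group Policy nodes
# (System Services, Registry, File System) discussed in the post.
LOCKDOWN_SECTIONS = {
    "service general setting": "System Services",
    "registry keys": "Registry",
    "file security": "File System",
}

# Constructed sample GptTmpl.inf; the SDDL strings are illustrative only.
SAMPLE_GPTTMPL = r'''[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 7
[Service General Setting]
"Dhcp",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
"Alerter",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
[Registry Keys]
"MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip",0,"D:PAR(A;CI;KA;;;BA)(A;CI;KA;;;SY)"
[File Security]
"%SystemRoot%\system32",0,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)"
"%SystemRoot%\system32\drivers",0,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)"
"%SystemRoot%\system32\svchost.exe",0,"D:PAR(A;;FA;;;BA)(A;;FA;;;SY)"
'''


def decode_inf(data):
    """Decode template bytes; GptTmpl.inf is usually UTF-16 with a BOM."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    if data[:3] == b"\xef\xbb\xbf":
        return data.decode("utf-8-sig")
    return data.decode("cp1252", errors="replace")


def parse_lockdown_entries(inf_text):
    """Return {policy node: [target of each entry]} for the three sections."""
    found = {label: [] for label in LOCKDOWN_SECTIONS.values()}
    current = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or INF comment
        if line.startswith("[") and line.endswith("]"):
            current = LOCKDOWN_SECTIONS.get(line[1:-1].strip().lower())
            continue
        if current is None:
            continue  # a section this check does not care about
        # Entries look like: "target",mode,"SDDL"; keep only the target.
        fields = next(csv.reader([line]))
        found[current].append(fields[0])
    return found


def scan_policies(policies_root):
    """Map each GptTmpl.inf that defines such entries to per-node counts.

    The {GUID} folder in each reported path identifies the GPO.
    """
    report = {}
    for path in Path(policies_root).rglob("*"):
        if path.is_file() and path.name.lower() == "gpttmpl.inf":
            entries = parse_lockdown_entries(decode_inf(path.read_bytes()))
            if any(entries.values()):
                report[str(path)] = {k: len(v) for k, v in entries.items()}
    return report


if __name__ == "__main__":
    for node, targets in parse_lockdown_entries(SAMPLE_GPTTMPL).items():
        print(f"{node}: {len(targets)} entr(y/ies)")
        for target in targets:
            print(f"    {target}")
```

A GPO that was never given such restrictions reports nothing, which matches the defaults described in the post ("Not Defined" or empty).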
  • SkymanPCA, you sir are my HERO.

     

             My problem resolution story: We have a W2003 SP2 Domain Controller. After joining Vista/Windows 7 machines to the domain and after a few reboots networking would cease to work. DHCP, Windows Firewall, Network location Awareness services all would error when starting them with "Error 5 Access denied". I began to suspect Antivirus, Windows Updates or GPO's.

             After eliminating AV and Updates it appeared GPO was the problem. I ran gpresult /R on the broken machine and noted all GPO's under user and computer.

             I read SkymanPCA's detailed story/fix and began to overlook ALL GPO's in my organization, starting with ones I noted earlier. In my case, the "default domain policy" had been changed to a custom naming convention but nonetheless had a lockdown policy for Windows XP that was being applied to Vista / 7 Machines as well.

           

     

    Friday, December 10, 2010 9:40 PM
  • Hey, flyingpolok -

    Very glad to hear this helped someone else out, and you're more than welcome.  I get a ton of troubleshooting fixes from forums on the web, so I rely on them a lot myself.  One thing I've learned is that no matter how long we've been working in IT, and no matter how smart we are -- never underestimate the ability of situations like this to make total monkeys out of us for several rounds and make us doubt our super-powers.  Have a great week bro!


    Tuesday, December 14, 2010 8:11 PM
  • I'm the Network Admin at an Upstate NY community college and we got hit hard by Conficker in the Fall of 2009. During the cleanup process I discovered that on the machines that had been infected the DHCP Client service was stopped and I couldn't restart it because of "Error 5: Access is denied". After hours of searching (the first day of Conficker cleanup was a 27 hour work day) I stumbled upon the solution:

    1) Machines that have been cleaned may have the DHCP Client service won't start issue. Conficker changes perms on a couple of Reg Keys:

       a. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp

       b. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip

          i. Click Permissions, click Add, type network service and then click OK.

          ii. Click to select the Full Control check box in the Allow column of the Permissions for NETWORK SERVICE box, and then click OK.

          iii. Give Read perms to the Network Configuration Operators group

          iv. Go to the Advanced properties for both and make sure to check reset perms on all child objects so sub-keys get the perms too

          v. Try to restart the DHCP Client service

    I know this is an old thread but as I didn't see the exact solution listed that I had found I figured I'd throw it out there.

    Friday, February 25, 2011 8:56 PM
  • Hi,

     

    I followed your instructions but I'm still seeing the exact same issues. Running Vista, my problem is virtually identical to the one described here.

     

    Two questions:

    1. When using Process Monitor, how could you tell which ones were denied access? (i.e. what was in the "Result" field?)

    2. Has anyone else discovered an alternate solution?

     

    Thanks very much.

    Tim

    • Proposed as answer by SafRochester Tuesday, July 05, 2011 5:40 PM
    • Unproposed as answer by SafRochester Tuesday, July 05, 2011 5:40 PM
    Thursday, April 07, 2011 7:50 PM
  • OK, I have had this problem for days. Tried everything above. Finally I tried this; and it worked fine:

     

    Went to CNET downloads

    Downloaded Zone Alarm (Free) Firewall app. (Free!)

    Installed it

    Everything came on like a dream, the windows firewall service became accessible and worked, the network and all related apps came back on-line and I could see all the icons again in the task bar....everything is sweet as.

    I presume that when Zone Alarm installed itself, it corrected all the necessary registry stuff and all the service commands.

    I was going to uninstall Zone Alarm to revert back to Windows Firewall, but what the heck, I actually like Zone Alarm. It seems to protect more transparently.

    One word of advice, when installing Zone Alarm, untick the "Install Toolbar" thingy and all the other offers. You don't need them. The firewall is great.

    Hope it helps you guys out there.

    Saf

    Tuesday, July 05, 2011 5:52 PM
  • I have had a similar problem where my DHCP, Firewall and other services kept getting an "Error 5" and "Access Denied". Turns out the problem is with the Base Filtering Engine and the permissions granted to it. To solve this problem this is what I did:

    1. Click Start then run

    2. Type regedit

    3. In registry go to HKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent

    4. Right click and select permissions

    5. In Group or User Names Click add and then MpsSvc with Full Control

    6. In registry go to HKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter

    7. In Group or User Names Click add and then MpsSvc with Full Control. When I rebooted, everything was working perfectly again.

    When I rebooted my PC everything was working again.
    Sunday, July 31, 2011 10:20 AM
  • Wow. It has been over a year since I last posted in this thread. And I have STILL not found a solution to this problem.

    I've tried every solution suggested on this thread, including these newer ones posted since my last visit, and none of them have worked or even provided me with a smidge of progress. I'm absolutely astounded.

     

    Skyman's solution was useless to me because I'm running Vista home premium, and so don't have access to any Group Policy tools whatsoever. and Cameron_kelsey's suggestion did not work either, as the group "MpsSvc" is not recognized/does not exist on my machine, so it won't even let me try adding it.

     

    Has anybody running Vista Home Premium, rather than a server-based OS, had this problem, and come up with any alternatives?

    Wednesday, November 16, 2011 1:13 PM
    • Edited by Adm_Gs Saturday, December 24, 2011 6:15 PM URL changed for the article
    Wednesday, December 07, 2011 12:22 PM
  • I had the same BFE error 5.

    I used Tweaking.com's windows repair and the BFE service and windows firewall started after that
    Maybe worth a try

    • Proposed as answer by Howzat_au Monday, April 09, 2012 7:47 AM
    Sunday, December 11, 2011 6:01 PM
  • I had the same problem with several services on a laptop running Vista. Running "Startup Repair" from the recovery options of the Vista boot cd solved the problem!

     

    Chris.

    Tuesday, January 10, 2012 12:42 PM
  • This does not work for me. It's really funny the first post is in 2008. There's no effective solution found during past 3 years. I'm sure this is the problem of domain group policy. I tested to add the local service account to local administrator group. The service started without any problem. I'm curious which permission is not correctly configured by group policy. Hope there is a way to fix this problem finally. I'm also worried even we upgrade the 2003 domain to 2008 domain this problem could still exist.

    Tuesday, February 21, 2012 8:02 AM
  • Following the restart of domain controllers after you deploy the latest Windows Updates, services "DHCP Service" and "Network Policy Server (RADIUS)" could not restart (access denied).

    This is a key VSS (Volume Shadow Copy Service) in the registry that has been modified for some reason.
    According to Microsoft support, the act of installing too many updates at once, can trigger this kind of problem.

    Troubleshooting:

    HKLM\SYSTEM\CurrentControlSet\Services\VSS\VssAccessControl 

    Change the key value "NT Authority \NetworkService" from 0 to 1


    Tuesday, March 06, 2012 3:41 PM
  • SOLUTION:

    I got called in to help with this hellacious problem at one of our client locations, and from what I've read, it apparently affects both Vista and Windows 7 PCs.  It took me a while to find the probable cause and the solution, so I hope you don't mind the high level of detail -- by this point, every one of us deserves it.  :)  They were running Windows Small Business Server 2003, and right after joining any Windows 7 PC to the domain and rebooting, the DHCP Client and Diagnostic Policy Service services would fail to start with the event log error "Access is Denied" .  The inability to use DHCP was the most noticeable symptom, but there were some other strange things going on as well, such as User Account Control protection level changes not sticking.  Wiping and reimaging the Windows 7 machines did not solve the problems, and the systems would bomb out again as soon as the workstation rejoined the domain.  I immediately suspected Group Policy had something to do with it.  In the meantime, the users had been forced to use static IPs on those stations as a workaround -- a real pain since many were laptops they traveled with.

    For workstations already affected, none of the basic fixes involving Registry permissions worked (even if I temporarily set those keys to give Full Access to Everyone), and neither did creating a new AD OU for the Windows 7 machines and blocking all policy inheritance, so I had to dig deeper into GP on the server.  What I discovered was that in this case, the Default Domain Policy was the culprit, and had literally thousands of very detailed security restrictions total under:

    Computer Configuration/Windows Settings/Security Settings/System Services (normally all are set to "Not Defined" by default)

    Computer Configuration/Windows Settings/Security Settings/Registry (this is normally empty by default)

    Computer Configuration/Windows Settings/Security Settings/File System (this is normally empty by default)

    I'd never used those settings before, so I compared them against GP on several servers I'd personally set up and found all the others were set to defaults.  No way these custom policy restrictions could have been set manually, so my guess is that these were caused by a lockdown template applied to the server at some point.  The custom settings apparently reflected services, Registry keys, and just about every file under the Windows directory structure as they existed on the SBS 2003 server at the time the lockdown policy was applied (if that was truly the the cause).  Obviously things have evolved since 2003, and some of these settings are incompatible with Vista and Windows 7.  Since they were unfortunately located in the Default Domain Policy, they were pushed out to those new workstations and damaged them.

    Next, I compared the two affected services on the Windows 7 PCs to those on both Windows 2003 Server and Windows XP, and found differences between all 3 in the accounts used to start those services.  For example, in Windows XP, the DHCP Client service starts under the LOCAL SYSTEM account.  On Windows 7, it’s LOCAL SERVICE, and on 2003 it’s NETWORK SERVICE.  Trying to modify the Windows 7 defaults to match any of the others failed and caused further errors about an account mismatch with related services.

    On the Windows 7 systems, neither the logon account setting nor their Registry key permissions seemed to have changed and were still at defaults, which is one reason the "Access is Denied" errors were so perplexing.  Some or all of the GP restrictions for System Services and Registry may not have applied to the new machines at all, so I believe the actual damage was caused by the permission settings for File System -- basically, the services can't start because LOCAL SERVICE no longer had permissions to the actual system files used by those services.  Those file level permission changes appeared to be permanent modifications once applied, and were not automatically reversed by removal of those GP restrictions.  I believe this is the reason everyone is having to wipe their Vista and Windows 7 workstations to bring DHCP back to life.

    Here is what I did to correct the problem:

    1.  I set all three GP categories mentioned above back to their default settings.  Under System Services, I set each service back to "Not Defined".  I deleted every freakin' entry under File System and Registry, and it took a good while since there were thousands.

    2.  I reimaged a few of the Windows 7 workstations, and the problem did not reoccur after joining them to the domain and rebooting.  DHCP works like a charm now!  Probably fixed a host of unforeseen issues as well.

    3.  For a few other affected workstations, I had the local site admin try using Security Restore from Rizone3.com to reset all permissions back to factory defaults, but he said this didn't seem to fix the issue -- maybe some screwed-up ownership settings prevented it from doing its job.  My guess is that if we manually modify the file permissions on the service-related system files, they'll be able to start the service and it could save time on repair.  But knowing what I do now of the problem, I'm going to highly suggest a full wipe/reload of the O/S as the best solution.

    Hope this helps, and if anyone else comes up with a better and quicker solution to repair the damaged workstations without a wipe/reload, I'll look forward to it.  I never tried using System Restore, so it might be worth a shot.  In the meantime, I'm making a practice of checking Group Policy settings on any existing pre-2008 servers to make sure I won't run into this anymore.  I'm betting it would wreak havoc with newer server operating systems introduced into the domain as well as workstations.  Also, I've never personally used lockdown policies before, but am making a note to self NOT to.  :)

    Good luck!!!
    Thanks so much SkymanPCA!  Exactly what my issue was.
    Thursday, March 29, 2012 5:11 PM
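The three policy categories named in the post above (System Services, Registry, File System) are stored in a GPO's security template, GptTmpl.inf, as the `[Service General Setting]`, `[Registry Keys]` and `[File Security]` sections. The following PowerShell is an added example, not part of the thread: it counts the entries in those sections and lists the ones that carry a protected DACL. The function name `Get-GpoSecurityEntry` and the sample template are constructed for illustration.

```powershell
# Constructed sample in GptTmpl.inf (security template) format; not taken from the thread.
# On a real domain, read the Default Domain Policy template instead, e.g.
#   Get-Content '\\<domain>\SYSVOL\<domain>\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
$sample = @'
[Unicode]
Unicode=yes
[Service General Setting]
"Dhcp",2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
[Registry Keys]
"MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp",2,"D:P(A;CI;KA;;;BA)(A;CI;KA;;;SY)"
[File Security]
"%SystemRoot%\system32",2,"D:P(A;CIOI;FA;;;BA)(A;CIOI;FA;;;SY)(A;CIOI;0x1200a9;;;BU)"
"%SystemRoot%\Temp",0,"D:(A;CIOI;FA;;;BA)(A;CIOI;0x1200a9;;;LS)"
'@

function Get-GpoSecurityEntry {
    param([string[]]$Content)
    $wanted  = 'Service General Setting', 'Registry Keys', 'File Security'
    $section = $null
    foreach ($line in $Content) {
        $line = $line.Trim()
        # Track which [Section] we are in.
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        # Entries in these sections have the form "target",number,"SDDL".
        if ($section -notin $wanted -or $line -notmatch '^"([^"]+)",\s*(\d+),\s*"([^"]*)"$') { continue }
        $target, $mode, $sddl = $Matches[1], $Matches[2], $Matches[3]
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $sddl
        # SIDs that receive an Allow ACE; S-1-5-19 is LOCAL SERVICE.
        $allowed = @($sd.DiscretionaryAcl |
            Where-Object { $_.AceType -eq 'AccessAllowed' } |
            ForEach-Object { $_.SecurityIdentifier.Value })
        [pscustomobject]@{
            Section       = $section
            Target        = $target
            Mode          = $mode   # numeric field exactly as written in the template
            DaclProtected = $sd.ControlFlags.HasFlag(
                [System.Security.AccessControl.ControlFlags]::DiscretionaryAclProtected)
            AllowedSids   = $allowed -join ','
        }
    }
}

$entries = Get-GpoSecurityEntry -Content ($sample -split "`r?`n")
# Any count above zero here means the GPO is pushing ACLs or service settings to clients.
$entries | Group-Object Section | Format-Table Name, Count -AutoSize
# Protected DACLs (D:P...) drop inherited ACEs, so only the SIDs listed remain on the target.
$entries | Where-Object DaclProtected | Format-Table Section, Target, Mode, AllowedSids -AutoSize
```

On a policy left at its defaults, these three sections are absent from the template and the function returns nothing.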
  • I had the same BFE error 5.

    I used Tweaking.com's windows repair and the BFE service and windows firewall started after that
    Maybe worth a try


    Thanks Eprom. After trying a heap of other suggestions this has finally fixed the problem for me.
    Monday, April 09, 2012 7:51 AM
  • Easy solution to this one. Open a command prompt and type the following:

    NET LOCALGROUP administrators "NT Authority\Local Service" /add

    netsh winsock reset catalog

    Then reboot as instructed. That should fix these errors.

    Monday, June 04, 2012 9:27 PM
  • Thanks so much. This ends my 2 weeks of headache. I was able to remove rootkit ZeroAccess and trojan Sirefef using this, then stuck at reviving Firewall, Defender. Only thing I wonder here is if enabling SERVICE permission to the whole services tree is original setting, or is too vulnerable?
    Friday, June 15, 2012 7:07 PM
  • Easy solution to this one. Open a command prompt and type the following:

    NET LOCALGROUP administrators "NT Authority\Local Service" /add

    netsh winsock reset catalog

    Then reboot as instructed. That should fix these errors.

    this fixed things for me

    Thanks

    Monday, July 30, 2012 9:16 AM
  • This worked for me! Thanks SkymanPCA for the hair-pulling hours of frustration and the detailed solution.  I will dump half a beer this evening in your honor!  Seems that UAC and other security improvements in Windows 7/8 negate the use of XP style lockdown policies.  Cheers!
    Thursday, August 30, 2012 1:05 AM
  • Great job, thank you, I have been fighting this on several machines and you handed me a five minute fix.  Thank you for posting.  Don
    Wednesday, October 10, 2012 2:43 PM
  • You are a genius.  I've been fighting this problem for two days, tried at least a dozen suggestions - and yours is the one that worked.  Thank you so much!
    Friday, October 18, 2013 3:49 PM