Base Filtering Engine Service Broken


  • I am having trouble with Vista Beta 2 after joining a windows 2003 domain.  Windows will not start the Base Filtering Engine service, which seems to be required to properly run Windows on a network.  If I attempt to manually start the service, I receive, "Error 1297:  A privilege that the service requires to function properly does not exist in the service account configuration."  Furthermore, I receive Event ID 7000 with the same message.  I think it might have something to do with Group Policy.  However, I did attempt to remove all group policy settings and the problem still persists.  I have other problems with Vista's networking and I think most of them are related to this same issue.



    Thursday, September 07, 2006 12:35 PM


  • My issue was related to active directory group policy.  I had a good running version of Vista at home, from which I export the Local Policy Settings.  Then I imported the stable settings into my domain member Vista computer.  This reset all the settings that group policy may have corrupted.  I now have a Vista OU that is blocking all previous group policy settings (Server 2000 & 2003).


    Monday, September 11, 2006 11:15 PM

All replies

  • Tom,

    This is what error 1297 is:


    A privilege that the service requires to function properly does not exist in the service account configuration. You may use the Services Microsoft Management Console (MMC) snap-in (services.msc) and the Local Security Settings MMC snap-in (secpol.msc) to view the service configuration and the account configuration.


    Try going to the BFE Properties and possible change the settings in the Logon tab, I think that might help.

    Let me know if this helps.


    Andre Rivera

    Windows Beta Feedback Team

    Thursday, September 07, 2006 9:51 PM
  • My issue was related to active directory group policy.  I had a good running version of Vista at home, from which I export the Local Policy Settings.  Then I imported the stable settings into my domain member Vista computer.  This reset all the settings that group policy may have corrupted.  I now have a Vista OU that is blocking all previous group policy settings (Server 2000 & 2003).


    Monday, September 11, 2006 11:15 PM
  • Any thoughts on what item(s) in the policy may have been causing the problems?  I am experiencing similar issues with a test box that only cropped after joining the workstation to our Win2K3 domain, which causes me to suspect an AD Group Policy problem.  Before domain join everything appeared to be working fine.  Following, however, several services fail -- with "access denied" -- on startup including:

         Base Filtering Engine
         DHCP Client
         Diagnostic Policy Service
         IKE and AuthIP IPsec Keying Modules
         IPsec Policy Agent
         Network Service List
         Network Location Awareness
         Thread Ordering Server
         Windows Audio
         Windows Firewall
         Windows Time
         Windows Media Center Service Launcher
         Windows Media Player Network Sharing Service

    Further, the following list of (unique) errors and warnings show up in the system log:

         DHCP Client terminates with "Access Denied"
         Windows Time service terminates with "Access Denied"
         Resource Publication Service fails
         DCOM netprofm 1068 Error
         Group Policy results warning
         DNS registration warning
         Thread Ordering Server service terminates with "Access Denied"
         Windows Audio service fails Thread Ordering Server dependency
         Base Filtering Engine service terminates with "Access Denied"
         Windows Firewall service fails Base Filtering Engine dependency
         IKE and AuthIP IPSec Keying service fails Base Filtering Engine  dependency
         Diagnostic Policy Service terminates with "Access Denied"
         Network Location Awareness service terminates with error 3221226008
         IPsec Policy Agent service fails Base Filtering Engine dependency
         Network List Service fails Network Location Awareness dependency
         WMPNetworkSvc fails with registry error 0x80070006
         BITS Client fails firewall state set with error 2147944153
         WinHTTP Web Proxy Auto-Discovery Service fails DHCP Client dependency

    The above list is in chronological order, but many of the errors repeat themselves several times.  Unfortunately, I don't have a "clean" box from which to export the local policy settings and don't have enterprise admin privileges to create a new OU.  Any feedback and/or guidance would be greatly appreciated...


    Friday, September 15, 2006 5:00 PM
  • I setup an OU in AD that has no GPO's on it at all and blocked policy inheritance and forced a GPUPDATE on my Vista Machine and everything is peachy again, I assume it has something to do with the services in the GPO, but not sure.
    Saturday, October 28, 2006 2:10 PM
  • I've got this same issue with one of our Vista PC's after joining our domain. I've created an OU for the machine that is blocking all policies.

    Could someone chime in and help me export/import the local policies from a non-domain vista box to a domain vista box? I'd be happy with any assistance with this problem!

    PS:  My BFE service does start... it's the Windows Firewall that's not starting (preventing the Terminal Services Service).
    Thursday, December 07, 2006 3:58 PM
  • I found my fix!


    My Default Domain Policy and Default Domain Controller Policy were selected to “enforce” the policies (I had not initially noticed that).  After disabling that, I setup a Vista Clients GP within the Vista OU and setup no policies (all are undefined).  After that, I ran a “gpupdate /force” on my DC and ran the same command on my Vista client (still actively connected to my AD).  After that was done I imported a local policy I had backed up before joining the domain and restarted the client.  Upon logging in, the firewall service was operational and remote access services were operating as before along with telephony service and a few others.


    To check to see if your group policies are enforced on your domain, open your group policy manager and search help for "enforce".  Having this enabled will still cause your OU's to follow the enforced policy even if you have them set to block inheritance. 


    A test remote connect from home verifies all is as it should be again...whew!

    Thursday, December 07, 2006 11:09 PM
  • has anybody figured out what in the GP was causing this??? I have the same problem and I can't figure out how to fix it without reinstalling the OS.
    Wednesday, February 14, 2007 9:32 PM
  • I'm with Scott on this problem.  I'm in a production environment and can't muck around with the domain just to make Vista work.  Can someone tell me how to manually fix the problem without making global changes?




    Thursday, March 01, 2007 2:42 PM
  • I was having a similar problem but not with BFE not starting. The issue I faced was BFE started but the windows firewall would not which kept us from remotely accessing the machine. The error message I received trying to start the firewall is the same posted above (Error 1297).


    I finally got it to work by modifying the User Rights Assignments under Local Policies on the machine itself. Under the following 2 options I added domain users and domain admins, as well as the local group administrators. Adjust memory quotas for a process and Increase a process working set.


    After adding that I was able to get the firewall service started. I joined it back to the domain and it still worked. I looked on an XP Pro machine and I have not found the Increase A Process Working Set option. This appears to be something new in Vista from what I can tell and the only group that was assigned to it was Users.


    Not sure if this will work for you but it did me.

    Tuesday, June 26, 2007 3:10 PM
  • Tried Dgramels' approach and it didn't work for me.  This weird issue came up when we switched domains.  Worked around it by using JKoons' approach of creating my own AD OU and blocking policy inheritance, then moving my machine into it.  None of this is made any easier or quicker by the fact that it seems I need to do two reboots (even with gpupdate /force) before any change comes into effect.  Great for wasting time, what with Vista's restart time being astronomical.
    Thursday, July 19, 2007 2:28 PM
  • Hello all!
    I had the same problem an hour ago Smile But i`ve found how to fix it for me.
    When BFE service starts it also start a group of dependent services (you can see them on Dependencies tab in service props) with "IPSec policies agent" service as one of them.
    In my case the problem was that "IPSec policies agent" service was set to auto startup via domain GPO. There also were set default permissions in GPO for this service - SYSTEM - full control, Administrators - Full control, INTERACTIVE - read. I`ve had to turn on object auditing to find out what user account is trying to start BFE. In Security logs i`ve found records saying that sc (service control) is trying to start service under LOCAL SERVICE account!!! As I later understood - BFE could not start itself because it could not start a dependent service IPSec Policies agent. BFE starts IPSec! so, if we look info LOGIN AS tab in BFE service we will find out that it is starting under LOCAL SERVICE account! And in my GPO ipsec service has permissions on it to be started only by SYSTEM and Administratos. 
    As you understand, the decision was to modify GPO and to give full control permission to LOCAL SERVICE account on IPSec Policies agent service.
    Now it works!
    Hope This HELPS! And good luck!
    Wednesday, September 05, 2007 5:02 PM
  • Thanks it helps me. Now my servises is started. I had problem with firewall servisec, phone service,...

    Thank you

    Wednesday, September 26, 2007 9:23 AM
  • How do you add the Local Service account to a domain GPO?  This as I can see it, is not available when you try to add using a GPO on the domain controller....

    Saturday, October 27, 2007 3:13 AM
  • those setting needs to be set for win 2008 /vista

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip "Local service" Full, Read (add this permission)

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE "NT Service\BFE" Full, Read (add this permission)HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DPS "NT Service\Trustedinstaller" Full, Read (add this permission)

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc "NT Service\NlaSvc" Full, Read (add this permission)

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch "NT Service\MpsSvc" Query, Set Value (add this permission)

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy "NT Service\MpsSvc" Full, Read (add this permission)

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Defaults\FirewallPolicy "NT Service\MpsSvc" Full, Read (add this permission)

    Friday, March 06, 2009 3:10 PM
  • I know this thread has been dead for awhile. But I was having the same issues and what I did was go to the CMD window (must be in Admin mode-Type 'cmd' in run and then hold 'ctrl' + 'shift' and hit enter. Say ok when prompted, then type 'netsh winsock reset'. After that I restarted as prompted and everything worked!

    Monday, May 03, 2010 8:37 PM
  • Great hints, I did procedures mentioned above and was able to start most of the stopped services. But cannot start the Windows Firewall and Diagnostic Policy services. Any clues? I am on Windows 7, the domain server is Windows 2000.

    Also I can't ping localhost, getting General failure error. Is it related with Windows Firewall?

    Wednesday, May 12, 2010 8:41 AM
  • In my case I'm confused as to why we've not experienced problems on xp. Our first Windows7 went in and I was unable to start dhcp service (amongst many others).

    I found that some idiot many moons ago went and changed the permissions in group policy to hklm\system and then set permissions to replicate down the registry.

    So I'm now having to manually go in and set the permissions in group policy. For most services it's pretty easy to fix - just go to HKLM\System\CurrentControlSet\Services\ServiceName. The service name can be obtained by looking at the (short) ServiceName displayed in services.msc.  I've found that setting Local Service and Network Service to full control works (although this may open up some security issues as this is a sledgehammer to fix a nut) BUT it gets the services running. (note that i've subsequently found that I also need to add "NT Service\mpssvc" on the local machine too)  has the required permissions but for me it doesn't work for two reasons. 1. You can't add "NT SERVICE\mpssvc" to the permissions in group policy and 2) the permissions they suggest (by editing directly on the machine in regedit) do not work. It was only adding local service,network service (and in the absense of mpssvc I chose everyone) that got my firewall working.

     Edit: Interestingly I found that Windows7 fails in a secure mode so you can't ping the device until the firewall is running. So this has to be done before any remote management or diagnostics can be done. As soon as the permissions were changed, gpupdate run I could start the firewall and my continual ping from another machine started to respond back with packets.

    For what it's worth, the group policy settings are Computer\Windows Settings\Security Settings\Registry.  Then add a key and make the changes as required.

    Hope this helps someone and if anyone knows how to add the mpssvc account in a group policy then please let me know!

    Registry keys Permissions I had to change were

    bfe, mpssvc, dps, dhcp,eventlog,nla,nlasvc,tcpip,fdrespub,mmcss,mpsdrv,sharedaccess

    • Edited by helsby Thursday, August 19, 2010 4:15 PM corrected fdrespub, added mpssvc
    • Proposed as answer by Muhammad Ismail Vawdiwala Wednesday, March 21, 2012 9:44 AM
    Friday, July 30, 2010 9:19 PM
  • Interestingly I've found another registry key today with the same issue - in this case it was preventing Remote Desktop from working. The port was not listening. Fixed by setting Network Service with access to hklm\system\currentcontrolset\control\Terminal Server\RCM.  This did need a reboot to take effect though.
    Tuesday, April 19, 2011 6:06 PM
  • Helsby, your posts were extremely helpful.  I bought a brand new Sony Vaio laptop, and all was working well until I upgraded to Win 7 Ultimate from Win 7 Pro.  Then I first noticed that Windows Update was failing to install all updates even though it kept trying at every shutdown.  I looked at my sevices and noticed more than half a dozen services set to run Automatic that hadn't started, including the Event log, Windows Firewall,  Base Filtering Engine, and others.  After dealing on all the permissions in the services hive of the registry, it's all working. 

    Thank you!


    Tuesday, July 19, 2011 5:06 PM
  • Thanks Helsby for such a great support i was looking for since last couple of weeks, the same issue has happened with me.

    Once again thanks a lot.

    Muhammad Ismail

    Wednesday, March 21, 2012 9:45 AM