SOLUTION for "Diagnostic Policy Service" "Access Denied" 2008 R2

    General discussion

  • I have found a new and apparantly unknown solution to this problem. I'm not really expecting any replies to this message, but I'm posting this here so that others who experience this error can perhaps (finally) fix it themselves.


    I have a new 2008 R2 file server I only just built a week ago, and for some reason I am getting a bizarre error at server startup that says the "Diagnostic Policy Service" failed to start, due to an "Access Denied" error #5.

    The only official Microsoft reference to this error is a registry permissions article on TechNet, but these permissions are correct on my server:


    After spending a great deal of time wading through tons of unhelpful discussions of the problem I decided to try researching it myself.

    I downloaded and installed Microsoft's free "Process Monitor" utility, started it, stopped the monitoring, and cleared the log.

    Next I arranged the services window and the Process Monitor utility window so that I could quickly start the capture of events, click Start on the "Diagnostic Policy Service" and then quickly stop capturing events after the error occured.

    Searching the Process Monitor event log for the word "denied", I found this single entry:


    Date & Time: 9/3/2011 7:05:39 AM
    Event Class: File System
    Operation: CreateFile
    Path: C:\
    TID: 2980
    Duration: 0.0000359
    Desired Access: Synchronize
    Disposition: Open
    Options: Directory, Synchronous IO Non-Alert, Open For Free Space Query
    Attributes: n/a
    ShareMode: Read, Write
    AllocationSize: n/a


    So it appears the Diagnostic Policy Service is trying to do something with drive C:\ when its first starts up, but its initial access is denied and the service fails to load.

    I went to the properties for drive C:, Security tab, and added the following entry:

    LOCAL SERVICE  -- Full Control of C:\


    After doing this I can now go into the Services console, manually start the Diagnostic Policy Service, and it loads and continues to operate without any problems:

    System log:

    * The Diagnostic Policy Service service entered the running state.

    * The Diagnostic System Host service entered the running state.

    The Protected Storage service entered the running state.


    If this post is helpful to you, I would be interested in seeing your replies.

     Dale Mahalko,

    • Edited by Dale Mahalko Saturday, September 03, 2011 12:35 PM
    Saturday, September 03, 2011 12:31 PM

All replies

  • Thanks for the sharing.
    Laura Zhang - MSFT
    Friday, September 09, 2011 5:08 AM
  • I had the same issue as you stated.  Using your idea to use Process Monitor, I found that access was denied to HKLM\System\CurrentControlSet\Control\WDI\Config.  I set "NT Service\DPS" full control to that key and the service started.

    Friday, May 04, 2012 7:51 PM
  • I had the same issue as you stated.  Using your idea to use Process Monitor, I found that access was denied to HKLM\System\CurrentControlSet\Control\WDI\Config.  I set "NT Service\DPS" full control to that key and the service started.

    I'm having the exact same issue, I just don't understand where you're finding NT Service/DPS. Can you please give some more detail?
    Tuesday, June 26, 2012 1:32 AM
  • You have to select the local computer/server you are working on in order to add nt service\xxxx accounts. Click the location button and select the computer you are using when adding permissions. Be aware though that if Group Policy is controlling registry permissions, then you will need to edit that gpo and add the proper permissions then wait for them to propagate out to the rest of the network.

    I ran across this problem when I first added 2008 servers to a 2003 domain that I inherited. Previous admin was crazy about restricting registry permissions through group policy.

    Thursday, June 28, 2012 3:13 PM
  • Hi,

    I have been forever and a day trying to find a solution to this error. I notice you all refer to servers. Will this work on my home computer? I am having the problem on one that connects wirelessly. I have the wireless connection working, but no internet connection due to this error.

    Thank you

    Thursday, July 26, 2012 1:59 AM
  • Hi,

    thanks - works the same way for Windows Server 2012.



    Wednesday, June 26, 2013 11:36 AM
  • Someone is asking me for more detail via email. I prefer to talk in the forum, so that I don't need to repeat anything to anyone else.


    Simple config method:

    Computer -> Drive C: -> Properties -> Security tab -> upper "Edit" button

    New window "Properties for drive C:" appears -> "Add" button

    New window "Select users or groups" appears -> type "local service" -> Click OK

    (If you get an error that the item cannot be found, click the "Object Types" button, and select "Built-in Security principals".)

    (The Location field should show the name of your computer. If not, click the "Location" button, and find and select your computer name.)


    The item "LOCAL SERVICE" now appears in the security list. Click on the item name, and then check the box "Full Control" under "Allow".

    Click OK, OK. Windows will now grind through the entire directory tree adding "LOCAL SERVICE" to all folders that inherent parent permissions from the Drive C: object. This may take a while, do not interrupt the process or security permissions will only be partially set for some directories and not others.



    However flacr's suggestion on May 4, 2012, to only add this permission for "NT Service\DPS" is probably a better and more fine-grained solution. Doing that restricts the added permissions to only that one "DPS" service rather than all local services.

    The risk for doing it for all services, is that if you have a virus attack that installs a hidden service on the system, giving "LOCAL SERVICE" full control of the drive means the malicious service also gets full control of the drive too.

    Wednesday, August 21, 2013 6:10 PM
  • Thanks woked perfect 

    Deepak Behera

    Wednesday, September 25, 2013 5:55 PM
  • Thanks for sharing the finding.  I, too, have the same Diagnostic Policy Service not running and "Access Denied" for attempting to start the Diagnostic Policy Service.  After adding the "local service" with Modify permission, I was able to start the service.

    This might be a bug on Microsoft.  I have installed many Windows 7, 8, and server 2008 R2, and server 2012 R2; they all have the same problem.

    Sunday, October 20, 2013 8:46 PM