I have found a new and apparantly unknown solution to this problem. I'm not really expecting any replies to this message, but I'm posting this here so that others who experience this error can perhaps (finally) fix it themselves.
I have a new 2008 R2 file server I only just built a week ago, and for some reason I am getting a bizarre error at server startup that says the "Diagnostic Policy Service" failed to start, due to an "Access Denied" error #5.
The only official Microsoft reference to this error is a registry permissions article on TechNet, but these permissions are correct on my server:
After spending a great deal of time wading through tons of unhelpful discussions of the problem I decided to try researching it myself.
I downloaded and installed Microsoft's free "Process Monitor" utility, started it, stopped the monitoring, and cleared the log.
Next I arranged the services window and the Process Monitor utility window so that I could quickly start the capture of events, click Start on the "Diagnostic Policy Service" and then quickly stop capturing events after the error occured.
Searching the Process Monitor event log for the word "denied", I found this single entry:
Date & Time: 9/3/2011 7:05:39 AM
Event Class: File System
Result: ACCESS DENIED
Desired Access: Synchronize
Options: Directory, Synchronous IO Non-Alert, Open For Free Space Query
ShareMode: Read, Write
So it appears the Diagnostic Policy Service is trying to do something with drive C:\ when its first starts up, but its initial access is denied and the service fails to load.
I went to the properties for drive C:, Security tab, and added the following entry:
LOCAL SERVICE -- Full Control of C:\
After doing this I can now go into the Services console, manually start the Diagnostic Policy Service, and it loads and continues to operate without any problems:
* The Diagnostic Policy Service service entered the running state.
* The Diagnostic System Host service entered the running state.
* The Protected Storage service entered the running state.
,If this post is helpful to you, I would be interested in seeing your replies.
Dale Mahalko, firstname.lastname@example.org
- Edited by Dale Mahalko Saturday, September 03, 2011 12:35 PM
I had the same issue as you stated. Using your idea to use Process Monitor, I found that access was denied to HKLM\System\CurrentControlSet\Control\WDI\Config. I set "NT Service\DPS" full control to that key and the service started.
You have to select the local computer/server you are working on in order to add nt service\xxxx accounts. Click the location button and select the computer you are using when adding permissions. Be aware though that if Group Policy is controlling registry permissions, then you will need to edit that gpo and add the proper permissions then wait for them to propagate out to the rest of the network.
I ran across this problem when I first added 2008 servers to a 2003 domain that I inherited. Previous admin was crazy about restricting registry permissions through group policy.
I have been forever and a day trying to find a solution to this error. I notice you all refer to servers. Will this work on my home computer? I am having the problem on one that connects wirelessly. I have the wireless connection working, but no internet connection due to this error.
Someone is asking me for more detail via email. I prefer to talk in the forum, so that I don't need to repeat anything to anyone else.
Simple config method:
Computer -> Drive C: -> Properties -> Security tab -> upper "Edit" button
New window "Properties for drive C:" appears -> "Add" button
New window "Select users or groups" appears -> type "local service" -> Click OK
(If you get an error that the item cannot be found, click the "Object Types" button, and select "Built-in Security principals".)
(The Location field should show the name of your computer. If not, click the "Location" button, and find and select your computer name.)
The item "LOCAL SERVICE" now appears in the security list. Click on the item name, and then check the box "Full Control" under "Allow".
Click OK, OK. Windows will now grind through the entire directory tree adding "LOCAL SERVICE" to all folders that inherent parent permissions from the Drive C: object. This may take a while, do not interrupt the process or security permissions will only be partially set for some directories and not others.
However flacr's suggestion on May 4, 2012, to only add this permission for "NT Service\DPS" is probably a better and more fine-grained solution. Doing that restricts the added permissions to only that one "DPS" service rather than all local services.
The risk for doing it for all services, is that if you have a virus attack that installs a hidden service on the system, giving "LOCAL SERVICE" full control of the drive means the malicious service also gets full control of the drive too.
Thanks for sharing the finding. I, too, have the same Diagnostic Policy Service not running and "Access Denied" for attempting to start the Diagnostic Policy Service. After adding the "local service" with Modify permission, I was able to start the service.
This might be a bug on Microsoft. I have installed many Windows 7, 8, and server 2008 R2, and server 2012 R2; they all have the same problem.