Access Denied - Base Filter Engine

    Question

  • Dear Experts,

    I have set up a Win 2k8 server standard edition SP2 and it was running without any problems. Suddenly I saw a bluescreen (I suppose this is because of a new Bluetooth driver I added). Now I can't get the network working, nor the Windows Firewall. I suppose the problem is because of "Base Filtering Engine" saying "Access Denied". What can be the reason?

    I copied the BFE registry settings from a server working well and tried importing, but no success yet.

    Regards,

    Abhilash


    Regards, Abhilash Jacob Rajan
    Thursday, August 11, 2011 8:58 AM

All replies

  • Dear Syed,

    I already saw this page, imported BFM registry of another computer (which is working fine) to this server and it didn't work.


    Regards, Abhilash Jacob Rajan
    Thursday, August 11, 2011 9:20 PM
  • Hi,

     

    Please double check the link Syed provided, it is not suggesting importing BFM registry from another computer. If the issue persists after that, please refer to the following suggestions:

     

    1. Browse to the location for the BFE service in the registry (HKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy), right click and select permissions.

    2. In the "Permissions for Policy" window, click advanced | Add.

    3. Once the "Select Users, Computers or Group" box appears, change the "From this location:" to point to the local machine name.

    4. After changing the search location, enter "NT Service\BFE" in the "Enter the object name to select" box and click "Check names" - this will allow you to add the BFE account.

    5. Give the following privileges to the BFE account:

     

    Query Value

    Set Value

    Create Subkey

    Enumerate Subkeys

    Notify

    Read Control

     

    After adding the BFE account to the registry key, please try to start the Base Filtering Engine service.

     

    Any progress?

     

    Thanks.

    Nina
    • Proposed as answer by Deva_ES Wednesday, May 09, 2012 2:45 PM
    Tuesday, August 16, 2011 9:30 AM
  • Dear Nina,

    I tried your tip and didn't work. The BFE service is still not started.

    Regards,

    Abhilash


    Regards, Abhilash Jacob Rajan
    Tuesday, August 16, 2011 12:24 PM
  • Hi Abhilash,

     

    Windows 7 introduced a new feature, Trigger-Start service. To support this feature, BFE will enumerate all services and query to see if this service supports Trigger-Start. The Base Filtering Engine service runs under the Local System security context. If this account does not have the permissions to query the configuration of a service, you will receive this error.

    The blog recommended by Syed is to resolve this kind of issue. I understand that you have tried to import registry key from another computer; however, the suggestions listed in the blog are different from this. Please give it a try and let us know if anything is unclear.


    Laura Zhang - MSFT
    Tuesday, August 30, 2011 9:53 AM
  • Dear Laura,

    As I'm not very IT savvy, I never understood what to do per Syed's blog. May you please explain to me how to get this done:

    In fact, what I tried was to follow some other blog on the same topic and add the login user etc. to the services control list from regedit.

    Regards,

    Abhilash

    · Manually examine each service, starting with non-Microsoft services.

    Say you’ve decided to go it on your own. Here’s what you need to do to check the Discretionary Access Control List (DACL), or permissions, of a service.

    First off, you’ve got to get the names of all installed services:

    sc query > servicenames.txt

    Open servicenames.txt and make a note of the SERVICE_NAME property of each service.

    To list the DACL of a service, run this command:

    sc sdshow <service name>

    Let’s start by listing the DACL of a Microsoft service, which would have the correct permissions (Unless they’ve been manually edited).

    sc sdshow Audiosrv

     

    D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

    The resulting string of letters and special characters is the Security Descriptor (SD) in SDDL. The characters after D: make up the DACL. The characters after S: are the SACL, which we’re not interested in.

    Since the Base Filtering Engine service runs in the context of the Local System account, the part of the DACL we’re interested in is (A;;CCLCSWRPWPDTLOCRRC;;;SY)

    Now it’s time to get our hands dirty. Do an sc sdshow on all non-Microsoft services and check if they have (A;;CCLCSWRPWPDTLOCRRC;;;SY). The services that are missing this Access Control Entry (ACE) are the ones that are causing the Base Filtering Engine service to terminate with “Access is denied”.

    On to the most interesting part of this post. How do I fix it?

    That’s easy! But first, the disclaimer.

    Disclaimer: Proceed at your own risk. Incorrectly setting the DACL could result in you being locked out of modifying the service, or even accessing it.

     

    1. Make a note of the Security Descriptor (SD) of the problem service by running this command:

    sc sdshow ProblemService

    D:(A;;LC;;;WD)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

    2. List the SD of a Microsoft service for comparison:

    sc sdshow Audiosrv
     
    D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

    3. Identify the missing Access Control Entries (ACEs). These are:

    (A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)

    4. Insert the missing ACEs into the DACL of the SD of the problem service, by running this command:

    sc sdset ProblemService D:(A;;LC;;;WD)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

    Important: Ensure that there are no spaces in the DACL string, because if there is a space in the string, the sc sdset command will only consider the portion before the space and truncate the DACL SDDL string there.

     

    5. Lather, rinse, repeat for other non-Microsoft services that are missing the ACE for Local System.

    That’s it. Start the Base Filtering Engine service and then the Windows Firewall service and you’re done.

    Here are a couple of links that will demystify SDDL for you:

    Parsing SDDL Strings 
    http://blogs.dirteam.com/blogs/jorge/archive/2008/03/26/parsing-sddl-strings.aspx

    SDDL string parser - MS Israel Community 
    http://blogs.microsoft.co.il/files/folders/guyt/entry70399.aspx


    Regards, Abhilash Jacob Rajan
    Monday, September 05, 2011 7:17 AM
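
The manual comparison quoted in the post above (look for the Local System ACE in each service's `sc sdshow` output, then rebuild the string for `sc sdset` without spaces), as an added example that is not part of the thread or of the blog it quotes. The function names are this example's own; it handles only the `SY` ACE, appends it at the end of the DACL rather than in the middle, and uses the two descriptors shown in the post as sample input.

```python
import re

# ACE the quoted blog expects every service to carry for Local System (SY).
SY_ACE = "(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
REQUIRED = set(re.findall("..", "CCLCSWRPWPDTLOCRRC"))  # two-letter right codes
SD_RE = re.compile(r"^D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^()]*\))*)(?P<sacl>S:.*)?$")

def split_sd(sddl):
    """Split `sc sdshow` output into (DACL flags, list of ACE strings, SACL)."""
    m = SD_RE.match("".join(sddl.split()))  # drop stray spaces and line breaks
    if not m:
        raise ValueError("unexpected SDDL layout: %r" % sddl)
    return m.group("flags"), re.findall(r"\([^()]*\)", m.group("aces")), m.group("sacl") or ""

def missing_sy_rights(sddl):
    """Required rights that no allow ACE grants to SY (empty set means fine)."""
    held = set()
    for ace in split_sd(sddl)[1]:
        fields = ace.strip("()").split(";")
        if len(fields) >= 6 and fields[0] == "A" and fields[5] == "SY":
            held.update(re.findall("..", fields[2]))
    # GA (generic all) covers every service right; a hex mask is not decoded
    # here and is reported as missing so that it gets a manual look.
    return set() if "GA" in held else REQUIRED - held

def with_sy_ace(sddl):
    """SDDL for `sc sdset`: as given if SY is fine, else SY_ACE appended to the DACL."""
    flags, aces, sacl = split_sd(sddl)
    if missing_sy_rights(sddl):
        aces.append(SY_ACE)
    return "D:" + flags + "".join(aces) + sacl

def audit(descriptors):
    """Names of services whose DACL lacks the Local System rights."""
    return sorted(n for n, sd in descriptors.items() if missing_sy_rights(sd))

# The two descriptors shown in the post above.
SAMPLES = {
    "ProblemService": "D:(A;;LC;;;WD)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)",
    "Audiosrv": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)",
}

if __name__ == "__main__":
    for name in audit(SAMPLES):
        print("sc sdset", name, with_sy_ace(SAMPLES[name]))
```

Run the printed command only after saving the original `sc sdshow` output for that service, so the previous descriptor can be restored.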
  • Hi,

     

    Just wanted to say thank you for the technical steps, worked like a charm to my long problem which all started with the Trojan:Win64/Sirefef.K that after one full day I was able to remove. However, the problem was that it broke some of my services, my whole firewall service was gone. I had to re-create manually but there was another problem with dependencies. The BFE couldn't start and without it nor the Firewall. So the problem was the improper permission which I set with "

    D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

    "  Next I gave proper permission to that key and finally my BFE fired up! and so my FW service. So thanks again. ~cyberblackhat

    Tuesday, December 13, 2011 1:17 AM
  •  

    Hi,

     

    Please double check the link Syed provided, it is not suggesting importing BFM registry from another computer. If the issue persists after that, please refer to the following suggestions:

     

    1. Browse to the location for the BFE service in the registry (HKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy), right click and select permissions.

    2. In the "Permissions for Policy" window, click advanced | Add.

    3. Once the "Select Users, Computers or Group" box appears, change the "From this location:" to point to the local machine name.

    4. After changing the search location, enter "NT Service\BFE" in the "Enter the object name to select" box and click "Check names" - this will allow you to add the BFE account.

    5. Give the following privileges to the BFE account:

     

    Query Value

    Set Value

    Create Subkey

    Enumerate Subkeys

    Notify

    Read Control

     

    After adding the BFE account to the registry key, please try to start the Base Filtering Engine service.

     

    Any progress?

     

    Thanks.

    Nina
    DING DING DING! FINALLY! This has really been frustrating me for a while.
    • Proposed as answer by Jacob Tuesday, September 25, 2012 10:19 AM
    Tuesday, December 27, 2011 4:15 AM
  • Dear Victor,

    I tried this and failed already. This suggestion didn't help in resolving the problem. May you please suggest something new?

    Regards,

    Abhilash


    Regards, Abhilash Jacob Rajan
    Tuesday, December 27, 2011 6:31 PM
  • Hi "Nina Liu - MSFT". Sounds good, it worked for me! Thanks a lot!
    • Edited by Deva_ES Wednesday, May 09, 2012 2:48 PM
    • Proposed as answer by tambor81 Wednesday, December 19, 2012 6:31 PM
    Wednesday, May 09, 2012 2:46 PM
  • This information seriously saved my day!!! It worked on a Windows 7 system that refused to take the new antivirus program. The error code was so vague, I spent hours reading through different forums. I finally tracked the problem to the Base Filtering Engine. The service was absent although system32 files were present. I did import the registry key from a known working system, but it still didn't help. After changing the permissions as you suggested everything worked. I was able to restart the services and install the program. Thanks again for your knowledge and furthermore for taking the time to add it on the world wide web:)
    Wednesday, July 11, 2012 5:10 PM
  • Hi Abhilash,

    Please follow the instructions in this guide to restore the BFE to a good working order:

    Base Filtering Engine Service Access Denied


    • Proposed as answer by A. TheOne Thursday, July 19, 2012 2:00 PM
    • Edited by A. TheOne Thursday, July 19, 2012 2:08 PM link error
    Thursday, July 19, 2012 2:00 PM
  • I was getting the Error 5 message when trying to start the BFE service. This worked for me. 

    Thursday, August 09, 2012 7:32 PM
  • I had this problem and your suggestion worked!  Thanks.
    Sunday, May 05, 2013 10:19 PM
  • Trust you have already tried the steps mentioned in the blogs below. If not, try them:

    http://blogs.technet.com/b/networking/archive/2011/06/14/the-windows-firewall-service-fails-to-start-registry-permissions.aspx

    http://blogs.technet.com/b/networking/archive/2011/06/10/the-windows-firewall-service-fails-to-start-logon-permissions.aspx

    http://blogs.technet.com/b/networking/archive/2011/06/16/the-windows-firewall-service-fails-to-start-checking-privilege-access.aspx

    ===============

    You can also try the Fix it solution: http://support.microsoft.com/mats/windows_firewall_diagnostic/

    ===============

    If no success yet:

    1. Run process monitor while starting BFE and stop it by reproducing the issue.

    2. Go to filter menu --> Select filter --> Add a filter like this

    Now you can verify where the problem is and why you are getting access denied.


    Nitin Mohan Gupta

    Friday, July 26, 2013 11:48 PM
  • Thank you Nina - You're a genius and you should be promoted.

    I have tried a hundred solutions and this is the one that did it.

    Finally!!


    Thank you thank you.


    RF

    Sunday, October 27, 2013 1:04 AM