Access Denied - Base Filter Engine
Dear Experts, I have set up a Win 2k8 server standard edition SP2 and it was running without any problems. Suddenly I saw a bluescreen (I suppose this is because of a new Bluetooth driver I added). Now I can't get the network working, nor the Windows Firewall. I suppose the problem is because of "Base Filtering Engine" saying "Access Denied". What can be the reason? I copied the BFE registry settings from a server working well and tried importing, but no success yet. Regards, Abhilash Jacob Rajan
August 11th, 2011 11:58am

Have you tried this? http://blogs.technet.com/b/rspitz/archive/2010/09/19/quot-access-is-denied-quot-when-you-attempt-to-start-the-base-filtering-engine-service-after-upgrading-from-windows-server-2003-to-windows-server-2008-r2.aspx
http://www.virmansec.com/blogs/skhairuddin
August 11th, 2011 1:15pm

Dear Syed, I already saw this page, imported BFM registry of another computer (which is working fine) to this server and it didn't work. Regards, Abhilash Jacob Rajan
August 12th, 2011 12:20am

Hi, Please double check the link Syed provided, it is not suggesting importing BFM registry from another computer. If the issue persists after that, please refer to the following suggestions:

1. Browse to the location for the BFE service in the registry (HKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy), right click and select permissions.
2. In the "Permissions for Policy" window, click advanced | Add.
3. Once the "Select Users, Computers or Group" box appears, change the "From this location:" to point to the local machine name.
4. After changing the search location, enter "NT Service\BFE" in the "Enter the object name to select" box and click "Check names" - this will allow you to add the BFE account.
5. Give the following privileges to the BFE account: Query Value, Set Value, Create Subkey, Enumerate Subkeys, Notify, Read Control.

After adding the BFE account to the registry key, please try to start the Base Filtering Engine service. Any progress? Thanks. Nina
August 16th, 2011 12:30pm

Dear Nina, I tried your tip and it didn't work. The BFE service is still not started. Regards, Abhilash Jacob Rajan
August 16th, 2011 3:24pm

Hi Abhilash, Windows 7 introduced a new feature, Trigger-Start service. To support this feature, BFE will enumerate all services and query to see if this service supports Trigger-Start. The Base Filtering Engine service runs under the Local System security context. If this account does not have the permissions to query the configuration of a service, you will receive this error. The blog recommended by Syed is to resolve this kind of issue. I understand that you have tried to import registry key from another computer; however, the suggestions listed in the blog are different from this. Please give it a try and let us know if anything is unclear. Laura Zhang - MSFT
August 30th, 2011 12:53pm

Dear Laura, As I'm not very IT savvy, I never understood what to do per Syed's blog. May you please explain to me how to get this done? In fact, what I tried to do was follow some other blog on the same topic and add the login user etc. to the services control list from regedit. Regards, Abhilash

· Manually examine each service, starting with non-Microsoft services.

Say you’ve decided to go it on your own. Here’s what you need to do to check the Discretionary Access Control List (DACL), or permissions, of a service. First off, you’ve got to get the names of all installed services:

    sc query > servicenames.txt

Open servicenames.txt and make a note of the SERVICE_NAME property of each service. To list the DACL of a service, run this command:

    sc sdshow <service name>

Let’s start by listing the DACL of a Microsoft service, which would have the correct permissions (unless they’ve been manually edited).

    sc sdshow Audiosrv
    D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

The resulting string of letters and special characters is the Security Descriptor (SD) in SDDL. The characters after D: make up the DACL. The characters after S: are the SACL, which we’re not interested in. Since the Base Filtering Engine service runs in the context of the Local System account, the part of the DACL we’re interested in is (A;;CCLCSWRPWPDTLOCRRC;;;SY)

Now it’s time to get our hands dirty. Do an sc sdshow on all non-Microsoft services and check if they have (A;;CCLCSWRPWPDTLOCRRC;;;SY). The services that are missing this Access Control Entry (ACE) are the ones that are causing the Base Filtering Engine service to terminate with “Access is denied”.

On to the most interesting part of this post. How do I fix it? That’s easy! But first, the disclaimer.

Disclaimer: Proceed at your own risk. Incorrectly setting the DACL could result in you being locked out of modifying the service, or even accessing it.

1. Make a note of the Security Descriptor (SD) of the problem service by running this command:

    sc sdshow ProblemService
    D:(A;;LC;;;WD)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

2. List the SD of a Microsoft service for comparison:

    sc sdshow Audiosrv
    D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

3. Identify the missing Access Control Entries (ACEs). These are:

    (A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)

4. Insert the missing ACEs into the DACL of the SD of the problem service, by running this command:

    sc sdset ProblemService D:(A;;LC;;;WD)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

Important: Ensure that there are no spaces in the DACL string, because if there is a space in the string, the sc sdset command will only consider the portion before the space and truncate the DACL SDDL string there. eg.

5. Lather, rinse, repeat for other non-Microsoft services that are missing the ACE for Local System.

That’s it. Start the Base Filtering Engine service and then the Windows Firewall service and you’re done.

Here are a couple of links that will demystify SDDL for you:

Parsing SDDL Strings http://blogs.dirteam.com/blogs/jorge/archive/2008/03/26/parsing-sddl-strings.aspx
SDDL string parser - MS Israel Community http://blogs.microsoft.co.il/files/folders/guyt/entry70399.aspx

Access is denied, Base Filtering Engine service

Regards, Abhilash Jacob Rajan
September 5th, 2011 10:17am
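
The manual check described in the blog text quoted above, as an added PowerShell example (not part of the original thread or the blog): it parses `sc sdshow` output and reports services that have no allow ACE for Local System (SY) carrying the rights in (A;;CCLCSWRPWPDTLOCRRC;;;SY). The function names are hypothetical, PowerShell 2.0 or later is assumed, and accepting an SY ACE with a superset of those rights is an assumption that goes beyond the exact-string comparison in the post.

```powershell
# Added example, not from the thread. SY is the SDDL alias for Local System.
$Required = 'CC','LC','SW','RP','WP','DT','LO','CR','RC'   # rights in (A;;CCLCSWRPWPDTLOCRRC;;;SY)

function Get-DaclAce([string]$Sddl) {
    # DACL = text after "D:" and before "S:" (the SACL); -creplace is case-sensitive.
    $dacl = ($Sddl -creplace '^.*?D:', '') -creplace 'S:.*$', ''
    foreach ($m in [regex]::Matches($dacl, '\(([^)]*)\)')) {
        # ACE fields: type;flags;rights;object_guid;inherit_object_guid;account_sid
        $f = $m.Groups[1].Value.Split(';')
        if ($f.Length -lt 6) { continue }
        $rights = @([regex]::Matches($f[2], '[A-Z]{2}') | ForEach-Object { $_.Value })
        New-Object PSObject -Property @{ Type = $f[0]; Rights = $rights; Sid = $f[5] }
    }
}

function Test-LocalSystemAce([string]$Sddl) {
    # True when one allow ACE for SY grants every required right (assumption: superset is fine).
    foreach ($ace in Get-DaclAce $Sddl) {
        if ($ace.Type -ceq 'A' -and $ace.Sid -ceq 'SY' -and
            -not ($Required | Where-Object { $ace.Rights -notcontains $_ })) {
            return $true
        }
    }
    return $false
}

# Offline check against the two SDDL strings quoted in the post above.
$samples = @{
    Audiosrv       = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'
    ProblemService = 'D:(A;;LC;;;WD)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'
}
foreach ($name in $samples.Keys) {
    '{0,-15} LocalSystemAce={1}' -f $name, (Test-LocalSystemAce $samples[$name])
}

# Live audit, read-only, run from an elevated prompt.
# Call sc.exe explicitly: in Windows PowerShell "sc" is an alias for Set-Content.
function Find-ServiceMissingLocalSystemAce {
    foreach ($svc in Get-Service) {
        $sddl = (& sc.exe sdshow $svc.Name) -join ''
        if ($LASTEXITCODE -ne 0) { Write-Warning "sdshow failed for $($svc.Name)"; continue }
        if (-not (Test-LocalSystemAce $sddl)) {
            New-Object PSObject -Property @{ Service = $svc.Name; Sddl = $sddl }
        }
    }
}
```

Saving the `Sddl` value that `Find-ServiceMissingLocalSystemAce` returns for each service before running any `sc sdset` gives a way back to the original descriptor if an edit goes wrong.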

Hi, Just wanted to say thank you for the technical steps, worked like a charm for my long problem, which all started with the Trojan:Win64/Sirefef.K that after one full day I was able to remove. However, the problem was that it broke some of my services, my whole firewall service was gone. I had to re-create it manually but there was another problem with dependencies. The BFE couldn't start and without it nor the Firewall. So the problem was the improper permission, which I set with " D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) " Next I gave proper permission to that key and finally my BFE fired up! and so my FW service. So thanks again. ~cyberblackhat
December 13th, 2011 8:16pm

Hi, Please double check the link Syed provided, it is not suggesting importing BFM registry from another computer. If the issue persists after that, please refer to the following suggestions:

1. Browse to the location for the BFE service in the registry (HKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy), right click and select permissions.
2. In the "Permissions for Policy" window, click advanced | Add.
3. Once the "Select Users, Computers or Group" box appears, change the "From this location:" to point to the local machine name.
4. After changing the search location, enter "NT Service\BFE" in the "Enter the object name to select" box and click "Check names" - this will allow you to add the BFE account.
5. Give the following privileges to the BFE account: Query Value, Set Value, Create Subkey, Enumerate Subkeys, Notify, Read Control.

After adding the BFE account to the registry key, please try to start the Base Filtering Engine service. Any progress? Thanks. Nina

DING DING DING! FINALLY! This has really been frustrating me for a while.
December 26th, 2011 11:20pm

Dear Victor, I tried this and failed already. This suggestion didn't help in resolving the problem. May you please suggest something new? Regards, Abhilash Jacob Rajan
December 27th, 2011 1:36pm

Hi "Nina Liu - MSFT", sounds good, it worked for me! Thanks a lot!
May 9th, 2012 10:50am
