Access Denied - Base Filter Engine
Dear Experts, I have set up a Win 2k8 server standard edition SP2 and it was running without any problems. Suddenly I saw a bluescreen (I suppose this is because of a new Bluetooth driver I added). Now I can't get the network working, nor the Windows Firewall. I suppose the problem is because of "Base Filtering Engine" saying "Access Denied". What can be the reason? I copied the BFE registry settings from a server working well and tried importing, but no success yet. Regards, Abhilash Jacob Rajan
August 11th, 2011 4:58am

Dear Syed, I already saw this page, imported BFM registry of another computer (which is working fine) to this server and it didn't work. Regards, Abhilash Jacob Rajan
August 11th, 2011 5:20pm

Dear Nina, I tried your tip and it didn't work. The BFE service is still not started. Regards, Abhilash Jacob Rajan
August 16th, 2011 8:24am

Dear Laura, As I'm not very IT savvy, I never understood what to do per Syed's blog. May you please explain to me how to get this done? In fact, what I tried to do is that I followed some other blog on the same topic and added the login user etc. to the services control list from regedit. Regards, Abhilash

· Manually examine each service, starting with non-Microsoft services.

Say you’ve decided to go it on your own. Here’s what you need to do to check the Discretionary Access Control List (DACL), or permissions, of a service. First off, you’ve got to get the names of all installed services:

    sc query > servicenames.txt

Open servicenames.txt and make a note of the SERVICE_NAME property of each service. To list the DACL of a service, run this command:

    sc sdshow <service name>

Let’s start by listing the DACL of a Microsoft service, which would have the correct permissions (unless they’ve been manually edited).

    sc sdshow Audiosrv
    D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

The resulting string of letters and special characters is the Security Descriptor (SD) in SDDL. The characters after D: make up the DACL. The characters after S: are the SACL, which we’re not interested in. Since the Base Filtering Engine service runs in the context of the Local System account, the part of the DACL we’re interested in is

    (A;;CCLCSWRPWPDTLOCRRC;;;SY)

Now it’s time to get our hands dirty. Do an sc sdshow on all non-Microsoft services and check if they have (A;;CCLCSWRPWPDTLOCRRC;;;SY). The services that are missing this Access Control Entry (ACE) are the ones that are causing the Base Filtering Engine service to terminate with “Access is denied”.

On to the most interesting part of this post. How do I fix it? That’s easy! But first, the disclaimer.

Disclaimer: Proceed at your own risk. Incorrectly setting the DACL could result in you being locked out of modifying the service, or even accessing it.

1. Make a note of the Security Descriptor (SD) of the problem service by running this command:

    sc sdshow ProblemService
    D:(A;;LC;;;WD)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

2. List the SD of a Microsoft service for comparison:

    sc sdshow Audiosrv
    D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

3. Identify the missing Access Control Entries (ACEs). These are:

    (A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)

4. Insert the missing ACEs into the DACL of the SD of the problem service, by running this command:

    sc sdset ProblemService D:(A;;LC;;;WD)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

Important: Ensure that there are no spaces in the DACL string, because if there is a space in the string, the sc sdset command will only consider the portion before the space and truncate the DACL SDDL string there. eg.

5. Lather, rinse, repeat for other non-Microsoft services that are missing the ACE for Local System.

That’s it. Start the Base Filtering Engine service and then the Windows Firewall service and you’re done.

Here are a couple of links that will demystify SDDL for you:

Parsing SDDL Strings
http://blogs.dirteam.com/blogs/jorge/archive/2008/03/26/parsing-sddl-strings.aspx

SDDL string parser - MS Israel Community
http://blogs.microsoft.co.il/files/folders/guyt/entry70399.aspx

Access is denied, Base Filtering Engine service

Regards, Abhilash Jacob Rajan
September 5th, 2011 3:17am
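
Added example, not part of the original posts: a Python sketch of the check the quoted steps describe, run offline over the two `sc sdshow` strings from the post (Audiosrv as the reference, ProblemService as the broken one). The function names are illustrative, rights fields are assumed to be two-letter SDDL codes, and ACEs are compared only against the reference descriptor.

```python
import re

# ACE the post says each service needs for Local System (SY).
REQUIRED = ("SY", "CCLCSWRPWPDTLOCRRC")

# The two descriptors quoted in the post above.
PROBLEM = ("D:(A;;LC;;;WD)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BO)"
           "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
           "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
AUDIOSRV = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
            "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
            "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

def codes(rights):
    """Split a rights field into its two-letter SDDL codes (hex masks not handled)."""
    return {rights[i:i + 2] for i in range(0, len(rights), 2)}

def parse_dacl(sddl):
    """Return [(ace_type, rights_set, trustee, raw_ace)] for the D: part only."""
    m = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    aces = []
    for raw in re.findall(r"\(([^()]*)\)", m.group(1) if m else ""):
        fields = raw.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({raw})")
        aces.append((fields[0], codes(fields[2]), fields[5], f"({raw})"))
    return aces

def grants(sddl, trustee, rights):
    """True if one allow ACE for `trustee` covers every right in `rights`."""
    return any(t == "A" and who == trustee and codes(rights) <= have
               for t, have, who, _ in parse_dacl(sddl))

def missing_aces(problem, reference):
    """Allow ACEs of the reference whose trustee has no allow ACE in the problem SD."""
    present = {who for t, _, who, _ in parse_dacl(problem) if t == "A"}
    return [raw for t, _, who, raw in parse_dacl(reference)
            if t == "A" and who not in present]

def safe_for_sdset(sddl):
    """sc sdset cuts the string at the first space, so reject any whitespace."""
    return not any(ch.isspace() for ch in sddl)

if __name__ == "__main__":
    print("problem service has SY ACE:", grants(PROBLEM, *REQUIRED))
    print("missing vs Audiosrv:", "".join(missing_aces(PROBLEM, AUDIOSRV)))
    print("safe to pass to sc sdset:", safe_for_sdset(PROBLEM))
```

Running `safe_for_sdset` on the final string before pasting it into `sc sdset` catches the truncation problem the post warns about.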

Hi, Just wanted to say thank you for the technical steps, worked like a charm to my long problem which all started with the Trojan:Win64/Sirefef.K that after one full day I was able to remove. However, the problem was that it broke some of my services, my whole firewall service was gone. I had to re-create it manually but there was another problem with dependencies. The BFE couldn't start and without it nor the Firewall. So the problem was the improper permission which I set with " D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) " Next I gave proper permission to that key and finally my BFE fired up! and so my FW service. So thanks again. ~cyberblackhat
December 12th, 2011 8:17pm

Hi, Please double check the link Syed provided, it is not suggesting importing BFM registry from another computer. If the issue persists after that, please refer to the following suggestions:

1. Browse to the location for the BFE service in the registry (HKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy), right click and select permissions.
2. In the "Permissions for Policy" window, click advanced | Add.
3. Once the "Select Users, Computers or Group" box appears, change the "From this location:" to point to the local machine name.
4. After changing the search location, enter "NT Service\BFE" in the "Enter the object name to select" box and click "Check names" - this will allow you to add the BFE account.
5. Give the following privileges to the BFE account: Query Value, Set Value, Create Subkey, Enumerate Subkeys, Notify, Read Control

After adding the BFE account to the registry key, please try to start the Base Filtering Engine service. Any progress? Thanks. Nina

Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

DING DING DING! FINALLY! This has really been frustrating me for a while.
December 26th, 2011 11:15pm

Dear Victor, I tried this and failed already. This suggestion didn't help in resolving the problem. May you please suggest something new? Regards, Abhilash Jacob Rajan
December 27th, 2011 1:31pm

This information seriously saved my day!!! It worked on a Windows 7 system that refused to take the new antivirus program. The error code was so vague, I spent hours reading through different forums. I finally tracked the problem to the Base Filtering Engine. The service was absent although system32 files were present. I did import the registry key from a known working system, but it still didn't help. After changing the permissions as you suggested everything worked. I was able to restart the services and install the program. Thanks again for your knowledge and furthermore for taking the time to add it on the world wide web :)
July 11th, 2012 1:10pm

Hi Abhilash, Please follow the instructions in this guide to restore the BFE to a good working order: Base Filtering Engine Service Access Denied
July 19th, 2012 10:06am

I was getting the Error 5 message when trying to start the BFE service. This worked for me.
August 9th, 2012 3:33pm

This topic is archived. No further replies will be accepted.
