Base Filtering Engine Service Broken
I am having trouble with Vista Beta 2 after joining a windows 2003 domain. Windows will not start the Base Filtering Engine service, which seems to be required to properly run Windows on a network. If I attempt to manually start the service, I receive, "Error 1297: A privilege that the service requires to function properly does not exist in the service account configuration." Furthermore, I receive Event ID 7000 with the same message. I think it might have something to do with Group Policy. However, I did attempt to remove all group policy settings and the problem still persists. I have other problems with Vista's networking and I think most of them are related to this same issue. Thanks, Tom
September 7th, 2006 3:35pm

Tom, This is what error 1297 is: ERROR_INCOMPATIBLE_SERVICE_PRIVILEGE 1297 A privilege that the service requires to function properly does not exist in the service account configuration. You may use the Services Microsoft Management Console (MMC) snap-in (services.msc) and the Local Security Settings MMC snap-in (secpol.msc) to view the service configuration and the account configuration. Try going to the BFE Properties and possibly change the settings in the Logon tab; I think that might help. Let me know if this helps. Regards, Andre Rivera Windows Beta Feedback Team
September 8th, 2006 12:51am

My issue was related to Active Directory group policy. I had a good running version of Vista at home, from which I exported the Local Policy Settings. Then I imported the stable settings into my domain member Vista computer. This reset all the settings that group policy may have corrupted. I now have a Vista OU that is blocking all previous group policy settings (Server 2000 & 2003). Tom
September 12th, 2006 2:15am

Any thoughts on what item(s) in the policy may have been causing the problems? I am experiencing similar issues with a test box that only cropped up after joining the workstation to our Win2K3 domain, which causes me to suspect an AD Group Policy problem. Before domain join everything appeared to be working fine. Following, however, several services fail -- with "access denied" -- on startup including:
Base Filtering Engine
DHCP Client
Diagnostic Policy Service
IKE and AuthIP IPsec Keying Modules
IPsec Policy Agent
Network Service List
Network Location Awareness
Thread Ordering Server
Windows Audio
Windows Firewall
Windows Time
Windows Media Center Service Launcher
Windows Media Player Network Sharing Service
Further, the following list of (unique) errors and warnings show up in the system log:
DHCP Client terminates with "Access Denied"
Windows Time service terminates with "Access Denied"
Resource Publication Service fails
DCOM netprofm 1068 Error
Group Policy results warning
DNS registration warning
Thread Ordering Server service terminates with "Access Denied"
Windows Audio service fails Thread Ordering Server dependency
Base Filtering Engine service terminates with "Access Denied"
Windows Firewall service fails Base Filtering Engine dependency
IKE and AuthIP IPSec Keying service fails Base Filtering Engine dependency
Diagnostic Policy Service terminates with "Access Denied"
Network Location Awareness service terminates with error 3221226008
IPsec Policy Agent service fails Base Filtering Engine dependency
Network List Service fails Network Location Awareness dependency
WMPNetworkSvc fails with registry error 0x80070006
BITS Client fails firewall state set with error 2147944153
WinHTTP Web Proxy Auto-Discovery Service fails DHCP Client dependency
The above list is in chronological order, but many of the errors repeat themselves several times.
Unfortunately, I don't have a "clean" box from which to export the local policy settings and don't have enterprise admin privileges to create a new OU. Any feedback and/or guidance would be greatly appreciated... Thanks, --Scott
September 15th, 2006 8:00pm

I set up an OU in AD that has no GPOs on it at all and blocked policy inheritance and forced a GPUPDATE on my Vista machine, and everything is peachy again. I assume it has something to do with the services in the GPO, but not sure.
October 28th, 2006 5:10pm

I've got this same issue with one of our Vista PCs after joining our domain. I've created an OU for the machine that is blocking all policies. Could someone chime in and help me export/import the local policies from a non-domain Vista box to a domain Vista box? I'd be happy with any assistance with this problem! PS: My BFE service does start... it's the Windows Firewall that's not starting (preventing the Terminal Services Service).
December 7th, 2006 6:58pm

I found my fix! My Default Domain Policy and Default Domain Controller Policy were selected to enforce the policies (I had not initially noticed that). After disabling that, I set up a Vista Clients GP within the Vista OU and set up no policies (all are undefined). After that, I ran a gpupdate /force on my DC and ran the same command on my Vista client (still actively connected to my AD). After that was done I imported a local policy I had backed up before joining the domain and restarted the client. Upon logging in, the firewall service was operational and remote access services were operating as before along with telephony service and a few others. To check to see if your group policies are enforced on your domain, open your group policy manager and search help for "enforce". Having this enabled will still cause your OUs to follow the enforced policy even if you have them set to block inheritance. A test remote connect from home verifies all is as it should be again...whew!
December 8th, 2006 2:09am

Has anybody figured out what in the GP was causing this??? I have the same problem and I can't figure out how to fix it without reinstalling the OS. Thanx
February 15th, 2007 12:32am

I'm with Scott on this problem. I'm in a production environment and can't muck around with the domain just to make Vista work. Can someone tell me how to manually fix the problem without making global changes? Thanks, Paul
March 1st, 2007 5:42pm

I was having a similar problem but not with BFE not starting. The issue I faced was BFE started but the windows firewall would not which kept us from remotely accessing the machine. The error message I received trying to start the firewall is the same posted above (Error 1297). I finally got it to work by modifying the User Rights Assignments under Local Policies on the machine itself. Under the following 2 options I added domain users and domain admins, as well as the local group administrators. Adjust memory quotas for a process and Increase a process working set. After adding that I was able to get the firewall service started. I joined it back to the domain and it still worked. I looked on an XP Pro machine and I have not found the Increase A Process Working Set option. This appears to be something new in Vista from what I can tell and the only group that was assigned to it was Users. Not sure if this will work for you but it did me.
June 26th, 2007 6:10pm

Tried Dgramels' approach and it didn't work for me. This weird issue came up when we switched domains. Worked around it by using JKoons' approach of creating my own AD OU and blocking policy inheritance, then moving my machine into it. None of this is made any easier or quicker by the fact that it seems I need to do two reboots (even with gpupdate /force) before any change comes into effect. Great for wasting time, what with Vista's restart time being astronomical.
July 19th, 2007 5:28pm

Hello all! I had the same problem an hour ago, but I've found how to fix it for me. When the BFE service starts it also starts a group of dependent services (you can see them on the Dependencies tab in the service props) with the "IPSec policies agent" service as one of them. In my case the problem was that the "IPSec policies agent" service was set to auto startup via domain GPO. There were also default permissions set in the GPO for this service - SYSTEM - full control, Administrators - full control, INTERACTIVE - read. I had to turn on object auditing to find out what user account is trying to start BFE. In the Security logs I found records saying that sc (service control) is trying to start the service under the LOCAL SERVICE account!!! As I later understood - BFE could not start itself because it could not start a dependent service, IPSec Policies agent. BFE starts IPSec! So, if we look into the LOGIN AS tab in the BFE service we will find out that it is starting under the LOCAL SERVICE account! And in my GPO the ipsec service has permissions on it to be started only by SYSTEM and Administrators. As you understand, the decision was to modify the GPO and to give full control permission to the LOCAL SERVICE account on the IPSec Policies agent service. Now it works! Hope this HELPS! And good luck!
September 5th, 2007 8:02pm
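
The check described in the post above can be done without auditing by reading the service's security descriptor. This PowerShell function is an added example, not part of any post in the thread; the sample SDDL string is constructed to match the GPO permissions the poster lists, and `PolicyAgent` as the service short name is an assumption.

```powershell
# Added example: list the trustees that hold start access in a service's DACL.
# SERVICE_START is bit 0x0010, written "RP" in SDDL; "GA"/"GX" (generic all /
# generic execute) also cover start access on service objects.
# Deny ACEs and group membership (e.g. AU, WD) are not evaluated here.
function Get-ServiceStartTrustee {
    param([Parameter(Mandatory)][string]$Sddl)

    # Keep only the DACL: from "D:" up to the SACL marker "S:" or end of string.
    $dacl = if ($Sddl -cmatch 'D:(.*?)(?:S:|$)') { $Matches[1] } else { '' }

    foreach ($m in [regex]::Matches($dacl, '\(([^)]*)\)')) {
        # ACE fields: type;flags;rights;objectGuid;inheritGuid;trustee
        $f = $m.Groups[1].Value -split ';'
        if ($f.Count -lt 6 -or $f[0] -ne 'A') { continue }   # allow ACEs only

        $rights = $f[2]
        $canStart = if ($rights -match '^0x') {
            # Rights given as a hex mask
            ([Convert]::ToInt64($rights, 16) -band 0x10) -ne 0
        } else {
            # Rights given as a run of two-letter codes
            [regex]::Matches($rights, '..') | ForEach-Object { $_.Value } |
                Where-Object { 'RP', 'GA', 'GX' -contains $_ } |
                Select-Object -First 1
        }
        if ($canStart) { $f[5] }
    }
}

# Constructed SDDL matching the GPO described in the post: SYSTEM and
# Administrators full control, INTERACTIVE read, no entry for LOCAL SERVICE.
$gpoSddl = 'D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)' +
           '(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)'
$starters = @(Get-ServiceStartTrustee -Sddl $gpoSddl)

# LOCAL SERVICE appears in SDDL as the alias "LS" or as its SID S-1-5-19.
$localServiceCanStart = ($starters -contains 'LS') -or ($starters -contains 'S-1-5-19')
"Trustees with start access: $($starters -join ', ')"
"LOCAL SERVICE can start the service: $localServiceCanStart"

# On a live machine, pass the real descriptor instead (run elevated):
# Get-ServiceStartTrustee -Sddl ((sc.exe sdshow PolicyAgent) -join '')
```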

Thanks, it helps me. Now my services are started. I had a problem with the firewall service, phone service,... Thank you
September 26th, 2007 12:23pm

How do you add the Local Service account to a domain GPO? This, as I can see it, is not available when you try to add using a GPO on the domain controller....
October 27th, 2007 6:13am

These settings need to be set for Win 2008 / Vista:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip "Local service" Full, Read (add this permission)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE "NT Service\BFE" Full, Read (add this permission)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DPS "NT Service\Trustedinstaller" Full, Read (add this permission)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc "NT Service\NlaSvc" Full, Read (add this permission)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch "NT Service\MpsSvc" Query, Set Value (add this permission)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy "NT Service\MpsSvc" Full, Read (add this permission)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Defaults\FirewallPolicy "NT Service\MpsSvc" Full, Read (add this permission)
http://support.microsoft.com/kb/943996
March 6th, 2009 6:10pm
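
A read-only way to see which of the permissions listed in the post above are missing on a given machine. This PowerShell script is an added example, not part of any post in the thread; mapping "Local service" to `NT AUTHORITY\LOCAL SERVICE`, "Full, Read" to `FullControl` and "Query, Set Value" to `QueryValues, SetValue` is this example's assumption.

```powershell
# Added example: report whether each key from the post grants the listed rights.
# Only explicit allow ACEs for the named identity are counted; rights held via
# group membership or expressed as generic-rights masks are not resolved.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$expected = @(
    @{ Key = 'Tcpip';  Identity = 'NT AUTHORITY\LOCAL SERVICE';  Rights = 'FullControl' }
    @{ Key = 'BFE';    Identity = 'NT SERVICE\BFE';              Rights = 'FullControl' }
    @{ Key = 'DPS';    Identity = 'NT SERVICE\TrustedInstaller'; Rights = 'FullControl' }
    @{ Key = 'NlaSvc'; Identity = 'NT SERVICE\NlaSvc';           Rights = 'FullControl' }
    @{ Key = 'SharedAccess\Epoch'; Identity = 'NT SERVICE\MpsSvc'
       Rights = 'QueryValues, SetValue' }
    @{ Key = 'SharedAccess\Parameters\FirewallPolicy'; Identity = 'NT SERVICE\MpsSvc'
       Rights = 'FullControl' }
    @{ Key = 'SharedAccess\Defaults\FirewallPolicy'; Identity = 'NT SERVICE\MpsSvc'
       Rights = 'FullControl' }
)

function Test-KeyGrant {
    param(
        $Acl,
        [string]$Identity,
        [System.Security.AccessControl.RegistryRights]$Rights
    )
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    $granted = 0
    foreach ($ace in $Acl.Access) {
        # Skip deny ACEs, other identities, and ACEs that apply only to subkeys.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -ine $Identity) { continue }
        if (($ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
        $granted = $granted -bor [int]$ace.RegistryRights
    }
    return (($granted -band [int]$Rights) -eq [int]$Rights)
}

$report = foreach ($e in $expected) {
    $path = Join-Path $base $e.Key
    # Granted is $null when the key does not exist on this machine.
    $ok = if (Test-Path $path) {
        Test-KeyGrant (Get-Acl -Path $path) $e.Identity $e.Rights
    } else { $null }
    [pscustomobject]@{ Key = $e.Key; Identity = $e.Identity
                       Rights = $e.Rights; Granted = $ok }
}
$report | Format-Table -AutoSize
```

Run it from an elevated prompt; it only reads ACLs and changes nothing.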

I know this thread has been dead for a while. But I was having the same issues and what I did was go to the CMD window (must be in Admin mode: type 'cmd' in Run and then hold 'ctrl' + 'shift' and hit enter; say OK when prompted), then type 'netsh winsock reset'. After that I restarted as prompted and everything worked!
May 3rd, 2010 11:37pm

Great hints, I did the procedures mentioned above and was able to start most of the stopped services. But I cannot start the Windows Firewall and Diagnostic Policy services. Any clues? I am on Windows 7, the domain server is Windows 2000. Also I can't ping localhost, getting a General failure error. Is it related to Windows Firewall?
May 12th, 2010 11:41am

In my case I'm confused as to why we've not experienced problems on XP. Our first Windows 7 went in and I was unable to start the dhcp service (amongst many others). I found that some idiot many moons ago went and changed the permissions in group policy to hklm\system and then set permissions to replicate down the registry. So I'm now having to manually go in and set the permissions in group policy. For most services it's pretty easy to fix - just go to HKLM\System\CurrentControlSet\Services\ServiceName. The service name can be obtained by looking at the (short) ServiceName displayed in services.msc. I've found that setting Local Service and Network Service to full control works (although this may open up some security issues as this is a sledgehammer to fix a nut) BUT it gets the services running. (Note that I've subsequently found that I also need to add "NT Service\mpssvc" on the local machine too.) http://support.microsoft.com/kb/943996 has the required permissions but for me it doesn't work for two reasons: 1) you can't add "NT SERVICE\mpssvc" to the permissions in group policy and 2) the permissions they suggest (by editing directly on the machine in regedit) do not work. It was only adding local service, network service (and in the absence of mpssvc I chose everyone) that got my firewall working. Edit: Interestingly I found that Windows 7 fails in a secure mode so you can't ping the device until the firewall is running. So this has to be done before any remote management or diagnostics can be done. As soon as the permissions were changed and gpupdate run, I could start the firewall and my continual ping from another machine started to respond back with packets. For what it's worth, the group policy settings are Computer\Windows Settings\Security Settings\Registry. Then add a key and make the changes as required. Hope this helps someone and if anyone knows how to add the mpssvc account in a group policy then please let me know!
Registry key permissions I had to change were bfe, mpssvc, dps, dhcp, eventlog, nla, nlasvc, tcpip, fdrespub, mmcss, mpsdrv, sharedaccess
July 31st, 2010 12:19am

Interestingly I've found another registry key today with the same issue - in this case it was preventing Remote Desktop from working. The port was not listening. Fixed by setting Network Service with access to hklm\system\currentcontrolset\control\Terminal Server\RCM. This did need a reboot to take effect though. http://absoblogginlutely.net
April 19th, 2011 9:06pm

Helsby, your posts were extremely helpful. I bought a brand new Sony Vaio laptop, and all was working well until I upgraded to Win 7 Ultimate from Win 7 Pro. Then I first noticed that Windows Update was failing to install all updates even though it kept trying at every shutdown. I looked at my services and noticed more than half a dozen services set to run Automatic that hadn't started, including the Event log, Windows Firewall, Base Filtering Engine, and others. After dealing on all the permissions in the services hive of the registry, it's all working. Thank you! Zippy
July 19th, 2011 1:16pm

This topic is archived. No further replies will be accepted.
