Base Filtering Engine Service Broken
I am having trouble with Vista Beta 2 after joining a Windows 2003 domain. Windows will not start the Base Filtering Engine service, which seems to be required to properly run Windows on a network. If I attempt to manually start the service, I receive, "Error 1297: A privilege that the service requires to function properly does not exist in the service account configuration." Furthermore, I receive Event ID 7000 with the same message. I think it might have something to do with Group Policy. However, I did attempt to remove all group policy settings and the problem still persists. I have other problems with Vista's networking and I think most of them are related to this same issue. Thanks, Tom
September 7th, 2006 8:35am
Tom, This is what error 1297 is: ERROR_INCOMPATIBLE_SERVICE_PRIVILEGE (1297): A privilege that the service requires to function properly does not exist in the service account configuration. You may use the Services Microsoft Management Console (MMC) snap-in (services.msc) and the Local Security Settings MMC snap-in (secpol.msc) to view the service configuration and the account configuration. Try going to the BFE Properties and possibly change the settings in the Logon tab, I think that might help. Let me know if this helps. Regards, Andre Rivera Windows Beta Feedback Team
September 7th, 2006 5:51pm
My issue was related to Active Directory group policy. I had a good running version of Vista at home, from which I exported the Local Policy Settings. Then I imported the stable settings into my domain member Vista computer. This reset all the settings that group policy may have corrupted. I now have a Vista OU that is blocking all previous group policy settings (Server 2000 & 2003). Tom
September 11th, 2006 7:15pm
Any thoughts on what item(s) in the policy may have been causing the problems? I am experiencing similar issues with a test box that only cropped up after joining the workstation to our Win2K3 domain, which causes me to suspect an AD Group Policy problem. Before domain join everything appeared to be working fine. Following, however, several services fail -- with "access denied" -- on startup including:
Base Filtering Engine
DHCP Client
Diagnostic Policy Service
IKE and AuthIP IPsec Keying Modules
IPsec Policy Agent
Network Service List
Network Location Awareness
Thread Ordering Server
Windows Audio
Windows Firewall
Windows Time
Windows Media Center Service Launcher
Windows Media Player Network Sharing Service
Further, the following list of (unique) errors and warnings show up in the system log:
DHCP Client terminates with "Access Denied"
Windows Time service terminates with "Access Denied"
Resource Publication Service fails
DCOM netprofm 1068 Error
Group Policy results warning
DNS registration warning
Thread Ordering Server service terminates with "Access Denied"
Windows Audio service fails Thread Ordering Server dependency
Base Filtering Engine service terminates with "Access Denied"
Windows Firewall service fails Base Filtering Engine dependency
IKE and AuthIP IPSec Keying service fails Base Filtering Engine dependency
Diagnostic Policy Service terminates with "Access Denied"
Network Location Awareness service terminates with error 3221226008
IPsec Policy Agent service fails Base Filtering Engine dependency
Network List Service fails Network Location Awareness dependency
WMPNetworkSvc fails with registry error 0x80070006
BITS Client fails firewall state set with error 2147944153
WinHTTP Web Proxy Auto-Discovery Service fails DHCP Client dependency
The above list is in chronological order, but many of the errors repeat themselves several times.
Unfortunately, I don't have a "clean" box from which to export the local policy settings and don't have enterprise admin privileges to create a new OU. Any feedback and/or guidance would be greatly appreciated... Thanks, --Scott
September 15th, 2006 1:00pm
I set up an OU in AD that has no GPOs on it at all, blocked policy inheritance and forced a GPUPDATE on my Vista machine, and everything is peachy again. I assume it has something to do with the services in the GPO, but not sure.
October 28th, 2006 10:10am
I've got this same issue with one of our Vista PCs after joining our domain. I've created an OU for the machine that is blocking all policies. Could someone chime in and help me export/import the local policies from a non-domain Vista box to a domain Vista box? I'd be happy with any assistance with this problem! PS: My BFE service does start... it's the Windows Firewall that's not starting (preventing the Terminal Services Service).
December 7th, 2006 10:58am
I found my fix! My Default Domain Policy and Default Domain Controller Policy were selected to enforce the policies (I had not initially noticed that). After disabling that, I set up a Vista Clients GP within the Vista OU and set up no policies (all are undefined). After that, I ran a gpupdate /force on my DC and ran the same command on my Vista client (still actively connected to my AD). After that was done I imported a local policy I had backed up before joining the domain and restarted the client. Upon logging in, the firewall service was operational and remote access services were operating as before along with telephony service and a few others. To check to see if your group policies are enforced on your domain, open your group policy manager and search help for "enforce". Having this enabled will still cause your OUs to follow the enforced policy even if you have them set to block inheritance. A test remote connect from home verifies all is as it should be again...whew!
December 7th, 2006 6:09pm
Has anybody figured out what in the GP was causing this??? I have the same problem and I can't figure out how to fix it without reinstalling the OS. Thanks
February 14th, 2007 4:32pm
I'm with Scott on this problem. I'm in a production environment and can't muck around with the domain just to make Vista work. Can someone tell me how to manually fix the problem without making global changes? Thanks, Paul
March 1st, 2007 9:42am
I was having a similar problem but not with BFE not starting. The issue I faced was BFE started but the Windows Firewall would not, which kept us from remotely accessing the machine. The error message I received trying to start the firewall is the same posted above (Error 1297). I finally got it to work by modifying the User Rights Assignments under Local Policies on the machine itself. Under the following 2 options I added domain users and domain admins, as well as the local group administrators: "Adjust memory quotas for a process" and "Increase a process working set". After adding that I was able to get the firewall service started. I joined it back to the domain and it still worked. I looked on an XP Pro machine and I have not found the "Increase a process working set" option. This appears to be something new in Vista from what I can tell and the only group that was assigned to it was Users. Not sure if this will work for you but it did for me.
June 26th, 2007 11:10am
Tried Dgramels' approach and it didn't work for me. This weird issue came up when we switched domains. Worked around it by using JKoons' approach of creating my own AD OU and blocking policy inheritance, then moving my machine into it. None of this is made any easier or quicker by the fact that it seems I need to do two reboots (even with gpupdate /force) before any change comes into effect. Great for wasting time, what with Vista's restart time being astronomical.
July 19th, 2007 10:28am
Hello all! I had the same problem an hour ago, but I've found how to fix it for me. When the BFE service starts it also starts a group of dependent services (you can see them on the Dependencies tab in the service properties), with the "IPSec policies agent" service as one of them. In my case the problem was that the "IPSec policies agent" service was set to auto startup via domain GPO. There were also default permissions set in the GPO for this service: SYSTEM - Full control, Administrators - Full control, INTERACTIVE - Read. I had to turn on object auditing to find out what user account was trying to start BFE. In the Security logs I found records saying that sc (service control) is trying to start the service under the LOCAL SERVICE account!!! As I later understood, BFE could not start itself because it could not start a dependent service, IPSec Policies agent. BFE starts IPSec! So, if we look into the LOGIN AS tab in the BFE service we will find out that it is starting under the LOCAL SERVICE account! And in my GPO the IPsec service has permissions on it to be started only by SYSTEM and Administrators. As you understand, the decision was to modify the GPO and to give Full control permission to the LOCAL SERVICE account on the IPSec Policies agent service. Now it works! Hope this HELPS! And good luck!
September 5th, 2007 1:02pm
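Added example, not part of the thread: a read-only PowerShell check of which accounts a service's security descriptor allows to start it, the condition the post above describes. The sample SDDL is constructed to match the GPO permissions named in that post; the short service name PolicyAgent for the IPsec Policy Agent and the helper function names are assumptions of this example.

```powershell
# Added example: list which ACEs in a service security descriptor carry the start right.
$SERVICE_START = 0x0010   # service-specific access right, written "RP" in service SDDL

# Constructed sample matching the post: SYSTEM full, Administrators full, INTERACTIVE read.
$sampleSddl = 'D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)' +
              '(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)'

function Get-ServiceStartGrants {
    param([Parameter(Mandatory)][string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        # Fall back to the raw SID string when the SID cannot be resolved to a name.
        $name = try { $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $ace.SecurityIdentifier.Value }
        [pscustomobject]@{
            Account  = $name
            Sid      = $ace.SecurityIdentifier.Value
            Type     = $ace.AceType                      # AccessAllowed or AccessDenied
            CanStart = [bool]($ace.AccessMask -band $SERVICE_START)
        }
    }
}

function Test-DirectStartGrant {
    # True only if the SID itself has an allow ACE with the start right and no deny ACE.
    # Group SIDs in the account's token (e.g. Authenticated Users, SERVICE) can also grant it.
    param([string]$Sddl, [string]$Sid)
    $hits = @(Get-ServiceStartGrants -Sddl $Sddl | Where-Object { $_.Sid -eq $Sid -and $_.CanStart })
    $allow = @($hits | Where-Object { $_.Type -eq 'AccessAllowed' }).Count -gt 0
    $deny  = @($hits | Where-Object { $_.Type -eq 'AccessDenied' }).Count -gt 0
    $allow -and -not $deny
}

Get-ServiceStartGrants -Sddl $sampleSddl | Format-Table -AutoSize
# S-1-5-19 is the well-known SID of LOCAL SERVICE; the sample has no ACE for it.
"LOCAL SERVICE may start (sample): $(Test-DirectStartGrant -Sddl $sampleSddl -Sid 'S-1-5-19')"

# Live check from an elevated prompt: sc.exe sdshow prints the descriptor in SDDL form.
$live = sc.exe sdshow PolicyAgent | Where-Object { $_ -match '^[DOGS]:' } | Select-Object -First 1
if ($live) {
    "LOCAL SERVICE may start (live): $(Test-DirectStartGrant -Sddl $live -Sid 'S-1-5-19')"
}
```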
Thanks, it helps me. Now my services are started. I had problems with firewall services, phone service,... Thank you
September 26th, 2007 5:23am
How do you add the Local Service account to a domain GPO? This, as I can see it, is not available when you try to add using a GPO on the domain controller....
October 26th, 2007 11:13pm
These settings need to be set for Win 2008 / Vista:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip "Local service" Full, Read (add this permission)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE "NT Service\BFE" Full, Read (add this permission)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DPS "NT Service\Trustedinstaller" Full, Read (add this permission)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc "NT Service\NlaSvc" Full, Read (add this permission)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch "NT Service\MpsSvc" Query, Set Value (add this permission)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy "NT Service\MpsSvc" Full, Read (add this permission)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Defaults\FirewallPolicy "NT Service\MpsSvc" Full, Read (add this permission)
http://support.microsoft.com/kb/943996
March 6th, 2009 10:10am
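Added example, not part of the thread: a read-only PowerShell audit that reports whether each registry key listed in the post above currently grants the named account the stated rights. The mapping of "Full, Read" to FullControl, of "Local service" to NT AUTHORITY\LOCAL SERVICE, and the function name are assumptions of this example; the key and account pairs are transcribed from the post as written.

```powershell
# Added example: audit only, nothing is modified. Run from an elevated PowerShell prompt.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Key (relative to $base), account and rights as listed in the post.
# Assumption: "Full, Read" means FullControl; "Query, Set Value" means QueryValues + SetValue.
$expected = @(
    @{ Key = 'Tcpip';  Account = 'NT AUTHORITY\LOCAL SERVICE';  Rights = 'FullControl' }
    @{ Key = 'BFE';    Account = 'NT SERVICE\BFE';              Rights = 'FullControl' }
    @{ Key = 'DPS';    Account = 'NT SERVICE\TrustedInstaller'; Rights = 'FullControl' }
    @{ Key = 'NlaSvc'; Account = 'NT SERVICE\NlaSvc';           Rights = 'FullControl' }
    @{ Key = 'SharedAccess\Epoch'; Account = 'NT SERVICE\MpsSvc'; Rights = 'QueryValues, SetValue' }
    @{ Key = 'SharedAccess\Parameters\FirewallPolicy'; Account = 'NT SERVICE\MpsSvc'; Rights = 'FullControl' }
    @{ Key = 'SharedAccess\Defaults\FirewallPolicy';   Account = 'NT SERVICE\MpsSvc'; Rights = 'FullControl' }
)

function Test-RegistryGrant {
    param([string]$Path, [string]$Account, [System.Security.AccessControl.RegistryRights]$Rights)
    if (-not (Test-Path -LiteralPath $Path)) { return 'KeyMissing' }
    try {
        # Compare by SID so localized or differently cased account names still match.
        $sid   = ([System.Security.Principal.NTAccount]$Account).Translate([System.Security.Principal.SecurityIdentifier])
        $rules = (Get-Acl -LiteralPath $Path -ErrorAction Stop).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    } catch { return "Error: $($_.Exception.Message)" }
    $granted = 0
    foreach ($r in $rules) {
        # PropagationFlags bit 2 = InheritOnly: such an ACE does not apply to this key itself.
        if (([int]$r.PropagationFlags -band 2) -ne 0) { continue }
        if ($r.IdentityReference.Value -eq $sid.Value -and $r.AccessControlType -eq 'Allow') {
            $granted = $granted -bor [int]$r.RegistryRights
        }
    }
    if (($granted -band [int]$Rights) -eq [int]$Rights) { 'OK' }
    else { "Missing (has: $([System.Security.AccessControl.RegistryRights]$granted))" }
}

$expected | ForEach-Object {
    [pscustomobject]@{
        Key    = $_.Key; Account = $_.Account; Wanted = $_.Rights
        Result = Test-RegistryGrant -Path (Join-Path $base $_.Key) -Account $_.Account -Rights $_.Rights
    }
} | Format-Table -AutoSize
```

Only explicit allow entries for the account's own SID are counted, so a key that grants the rights through a group the account belongs to is still reported as Missing.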
I know this thread has been dead for a while. But I was having the same issues and what I did was go to the CMD window (must be in Admin mode: type 'cmd' in Run and then hold 'ctrl' + 'shift' and hit Enter. Say OK when prompted), then type 'netsh winsock reset'. After that I restarted as prompted and everything worked!
May 3rd, 2010 4:37pm
Great hints, I did the procedures mentioned above and was able to start most of the stopped services. But I cannot start the Windows Firewall and Diagnostic Policy services. Any clues? I am on Windows 7, the domain server is Windows 2000. Also I can't ping localhost, getting a General failure error. Is it related to Windows Firewall?
May 12th, 2010 4:41am
Interestingly I've found another registry key today with the same issue - in this case it was preventing Remote Desktop from working. The port was not listening. Fixed by setting Network Service with access to hklm\system\currentcontrolset\control\Terminal Server\RCM. This did need a reboot to take effect though. http://absoblogginlutely.net
April 19th, 2011 2:06pm
Helsby, your posts were extremely helpful. I bought a brand new Sony Vaio laptop, and all was working well until I upgraded to Win 7 Ultimate from Win 7 Pro. Then I first noticed that Windows Update was failing to install all updates even though it kept trying at every shutdown. I looked at my services and noticed more than half a dozen services set to run Automatic that hadn't started, including the Event log, Windows Firewall, Base Filtering Engine, and others. After dealing on all the permissions in the services hive of the registry, it's all working. Thank you! Zippy
July 19th, 2011 1:06pm
Thanks Helsby for such great support, I was looking for it for the last couple of weeks; the same issue has happened with me. Once again thanks a lot. Muhammad Ismail
March 21st, 2012 5:45am