The Diagnostic Service Host service failed to start due to the following error
Very frequent logging of:

"The Diagnostic Service Host service failed to start due to the following error: A privilege that the service requires to function properly does not exist in the service account configuration. You may use the Services Microsoft Management Console (MMC) snap-in (services.msc) and the Local Security Settings MMC snap-in (secpol.msc) to view the service configuration and the account configuration."

Checking Service status it shows the service faults even before start:

SERVICE_NAME: WdiServiceHost
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

The same logon account (Local Service) is used for DPS (Diagnostic Policy Service) and it starts without a hitch.

Morten Ross
January 10th, 2009 2:35pm

I have the same problem. The domain the client is joined to is using the Vista Security Guide group policies (i.e. User Rights Assignments from GPO Accelerator), which are also being applied to Windows 7 test machines.
January 20th, 2009 9:21pm

Since your question or comment has gone unanswered, you can send your request to the development team in this thread: Have Comments about Windows 7 Beta

Rating posts helps other users
Mark L. Ferguson MS-MVP
February 16th, 2009 11:53pm

I have the same issue. Windows 7 RC. It started once I joined the system to my domain so I'm guessing it has something to do with the domain policy.

Update: Checked User Rights assignment on a non-domain Win7 PC and found the Profile System Performance Policy had the user NT SERVICE\WdiServiceHost. Added this user to my domain policy. It seemed to slow down the amount of times the error is logged but hasn't stopped it completely.
May 6th, 2009 8:40pm

If you take a look at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WdiServiceHost\RequiredPrivileges, you'll see that the service requires (among others) the SeSystemProfilePrivilege privilege, but LocalService, which it is running under, does not have this privilege (at least on my computer in our company domain). I have resolved this by granting SeSystemProfilePrivilege to the LocalService account (because I was not allowed to use the Local Security Policy applet, I used ntrights.exe from the Windows Resource Kit). It seems to work fine at the moment, but I am afraid the privilege is going to be removed automatically tomorrow when syncing data from the domain...
July 13th, 2009 7:36pm
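
The comparison described in the post above (the service's RequiredPrivileges against the effective user rights) can be scripted. This is an added example, not code from any poster; the helper name, the sample policy lines and the list of SIDs assumed to be in the service token are constructed for illustration.

```powershell
# Added example, not from the thread. Get-MissingServicePrivilege is a
# hypothetical helper name.
function Get-MissingServicePrivilege {
    param(
        [string[]]$Required,   # values from the service's RequiredPrivileges
        [string[]]$InfLines,   # lines of a "secedit /export" .inf file
        [string[]]$TokenSids   # SIDs assumed to be in the service's token
    )
    $granted = @{}
    $inSection = $false
    foreach ($line in $InfLines) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
        } elseif ($inSection -and $line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
            $name = $Matches[1]
            # secedit writes resolved principals as *S-1-...; an entry
            # without the asterisk is a name that was stored as text.
            $granted[$name] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
    foreach ($priv in $Required) {
        $holders = @()
        if ($granted.ContainsKey($priv)) { $holders = $granted[$priv] }
        $hit = @($holders | Where-Object { $TokenSids -contains $_.TrimStart('*') })
        New-Object PSObject -Property @{
            Privilege = $priv
            Granted   = ($hit.Count -gt 0)
            Holders   = ($holders -join ', ')
        }
    }
}

# Constructed sample: only Administrators plus an unresolved bare name hold
# SeSystemProfilePrivilege, the state several posters describe.
$sampleInf = '[Privilege Rights]',
    'SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-19',
    'SeImpersonatePrivilege = *S-1-5-6,*S-1-5-32-544',
    'SeSystemProfilePrivilege = *S-1-5-32-544,WdiServiceHost'
$required = 'SeChangeNotifyPrivilege', 'SeImpersonatePrivilege', 'SeSystemProfilePrivilege'
# Assumed token: LOCAL SERVICE, Everyone, Authenticated Users, SERVICE, Users
$tokenSids = 'S-1-5-19', 'S-1-1-0', 'S-1-5-11', 'S-1-5-6', 'S-1-5-32-545'
Get-MissingServicePrivilege -Required $required -InfLines $sampleInf -TokenSids $tokenSids

# Live use (elevated prompt): secedit /export /areas USER_RIGHTS /cfg <file>,
# pass (Get-Content <file>) as -InfLines, pass
# (Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\services\WdiServiceHost).RequiredPrivileges
# as -Required, and add the SID from "sc.exe showsid WdiServiceHost" to -TokenSids.
```

With the sample data, SeSystemProfilePrivilege comes back with Granted = False, and its Holders column shows the bare WdiServiceHost entry that never resolved to a SID.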

Hi... You must edit group policy settings... edit Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> Profile system performance ... Check Define these settings and add Administrators and NT SERVICE\WdiServiceHost

Helped for me...

kaspik
July 21st, 2009 11:32am

Adding wdiServiceHost to domain policy was also the answer for us (thanks kaspik) on a fresh W7 test box.
August 26th, 2009 1:14am

Hi Kaspik, when I try to follow your suggestion, I get a "the account NT Service\WdiServiceHost can't be verified" when editing the Domain's policy. Is this account missing from our domain or am I missing something here? Thanks!

Leowise
Windows 7 is SOLID!
October 19th, 2009 5:15am

For me, the fix was to add "LOCAL SERVICE" in the accounts given that security right, "Profile system performance" in the appropriate domain policy (in our case, the default domain policy). It only had "Administrators" listed. I tried the "WdiServiceHost" and "Local System" - but either got the "can't be verified" when prefixing with "NT Service\" or with "NT AUTHORITY\", and got group policy processing errors when not prefixing with anything. After adding "LOCAL SERVICE", I ran gpupdate /force on the clients, but still had to reboot before the Event ID 7000 errors stopped.
November 14th, 2009 1:36am

One of our Windows 7 laptops is having the same issue and there seems to be some question as to the actual resolution. I have attempted to add the WdiServiceHost user account prefixed with NT Service and without. With the prefix, the Group Policy can't verify the account and it cannot be added. Without the prefix, the machine throws winlogon errors stating the account cannot be found. I've also tried variations of local system and local service, all without resolution. I've set the Profile System Performance rule back to "Default" on the default domain policy and, according to gpresult /R, the only policy provisioning is the Default Domain Policy. Any suggestions? Thanks.
December 28th, 2009 6:24pm

Adding LOCAL SERVICE to the group solved it for me. No problems like the others mentioned.
February 12th, 2010 12:21pm

For those with issues adding "NT SERVICE\WdiServiceHost", you need to edit the GPO from a Vista or higher machine (one that has that account) and then pick your machine instead of the domain when adding the user. Then paste "NT SERVICE\WdiServiceHost" into the box and it will find it.
June 8th, 2010 7:49pm

Adding the NT Service\WdiServiceHost does indeed work. We were utilizing the settings set forth per the Microsoft Security Compliance Manager, specifically the Win7-EC-Desktop 1.0 which specifically states only local administrators should be granted the right to profile system performance. The vulnerability described there is:

"The Profile system performance user right poses a moderate vulnerability. Attackers with this user right could monitor a computer's performance to help identify critical processes that they might wish to attack directly. Attackers may also be able to determine what processes are active on the computer so that they could identify countermeasures that they may need to avoid, such as antivirus software or an intrusion detection system."

Rather than see 7000 series messages in the event log repeatedly I figured I could make the change in settings. Perhaps the security folks could elaborate further... especially if there's a vulnerability in allowing NT SERVICE\WdiServiceHost?

Tom
October 27th, 2010 1:21pm

It would be great if we could get a response to this problem. I'm in an EXTREMELY secure environment, and I have to reduce the size of my attack surface considerably. When I try to fix this vulnerability, I get this error. Can someone from MS please advise how to actually fix this? Thanks :)
January 28th, 2011 2:33pm

I am also seeing my event log flooded with this error on a highly secured (http://iase.disa.mil/stigs/content_pages/windows_os_security.html) Windows 7 system. The error states that "A privilege that the service requires to function properly does not exist in the service account configuration. You may use the Services Microsoft Management Console (MMC) snap-in (services.msc) and the Local Security Settings MMC snap-in (secpol.msc) to view the service configuration and the account configuration." However, I checked the values listed in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WdiServiceHost\RequiredPrivileges (great tip!) and it does indeed have the required User Rights Assignments configured by GPO. Any other ideas?
February 4th, 2011 8:05am

I am getting this same error on my 1 and only domain controller. I have never used group policy on this domain yet, so I don't understand how a GP could have gotten mis-configured? Note that when I go to services the Diagnostic Service Host is set to manual, and the start button is grayed out. There must be something besides a policy error causing this??
February 7th, 2011 11:25am

Hi Petr,

Can't we do it via GPO for all users which use Win7?

Microsoft TechNet Forum
Bandara
February 14th, 2011 1:17am

Hi, we had this problem after copying the Win7-EC-... policies. We needed to edit the policy and re-add the NT SERVICE\WdiServiceHost to Profile system performance. In the GPO report for the Win7-EC-.. it now shows NT SERVICE\WdiServiceHost instead of only WdiServiceHost.
February 18th, 2011 5:53am

For us I found that the line in question should actually be:

=> Profile system performance – Administrators, NT Service\WdiServiceHost, Local Service

Note: this change alone will still create the stream of system errors logged / Creating a new error noted below.
__________________________________________________________________________
Event ID: 7000 - WdiSystemHost
General: The Diagnostic Service Host service failed to start due to the following error: The account specified for this service is different from the account specified for other services running in the same process.
__________________________________________________________________________

The below instructions do however stop all system generated errors on this issue.

1. Go to Start and click Run then type Services.msc then press enter.
2. Now right click on the "Diagnostic Policy Service" and go to properties. Now under the "Log On" tab check if "This account" has been selected and using the "Local Service" is selected for it. Note that if you have to change this; when it asks for the "Local Service" password, simply delete what is there and hit apply.
3. Similarly check for "Diagnostic Service Host" service and go to properties. Now under the "Log On" tab check if "This account" has been selected and using the "Local Service" is selected for it. Note that if you have to change this; when it asks for the "Local Service" password, simply delete what is there and hit apply.
4. Now right click on the "Diagnostic System Host" and go to properties. Now under the "Log On" tab check if "Local System account" is selected and make sure that the "Allow service to interact with desktop" is NOT selected.
5. If any of the options previously stated do not match, then you may wish to apply the settings directed and check if the issue is resolved.

This worked for us; hope it helps you...

Rob
May 19th, 2011 12:16pm

This topic is archived. No further replies will be accepted.
