"Access is denied" when you attempt to start the Base Filtering Engine service, after upgrading from Windows Server 2003 to Windows Server 2008 R2

Here’s an issue that appears deceptively simple. After upgrading a Windows Server 2003 based system to Windows Server 2008 R2, ping and RDP are not working. On checking, the Windows Firewall service hasn’t been started because the service on which it is dependent, the Base Filtering Engine service, has not started. The Base Filtering Engine service fails to start with an “Access is denied” error.

Log Name: System
Source: Service Control Manager
Date: 19-Sep-10 11:17:56 AM
Event ID: 7023
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: Win2k8R2.contoso.com
The Base Filtering Engine service terminated with the following error:
Access is denied.

A quick web search will reveal many web pages, most of which list the cause of the issue as missing permissions on the “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BFE\Parameters\Policy” registry key.

However, in this case, a Process Monitor log captured at the time doesn’t have a single event whose result is ACCESS DENIED. Is there something wrong with Process Monitor? Not at all. Why then doesn’t it have an ACCESS DENIED event for the registry key mentioned above? Because the cause of this instance of the issue is not missing permissions on the registry key, rather, something else.

The reason Process Monitor doesn’t capture the Access Denied error is because the error doesn’t occur on a File or Registry operation. Rather, the Access Denied occurs when the Base Filtering Engine service attempts to query the configuration of installed services on the computer. It does so, in alphabetical order. If the Base Filtering Engine service, which runs under the Local System security context, doesn’t have permissions to query the configuration of a service, the Base Filtering Engine service errors out with the event pasted above.

Okay, so we know the cause of the issue. How do you determine which installed service has restrictive permissions? The two options available are:

· Log a call with Microsoft Support for us to debug and determine the problem service.

· Manually examine each service, starting with non-Microsoft services.

Say you’ve decided to go it on your own. Here’s what you need to do to check the Discretionary Access Control List (DACL), or permissions, of a service.

First off, you’ve got to get the names of all installed services:

sc query > servicenames.txt

Open servicenames.txt and make a note of the SERVICE_NAME property of each service.

To list the DACL of a service, run this command:

sc sdshow <service name>

Let’s start by listing the DACL of a Microsoft service, which would have the correct permissions (Unless they’ve been manually edited).

sc sdshow Audiosrv


The resulting string of letters and special characters is the Security Descriptor (SD) in SDDL. The characters after D: make up the DACL. The characters after S: are the SACL, which we’re not interested in.

Since the Base Filtering Engine service runs in the context of the Local System account, the part of the DACL we’re interested in is (A;;CCLCSWRPWPDTLOCRRC;;;SY)

Now it’s time to get our hands dirty. Do an sc sdshow on all non-Microsoft services and check if they have (A;;CCLCSWRPWPDTLOCRRC;;;SY). The services that are missing this Access Control Entry (ACE) are the ones that are causing the Base Filtering Engine service to terminate with “Access is denied”.

On to the most interesting part of this post. How do I fix it?

That’s easy! But first, the disclaimer.

Disclaimer: Proceed at your own risk. Incorrectly setting the DACL could result in you being locked out of modifying the service, or even accessing it.

1. Make a note of the Security Descriptor (SD) of the problem service by running this command:

sc sdshow ProblemService


2. List the SD of a Microsoft service for comparision:

sc sdshow Audiosrv

3. Identify the missing Access Control Entries (ACEs). These are:


4. Insert the missing ACEs into the DACL of the SD of the problem service, by running this command:


Important: Ensure that there are no spaces in the DACL string, because if there is a space in the string, the sc sdset command will only consider the portion before the space and truncate the DACL SDDL string there.




5. Lather, rinse, repeat for other non-Microsoft services that are missing the ACE for Local System.

That’s it. Start the Base Filtering Engine service and then the Windows Firewall service and you’re done.

Here are a couple of links that will demystify SDDL for you:

Parsing SDDL Strings

SDDL string parser – MS Israel Community

Comments (8)

  1. Prashant Bahroos (v-2prbah@mssupport.microsoft.com) says:

    Brilliant article with a superb explaination of the issue and resolution.

  2. sys-eng says:

    While this is rather complex, it is definitely something that Microsoft could do with a utility to fix a common problem with their operating system.  I do believe that Apple would do so for their OS rather than have the customer/user attempt this.  Just an entirely differerent corporate philosophy.

  3. Stormchaser64 says:

    Excellent work.  Saved me from having to rebuild a server, when all the other people were giving up and wiping their systems, I was determined to find the cause of the problem.  Turned out it was a Temp@lert probe service causing the problem. The DACL was not right.  Again, great article.  Thanks.

  4. Mangesh P. says:

    Best ever technical document helped me to resolve our issue after ridicules 8 days. Gone through more than 100 blogs, patches with firing from higher management. Thanks a ton for this great article. Finding Problematic Service manually was real challenge
    for me. Thanks once again.

  5. noffee says:

    I tried to do the sc sdset command, but Access is denied

  6. PaulB says:

    So, I followed the first part of this and went through all the services using sdshow. I came up with the following services that do not contain the EXACT string referenced above ((A;;CCLCSWRPWPDTLOCRRC;;;SY)):

    Thing is, most of them appear to be microsoft services, and most of them have strings that start with A;; and end with ;;;SY, but none of them have the exact string. Should I follow through with adding that exact string to each one? Don’t know if this matters,
    but this is a Windows 7 Home Premium machine. Thanks in advance!

  7. Erik says:

    I have this problem, and this is the first article I have found which doesn’t suggest re-installing windows.

    I tested all the services quickly by sorting servicenames.txt, deleting all but the lines beginning with SERVICE_NAME: and then doing a search/replace to make those lines begin with sc sdshow, and rename the file to be .bat

    I only found the one service which didn’t contain a ;SY) entry SamSs (Security Accounts Manager) which I’m guessing IS a Microsoft service? and your article states look for non-/Microsoft services.

    I found a few services with different letters in the ;SY) code. Are these possibly to blame? Do the entries have to match exactly?


  8. Bruno Messina says:

    RichardSpitz , you saved my skin in 2015 to a 2010 article with this brilliant explanation. Thank you!!