How to Repair Base Filtering Engine Service Startup Problems?

The Base Filtering Engine (BFE) service is an important network component that’s targeted by many malware. If the BFE service doesn’t start, many services such as Windows Firewall, Routing and Remote Access and other services fail to start.

Should the BFE service be missing from the Services MMC, or if the Action Center warns you that the Windows Firewall isn’t enabled, then it’s highly likely that your system is under attack. Have it checked thoroughly using a reputed anti-malware tool or you may seek professional help to eliminate malware. Trying to repair these services when a malware is on-board your system, isn’t going to help in most cases.

This post assumes that you’ve done a malware cleanup, and looking for information on how to fix the services such as BFE, Windows Firewall and others.

First (and probably the only) thing most of us do to reinstate the Base Filtering Engine Service is to import the service registry keys from a similar computer, which is actually a correct step. But this only enlists the service in the Services MMC, but the required service Permissions aren’t assigned automatically. Due to missing special permissions for the BFE service, the following errors occur when you try to turn on the BFE or Windows Firewall.

Some of the error messages you may see:

Action Center can’t turn on Windows Firewall

Turning it on via Windows Firewall control panel, may show up error Windows Firewall can’t change some of your settings. Error code 0x80070433 or Error 0x8007042c.

Services MMC: Windows could not start the Windows Firewall service on Local Computer. Error 1075: The dependency service does not exist or has been marked for deletion.

Services MMC: Windows could not start the Base Filtering Engine service on Local Computer. Error 5: Access is denied.

This is recorded in the System event log as well:

Log Name: System
Source: Service Control Manager
Date: 1/9/2016 8:21:25 AM
Event ID: 7023
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: W10-PC
Description:

The BFE service terminated with the following error:
Access is denied.

Resolution: Fix the BFE Service Registry Keys

First, create a System Restore point, and then restore the BFE service registry entries by downloading the appropriate .zip for your version of Windows:

BFE for Windows 7 | BFE for Windows 8 | BFE for Windows 10

Unzip and run the enclosed REG file. This registers the BFE service back.


Can’t access the BFE Registry key? Take Ownership.

If you aren’t able to open the BFE service registry key, or unable to change the Permissions as suggested in this article, then you may need to take ownership of the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE

and (only if necessary), in this key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE\Parameters\Policy

For more information of changing ownership of a registry key, see article Take ownership of a registry key. Once done, it should be fairly easy to apply the correct permissions for the Base Filtering Service registry key.


Then, to fix the BFE service permissions, start Regedit.exe and go to the following registry path:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE\Parameters\Policy

Right-click Policy, and click Permissions

It has some default permissions, inherited from the parent key. By default, SYSTEM and Administrators group have Full Control permissions. But this isn’t enough to start BFE.

Click the Add button.

In the Enter the object names to select: box, type NT SERVICE\BFE, and click OK.

BFE is added to the list of Group or user names. We need to give it some special permissions. Click Advanced

Select BFE, and click the Edit button.

In the Permission Entry dialog, enable or Allow the following Permissions for BFE:

  • Query Value
  • Set Value
  • Create Subkey
  • Enumerate Subkeys
  • Notify
  • Read Control (this is added by default when you added BFE)

After adding the above (six) Permissions, click OK.

You’ll be back at the Advanced Security Settings dialog now. Select BFE, and click the Replace all child object permissions with inheritable permissions from this object, and click OK.

you’ll be back at the standard permissions dialog. Simply click OK and close the dialog.

Restart Windows, and then launch Services MMC. To do so, click Start, type services.msc and hit {ENTER}. Double-click Base Filtering Engine, and check the status. If the permissions are correct and no malware is on-board, the Base Filtering Engine service should show the status as Started.

Still no dice..? Fix the Security Descriptors

If all else fails, resetting the BFE service Security Descriptors might do the trick for you. Open a elevated/administrator Command Prompt. To do so, type cmd.exe in Start. From the search results, right-click Command Prompt, and choose Run as Administrator. In the console window, type in the following command:

SC SDSET D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)

Make sure that there are no spaces in the Security Descriptor string. It should be like:

SC <SPACE> SDSET <SPACE> <SECURITYDESCRIPTOR>

Note: The BFE service default Security Descriptor is same for Windows 7, Windows 8 and Windows 10. Applying the above Security Descriptor for any other Windows Operating System isn’t suggested.

(For some background information on service Security Descriptors, read the posts by Richard Spitz and Microsoft Enterprise Networking Team TechNet Blogs).

And you should see the message SetServiceObjectSecurity SUCCESS. Restart Windows once again. Instead, if you get the error SetServiceObjectSecurity FAILED 5: Access is denied, then Permissions are wrong somewhere, in which case, re-run all the steps above to verify the Permission entries. It should work eventually!

About the author

Ramesh Srinivasan founded Winhelponline.com back in 2005. He is passionate about Microsoft technologies and has a vast experience in the ITeS industry — delivering support for Microsoft's consumer products. He has been a Microsoft MVP [2003 to 2012] who contributes to various Windows support forums.

1 thought on “How to Repair Base Filtering Engine Service Startup Problems?

Comments are closed.

+1
Share
Tweet
Share
Pin