How to Fix Base Filtering Engine Service Startup Problems

The Base Filtering Engine (BFE) service is a crucial network component targeted by malware. If the BFE service doesn’t start, many services, such as Windows Firewall, Routing, Remote Access, and others, fail to start.

If the BFE service is missing from the Services MMC or the Action Center warns you that the Windows Firewall isn’t enabled, your system is likely under malware attack. Have it checked thoroughly using a reputed anti-malware tool, or you may seek professional help to eliminate malware. Trying to repair these services when malware is on board your system isn’t going to help.

The first (and probably the only) thing most of us do to reinstate the Base Filtering Engine Service is to import the service registry keys from a similar computer, which is a correct step. But this only enlists the service in the Services MMC, but the required service Permissions aren’t assigned automatically. Due to missing special permissions for the BFE service, the following errors occur when you try to turn on the BFE or Windows Firewall.

Action Center can’t turn on Windows Firewall

Turning it on via the Windows Firewall applet may show the error Windows Firewall can’t change some of your settings. Error code 0x80070433 or 0x8007042c.

Services MMC: Windows could not start the Windows Firewall service on Local Computer. Error 1075: The dependency service does not exist or has been marked for deletion.

Services MMC: Windows could not start the Base Filtering Engine service on Local Computer. Error 5: Access is denied.

This is recorded in the System event log as well:

Log Name: System
Source: Service Control Manager
Date: 1/9/2020 8:21:25 AM
Event ID: 7023
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: W10-PC
Description:
The BFE service terminated with the following error:
Access is denied.

Resolution: Repair Base Filtering Engine

Step 1: Import the BFE Service Registry Keys

1. First, create a Restore Point.
2. Download AdvancedRun from Nirsoft.net.
3. Using AdvancedRun, launch C:\Windows\Regedit.exe under the TrustedInstaller privileges.(For more info, see How to Run programs as TrustedInstaller.)

   

4. After starting the Registry Editor as TrustedInstaller, you may close the AdvancedRun utility.
5. Download the BFE service registry fix below for your version of Windows:

   BFE for Windows 7 | BFE for Windows 8 | BFE for Windows 10 | BFE for Windows 11

6. Unzip the archive and extract the .reg file to a folder — e.g., “C:\Temp”
7. From the Registry Editor, click File, Import…, select the BFE registry file, and import it.
   

This adds the BFE service to the registry.

Don’t close the Registry Editor yet. The next step is to fix the BFE service registry key permissions. See “Step 2” below.

Step 2: Fix the BFE service registry permissions

1. In the Registry Editor (run as TrustedInstaller) window, and go to the following branch:

   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE\Parameters\Policy

2. Right-click Policy, and click Permissions
   
   It has some default permissions inherited from the parent key. By default, the SYSTEM and Administrators groups have full control permission for the branch. But this isn’t enough to start BFE.
3. Click on the Add button.
   
4. In the Enter the object names to select: box, type NT SERVICE\BFE, and click OK.
   
5. BFE is added to the list of Group or user names. We need to give it special permissions. Click Advanced
   
6. Select BFE, and click the Edit button.
   
7. In the Permission Entry dialog, click “Show advanced permissions.”
   
8. Enable the following Permissions:
   • Query Value
   • Set Value
   • Create Subkey
   • Enumerate Subkeys
   • Notify
   • Read Control (this is added by default when you added BFE)
9. After adding the above six special permissions, click OK.
10. You’ll be back at the Advanced Security Settings dialog now. Click Replace all child object permissions with inheritable permissions from this object, and click OK.
    
11. You’ll be back at the standard permissions dialog. Click OK and close the dialog.
    
12. Exit the Registry Editor.
13. Restart Windows, and then launch the Services MMC (services.msc)
14. Double-click Base Filtering Engine and check its status. If the permissions are correct and no malware is on board, the Base Filtering Engine service should show the status Running.
    

Step 3: Check the Security Descriptors

Still no dice..? If the above steps fail to resolve the issue, resetting the BFE service permissions or security descriptors should do the trick.

1. Open an elevated or admin Command Prompt.
2. Type in the following command:

   [Windows 7 and Windows 8]
   SC.EXE SDSET BFE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)
   
   [Windows 10]
   SC.EXE SDSET BFE D:(A;;CCLCLORC;;;AU)(A;;CCDCLCSWRPLORCWDWO;;;SY)(A;;CCLCSWRPLORCWDWO;;;BA)(A;;CCLCLO;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOSDRCWDWO;;;WD)
   
   [Windows 11]
   SC.EXE SDSET BFE D:(A;;CCLCLORC;;;AU)(A;;CCDCLCSWRPLORCWDWO;;;SY)(A;;CCLCSWRPLORCWDWO;;;BA)(A;;CCLCLO;;;BU)

   Make sure there are no spaces in the Security Descriptor string. It should be like this:
   
   SC <SPACE> SDSET <SPACE> <SECURITYDESCRIPTOR>
   
   

And you should see the message SetServiceObjectSecurity SUCCESS. Restart Windows once again.

Editor’s note

If you get the error SetServiceObjectSecurity FAILED 5: Access is denied when running the SC.EXE SDSET command mentioned above, then the registry key permissions or the service permissions are wrong somewhere. In that case, re-run all of the above steps to verify the permission entries. It should eventually work!