The Windows Firewall Service Fails to start – Checking Privilege Access

As discussed in the previous posts in this series, there can be several causes that will prevent Windows Firewall from starting. In this installment, part 4 of 5 in the series, I will cover specifics of checking access privileges for both Windows Vista and Windows 7.

Checking Privilege access

Warning: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

You can see the privilege access settings by looking at the RequiredPrivileges registry value.

I have listed below the values you will find in a default clean install, but it is possible you will have other values.

HKLM\SYSTEM\CurrentControlSet\Services\MpsSvc\RequiredPrivileges
  1. SeAssignPrimaryTokenPrivilege
  2. SeAuditPrivilege
  3. SeChangeNotifyPrivilege
  4. SeCreateGlobalPrivilege
  5. SeImpersonatePrivilege
  6. SeIncreaseQuotaPrivilege

You can then check the privileges found in the previous step using secpol.msc. Make sure each of the privileges listed above has LOCAL SERVICE assigned to it.

You can check this by one of the following methods:

Method 1

Open secpol.msc, right-click the root node (Security Settings), and export the data to an .inf file. Then open the .inf file in Notepad.

Note: In the .inf file, make sure each of the privileges listed above contains the SID of the needed object. For LOCAL SERVICE, the SID is S-1-5-19.

Note: The list below is edited to contain only the values we are looking for. There will be more values in the .inf file.

[Privilege Rights]
SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551
SeAuditPrivilege = *S-1-5-19,*S-1-5-20
SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6
SeCreateGlobalPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6
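
One way to automate the Method 1 check, as an added example that is not part of the original article: the PowerShell below parses the [Privilege Rights] section of an exported .inf and reports which of the six privileges lack S-1-5-19. The function names and the sample text are constructed for illustration; the sample drops LOCAL SERVICE from SeImpersonatePrivilege and leaves out SeCreateGlobalPrivilege.

```powershell
# Added example: the six privileges and the LOCAL SERVICE SID come from the article.
$RequiredPrivileges = 'SeAssignPrimaryTokenPrivilege', 'SeAuditPrivilege',
    'SeChangeNotifyPrivilege', 'SeCreateGlobalPrivilege',
    'SeImpersonatePrivilege', 'SeIncreaseQuotaPrivilege'
$LocalServiceSid = 'S-1-5-19'

function Get-PrivilegeRights([string[]]$Lines) {
    # Returns a hashtable: privilege name -> array of holders, '*' prefix removed.
    $rights = @{}
    $inSection = $false
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') {
            # Only "name = holders" lines inside [Privilege Rights] are of interest.
            $inSection = ($Matches[1] -eq 'Privilege Rights')
        } elseif ($inSection -and $text -match '^(\w+)\s*=\s*(.*)$') {
            $name = $Matches[1]
            $rights[$name] = @($Matches[2].Split(',') |
                ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    $rights
}

function Test-LocalServiceRights([string[]]$Lines) {
    $rights = Get-PrivilegeRights $Lines
    foreach ($name in $RequiredPrivileges) {
        # A privilege may be absent from the export or listed with no holders;
        # both cases count as LOCAL SERVICE missing.
        $holders = @()
        if ($rights.ContainsKey($name)) { $holders = $rights[$name] }
        New-Object PSObject -Property @{
            Privilege       = $name
            HasLocalService = ($holders -contains $LocalServiceSid)
        } | Select-Object Privilege, HasLocalService
    }
}

# Constructed sample input, modelled on the excerpt above (not a real export).
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-19,*S-1-5-20,*S-1-5-32-544
SeAuditPrivilege = *S-1-5-19,*S-1-5-20
SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
SeImpersonatePrivilege = *S-1-5-20,*S-1-5-32-544,*S-1-5-6
'@ -split '\r?\n'

Test-LocalServiceRights $sample | Format-Table -AutoSize
```

To check a real export, pass its lines instead of the sample, for example `Test-LocalServiceRights (Get-Content <path to exported .inf>)`.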

Method 2

Open the Local Security Policy MMC (secpol.msc), then drill down to Local Policies / User Rights Assignment.

Find the policy for each of the corresponding privileges (below) and make sure LOCAL SERVICE is listed in it.

| Privilege name | Policy name |
| --- | --- |
| SeAssignPrimaryTokenPrivilege | Replace a process level token |
| SeAuditPrivilege | Manage auditing and security log |
| SeChangeNotifyPrivilege | Bypass traverse checking |
| SeCreateGlobalPrivilege | Create global objects |
| SeImpersonatePrivilege | Impersonate a client after authentication |
| SeIncreaseQuotaPrivilege | Adjust memory quotas for a process |

Missing privileges can be added via Registry Editor as follows:

  1. Browse to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc registry key, right-click and select Permissions.
  2. In the "Permissions for Creator Owner" window, click the Advanced button, then click Add.
  3. Once the "Select User, Computer, Service Account or Group" box appears, change the "From this location:" to point to the local machine name if it is not already.
  4. After changing the search location, enter "NT Service\BFE" for Windows Vista or "NT Service\MpsSvc" for Windows 7 in the "Enter the object name to select" box and click "Check names" - this will allow you to add the account. Click OK to return to the Advanced Security Settings dialog.
  5. Check the appropriate privileges from above.

What’s next?

In my next installment, I will cover Firewall service dependencies.