You cannot start the Windows Firewall service in Windows XP Service Pack 2 (892199)
The information in this article applies to:
- Microsoft Windows XP Home Edition SP2
- Microsoft Windows XP Professional SP2
Important This article contains information about how to modify the
registry. Make sure to back up the registry before you modify it. Make sure
that you know how to restore the registry if a problem occurs. For more
information about how to back up, restore, and modify the registry, click the
following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows registry

SYMPTOMS

After you install Microsoft Windows XP Service Pack 2 (SP2),
you cannot start the Windows Firewall service. You may experience one or more
of the following symptoms:
- When you click Windows Firewall in Control Panel, you may
receive the following error message:
Windows Firewall settings cannot be displayed because the associated service is not running. Do you want to start the Windows Firewall/Internet Connection Sharing (ICS) service?
If you click Yes, you receive the following error message:
Windows cannot start the Windows Firewall/Internet Connection Sharing (ICS) service.
- If you try to manually start the Windows Firewall service
by using Services, you may receive the following error message:
Could not start the Windows Firewall/Internet Connection Sharing (ICS) service on Local Computer. Error 0x80004015: The class is configured to run as a security id different from the caller
Note To open Services, click Start, click Control Panel, double-click
Administrative Tools, and then double-click Services. For information about
using Services, on the Action menu in Services, click Help.
- The following events may appear in the system event log:
Event ID: 7036
Event Source: Service Control Manager
Event Type: Information
Event Category: None
Description: The Windows Firewall/Internet Connection Sharing (ICS) service entered the stopped state.

Event ID: 7023
Source: Service Control Manager
Type: Error
Description: The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error: The class is configured to run as a security id different from the caller
- When you use the SC query command to determine the status
for the Windows Firewall/Internet Connection Sharing service, you see the
following output:
C:\>sc query sharedaccess
SERVICE_NAME: sharedaccess
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 1 STOPPED
(NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : -2147467243 (0x80004015)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
- If you try to start the Windows Firewall/Internet
Connection Sharing (ICS) service at the command prompt by using the net start sharedaccess command, you see the following output:
C:\>net start sharedaccess
The Windows Firewall/Internet Connection Sharing (ICS) service is starting.
The Windows Firewall/Internet Connection Sharing (ICS) service could not be started.
A system error has occurred.
System error 16405 has occurred.
The system cannot find message text for message number 0x4015 in the message file for BASE.
Note The Windows Firewall feature of Windows XP SP2 is a replacement
for the Internet Connection Firewall (ICF) in earlier versions of Windows
XP.

CAUSE

This problem may occur if certain Administrative Templates from the Windows XP
Security Guide were applied to the computer before Windows XP SP2 was
installed. Some of the security templates that were published as part of the
Windows XP Security Guide replace the security descriptor of the SharedAccess
service with a more restrictive one.
In Windows XP SP2, remote procedure call (RPC) runs using the
NT Authority\NetworkService account. The default security descriptor for
services in Windows XP SP2 gives Read access to the Authenticated Users group,
which includes the NT Authority\NetworkService account. When a template has
removed that Read access, the RPC subsystem can no longer read the service's
configuration, and the service fails to start with error 0x80004015
(CO_E_WRONG_SERVER_IDENTITY, "The class is configured to run as a security id
different from the caller").

RESOLUTION

To resolve this problem, use one of the following methods:

Method 1: Restore the default security descriptor for the SharedAccess service

The service that controls the Windows Firewall/Internet Connection Sharing
(ICS) service is named SharedAccess. In the default security descriptor (SD),
Authenticated Users (AU) have query and read access; LocalSystem (SY) and Power
Users (PU) additionally have start, stop, pause and interrogate rights; and
Administrators (BA) have Full Control. To view the SD of SharedAccess, type
SC sdshow SharedAccess at the command prompt, and then press ENTER. The
default SD appears and is similar to the following:
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
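To see exactly what that string grants, here is a small decoder, added as an example for this page (it is not Microsoft's code and not part of the original article). It parses the D: section of a service SDDL string such as the sc sdshow output above, maps each two-letter right to its winsvc.h name, works out the effective rights of the AU entry, and, when the descriptor differs from the SP2 default, builds the sc sdset command from Method 1. HARDENED_SD is a constructed sample of a descriptor with the Authenticated Users entry removed; the article does not show the template's real descriptor, so treat it as an assumption.

```python
"""Decode a service SDDL string (as printed by `sc sdshow <service>`) and compare
it with the Windows XP SP2 default for SharedAccess.

Added example for this page; not Microsoft's code and not part of the KB
article.  Pure Python: no Windows API is called, so it runs anywhere.
"""
import re
from typing import Dict, List, Tuple

# Two-letter SDDL rights as they apply to service objects (bit values from winsvc.h).
SERVICE_RIGHTS = {
    "CC": ("SERVICE_QUERY_CONFIG", 0x0001),
    "DC": ("SERVICE_CHANGE_CONFIG", 0x0002),
    "LC": ("SERVICE_QUERY_STATUS", 0x0004),
    "SW": ("SERVICE_ENUMERATE_DEPENDENTS", 0x0008),
    "RP": ("SERVICE_START", 0x0010),
    "WP": ("SERVICE_STOP", 0x0020),
    "DT": ("SERVICE_PAUSE_CONTINUE", 0x0040),
    "LO": ("SERVICE_INTERROGATE", 0x0080),
    "CR": ("SERVICE_USER_DEFINED_CONTROL", 0x0100),
    "SD": ("DELETE", 0x00010000),
    "RC": ("READ_CONTROL", 0x00020000),
    "WD": ("WRITE_DAC", 0x00040000),
    "WO": ("WRITE_OWNER", 0x00080000),
    "GA": ("GENERIC_ALL", 0x10000000),
    "GX": ("GENERIC_EXECUTE", 0x20000000),
    "GW": ("GENERIC_WRITE", 0x40000000),
    "GR": ("GENERIC_READ", 0x80000000),
}

# The SP2 default for SharedAccess, exactly as the article prints it.
DEFAULT_SD = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
              "(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)")

# Constructed sample (an assumption, not taken from the article): a hardened
# descriptor from which the Authenticated Users entry has been dropped.
HARDENED_SD = "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"

# Rights the default grants AU: what a NetworkService caller needs to query the service.
AU_READ_RIGHTS = 0x0001 | 0x0004 | 0x0008 | 0x0080 | 0x0100 | 0x00020000  # CCLCSWLOCRRC

# One ACE: (type;flags;rights;object_guid;inherit_guid;sid)
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")


def rights_mask(rights: str) -> int:
    """Turn a run of two-letter rights (or a 0x hex literal) into an access mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    if len(rights) % 2:
        raise ValueError(f"odd-length rights string: {rights!r}")
    mask = 0
    for i in range(0, len(rights), 2):
        token = rights[i:i + 2]
        if token not in SERVICE_RIGHTS:
            raise ValueError(f"unknown SDDL right {token!r}")
        mask |= SERVICE_RIGHTS[token][1]
    return mask


def parse_dacl(sddl: str) -> List[Tuple[str, str, int]]:
    """Return [(ace_type, principal, mask), ...] for every ACE in the D: section."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl.strip())
    if not m:
        raise ValueError("no DACL (D:) section found")
    return [(t, sid, rights_mask(r)) for t, _f, r, _o, _i, sid in ACE_RE.findall(m.group(1))]


def effective_mask(aces: List[Tuple[str, str, int]], principal: str) -> int:
    """Bits allowed to one principal minus bits explicitly denied (deny wins)."""
    allow = deny = 0
    for ace_type, sid, mask in aces:
        if sid != principal:
            continue
        if ace_type == "A":
            allow |= mask
        elif ace_type == "D":
            deny |= mask
    return allow & ~deny


def right_names(mask: int) -> List[str]:
    """Human-readable names for the bits set in a service access mask."""
    return [name for _, (name, bit) in SERVICE_RIGHTS.items() if (mask & bit) == bit]


def diagnose(sddl: str) -> Dict[str, object]:
    """Compare an sdshow string with the default and report what AU is missing."""
    aces = parse_dacl(sddl)
    missing = AU_READ_RIGHTS & ~effective_mask(aces, "AU")
    report: Dict[str, object] = {
        "matches_default": sorted(aces) == sorted(parse_dacl(DEFAULT_SD)),
        "au_can_query": missing == 0,
        "au_missing": right_names(missing),
    }
    if not report["matches_default"]:
        # Method 1 of the article: push the default descriptor back with sc sdset.
        report["fix"] = f"sc sdset SharedAccess {DEFAULT_SD}"
    return report


if __name__ == "__main__":
    for label, sd in (("default", DEFAULT_SD), ("hardened", HARDENED_SD)):
        print(label, diagnose(sd))
```

Paste the exact text that sc sdshow prints into diagnose(); surrounding whitespace is ignored. Deny ACEs (type D) are subtracted from the allow bits, so a deny entry placed ahead of the AU entry is reported as missing rights rather than being overlooked.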
Note For more information about how to interpret the strings, visit
the following MSDN Web site and search for SDDL or "ACE strings":
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/ace_strings.asp
Note To open the command prompt, click Start, click Run, in the
Open box, type CMD, and then click OK.
If the output differs from this example, you can reset the SD by using the SC
command with the sdset option. To restore the default SD for the SharedAccess
service, type the following command on one line at the command prompt, and then
press ENTER (sdset replaces the whole existing descriptor):
SC sdset SharedAccess D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
For more information about the SC sdset command, see Windows Help.

Method 2: Restore the default SD for the SharedAccess service

Warning Serious problems might occur if you modify the registry
incorrectly by using Registry Editor or by using another method. These problems
might require that you reinstall your operating system. Microsoft cannot
guarantee that these problems can be solved. Modify the registry at your own
risk.
To restore the default SD for the SharedAccess service, follow these steps:
- Click Start, click Run,
in the Open box, type regedit, and then
click OK.
- Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Security
- Delete the Security registry subkey, if it exists.
- Quit Registry Editor, and then restart the
computer.
Note It is important to delete the Security registry subkey if this
subkey exists. This guarantees that the default security descriptor is used for
starting Windows Firewall when the computer is restarted. If you run
Microsoft Component Object Model (COM), DCOM, or Microsoft COM+ applications to
control the Windows Firewall service, you must also perform the following
steps:
- Click Start, click Run,
in the Open box, type regedit, and then
click OK.
- Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{ce166e40-1e72-45b9-94c9-3b2050e8f180}
- On the File menu, click
Export.
- In the File name box, type
C:\reg_AppID_CLSID.reg, and then click
Save to save the registry file.
- Delete the {ce166e40-1e72-45b9-94c9-3b2050e8f180} registry
subkey.
- On the File menu, click
Import.
- In the File name box, type
C:\reg_AppID_CLSID.reg, and then click
Open.
- Click OK, and then quit Registry
Editor.
- Start the Windows Firewall/Internet Connection Sharing
(ICS) service. To do this, type NET START SharedAccess
at the command prompt, and then press ENTER.
Note You can perform all these steps at the command prompt. To do
this, follow these steps:
- Type the following commands, and then press ENTER after
each command:
REG DELETE HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Security /f
REG DELETE HKLM\SOFTWARE\Classes\AppID\{ce166e40-1e72-45b9-94c9-3b2050e8f180} /f
The deletion of the {ce166e40-1e72-45b9-94c9-3b2050e8f180} registry subkey is
an important step. This step guarantees that the default security descriptor
at the time of re-importing is applied.
- Restart the computer.
STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that
are listed in the "Applies to" section.

MORE INFORMATION

For more information about Windows Firewall in Windows XP SP2, visit the
following Microsoft Web site:
http://www.microsoft.com/technet/prodtechnol/winxppro/support/wftshoot.mspx
For more information about the Windows XP Security Guide, visit the following
Microsoft Web site:
http://www.microsoft.com/technet/security/prodtech/winclnt/secwinxp/xpsgch04.mspx

The SC.exe (Service Controller) utility

The SC.exe utility communicates with the Service Controller and with installed services.
SC.exe retrieves and sets control information about services. You can use
SC.exe to test and debug service programs. Service properties stored in the
registry can be set to control how service applications are started at boot
time and how they run as background processes. SC.exe parameters can configure
a specific service, retrieve the current status of a service, and stop and
start a service. You can create batch files that call various SC.exe commands
to automate the startup or shutdown sequence of services. SC.exe provides
capabilities that are similar to Services in the
Administrative Tools item in Control Panel. For more
information about the SC.exe utility, visit the following Microsoft Web site:
http://technet2.microsoft.com/windowsserver/en/library/0A658E97-51D5-4109-B461-A474C799964E1033.mspx

Security templates

For more information about security
templates, see "Data Security and Data Availability for End Systems" at the
following Microsoft Web site:
http://www.microsoft.com/technet/Security/bestprac/bpent/sec3/datavail.mspx
For more information about the Windows XP Security Guide v2, visit the
following Microsoft Web site:
http://www.microsoft.com/downloads/details.aspx?FamilyId=2D3E25BC-F434-4CC6-A5A7-09A8A229F118&displaylang=en
You can
create and define security templates by using the Security Templates snap-in.
To do this, follow these steps:
- Click Start, click Run,
type mmc, and then click OK.
- In the Console1 window, on the File menu,
click Add/Remove Snap-in.
- In the Add/Remove Snap-in dialog box,
click Add.
- In the Add Standalone Snap-in dialog box,
click Security Templates, click Add, and then
click Close.
- In the Add/Remove Snap-in dialog box,
click OK.
- In the Console1 window, expand the Security
Templates node. Then expand the
\system_root\Security\Templates
node to see a list of the available templates.
- Expand the
\system_root\Security\Templates\securews\
node, click System Services, and then double-click
Windows Firewall/Internet Connection Sharing (ICS) to define
this policy setting in the template.
Programmatically assign permissions

For information about how to programmatically assign permissions
to the LaunchPermission registry entry or to the AccessPermission registry
entry, visit the following MSDN Web site to obtain sample DCOMperm: Permissions
for a COM Server code:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vcsample98/html/vcsmpdcompermpermissionsforcomserver.asp
The AccessPermission registry entry sets a discretionary access control list
(DACL) that determines access. The LaunchPermission registry entry sets a DACL
that determines who can start the application. The LaunchPermission
registry entry is REG_BINARY. Upon receiving a local or remote request to start
the server of this class, the DACL described by this value is checked while
impersonating the client. Its success either allows or disallows the starting
of the server. If this value does not exist, as a default, the machine-wide
DefaultLaunchPermission entry is checked in the same way to determine whether
the class code can be launched. The AccessPermission registry value
is REG_BINARY. It contains data that describes the DACL of the principals that
can access instances of this class. Upon receiving a request to connect to an
existing object of this class, the DACL is checked by the application being
called while impersonating the caller. If the access check fails, the
connection is not allowed. If this named value does not exist, as a default,
the machine-wide DefaultAccessPermission DACL is tested in the same manner to
determine whether the connection is allowed.

View the service permission settings in the DCOMcnfg GUI

To view the service permission settings in the DCOMcnfg graphical
user interface (GUI), follow these steps:
- Click Start, click Run,
in the Open box, type DCOMCNFG, and
then click OK.
- Expand the following nodes:
Component Services, Computers, My Computer, DCOM Config
- Right-click SharedAccess, and then click
Properties.
- Click the General tab, and verify that the
following settings are configured:
Application Name: SharedAccess
Application ID: {ce166e40-1e72-45b9-94c9-3b2050e8f180}
Application Type: Local Service
Authentication Level: Default
Service Name: SharedAccess
- Click the Identity tab, and verify that
The system account (services only) is selected.
- Click the Security tab.
- In the Launch and Activation Permissions
area, click Customize, and then click Edit.
- In the Group or user names box, click
Administrators
(MACHINE_NAME\Administrators). Verify that
the Local Activation check box in the Allow
column is selected, and then click OK.
- In the Access Permissions area, click
Customize, and then click Edit. Verify that
the following settings are configured:
- In the Group or user names box, click
Administrators (MACHINE_NAME\Administrators). Then verify
that the Local Access check box in the Allow
column is selected. Click OK.
- In the Configuration Permissions area,
click Customize, and then click Edit. Verify
that the following settings are configured:
- In the Group or user names box, click
Administrators
(MACHINE_NAME\Administrators). Then verify
that the Full Control check box and the Read
check box in the Allow column are selected.
- In the Group or user names box, click
Power Users. Then verify that the Read check
box in the Allow column is selected.
- In the Group or user names box, click
SYSTEM. Then verify that the Full Control
check box and the Read check box in the Allow
column are selected.
- In the Group or user names box, click
Users. Then verify that the Read check box in
the Allow column is selected. Click OK two
times.
Sample registry outputs

To export the content of the registry entry, type the following
command at the command prompt, and then press ENTER:
REG EXPORT HKLM\SOFTWARE\Classes\AppID\{ce166e40-1e72-45b9-94c9-3b2050e8f180} C:\reg_AppID_CLSID.txt
The output file, C:\reg_AppID_CLSID.txt, will contain text that
is similar to the following:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{ce166e40-1e72-45b9-94c9-3b2050e8f180}]
@="SharedAccess"
"LocalService"="SharedAccess"
"AccessPermission"=hex:01,00,14,80,34,00,00,00,50,00,00,00,00,00,00,00,14,00,\
00,00,02,00,20,00,01,00,00,00,00,00,18,00,03,00,00,00,01,02,00,00,00,00,00,\
05,20,00,00,00,20,02,00,00,01,05,00,00,00,00,00,05,15,00,00,00,59,51,b8,17,\
66,72,5d,25,64,63,3b,0b,7f,a9,28,00,01,05,00,00,00,00,00,05,15,00,00,00,59,\
51,b8,17,66,72,5d,25,64,63,3b,0b,7f,a9,28,00
"LaunchPermission"=hex:01,00,04,80,34,00,00,00,50,00,00,00,00,00,00,00,14,00,\
00,00,02,00,20,00,01,00,00,00,00,00,18,00,09,00,00,00,01,02,00,00,00,00,00,\
05,20,00,00,00,20,02,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,5f,84,1f,\
5e,2e,6b,49,ce,12,03,03,f4,01,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,\
5f,84,1f,5e,2e,6b,49,ce,12,03,03,f4,01,00,00
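The AccessPermission and LaunchPermission values above are self-relative security descriptors stored as raw bytes, which is why the "Programmatically assign permissions" section describes them as REG_BINARY DACLs. The decoder below is an added example for this page (not Microsoft's code and not part of the article): it walks the SECURITY_DESCRIPTOR header, the ACL header and each ACE, names the well-known SIDs and DCOM rights bits, and answers the same question the DCOMcnfg steps earlier in the article answer by hand, namely whether Administrators have Local Access and Local Activation. The two hex strings are the article's own sample values with the .reg line continuations removed; the COM_RIGHTS_* bit values are from objbase.h; the SID name table is limited to the principals the article mentions.

```python
"""Decode the REG_BINARY AccessPermission / LaunchPermission values of the
SharedAccess AppID as they appear in a REG EXPORT dump.

Added example for this page; not Microsoft's code and not part of the KB article.
Offline: the hex below is the article's sample output, nothing touches the registry.
"""
import struct
from typing import Dict, Tuple

ACCESS_PERMISSION_HEX = """
01,00,14,80,34,00,00,00,50,00,00,00,00,00,00,00,14,00,
00,00,02,00,20,00,01,00,00,00,00,00,18,00,03,00,00,00,01,02,00,00,00,00,00,
05,20,00,00,00,20,02,00,00,01,05,00,00,00,00,00,05,15,00,00,00,59,51,b8,17,
66,72,5d,25,64,63,3b,0b,7f,a9,28,00,01,05,00,00,00,00,00,05,15,00,00,00,59,
51,b8,17,66,72,5d,25,64,63,3b,0b,7f,a9,28,00
"""
LAUNCH_PERMISSION_HEX = """
01,00,04,80,34,00,00,00,50,00,00,00,00,00,00,00,14,00,
00,00,02,00,20,00,01,00,00,00,00,00,18,00,09,00,00,00,01,02,00,00,00,00,00,
05,20,00,00,00,20,02,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,5f,84,1f,
5e,2e,6b,49,ce,12,03,03,f4,01,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,
5f,84,1f,5e,2e,6b,49,ce,12,03,03,f4,01,00,00
"""

# DCOM access-mask bits (objbase.h).  DCOMCNFG shows 0x2 as "Local Access" in
# AccessPermission and "Local Launch" in LaunchPermission; 0x8 is "Local Activation".
COM_RIGHTS = {0x01: "COM_RIGHTS_EXECUTE", 0x02: "COM_RIGHTS_EXECUTE_LOCAL",
              0x04: "COM_RIGHTS_EXECUTE_REMOTE", 0x08: "COM_RIGHTS_ACTIVATE_LOCAL",
              0x10: "COM_RIGHTS_ACTIVATE_REMOTE"}
WELL_KNOWN_SIDS = {"S-1-5-18": "NT AUTHORITY\\SYSTEM",
                   "S-1-5-11": "NT AUTHORITY\\Authenticated Users",
                   "S-1-5-32-544": "BUILTIN\\Administrators",
                   "S-1-5-32-547": "BUILTIN\\Power Users"}
SE_SELF_RELATIVE, SE_DACL_PRESENT = 0x8000, 0x0004
ADMINISTRATORS = "S-1-5-32-544"


def reg_hex_to_bytes(text: str) -> bytes:
    """Parse the `hex:aa,bb,...` value format of a .reg file into bytes."""
    cleaned = text.replace("\\", "").replace("hex:", "").replace("\n", "")
    return bytes(int(tok, 16) for tok in cleaned.split(",") if tok.strip())


def read_sid(buf: bytes, off: int) -> Tuple[str, int]:
    """Decode a binary SID at `off`; return its S-1-... form and its byte length."""
    revision, sub_count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")      # 48-bit, big-endian
    subs = struct.unpack_from("<%dI" % sub_count, buf, off + 8)   # 32-bit, little-endian
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs)), 8 + 4 * sub_count


def decode_self_relative_sd(buf: bytes) -> Dict[str, object]:
    """Walk a self-relative SECURITY_DESCRIPTOR; return owner, group and DACL ACEs.
    The SACL is ignored (both sample values carry a zero SACL offset)."""
    revision, _sbz1, control, owner_off, group_off, _sacl_off, dacl_off = \
        struct.unpack_from("<BBHIIII", buf, 0)
    if revision != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a self-relative SECURITY_DESCRIPTOR")
    sd: Dict[str, object] = {"control": control, "owner": None, "group": None, "dacl": []}
    if owner_off:
        sd["owner"] = read_sid(buf, owner_off)[0]
    if group_off:
        sd["group"] = read_sid(buf, group_off)[0]
    if control & SE_DACL_PRESENT and dacl_off:
        _rev, _sbz, _size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", buf, dacl_off)
        pos = dacl_off + 8                       # first ACE follows the 8-byte ACL header
        for _ in range(ace_count):
            ace_type, _flags, ace_size = struct.unpack_from("<BBH", buf, pos)
            (mask,) = struct.unpack_from("<I", buf, pos + 4)
            sid, _ = read_sid(buf, pos + 8)
            sd["dacl"].append({"type": {0: "ALLOW", 1: "DENY"}.get(ace_type, "TYPE_%d" % ace_type),
                               "sid": sid, "name": WELL_KNOWN_SIDS.get(sid, sid), "mask": mask,
                               "rights": [n for bit, n in COM_RIGHTS.items() if mask & bit]})
            pos += ace_size                      # ace_size covers header + mask + SID
    return sd


def allowed_mask(sd: Dict[str, object], sid: str) -> int:
    """Effective DCOM bits for one SID: allow bits minus deny bits."""
    allow = deny = 0
    for ace in sd["dacl"]:
        if ace["sid"] == sid and ace["type"] == "ALLOW":
            allow |= ace["mask"]
        elif ace["sid"] == sid and ace["type"] == "DENY":
            deny |= ace["mask"]
    return allow & ~deny


def check_article_settings(access_hex: str, launch_hex: str) -> Dict[str, bool]:
    """The two check boxes the DCOMCNFG steps tell you to verify for Administrators."""
    access = decode_self_relative_sd(reg_hex_to_bytes(access_hex))
    launch = decode_self_relative_sd(reg_hex_to_bytes(launch_hex))
    return {"admins_local_access": bool(allowed_mask(access, ADMINISTRATORS) & 0x02),
            "admins_local_activation": bool(allowed_mask(launch, ADMINISTRATORS) & 0x08)}


if __name__ == "__main__":
    for label, value in (("AccessPermission", ACCESS_PERMISSION_HEX),
                         ("LaunchPermission", LAUNCH_PERMISSION_HEX)):
        sd = decode_self_relative_sd(reg_hex_to_bytes(value))
        print(label, "owner=%s" % sd["owner"], sd["dacl"])
    print(check_article_settings(ACCESS_PERMISSION_HEX, LAUNCH_PERMISSION_HEX))
```

Run against the article's values, both descriptors contain a single allow ACE for S-1-5-32-544 (Administrators): mask 0x3 in AccessPermission (Local Access) and 0x9 in LaunchPermission (Local Activation), which is what the DCOMcnfg steps ask you to confirm. The owner and group of the LaunchPermission descriptor end in RID 500, the built-in Administrator account of the machine that produced the dump. The AccessPermission header carries control 0x8014, which sets SE_SACL_PRESENT even though its SACL offset is zero; the decoder only reads owner, group and DACL, so that flag does not matter here.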
A similar output file for the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
registry subkey will contain text that is similar to the following text:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\SharedAccess]
"DependOnGroup"=hex(7):00,00
"DependOnService"=hex(7):4e,00,65,00,74,00,6d,00,61,00,6e,00,00,00,57,00,69,00,\
6e,00,4d,00,67,00,6d,00,74,00,00,00,00,00
"Description"="Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network."
"DisplayName"="Windows Firewall/Internet Connection Sharing (ICS)"
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000020
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\SharedAccess\Epoch]
"Epoch"=dword:0000073e
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\SharedAccess\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
69,00,70,00,6e,00,61,00,74,00,68,00,6c,00,70,00,2e,00,64,00,6c,00,6c,00,00,\
00
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\SharedAccess\Enum]
"0"="Root\\LEGACY_SHAREDACCESS\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
REFERENCES

828758 Microsoft Windows XP COM+ 1.5 Hotfix Package
875357 Troubleshooting Windows Firewall settings in Windows XP Service Pack 2
892504 The Windows Firewall service in Windows Server 2003 cannot start if the DCOM Process Launcher Service is disabled
Microsoft Windows XP Professional Product Documentation
MSDN
Windows XP Professional SP2 on the Microsoft Web site.
Modification Type: Major
Last Reviewed: 10/10/2006
Keywords: kbtshoot kberrmsg KB892199 kbAudEndUser