Microsoft KB Archive/892199

= Certain Administrative Templates from the Windows XP Security Guide may prevent you from starting the Windows Firewall service in Windows XP Service Pack 2 =

Article ID: 892199

Article Last Modified on 11/16/2007

-

APPLIES TO


 * Microsoft Windows XP Home Edition
 * Microsoft Windows XP Professional

-





Notice
This article is intended for advanced computer users. If you are not comfortable with advanced troubleshooting, you may want to ask someone for help or contact support. For information about how to do this, visit the following Microsoft Web site:

http://support.microsoft.com/contactus



SYMPTOMS
After you install Windows XP Service Pack 2 (SP2), you cannot start the Windows Firewall service. You may experience one or more of the following symptoms:  When you click Windows Firewall in Control Panel, you may receive the following error message:

Windows Firewall settings cannot be displayed because the associated service is not running. Do you want to start the Windows Firewall/Internet Connection Sharing (ICS) service?

If you click Yes, you receive the following error message:

Windows cannot start the Windows Firewall/Internet Connection Sharing (ICS) service.

 If you try to manually start the Windows Firewall service by using Services, you may receive the following error message:

Could not start the Windows Firewall/Internet Connection Sharing (ICS) service on Local Computer.

Error 0x80004015: The class is configured to run as a security id different from the caller

Note To open Services, click Start, click Control Panel, double-click Administrative Tools, and then double-click Services. For information about how to use Services, on the Action menu in Services, click Help.  The following events may appear in the system event log: Event ID: 7036

Event Source: Service Control Manager

Event Type: Information

Event Category: None

Description:

The Windows Firewall/Internet Connection Sharing (ICS) service entered the stopped state. Event ID: 7023

Source: Service Control Manager

Type: Error

Description:

The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error:

The class is configured to run as a security id different from the caller   When you use the SC query command to determine the status for the Windows Firewall/Internet Connection Sharing service, you see the following output:  C:\>sc query sharedaccess SERVICE_NAME: sharedaccess TYPE : 20 WIN32_SHARE_PROCESS STATE : 1 STOPPED (NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN) WIN32_EXIT_CODE : -2147467243 (0x80004015) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0   If you try to start the Windows Firewall/Internet Connection Sharing (ICS) service at the command prompt by using the net start sharedaccess command, you see the following output:  C:\>net start sharedaccess The Windows Firewall/Internet Connection Sharing (ICS) service is starting. The Windows Firewall/Internet Connection Sharing (ICS) service could not be started. A system error has occurred. System error 16405 has occurred. The system cannot find message text for message number 0x4015 in the message file for BASE. </ul>

Note The Windows Firewall feature of Windows XP SP2 is a replacement for the Internet Connection Firewall (ICF) in earlier versions of Windows XP.

<div class="cause_section">

CAUSE
This problem may occur if certain Administrative Templates from the Windows XP Security Guide were applied to the computer before Windows XP SP2 was installed. This problem occurs because of a problem in some security templates that were published as part of the Windows XP Security Guide.

In Windows XP SP2, remote procedure call (RPC) runs by using the NT Authority\NetworkService account. The default security descriptor for services in Windows XP SP2 gives Read access to the Authenticated Users group. This includes the NT Authority\NetworkService account.

<div class="resolution_section">

Advanced users
These methods are intended for advanced computer users. If you are not comfortable with advanced resolutions, you may want to ask someone for help or contact support. For information about how to contact support, visit the following Microsoft Web site:

http://support.microsoft.com/contactus

To resolve this problem, use one of the following methods:

Method 1: Restore the default security descriptor for the SharedAccess service
The service that controls the Windows Firewall/Internet Connection Sharing (ICS) service is named SharedAccess. The default security descriptor (SD) gives READ access to LocalSystem (SY), PowerUsers (PU), and AuthenticatedUsers (AU), and it gives Full Control access to Administrators (BA).

To view the SD of SharedAccess, type SC sdshow SharedAccess at the command prompt, and then press ENTER. The default SD appears and resembles the following: <pre class="fixed_text"> D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU) Note For more information about how to interpret the strings, visit the following MSDN Web site and search for SDDL or &quot;ACE strings&quot;:

http://msdn2.microsoft.com/en-us/library/aa374928.aspx

Note To open the command prompt, click Start, click Run, in the Open box, type CMD, and then click OK.

If you see any other output as illustrated in this example, you can reset the SD by using the SC command with the sdset option. To restore the default SD for the SharedAccess service, type the following command at the command prompt, and then press ENTER:

SC sdset SharedAccess D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)

For more information about the SC sdset command, see Windows Help.

Method 2: Restore the default SD for the SharedAccess services
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756 How to back up and restore the registry in Windows XP and Windows Vista

To restore the default SD for the SharedAccess services, follow these steps: <ol> Click Start, click Run, in the Open box, type regedit, and then click OK.</li> Locate and then click the following registry subkey: 

</li> Delete the Security registry subkey, if it exists.</li> Exit Registry Editor, and then restart the computer.</li></ol>

Note It is important to delete the Security registry subkey if this subkey exists. This guarantees that the default security descriptor is used for starting Windows Firewall when the computer is restarted.

If you run Microsoft Component Object Model (COM), DCOM, or Microsoft COM+ applications to control the Windows Firewall service, you must also follow these steps: <ol> Click Start, click Run, in the Open box, type regedit, and then click OK.</li> Locate and then click the following registry subkey:

</li> On the File menu, click Export.</li> In the File name box, type C:\reg_AppID_CLSID.reg, and then click Save to save the registry file.</li> Delete the {ce166e40-1e72-45b9-94c9-3b2050e8f180} registry subkey.</li> On the File menu, click Import.</li> In the File name box, type C:\reg_AppID_CLSID.reg, and then click Open.</li> Click OK, and then exit Registry Editor.</li> Start the Windows Firewall/Internet Connection Sharing (ICS) service. To do this, type NET START SharedAccess at the command prompt, and then press ENTER.</li></ol>

Note You can perform all these steps at the command prompt. To do this, follow these steps: <ol> Type the following commands, and then press ENTER after each command:

REG DELETE HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Security /f

REG DELETE HKLM\SOFTWARE\Classes\AppID\{ce166e40-1e72-45b9-94c9-3b2050e8f180} /f

The deletion of the {ce166e40-1e72-45b9-94c9-3b2050e8f180} registry subkey is an important step. This step guarantees that the default security descriptor at the time of re-importing is applied.</li> Restart the computer.</li></ol>

<div class="status_section">

STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the &quot;Applies to&quot; section.

<div class="moreinformation_section">

MORE INFORMATION
For more information about Windows Firewall in Windows XP SP2, visit the following Microsoft Web site:

http://technet.microsoft.com/en-us/library/bb457029.aspx

For more information about the Windows XP Security Guide, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/winclnt/secwinxp/xpsgch04.mspx

The SC.exe (Service Controller) utility
The SC.exe utility communicates with the Service Controller and with installed services. SC.exe retrieves and sets control information about services. You can use SC.exe to test and debug service programs. Service properties that are stored in the registry can be set to control how service applications are started when you turn on the computer and how they run as background processes. SC.exe parameters can configure a specific service, retrieve the current status of a service, and stop and start a service. You can create batch files that call various SC.exe commands to automate the startup or shutdown sequence of services. SC.exe provides capabilities that resemble Services in the Administrative Tools item in Control Panel.

For more information about the SC.exe utility, visit the following Microsoft Web site:

http://technet2.microsoft.com/windowsserver/en/library/0A658E97-51D5-4109-B461-A474C799964E1033.mspx

Security templates
For more information about security templates, see &quot;Data Security and Data Availability for End Systems&quot; at the following Microsoft Web site:

http://www.microsoft.com/technet/archive/security/bestprac/bpent/sec3/datavail.mspx?mfr=true

For more information about the Windows XP Security Guide v2, visit the following Microsoft Web site:

http://www.microsoft.com/downloads/details.aspx?FamilyId=2D3E25BC-F434-4CC6-A5A7-09A8A229F118&displaylang=en

You can create and define security templates by using the Security Templates snap-in. To do this, follow these steps:
 * 1) Click Start, click Run, type mmc, and then click OK.
 * 2) In the Console1 window, on the File menu, click Add/Remove Snap-in.
 * 3) In the Add/Remove Snap-in dialog box, click Add.
 * 4) In the Add Standalone Snap-in dialog box, click Security Templates, click Add, and then click Close.
 * 5) In the Add/Remove Snap-in dialog box, click OK.
 * 6) In the Console1 window, expand the Security Templates node. Then expand the \ \Security\Templates node to see a list of the available templates.
 * 7) Expand the \ \Security\Templates\securews\ node, click System Services, and then double-click Windows Firewall/Internet Connection Sharing (ICS) to define this policy setting in the template.

Programmatically assign permissions
For information about how to programmatically assign permissions to the LaunchPermission registry entry or to the AccessPermission registry entry, visit the following MSDN Web site to obtain sample DCOMperm: Permissions for a COM Server code:

http://msdn2.microsoft.com/en-us/library/aa242178(VS.60).aspx

The AccessPermission registry entry sets a discretionary access control list (DACL) that determines access. The LaunchPermission registry entry sets a DACL that determines who can start the application.

The LaunchPermission registry entry is REG_BINARY. Upon receiving a local or remote request to start the server of this class, the DACL described by this value is checked while impersonating the client. Its success either enables or disables the starting of the server. If this value does not exist, as a default, the machine-wide DefaultLaunchPermission entry is checked in the same manner to determine whether the class code can be started.

The AccessPermission registry value is REG_BINARY. It contains data that describes the DACL of the principals that can access instances of this class. Upon receiving a request to connect to an existing object of this class, the DACL is checked by the application being called while impersonating the caller. If the access check fails, the connection is not enabled. If this named value does not exist, as a default, the machine-wide DefaultAccessPermission DACL is tested in the same manner to determine whether the connection is enabled.

View the service permission settings in the DCOMcnfg GUI
To view the service permission settings in the DCOMcnfg graphical user interface (GUI), follow these steps: <ol> Click Start, click Run, in the Open box, type DCOMCNFG, and then click OK.</li> <li>Expand the following nodes:

Component Services

Computers

My Computer

DCOM Config

</li> <li>Right-click SharedAccess, and then click Properties.</li> <li>Click the General tab, and verify that the following settings are configured:

Application Name: SharedAccess

Application ID: {ce166e40-1e72-45b9-94c9-3b2050e8f180}

Application Type: Local Service

Authentication Level: Default

Service Name: SharedAccess

</li> <li>Click the Identity tab, and verify that The system account (services only) is selected.</li> <li>Click the Security tab.</li> <li>In the Launch and Activation Permissions area, click Customize, and then click Edit.</li> <li>In the Group or user names box, click Administrators ( \Administrators). Verify that the Local Activation check box in the Allow column is selected, and then click OK.</li> <li>In the Access Permissions area, click Customize, and then click Edit. Verify that the following settings are configured: <ul> <li>In the Group or user names box, click Administrators ( MACHINE_NAME \Administrators). Then verify that the Local Access check box in the Allow column is selected. Click OK.</li></ul> </li> <li>In the Configuration Permissions area, click Customize, and then click Edit. Verify that the following settings are configured: <ul> <li>In the Group or user names box, click Administrators ( \Administrators). Then verify that the Full Control check box and the Read check box in the Allow column are selected.</li> <li>In the Group or user names box, click Power Users. Then verify that the Read check box in the Allow column is selected.</li> <li>In the Group or user names box, click SYSTEM. Then verify that the Full Control check box and the Read check box in the Allow column are selected.</li> <li>In the Group or user names box, click Users. Then verify that the Read check box in the Allow column is selected. Click OK two times.</li></ul> </li></ol>

Sample registry outputs
To export the content of the registry entry, type the following command at the command prompt, and then press ENTER:

REG EXPORT HKLM\SOFTWARE\Classes\AppID\{ce166e40-1e72-45b9-94c9-3b2050e8f180} C:\reg_AppID_CLSID.txt

The output file, C:\reg_AppID_CLSID.txt, will contain text resembles the following: <pre class="fixed_text"> Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{ce166e40-1e72-45b9-94c9-3b2050e8f180}] @=&quot;SharedAccess&quot; &quot;LocalService&quot;=&quot;SharedAccess&quot; &quot;AccessPermission&quot;=hex:01,00,14,80,34,00,00,00,50,00,00,00,00,00,00,00,14,00,\ 00,00,02,00,20,00,01,00,00,00,00,00,18,00,03,00,00,00,01,02,00,00,00,00,00,\ 05,20,00,00,00,20,02,00,00,01,05,00,00,00,00,00,05,15,00,00,00,59,51,b8,17,\ 66,72,5d,25,64,63,3b,0b,7f,a9,28,00,01,05,00,00,00,00,00,05,15,00,00,00,59,\ 51,b8,17,66,72,5d,25,64,63,3b,0b,7f,a9,28,00 &quot;LaunchPermission&quot;=hex:01,00,04,80,34,00,00,00,50,00,00,00,00,00,00,00,14,00,\ 00,00,02,00,20,00,01,00,00,00,00,00,18,00,09,00,00,00,01,02,00,00,00,00,00,\ 05,20,00,00,00,20,02,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,5f,84,1f,\ 5e,2e,6b,49,ce,12,03,03,f4,01,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,\ 5f,84,1f,5e,2e,6b,49,ce,12,03,03,f4,01,00,00 A similar output file for the  registry subkey will contain text that resembles the following text: <pre class="fixed_text"> Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\SharedAccess] &quot;DependOnGroup&quot;=hex(7):00,00 &quot;DependOnService&quot;=hex(7):4e,00,65,00,74,00,6d,00,61,00,6e,00,00,00,57,00,69,00,\ 6e,00,4d,00,67,00,6d,00,74,00,00,00,00,00 &quot;Description&quot;=&quot;Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network.&quot; &quot;DisplayName&quot;=&quot;Windows Firewall/Internet Connection Sharing (ICS)&quot; &quot;ErrorControl&quot;=dword:00000001 &quot;ImagePath&quot;=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\ 74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\ 00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\ 6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00 &quot;ObjectName&quot;=&quot;LocalSystem&quot; &quot;Start&quot;=dword:00000002 &quot;Type&quot;=dword:00000020

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\SharedAccess\Epoch] &quot;Epoch&quot;=dword:0000073e

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\SharedAccess\Parameters] &quot;ServiceDll&quot;=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\ 00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\ 69,00,70,00,6e,00,61,00,74,00,68,00,6c,00,70,00,2e,00,64,00,6c,00,6c,00,00,\ 00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\SharedAccess\Enum] &quot;0&quot;=&quot;Root\\LEGACY_SHAREDACCESS\\0000&quot; &quot;Count&quot;=dword:00000001 &quot;NextInstance&quot;=dword:00000001

<div class="references_section">