# Can't turn on Windows Firewall



## Arronwy (Mar 30, 2012)

After clearing my computer of Malware with the help of the malware subforum. I am still unable to turn on my Windows Firewall. We tried multiple things to get it back started but none works. Here is the thread if you want to see what we tried. When I try to start it in services.msc I get an error that says "Windows could not start the Windows Firewall on Local Computer. For more information, review the System Event Log. If this is a non-Microsoft service, contact the service vendor, and refer to service specific error code 5." Thanks for the help. I'm using Windows 7 SP1.


http://www.techsupportforum.com/forums/f50/pc-cant-connect-online-or-run-system-restore-638139-2.html#post3685234


----------



## Shekka (Jan 6, 2012)

Try following these steps here.


----------



## civiced (Mar 29, 2012)

You've probably already done this, but have you uninstalled
security essentials with a really good deep cleaning utility?
You know it plays hell with programs accessed with the pro-
grams key in the control panel. I can't open half the stuff now.


----------



## Arronwy (Mar 30, 2012)

Shekka, 

The steps in there didn't seem to work. I tried the fix it thing and tried to do it manually and my Windows Firewall still won't turn on. Any other ideas? Thanks for the quick reply.


Civiced,

I am not sure what you are suggesting.


----------



## Shekka (Jan 6, 2012)

Arronwy,


Do you have your windows 7 disk? If so please go to start and type:
sfc /scannow

Post back what it says when complete.


----------



## Shekka (Jan 6, 2012)

You could also try this first.

Download both the registry files

http://www.mediafire.com/?317ea53a883288d

http://www.mediafire.com/?z6aw8j7997qa7j9

Launch and import them to registry


If the downloaded files opens as notepad
Rename the files from
bfe.reg.txt to bfe.reg
firewall.reg.txt to firewall.reg
You should get a UAC prompt now
Click *YES *

Restart your PC

Now,open *RUN *and type

*regedit *and click ok

go to

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BFE

Right click on it-*permissions*

Click on *ADD *and type

Everyone and click ok

Now Click on Everyone

Below you have *permission for users*

Select full control and click ok

Now,open *RUN *and type

*services.msc* and click ok

start base filtering engine service and then windows firewall service


----------



## jenae (Jun 17, 2008)

Hi, I have concerns for the reg files in Shekka's last post. You should not run them at the moment, BOTH are not the full default and fail to remove the existing entries.You should also be advised to export your existing keys before doing anything in the registry, especially if the source is a third party, you may not need them anyway.

Open a cmd prompt as admin and copy paste:-


```
reg query "HKLM\SYSTEM\CurrentControlSet\Services\MpsSvc" > 0 & notepad 0
```
 press enter

copy the notepad outcome here.

Often after a virus is removed the WMI repository is corrupt this will cause your sort of problems, easily fixed, cmd as admin (copy paste):-


```
net stop winmgmt&cd %systemroot%\system32\WBEM&Ren Repository Repository.old&winmgmt /resetRepository&shutdown -r
```
 press enter, agree to the stopping of dependencies, your computer will shutdown and restart. Try windows firewall now.


----------



## Arronwy (Mar 30, 2012)

Sorry, for the late response. Work has been driving me crazy.

Here is the information you asked for. I will try the second part of your post as well after I post this. If it works hopefully I will make the edit deadline.


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc
DisplayName REG_SZ @%SystemRoot%\system32\FirewallAPI.dll,-23090
Group REG_SZ NetworkProvider
ImagePath REG_EXPAND_SZ %SystemRoot%\system32\svchost.exe -k LocalServiceNoNetwork
Description REG_SZ @%SystemRoot%\system32\FirewallAPI.dll,-23091
ObjectName REG_SZ NT Authority\LocalService
ErrorControl REG_DWORD 0x1
Start REG_DWORD 0x2
Type REG_DWORD 0x20
DependOnService REG_MULTI_SZ mpsdrv\0bfe
ServiceSidType REG_DWORD 0x3
RequiredPrivileges REG_MULTI_SZ SeAssignPrimaryTokenPrivilege\0SeAuditPrivilege\0SeChangeNotifyPrivilege\0SeCreateGlobalPrivilege\0SeImpersonatePrivilege\0SeIncreaseQuotaPrivilege
FailureActions REG_BINARY 805101000000000000000000030000001400000001000000C0D4010001000000E09304000000000000000000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc\Security



Edit: Tried the second part of your post and I still get the same error when trying to start the windows firewall in Services.msc. Should I try what Shekka suggested?


----------



## jenae (Jun 17, 2008)

Hi, NO just follow on, you do not want to hose your system the registry is the most complex of all windows components needs to be treated with respect our motto is "do no harm". This is not to say that the "error code 5" has not been correctly identified by Shekka as a permissions problem, just how it arrived at this is to be determined.

Cmd as admin as before and copy paste:-


```
reg query "HKLM\SYSTEM\CurrentControlSet\Services\BFE" > 0 & notepad 0
```
 press enter

Post notepad outcome here.


----------



## Arronwy (Mar 30, 2012)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE
DisplayName REG_SZ @%SystemRoot%\system32\bfe.dll,-1001
Group REG_SZ NetworkProvider
ImagePath REG_EXPAND_SZ %systemroot%\system32\svchost.exe -k LocalServiceNoNetwork
Description REG_SZ @%SystemRoot%\system32\bfe.dll,-1002
ObjectName REG_SZ NT AUTHORITY\LocalService
ErrorControl REG_DWORD 0x1
Start REG_DWORD 0x2
Type REG_DWORD 0x20
DependOnService REG_MULTI_SZ RpcSs
ServiceSidType REG_DWORD 0x3
RequiredPrivileges REG_MULTI_SZ SeAuditPrivilege
FailureActions REG_BINARY 805101000000000000000000030000001400000001000000C0D4010001000000E09304000000000000000000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE\Parameters


----------



## Shekka (Jan 6, 2012)

Jenae, do you think, or atleast agree that this could possibly be a permissions issue in the BFE, or even a policy issue caused by the infection the OP originally had?

Do you think that possibly re-applying or atleast checking the default reg permisions might help?


----------



## jenae (Jun 17, 2008)

Hi Shekka, my post #9, I agree with you about the permissions, my problem was with the reg mod's, when opened they do not conform to the defaults, so I prefer to not run them. As it turns out from the reg query's his registry is as it should be.

This require some more work for the time being, could you run the following, from a elevated cmd prompt type:-


```
net start> 0 & notepad 0
```
 press enter

Post the notepad outcome here.

I suspect you have a corrupt user profile.. we will see.


----------



## Arronwy (Mar 30, 2012)

These Windows services are started:

Adobe Acrobat Update Service
AMD External Events Utility
AMD FUEL Service
Application Experience
Background Intelligent Transfer Service
Base Filtering Engine
Browser Configuration Utility Service
CNG Key Isolation
COM+ Event System
Cryptographic Services
DCOM Server Process Launcher
Desktop Window Manager Session Manager
DHCP Client
Diagnostic Policy Service
Diagnostic Service Host
Distributed Link Tracking Client
DNS Client
Encrypting File System (EFS)
Extensible Authentication Protocol
Function Discovery Provider Host
Function Discovery Resource Publication
Group Policy Client
HomeGroup Provider
Human Interface Device Access
IKE and AuthIP IPsec Keying Modules
IP Helper
JMB36X
Microsoft Antimalware Service
Microsoft Network Inspection
Microsoft Software Shadow Copy Provider
Nero BackItUp Scheduler 4.0
Network Connections
Network List Service
Network Location Awareness
Network Store Interface Service
Peer Name Resolution Protocol
Peer Networking Grouping
Peer Networking Identity Manager
Plug and Play
PnkBstrA
PnkBstrB
Power
Print Spooler
Program Compatibility Assistant Service
Quality Windows Audio Video Experience
Remote Access Connection Manager
Remote Procedure Call (RPC)
RPC Endpoint Mapper
SAS Core Service
Secondary Logon
Secure Socket Tunneling Protocol Service
Security Accounts Manager
Security Center
Server
Shell Hardware Detection
SSDP Discovery
Superfetch
System Event Notification Service
Task Scheduler
TCP/IP NetBIOS Helper
Telephony
Themes
UPnP Device Host
User Profile Service
Windows Audio
Windows Audio Endpoint Builder
Windows Connect Now - Config Registrar
Windows Driver Foundation - User-mode Driver Framework
Windows Event Log
Windows Font Cache Service
Windows Image Acquisition (WIA)
Windows Live ID Sign-in Assistant
Windows Management Instrumentation
Windows Media Player Network Sharing Service
Windows Presentation Foundation Font Cache 3.0.0.0
Windows Search
Windows Update
WinHTTP Web Proxy Auto-Discovery Service
WLAN AutoConfig
Workstation

The command completed successfully.


----------



## jenae (Jun 17, 2008)

Hi, open a cmd prompt as admin and type:-


```
set devmgr_show_nonpresent_devices=1
```
 press enter

Next:-

Type the following command 


```
start devmgmt.msc
```
 (press enter)

Device manager will open click on "view" select "show hidden devices" expand the Non_ Plug and play drivers right click on "windows firewall authorization driver" select properties make sure under current status it shows started and startup type is "demand"

Also run this :-


```
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"> 0 & notepad 0
```
 press enter, here we want to make sure:- EnableFirewall REG_DWORD 0x1

Next type:-

```
net start MpsSvc
```
 press enter, let us know how you get on, any error messages please post.


----------



## Arronwy (Mar 30, 2012)

Followed your steps.

It was already set to demand so I didn't change anything there.

This is what was in the text file after doing the "reg query "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"> 0 & notepad 0" command.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts

And on the final part it says this:

The Windows Firewall service is starting.
The Windows Firewall service could not be started.

A service specififc error occurred: 5.

More help is available by typing NET HELPMSG 3547.


----------



## jenae (Jun 17, 2008)

Hi, it is a profile problem, this may resolve it. Run the attached .zip file double click on the returned .reg file (1standard.reg) and agree to allow it to add to registry. Restart computer, see if firewall starts now, let us know how you get on. 

View attachment 1Standard.zip


----------



## Arronwy (Mar 30, 2012)

Still getting the same error.


----------



## jenae (Jun 17, 2008)

Hi, may be other reg entries we need to change, could you run the reg query cmd in my post #14 again and post the notepad outcome here.

Also create a new user profile (as admin) log in with this new profile and see how you go.


----------



## Arronwy (Mar 30, 2012)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
EnableFirewall REG_DWORD 0x1
DisableNotifications REG_DWORD 0x0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging


Can't turn it on the new profile either.


----------



## jenae (Jun 17, 2008)

Hi, from cmd (as admin)


```
sc query MpsSvc> 0 & notepad 0
```
 (press enter) post notepad outcome here.

Any joy on the new profile, if it is a permissions problem It's difficult to see what registry area needs it, the dependencies are all started as is the driver. There are some more reg keys to check for firewall startup.

Run this as well :- cmd as admin

reg query "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" > 0 & notepad 0 (press enter)

post notepad outcome here.


----------



## Arronwy (Mar 30, 2012)

SERVICE_NAME: MpsSvc 
TYPE : 20 WIN32_SHARE_PROCESS 
STATE : 1 STOPPED 
WIN32_EXIT_CODE : 1066 (0x42a)
SERVICE_EXIT_CODE : 5 (0x5)
CHECKPOINT : 0x0
WAIT_HINT : 0x0






HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications


----------



## jenae (Jun 17, 2008)

Hi, while i explore the sc query run this zip (add to registry) as before for domain startup.

View attachment domain.zip
Restart computer check firewall.


----------



## Arronwy (Mar 30, 2012)

Just tried that. Still not working with the same error.


----------



## jenae (Jun 17, 2008)

Hi, well your registry is a mess those last two zip files were returning defaults, they should have been, as we now have them, how many more problems exist I do not know. The error from the sc query cmd indicates an internal service error, this is difficult to track down, could you go to start search and run eventvwr.msc expand windows logs and see if any events give some clues.

Press the win + r keys together in the run box type: regedit press OK

Navigate to:-

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc

Right click on this and select permissions, highlight your account and post a screen shot of what you see here.

To be honest it is possible for someone like me in front of your computer for some time to repair this, remotely on a forum it is next to impossible , I would prepare if I were you to reinstall your OS, back up and rather then do a over the top reinstall I would do a format and fresh install.

I might add if you had a simple little free program called ERUNT then all of this could have been easily fixed, I recommend everyone use it.


----------



## Arronwy (Mar 30, 2012)

Yea, looks like I should just reinstall windows. Got a quick guide for a format and fresh install? Do I just need to move the documents I want to my external harddrive and format my drive and then reinstall windows?


----------



## davidman25 (Sep 2, 2012)

Im having the exact same problem on my laptop and i have tried everything but the firewall wont turn on and same goes for the Base filtering engine gives me error 5 I am trying to fix it without having to re-install windows


----------



## jenae (Jun 17, 2008)

Hi, you should start your own thread as cmds run on one computer can be different on another. To see if your problem is permissions related go to start search and type:- cmd, right click on the returned cmd.exe and select "run as administrator" at the prompt type:-



```
net localgroup Administrators /add networkservice
press enter then type:
net localgroup Administrators /add localservice
press enter then type:
exit
press enter and restart your computer
```
Try to open the services now.


----------



## davidman25 (Sep 2, 2012)

Still nothing, i changed permissions i even Added Everyone and still nothing. I have no viruses i tried Malewarebytes, Boot Scan, My friend who deals with computers is stumped as well he ran Combofix and still nothing helped. You are my last hope before reinstalling windows. I am attaching the Combofix log i dont know if it will help.

thank you in advence


----------

