The Windows Firewall Service Fails to start. Check Logon Permissions



Checking Logon Permissions

First you should verify that the "Log on as:" account is set to Local Service.

The Base Filtering Engine, Windows Firewall, and NLA services should all be set to Log on as the "Local Service" account.

I'm only including one screenshot as an example because it is the same for all of the services that use Local Service. Note that the Password fields are ignored for this account.


The IPsec Policy Agent service uses the "Network Service" account.


Next we will want to verify the Security Descriptor Definition Language (SDDL) string. SDDL defines the string format that the ConvertSecurityDescriptorToStringSecurityDescriptor and ConvertStringSecurityDescriptorToSecurityDescriptor functions use to describe a security descriptor as a text string.

We can use SC SDSHOW to show the SDDL string for the services of interest.

Syntax: sc sdshow <Service Name>

Note: You will want to run this command against a working machine in your environment for comparison, but here are the default settings from a clean install.


Windows 7 default installation

Service Name: NLASVC

D:(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWRPLORC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPRC;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453)

Service Name: BFE

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWRPWPDTLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

Service Name: MPSSVC

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCRP;;;S-1-5-80-2006800713-1441093265-249754844-3404434343-1444102779)S:(AU;FA;CCDCKCSWRPWPDTLOCRSDRCWDWO;;;WD)

Service Name: SharedAccess

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWRPWPDTLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

Windows Vista default installation

Service Name: NLASVC

D:(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWRPLORC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPRC;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

Service Name: BFE

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWRPWPDTLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

Service Name: MPSSVC

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCRP;;;S-1-5-80-2006800713-1441093265-249754844-3404434343-1444102779)S:(AU;FA;CCDCKCSWRPWPDTLOCRSDRCWDWO;;;WD)

Service Name: SharedAccess

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWRPWPDTLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

Using SC SDSET to set the SDDL string

You can restore the default permissions via the SDDL strings above or get similar data from a working machine in your own environment.

SC sdset <Service Name> <SDDL string>

Example:

SC sdset SharedAccess D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)

Notice that each entry ends with the account it applies to: SY = Local System, BA = Administrator, AU = Authenticated Users, PU = Power Users.
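
To compare sc sdshow output from a failing machine with a baseline before running sc sdset, the following added example (not part of the original article) parses both strings into access control entries and lists the entries present on only one side. The function names are hypothetical; the two sample strings are the Windows 7 default for SharedAccess and the string from the sc sdset example, both copied from this page.

```python
import re

# SDDL trustee abbreviations that occur in the strings on this page.
TRUSTEES = {"SY": "Local System", "BA": "Built-in Administrators",
            "IU": "Interactive users", "SU": "Service logon users",
            "AU": "Authenticated Users", "PU": "Power Users", "WD": "Everyone"}

# Strings copied from this page: the Windows 7 default for SharedAccess,
# and the string passed to sc sdset in the page's example.
DEFAULT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWRPWPDTLOCRRC;;;SU)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
EXAMPLE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)")

def parse_sddl(text):
    """Parse sc sdshow output into {'D': set of ACEs, 'S': set of ACEs}."""
    sddl = "".join(text.split())  # undo console line wrapping
    acls = {"D": set(), "S": set()}
    for kind, body in re.findall(r"([DS]):[A-Z]*((?:\([^)]*\))*)", sddl):
        for ace in re.findall(r"\(([^)]*)\)", body):
            fields = ace.split(";")
            if len(fields) != 6:
                raise ValueError("malformed ACE: (%s)" % ace)
            ace_type, flags, rights, _, _, trustee = fields
            # Rights are two-letter codes whose order carries no meaning.
            acls[kind].add((ace_type, flags, frozenset(re.findall("..", rights)), trustee))
    return acls

def diff_sddl(baseline, current):
    """Return (acl, status, trustee, type, rights) for ACEs found on one side only."""
    base, cur = parse_sddl(baseline), parse_sddl(current)
    order = lambda a: (a[3], a[0], sorted(a[2]))  # deterministic sort key
    report = []
    for kind, label in (("D", "DACL"), ("S", "SACL")):
        for status, aces in (("missing", base[kind] - cur[kind]),
                             ("extra", cur[kind] - base[kind])):
            for ace_type, flags, codes, trustee in sorted(aces, key=order):
                report.append((label, status, trustee, ace_type, " ".join(sorted(codes))))
    return report

if __name__ == "__main__":
    for acl, status, trustee, ace_type, rights in diff_sddl(DEFAULT_SDDL, EXAMPLE_SDDL):
        print("%s %-7s %s (%s): %s %s" % (acl, status, trustee,
              TRUSTEES.get(trustee, "SID or unknown"), ace_type, rights))
```

An empty result means the two descriptors grant the same rights to the same trustees; "missing" entries exist only in the baseline and "extra" entries only on the machine being checked.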

Microsoft FixIT

You can also try the Fix it package from Microsoft, which attempts to fix the unfortunately common error code 0x5 (Access Denied) of Windows Firewall.
