64 replies to this topic

[Broni]

The above issue is often caused by computer's infection.
If Windows firewall problem started at the time your computer got infected save yourself a lot of time by running the following tool first.

Please download Farbar Service Scanner and run it on the computer with the issue.

• Make sure the following options are checked:
  
  • Internet Services
    
  • Windows Firewall
    
  • System Restore
• Press "Scan".
  
• It will create a log (FSS.txt) in the same directory the tool is run.
  
• Please copy and paste the log to your reply.

In most cases you'll see following errors:

Quote

Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open MpsSvc registry key. The service key does not exist.

bfe Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open bfe registry key. The service key does not exist.

If that's the case the fix is listed below. If you have a different error message, sign up at our forum and we'll try to help you out.

Following steps involve registry editing. Please create new restore point before proceeding!!!
How to:
XP - http://support.microsoft.com/kb/948247
Vista and Seven - http://www.howtogeek...system-restore/

Download Vista.zip or Seven.zip (depending on your Windows version) file from here: http://www.smartestc...y-network-keys/
Unzip the file.
You'll find several files inside.
Right click on bfe.reg file, click "Merge".
Allow registry merge.
Right click on mpssvc.reg file, click "Merge".
Allow registry merge.

Restart computer.

Click Start and in "Start search" type in:
regedit
Press Enter.

Registry editor will open.
Navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BFE
Right click on BFE key, click "Permissions"
Click on Add button, type Everyone and click OK.
Now click once on Everyone
Below, in "Permissions" pane checkmark "Alow" in "Full control" row.
Click OK.

In a set of files you downloaded in previous step find start_services.bat.
Right click on it, click "Run As Administrator" to run the fix.

Check on firewall issue.

IMPORTANT!
In case you have any "legacy_xxx" key missing you have to perform the following BEFORE importing any "legacy" key:

Please go to Start=>Run (alternatively use Windows key+R), type regedit and click OK.
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root
Right-Click Root and select Permissions...
Under Security type while Everyone is selected put a check mark in the box under Allow next to Full Control.
Click Apply and OK.
When done with registry key(s) import.....
Please go back to the the Root key again while Everyone is selected remove check mark in the box under Allow next to Full Control and close the registry.


===================
NOTE. I'd like to thank narenxp from http://www.bleepingc...ter.com/forums/ for some very valuable advice


======================================================================================================
======================================================================================================

If your problem has nothing to do with any infection then you can investigate further....

Go Start>Run type in:
services.msc (Vista and Windows 7 users type this in "Start search")
Click OK (Vista and Windows 7 users press Enter)

In services window scroll down to Window Firewall service.
Make sure "Startup type" is set to "Automatic".

If Windows Firewall service is missing it can be caused by missing/corrupted registry key(s).
Check following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess - this is Windows Firewall service key, which depends on following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc - Windows Firewall Authorization Driver
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE - Base Filtering Engine


Also check in Device Manager if the above driver (Windows Firewall Authorization Driver) is present and correctly set.
Go to Device Manager, click on "View" tab and select show hidden devices.
Expand "No plug and play drivers", select Windows firewall authorization driver.
Right click on it and click "Properties".
Click on "Driver" tab.
Set "Startup" to "Demand" and click on "Start" button"

References:
MichaelPlatts - 5 parts article
Part 1 - http://blogs.technet...troduction.aspx
Part 2 - http://blogs.technet...ermissions.aspx
Part 3 - http://blogs.technet...ermissions.aspx
Part 4 - http://blogs.technet...ege-access.aspx
Part 5 - http://blogs.technet...pendencies.aspx

This post has been promoted to an article

This post has been promoted to an article

This post has been promoted to an article

This post has been promoted to an article

[jk13]

Just wanted to say thanks. I was attempting to install F-Secure on my daughter's laptop and the installation was failing. Customer service at F-Secure was not much help. I decided to check the Windows firewall and found that the service was missing. I tried Microsoft help but that didn't get me far. A google search led me to this thread and it worked very well. I was able to restore the Windows Firewall and successfully install F-Secure.

Thanks again.

John

[Broni]

You're very welcome

[jonhptx2]

Thanks for the previous dialog here. I searched "far and wide" to find this finally relevant solution to my problem. I was going along fine until I got to merging the missing bfe and MpsSvc registry items. Like the original poster, both are missing from my registry after getting rid of Vista Security 2012 virus. When I right click on the file, and click merge, a notepad opens up with the registry info, but that's all. I get no option box to allow merging. I'm not confident enough to edit my registry without some further direction so, at this point I'm stuck. Can you give any insight into why I do not get an option on allowing a merge or more detailed steps to cut and paste the two missing registry entries? Thanks!

I'm using Vista.

[Broni]

You may have file association settings messed up.

What happens when you double click on .reg file?

Is it Vista computer?

[jonhptx2]

It is a Dell laptop with Vista operating system.

When I double click on the file, the same thing happens, Notepad opens with the registry data for the file.

[Broni]

Download and run reg fix from here: http://www.winhelpon...dows-Vista.html

[jonhptx2]

went to the link downloaded rg from matrix board extracted and trird merge but still same resut notepad file opens, but no allow merge popup box.

[Broni]

Go Start and in "Start search" type:
regedit
Press Enter.

Registry editor will open.
Navigate to:
HKEY_CLASSES_ROOT\.REG
If the key is present (if it's not, skip this step), right click on .REG, click "Export".
Save the file to known location like your desktop.

Now go File>Import (top menu).
Navigate to unzippped file you just downloaded (regfix_vista.reg).
Select that file, click "Open" button.
Confirm the prompt.

Restart computer and see if the issue is solved.

[jonhptx2]

Not sure what happened with last post but it was supposed to say:

I went to the link and downloaded reg from the matrix. I extracted it and tried to merge, but with the same result, notepad opens but no allow merge pop up box option.

[Broni]

Your other post is still there :)

Read my previous reply.

[jonhptx2]

That procedure allowed me to edit the registry it seems, but still no Firewall service I ran the FSS again and here is the report log belowl. Do you think I need to do the same thing for the bfe and MpsSvc keys?

Farbar Service Scanner
Ran by Ruby (administrator) on 17-01-2012 at 14:23:22
Windows Vista ™ Home Basic Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking LEGACY_MpsSvc: Attention! Unable to open LEGACY_MpsSvc\0000 registry key. The key does not exist.

bfe Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open bfe registry key. The service key does not exist.
Checking LEGACY_bfe: Attention! Unable to open LEGACY_bfe\0000 registry key. The key does not exist.

mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.


Firewall Disabled Policy:
==================


System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is OK.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.
Checking LEGACY_SDRSVC: Attention! Unable to open LEGACY_SDRSVC\0000 registry key. The key does not exist.


System Restore Disabled Policy:
========================


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2011-11-08 20:31] - [2011-09-20 16:02] - 0913280 ____A (Microsoft Corporation) 16731B631F28F63CD9F4CB60940E7DDD

C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****

[Broni]

You still have 4 registry keys missing:
mpssvc.reg
bfe.reg
legacy_bfe
legacy_mpssvc.reg

[jonhptx2]

Procedure to merge the regfix and the bfe key seemed to complete. Have restarted but still no firewall. Tried to merge the other missing keys above, but could not. legacy_mpssve gives "..Error accessing the registry." same for legacy_sdrsvc. Legacy_bfe does not appear in the list of registry key fixes. Here is my latest log:
Farbar Service Scanner
Ran by Ruby (administrator) on 17-01-2012 at 16:00:32
Windows Vista ™ Home Basic Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ImagePath of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.
Checking LEGACY_MpsSvc: Attention! Unable to open LEGACY_MpsSvc\0000 registry key. The key does not exist.

bfe Service is not running. Checking service configuration:
The start type of bfe service is OK.
The ImagePath of bfe service is OK.
The ServiceDll of bfe service is OK.


Firewall Disabled Policy:
==================


System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is OK.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.
Checking LEGACY_SDRSVC: Attention! Unable to open LEGACY_SDRSVC\0000 registry key. The key does not exist.


System Restore Disabled Policy:
========================


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2011-11-08 20:31] - [2011-09-20 16:02] - 0913280 ____A (Microsoft Corporation) 16731B631F28F63CD9F4CB60940E7DDD

C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****

[Broni]

legacy_mpssvc.reg is still missing.

[jonhptx2]

that's right, when I try to merge it I get this error message from the Registry editor: Cannot import ...legacy_mpssvc.reg. Error accessing the registry.
Any ideas?

[Broni]

...and the error says?

[jonhptx2]

the error says: "Cannot import ... legacy_mpssvc.reg. Error accessing the registry.

Any ideas?

[jonhptx2]

this is the third time I've included what the error messge is and I'm wondering if somehow that part of my message is not showing up on your end?? :-)

[Broni]

Did you?

Quote

Click Start and in "Start search" type in:
regedit
Press Enter.

Registry editor will open.
Navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BFE
Right click on BFE key, click "Permissions"
Click on Add button, type Everyone and click OK.
Now click once on Everyone
Below, in "Permissions" pane checkmark "Alow" in "Full control" row.