Wednesday, January 18, 2012

Fixing Security Center


Some of you have experienced the Windows Security Center failing to start after the removal of the ZeroAccess rootkit. Here is how you fix it:

Always be sure to double check by running a firewall reset, you can do this by opening command prompt as administrator and typing the following command:

netsh firewall reset

You should see something like this if it is working:



If it is off or broken by the infection, you will see an error that says “The Service has not been Started.” Here is what you need to do:

1. Download the missing registry entries here and extract the .reg files to the desktop. You need to restore all of the registry entries for the following services:



Base Filtering Engine - HKLM\System\CurrentControlSet\Services\BFE

Windows Security Center Service - HKLM\System\CurrentControlSet\Services\WscSvc

Windows Shared Access - HKLM\System\CurrentControlSet\Services\SharedAcccess

Windows Defender Service - HKLM\System\CurrentControlSet\Services\WinDefend

Windows Firewall Service - HKLM\System\CurrentControlSet\Services\MpsSvc

IP Helper Service - HKLM\System\CurrentControlSet\Services\iphlpsvc



You can find these service registry keys in the downloaded zip file or you can export them from a machine in which these services are functioning correctly. Just importing these registry entries is not enough to get all of these services back and running correctly, some of these entries need special permissions to run.

Import the registry keys by double-clicking each of the files for their respective service. Reboot the PC once you have all of the registry keys imported.

Important Note: After importing registry keys for these services, you need to reboot so that they can start correctly.

2. Now that you have all of the registry entries imported, you can start the Windows Security Center Service and the Windows Defender Service. In order to start the firewall service, you need to have the Base Filtering Engine Service up and running correctly. You’ll notice when you try to start “BFE” that you will get an error with error code 5 which means “Access Denied”. To fix this, you need to allow access to the proper account. Open up regedit and navigate here:

HKLM\System\CurrentControlSet\Services\BFE\Parameters.

Right-click and select “Permissions”. Click “Add…”


You want to add the account “NT Service\BFE” like this:


Once added, you should allow the “BFE” account “Full Control” as pictured above. Do not edit any of the other permissions for that service, you will do that next.

3. Run CMD as Administrator and copy/paste the following command (or have fun typing it out) You need to make sure that the command is all on one line and that there are no spaces between the sets of brackets (sorry for the word wrap but I only have so much space...)

sc sdset bfe D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWRPWPDTLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) 

This command resets the default security descriptors for the service and set all the permissions according to factory specs.

4. Now you need to do the same for the Windows SharedAccess Service. So, in regedit, navigate to HKLM\System\CurrentControlSet\Services\SharedAccess. There are 4 subkeys that need to have permissions reset, as well as some sub-subkeys (yea, it’s a word now, I just made it up) Here are the keys that you need to set permissions on:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Defaults\FirewallPolicy 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy

For each of the above keys, right-click and click “Permissions” than click on “Add…” just like you did above.



For the SharedAccess service, you need to add a different account which is called “NT Service\MpsSvc”



Also just like the BFE service, add “Full Control” and click “Apply” You will need to run another command to ensure that all other permissions are correct. Run CMD as Administrator and copy\paste this command to do it automatically:

sc sdset sharedaccess D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWRPWPDTLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) 

You should be able to start the all of the services correctly now. If not, check your dependencies and make sure all dependent services are started. You may also want to check your ICS service. For some reason, it helps me get the firewall running in some cases. Disable it again after you get the firewall service running. I recommend rebooting to make sure that all of the services are starting up Automatically as they should. Email me if you have any questions/comments.

6 comments:

  1. Nice guide - much appreciated. Only thing I would add is you will probably need to reboot after step 1, at least in the times I have done this.

    ReplyDelete
  2. You sire, Are effing awesome! I spent 3 days on this problem bouncing back and forth between websites and yours was the only 1 that provided a solution that I was able to understand/use/works! Just thought you should know that.

    Thanks!
    -Jarrod

    ReplyDelete
  3. I was wondering if you'd be willing to repost your FixServices.zip file again. Naturally, the Dropbox link you were kind enough to share has expired with time, and it certainly takes the guesswork out of things when you don't have to create your own from another machine. Either way, thank you for this *Excellent* guide. I have probably fixed 50 PCs using these steps since you posted it (just wish I had made more than one backup of your zip file).

    ReplyDelete
  4. Very nice Guide! Thank you for taking the time to share this.

    ReplyDelete
  5. Wish you'd put the file back up. Dropbox shows error.

    ReplyDelete
    Replies
    1. Unfortunately, I can't find the zip file anymore, but just below the link, it explains what reg keys you need to dump from a working machine. Just save the base keys from a known working machine to a .reg file, then run that on the machine that is broken.

      Delete