The Software Protection service

I ran across an interesting issue on Windows 2012 the other day that I figured I would share.  I had a customer that had 4 virtual machines on the same host that were all indicating they were not genuine.  Aside from this, we had 2 other strange behaviors.

  1. Server Manager would not populate any of the local server information fields.  All fields showed Unknown.
  2. Slmgr commands were failing with “Error:0x80070422 On a computer running Microsoft Windows non-core edition, run ‘slui.exe 0x2a 0x80070422’ to display the error text.”

When running the command slui.exe 0x2a 0x80070422, we get the following description: “The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.”

So which service is it talking about?

The Software Protection service. This service runs in the background and checks every minute or so whether the OS is licensed properly.  In this particular case, someone had disabled the sppsvc (Software Protection service).  The fix was easy: re-enable the service and start it.

This brings me to another issue I have seen with sppsvc on several occasions.  What if the service cannot be started due to an Access Denied error?  This can typically be fixed, but we need to know where the Access Denied is coming from.  The best tool I have found to do the job is Process Monitor.  With this tool it is possible to see every time the filesystem or registry is touched and which process did it.

Here is how you set up Process Monitor.

  1. First download the tool here.
  2. Run procmon.exe from the zip file.
  3. Accept the EULA.
  4. Stop capturing (Ctrl+E) and Clear the display (Ctrl+X)
  5. Create a filter (Ctrl+L) with the following attributes.  Result is ACCESS DENIED then Include.  Add the filter and click OK.  See the picture below.

     [Image: procmon filter]

  6. Start capturing events in Process Monitor (Ctrl+E) and immediately start the Software Protection service.
  7. As soon as the Access Denied error pops up, stop capturing events in Process Monitor.

At this point there should be one or more ACCESS DENIED events.  When I have seen this issue, it has always been 2 registry keys that are missing permissions: HKLM\SYSTEM\WPA and HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform.

To correct the access denied issue the registry permissions will need to be restored.  Normally that would mean restoring the permission for the account starting the service, in this case Network Service.  The Software Protection service is a little different though.  There is a special account that needs to be added, “NT Service\sppsvc”.  Below are the special permissions that need to be granted on the registry keys.

  • HKEY_LOCAL_MACHINE\SYSTEM\WPA.  All subkeys need to inherit these permissions.
    • Query Value
    • Set Value
    • Create Subkey
    • Enumerate Subkeys
    • Read Control
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform
    • Set Value
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PayloadOverride
    • Full Control
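
An added example, not part of the original post: a read-only PowerShell audit that compares the ACL on each key above with the rights listed for NT Service\sppsvc and reports what is missing. The function name Test-SppsvcKeyAcl and the variable names are this example's own; “Read Control” corresponds to the .NET RegistryRights value ReadPermissions.

```powershell
# Added example: read-only audit, run from an elevated PowerShell prompt.
$account = 'NT SERVICE\sppsvc'   # service account named in the article
$base    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform'

# Keys and rights as listed in the article ("Read Control" = ReadPermissions).
# Inherit = $true means the ACE must also apply to subkeys.
$expected = @(
    @{ Path = 'HKLM:\SYSTEM\WPA'; Inherit = $true
       Rights = 'QueryValues, SetValue, CreateSubKey, EnumerateSubKeys, ReadPermissions' },
    @{ Path = $base; Inherit = $false; Rights = 'SetValue' },
    @{ Path = "$base\PayloadOverride"; Inherit = $false; Rights = 'FullControl' }
)

function Test-SppsvcKeyAcl {
    param([hashtable]$Item, [string]$Account)

    $result = [ordered]@{ Key = $Item.Path; Status = 'OK'; Missing = '' }
    try {
        $acl = Get-Acl -LiteralPath $Item.Path -ErrorAction Stop
    } catch {
        # Key absent or ACL unreadable: report the reason instead of guessing.
        $result.Status  = 'CANNOT READ ACL'
        $result.Missing = $_.Exception.Message
        return [pscustomobject]$result
    }

    # Allow ACEs granted directly to the account (group grants are not resolved).
    $aces = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and
        $_.AccessControlType -eq 'Allow' -and
        (-not $Item.Inherit -or ([int]$_.InheritanceFlags -band 1))  # 1 = ContainerInherit
    })

    # OR the granted masks together, then keep the wanted bits that are absent.
    [int]$want = [System.Security.AccessControl.RegistryRights]$Item.Rights
    [int]$have = 0
    foreach ($ace in $aces) { $have = $have -bor [int]$ace.RegistryRights }
    $gap = $want -band (-bnot $have)

    if ($gap -ne 0) {
        $result.Status  = 'MISSING RIGHTS'
        $result.Missing = [string][System.Security.AccessControl.RegistryRights]$gap
    }
    [pscustomobject]$result
}

$expected | ForEach-Object { Test-SppsvcKeyAcl -Item $_ -Account $account } | Format-List
```

The check reads only ACEs granted directly to the account, so rights that arrive through a group or as generic access masks are reported as missing. It changes nothing on the system.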

 


3 thoughts on “The Software Protection service”

  1. Thanks Glenn – This is a useful reminder of the power of Procmon in troubleshooting! Permissions on HKLM\SYSTEM\WPA were 100% the cause of my error starting Software Protection Service
