Windows security monitoring dashboard showing firewall service status and event logs

Event ID 5025ErrorWindows FirewallWindows

Windows Event ID 5025 – Windows Firewall: Service Failed to Start

Event ID 5025 indicates the Windows Firewall service failed to start, typically due to corrupted service configuration, missing dependencies, or registry corruption affecting system security.

Emanuel DE ALMEIDA

18 March 202612 min read 0

Event ID 5025Windows Firewall 5 methods 12 min

Event Reference

What This Event Means

Event ID 5025 represents a critical failure in the Windows Firewall service startup process, indicating that the Microsoft Protection Service (MpsSvc) could not initialize properly. This service is fundamental to Windows security architecture, providing network-level protection through packet filtering, connection monitoring, and application-based firewall rules.

The Windows Firewall service operates as a Windows service that interfaces with the Windows Filtering Platform (WFP) kernel components. When Event ID 5025 occurs, it means the service encountered an unrecoverable error during its initialization phase, preventing it from loading the necessary firewall policies, network profiles, or establishing communication with dependent services.

Common scenarios triggering this event include corrupted service registry entries, missing or damaged system files, failed Windows updates that affect firewall components, third-party security software conflicts, or hardware-level network adapter issues. In enterprise environments, this event often correlates with Group Policy conflicts, domain controller communication failures, or certificate-related authentication problems.

The impact extends beyond basic firewall protection - many Windows features depend on the firewall service, including Network Discovery, File and Printer Sharing, Remote Desktop connections, and Windows Defender integration. When Event ID 5025 occurs, these dependent services may also fail or operate in degraded modes, creating cascading system issues that affect network connectivity and security posture.

Applies to

Windows 10Windows 11Windows Server 2019/2022/2025

Analysis

Possible Causes

Corrupted Windows Firewall service registry entries in HKLM\SYSTEM\CurrentControlSet\Services\MpsSvc
Missing or damaged Base Filtering Engine (BFE) service dependencies
Third-party antivirus or security software interfering with Windows Firewall components
Failed Windows updates that corrupted firewall policy files or service binaries
Network adapter driver conflicts preventing proper WFP kernel integration
Insufficient system permissions for the Network Service account
Corrupted Windows Filtering Platform (WFP) database files
Group Policy conflicts in domain environments blocking firewall service startup
System file corruption affecting svchost.exe or firewall-related DLL files
Hardware-level network interface issues preventing service initialization

Resolution Methods

Troubleshooting Steps

Check Service Dependencies and Status

Start by examining the Windows Firewall service and its dependencies to identify immediate issues.

Step 1: Open an elevated PowerShell session and check service status:

Get-Service -Name MpsSvc, BFE, Dnscache, RpcSs | Select-Object Name, Status, StartType

Step 2: Review the specific error details in Event Viewer:

Navigate to Event Viewer → Windows Logs → System and filter for Event ID 5025. Note the error code and description.

Step 3: Check dependent services that must be running:

$dependencies = @('BFE', 'RpcSs', 'Dnscache')
foreach ($service in $dependencies) {
    $svc = Get-Service -Name $service
    if ($svc.Status -ne 'Running') {
        Write-Host "$service is $($svc.Status) - attempting to start" -ForegroundColor Yellow
        Start-Service -Name $service
    }
}

Step 4: Attempt to start the Windows Firewall service:

Start-Service -Name MpsSvc -Verbose

If this method succeeds, monitor the system for 24 hours to ensure the service remains stable.

Reset Windows Firewall Configuration

Reset the Windows Firewall to default settings to resolve configuration corruption issues.

Step 1: Stop the Windows Firewall service if it's running:

Stop-Service -Name MpsSvc -Force

Step 2: Reset firewall settings to defaults using netsh:

netsh advfirewall reset

Step 3: Clear the Windows Filtering Platform (WFP) state:

netsh wfp set options netevents=on
netsh wfp show state

Step 4: Reset network security policies:

secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose

Step 5: Restart the Base Filtering Engine and Windows Firewall services:

Restart-Service -Name BFE -Force
Start-Service -Name MpsSvc

Warning: This method resets all custom firewall rules. Document existing rules before proceeding or export them using netsh advfirewall export.

Repair Service Registry Configuration

Manually repair corrupted registry entries that prevent the Windows Firewall service from starting.

Step 1: Create a registry backup before making changes:

reg export "HKLM\SYSTEM\CurrentControlSet\Services\MpsSvc" C:\Temp\MpsSvc_backup.reg

Step 2: Check the service registry key for corruption:

Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\MpsSvc" | Format-List

Step 3: Verify the ImagePath value points to the correct svchost.exe group:

$imagePath = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\MpsSvc" -Name "ImagePath"
if ($imagePath.ImagePath -ne "%SystemRoot%\system32\svchost.exe -k LocalServiceNoNetwork") {
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\MpsSvc" -Name "ImagePath" -Value "%SystemRoot%\system32\svchost.exe -k LocalServiceNoNetwork"
}

Step 4: Reset service permissions using sc.exe:

sc.exe sdset MpsSvc "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"

Step 5: Rebuild service dependencies:

sc.exe config MpsSvc depend= BFE/RpcSs

Step 6: Test service startup:

Start-Service -Name MpsSvc -ErrorAction Stop

Run System File Checker and Component Store Repair

Use Windows built-in repair tools to fix corrupted system files affecting the firewall service.

Step 1: Run DISM to repair the Windows component store:

DISM /Online /Cleanup-Image /RestoreHealth

Step 2: Execute System File Checker to repair corrupted files:

sfc /scannow

Step 3: Check CBS.log for specific firewall-related repairs:

Select-String -Path "C:\Windows\Logs\CBS\CBS.log" -Pattern "MpsSvc|BFE|firewall" | Select-Object -Last 20

Step 4: Reset Windows Update components if firewall issues stem from failed updates:

Stop-Service -Name wuauserv, cryptSvc, bits, msiserver -Force
Rename-Item -Path "C:\Windows\SoftwareDistribution" -NewName "SoftwareDistribution.old" -Force
Rename-Item -Path "C:\Windows\System32\catroot2" -NewName "catroot2.old" -Force
Start-Service -Name wuauserv, cryptSvc, bits, msiserver

Step 5: Re-register firewall-related DLL files:

$dlls = @('firewallapi.dll', 'hnetcfg.dll', 'fwpuclnt.dll')
foreach ($dll in $dlls) {
    regsvr32 /s $dll
}

Step 6: Restart the system and verify service startup:

Restart-Computer -Force

Advanced WFP Database Rebuild and Network Stack Reset

Perform a complete Windows Filtering Platform database rebuild for persistent issues.

Step 1: Boot into Safe Mode to prevent service conflicts during repair.

Step 2: Stop all network-related services:

$services = @('MpsSvc', 'BFE', 'Dnscache', 'NlaSvc', 'Dhcp')
foreach ($service in $services) {
    Stop-Service -Name $service -Force -ErrorAction SilentlyContinue
}

Step 3: Delete corrupted WFP database files:

Remove-Item -Path "C:\Windows\System32\config\BCD-Template" -Force -ErrorAction SilentlyContinue
Remove-Item -Path "C:\Windows\System32\wfp\*" -Recurse -Force -ErrorAction SilentlyContinue

Step 4: Reset the entire network stack:

netsh int ip reset
netsh winsock reset
netsh advfirewall reset

Step 5: Rebuild network adapter bindings:

Get-NetAdapter | Reset-NetAdapterAdvancedProperty
Restart-NetAdapter -Name "*"

Step 6: Re-initialize the Base Filtering Engine:

Start-Service -Name BFE
Start-Sleep -Seconds 10
Start-Service -Name MpsSvc

Pro tip: After this method, you'll need to reconfigure all network settings, firewall rules, and network profiles. Keep network configuration documentation handy.

Overview

Event ID 5025 fires when the Windows Firewall service (MpsSvc) fails to initialize during system startup or manual service start attempts. This critical security event appears in the System log and indicates that your system's primary network protection layer is compromised. The Windows Firewall service depends on several core Windows components including the Base Filtering Engine (BFE), Network Location Awareness, and Remote Procedure Call services.

When this event occurs, your system becomes vulnerable to network-based attacks since the built-in firewall protection is offline. The event typically manifests during boot sequences, after Windows updates, or following system configuration changes. Modern Windows versions from 2024-2026 have enhanced dependency checking that makes this event more descriptive, often including specific error codes that point to the root cause.

This event requires immediate attention as it represents a fundamental security service failure. The Windows Firewall service manages both inbound and outbound traffic filtering, application-specific rules, and network profile enforcement across domain, private, and public networks.

Frequently Asked Questions

What does Event ID 5025 mean and why is it critical?+

Event ID 5025 indicates that the Windows Firewall service failed to start, which means your system has no network-level protection against malicious traffic. This is critical because the Windows Firewall is the primary defense mechanism that filters incoming and outgoing network connections. Without it running, your system is vulnerable to network-based attacks, malware, and unauthorized access attempts. The event typically occurs due to service corruption, dependency failures, or conflicts with third-party security software.

Can I use third-party firewalls instead of fixing Windows Firewall?+

While third-party firewalls can provide network protection, many Windows features depend specifically on the Windows Firewall service being operational. Features like Network Discovery, HomeGroup, Windows Defender integration, and certain Remote Desktop configurations require the native Windows Firewall service to function properly. Additionally, some enterprise Group Policy settings and Windows security features expect the built-in firewall to be available. It's recommended to fix the Windows Firewall service rather than rely solely on third-party alternatives.

How do I prevent Event ID 5025 from recurring after fixing it?+

To prevent recurrence, ensure Windows Updates are applied regularly, avoid installing conflicting security software, and monitor the health of dependent services like Base Filtering Engine (BFE). Create a scheduled task to check firewall service status daily using PowerShell: Get-Service MpsSvc | Where-Object {$_.Status -ne 'Running'}. Also, maintain regular system backups, avoid manual registry modifications in the firewall service keys, and ensure your antivirus software has proper exclusions for Windows system processes.

What should I do if Event ID 5025 occurs after a Windows update?+

If Event ID 5025 appears after a Windows update, first try restarting the system to allow Windows to complete any pending configuration changes. If the issue persists, run 'DISM /Online /Cleanup-Image /RestoreHealth' followed by 'sfc /scannow' to repair any corrupted files from the update. Check Windows Update history in Settings to identify which specific update caused the issue. In severe cases, you may need to uninstall the problematic update temporarily while Microsoft releases a fix, but this should be done cautiously in enterprise environments.

How can I monitor Windows Firewall service health proactively?+

Set up proactive monitoring using PowerShell scripts scheduled to run every hour: Create a script that checks 'Get-Service MpsSvc' status and logs results. Use Windows Event Forwarding to centralize firewall events in enterprise environments. Configure Windows Performance Toolkit (WPT) to monitor firewall service performance counters. Set up email alerts when Event ID 5025 occurs using Task Scheduler triggered by event logs. For advanced monitoring, use System Center Operations Manager (SCOM) or similar tools to track firewall service dependencies and performance metrics across multiple systems.

Documentation

References (2)

Microsoft Learn - Windows Firewall with Advanced SecurityComprehensive guide to Windows Firewall architecture, configuration, and troubleshooting including service dependencies and common issues.https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/

Windows Filtering Platform DocumentationTechnical documentation covering the Windows Filtering Platform that underlies the Windows Firewall service functionality.https://learn.microsoft.com/en-us/windows/win32/fwp/windows-filtering-platform-start-page

Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Discussion

Share your thoughts and insights

You must be logged in to comment.

Loading comments...