Fix: The Diagnostic Service Host service failed to start due to the following error. [ solved, no kidding ]

Lots of these Messages about the Diagnostic Service Host in the System Log

On Windows 7/10 Machines Attached to A Domain

The Diagnostic Service Host service failed to start due to the following error:
A privilege that the service requires to function properly does not exist in the service account configuration. You may use the Services Microsoft Management Console (MMC) snap-in (services.msc) and the Local Security Settings MMC snap-in (secpol.msc) to view the service configuration and the account configuration.  The good news is that you can fix it using active directory group policy or the Local Security Policy and just adding a few things to the Local Policies.  Same fix applies to both Windows 7 and Windows 10.  To Fix this using any Policy, you must be running a Professional or Enterprise version of Windows. If you have Home Edition, sorry.

Here's How to Fix It

You see this in your system logs repeatedly, and its dragging down your computer and making it run slow.  Startup is slow, and there are no real diagnostics. Plus it's difficult to search your event logs. This is one of the items to fix in our blog entry on making your computer run faster. There are lots of blog entries about how to fix this, plus many paid fix-it services such as experts-exchange say they have the fix, and even put [SOLVED] in the title.
Lot of messages about the Diagnostic Service Host repeatedly

How to Fix It with Group Policy

The first thing to do is to open a group policy object that applies to your desktop and server computers.  Hopefully you can edit your Domain group policy.  You have to adjust the following items:  Bypass Traverse Checking, Impersonate a Client After Authentication, and Profile System Performance by granting certain users permission.  

In the registry, you will see this:
Required privileges of the Diagnostic Service Host 
The registry shows what privileges are needed. You need to grant them to the service users.

SeChangeNotifyPrivilege  -- Bypass Traverse Checking
SeImpersonatePrivilege -- Impersonate a Client After Authentication
SeSystemProfilePrivilege  -- Profile System Performance

All in Computer Configuration -> Windows Settings -> Security Settings -> Local Policies

Edit the User Rights Assignment Policy Object, when done it will look like this.

by granting each one:

All need to have:
BUILTIN\Administrators
LOCAL SERVICE
NT SERVICE\WdiServiceHost
plus
SERVICE
Administrators
Plus on Windows 10, you need "Local Service"

Just like this for each one
When fixed, you will see this in services.msc
Finally, go to each machine and reboot it.

If you like what you just read, and it helped fix your problem, please leave a comment below.  We would love to hear back from you.  If you are tired of googling around for solutions to windows problems, visit my website for details on great MSP and break fix services in Southern California and beyond.  Bare Wire Networks

References:
https://blogs.technet.microsoft.com/markrussinovich/2005/10/19/the-bypass-traverse-checking-or-is-it-the-change-notify-privilege/

https://support.microsoft.com/en-us/help/821546/overview-of-the-impersonate-a-client-after-authentication-and-the-crea

http://setspn.blogspot.com/2010/09/fim-2010-sspr-diagnostic-service-host.html




Comments

Popular posts from this blog

Microsoft Visio 2010 Premium Product Keys

Mercedes Benz Diesel CDI EGR Emulator Circuit Diagrams