Fix unable to start the Application Identity Service

Posted on Christian By Christian No Comments on Fix unable to start the Application Identity Service
AppLocker

In this article, you will learn how to “fix unable to start the Application Identity Service”. The Application Identity service (AppIDSvc) is a Windows service that determines and verifies the identity of an application. This service is crucial for enforcing AppLocker policies, which help control which applications and files users can run on a system. Please see How to enable or disable User Account Control, ow to Check if Windows Updates were installed, and how to “Prevent Local Administrators from managing BitLocker with the manage-bde command‘.

Note: According to Microsoft, AppLocker is a defense-in-depth security feature and not considered a defensible Windows security feature. Since the rise of Ransomware and high profile attacks, AppLocker can help in the prevention of malware infection. To help protect against these risks, the Defense in Depth approach must be employed.

Please see “how to Disable UAC with Group Policy and enable PIN in Windows Hello, how to fix “Application pool has been disabled or Changing identity user for IIS Application Pool (Event ID 5059)“, and how to WinPE USB Drive: Fixing System Boot Issues.

Reason for “Application Identity Service Access Denied

The Application Identity Service could not start via the Services Manager due to the error message prompted as shown below is related to system configuration issues.

Starting with Windows 10, the Application Identity service is now a protected process. As a result, you can no longer manually set the service Startup type to Automatic by using the Services snap-in

Error 5 Access denied
Access denied

Note: The Application Identity service determines and verifies the identity of an app. When this service is not running, AppLocker policies from being enforced.

Configure Application identity Services to Start

Starting a service through the Services Manager might not always prompt for elevation or the correct administrative rights. Group Policies and Registry modifications often ensure that the necessary permissions are applied.

Note: The Application Identity Service might require elevated permissions that are not granted when starting it manually through the Services Manager.

To fix this issue, open the Registry Editor by pressing Win + R, type regedit, and press Enter to open the Registry Editor.

Note: If prompted by User Account Control (UAC), click Yes.

Launch registry

Navigate to the Application Identity Service Key via the Registry Editor

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppIDSvc
AppIDSVC-Start

This registry key contains the configuration settings for the Application Identity service.

Check and Modify the Registry Values. In the AppIDSvc key, locate the Start value in the right pane. The Start value determines the startup type of the service.

Change from 3 to 2

Set the Start value to 2 to configure the service to start automatically:

  • Value: 2 (Automatic)
  • Value: 3 (Manual)
  • Value: 4 (Disabled)

To change the value, double-click on Start and enter 2 in the Value data field and click OK

Changed to 2

After making these changes, close the Registry Editor. Restart your computer to apply the changes.

restart PC

Upon device restart, you should be able to set the Application identity Services to Automatic.

Application identity properties

The Application identity service is running as shown below.

Application Identity set to automatic

Please see Microsoft Account Password Reset via Web and Windows, and ‘MFA on Root Account: Create a User on AWS and Register MFA“.

Note: To disable this service in the future, you also have to use the GPO or Windows Registry Editor. Else, you will be prompted with the Access Denied wizard.

Set AppIDSvc via command prompt or PowerShell

Open an elevated command prompt or PowerShell and enter the command below and press Enter. 

sc.exe config appidsvc start=auto

I prefer to use this command below since I also want to have the services started.

sc config "AppIDSvc" start=auto & net start "AppIDSvc"
Enable Application Identity Service

Note: The Startup type of the AppIDSvc cannot be set to Manual using sc.exe. Therefore, it is recommend to perform a system backup before changing it.

Start the Application Identity service automatically using GPO

Please launch the Group Policy Management Console (gpmc.msc) ad navigate to the console tree

Computer Configuration\Windows Settings\Security Settings, select System Services

In the details pane, double-click Application Identity. In Application Identity Properties, configure the service to start automatically.

I hope you found this guide very useful on how to Fix unable to start the Application Identity Service. Please feel free to leave a comment below.

5/5 - (1 vote)
Windows Tags:, ,

Related Posts

More Related Articles

screenshot 2020 02 07 at 21.59.33 Prerequisites for setting up a Single and Multi App Kiosk Windows
fix windows activation 0x87E10BC6 error Fix Error 0x87E10BC6 on a PC running Windows non-core Edition Windows
How to keep Apps up to date on Windows How to keep Apps up to date on Windows devices Windows
Rport RPORT the free and open source remote management tool Linux
BitRecDelegation Delegate control for BitLocker recovery keys in Active Directory Windows
Computer policy could not be updated How to fix Computer Policy could not be updated successfully Windows

Leave a Reply