I run into IPSEC errors when a Windows server or desktop suddenly has slow or broken RDP sessions. The machine boots, network looks up, but Remote Desktop feels sluggish or times out. This guide shows what to look for, the commands to run, the likely registry culprits and a safe fix path that I use on live kit.
Common error messages you will find in the System event log:
- “Could not start the IPSEC Services service on Local Computer. Error 2: The system cannot find the file specified.”
- Event ID 7023 with description: “The IPSEC Services service terminated with the following error: The system cannot find the file specified.”
Symptoms tied to IPSEC errors and RDP performance:
- Slow RDP login or long black screen before desktop. Sessions take 30–90 seconds to appear.
- Intermittent network failures from the affected host while other machines are fine.
- Services that depend on IPSEC fail to start or are stuck at “starting”.
Visual indicators:
- In Services.msc the “IPsec Policy Agent” (PolicyAgent) is stopped or cannot start.
- Event Viewer contains repeated 7023 or 7000 entries related to PolicyAgent.
- Network icon shows connected, but RDP or domain resources are unresponsive.
If you see that exact error line and slow RDP, treat IPSEC services as a prime suspect.
Where it happens
Typical environments
- Terminal servers and VM guests after a snapshot or resource shortage on the host.
- Machines which had Group Policy edits or third-party security tools installed or removed.
- Systems moved between networks or with corrupted local policies.
Specific Windows versions
- This problem appears on older and modern Windows builds. It is common on Server 2003/2008-era machines in legacy notes, but I have seen it on Windows Server 2016/2019 and Windows 10/11 when local policy keys are damaged.
Network configurations prone to issues
- Hosts using L2TP/IPsec VPN or custom IPSEC policies.
- Domain-joined hosts where Group Policy pushes IPSEC settings.
- Machines with intercepted system updates or image customisations that left the policy store inconsistent.
If RDP performance drops only on one host and the PolicyAgent service is not running, the network security stack is likely the source.
Finding the cause
Start with quick diagnostics. Commands I run and what I expect.
1) Check service status:
- Command: sc query PolicyAgent
- Expected (healthy): STATE : 4 RUNNING
- Actual (faulty): STATE : 1 STOPPED
If it is stopped or fails to start, the event log will have Event ID 7023.
2) Try starting the service with verbose output:
- Command: net start PolicyAgent
- Expected: The IPsec Policy Agent service was started successfully.
- Actual: “System error 2 has occurred. The system cannot find the file specified.”
3) Check for policy registry key presence:
- Command: reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local"
- Expected (no error, returns subkeys or values) when policy present.
- Actual (common failure): “ERROR: The system was unable to find the specified registry key or value.”
4) Run system file check:
- Command: sfc /scannow
- Expected: No integrity violations or successful repair message.
- Actual: If sfc reports unrepairable files, fix those first.
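The checks above can be gathered in one read-only pass. This PowerShell sketch is an added example, not part of the original guide; the seven-day look-back window and the report field names are assumptions, and it changes nothing on the host.

```powershell
# Read-only triage for the PolicyAgent checks above. Run in an elevated session.
$localKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local'
$dllPath  = Join-Path $env:SystemRoot 'System32\polstore.dll'
$since    = (Get-Date).AddDays(-7)   # assumed look-back window

# 1) Service state (same information as: sc query PolicyAgent)
$svc = Get-Service -Name PolicyAgent -ErrorAction SilentlyContinue

# 2) Service Control Manager events 7000/7023 that mention the service.
#    Get-WinEvent returns newest first; @() keeps an empty result countable.
$events = @(
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7000, 7023
        StartTime    = $since
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'IPsec Policy Agent|IPSEC Services|PolicyAgent' }
)

# 3) Local policy store key and the policy store DLL
$keyPresent = Test-Path -Path $localKey
$dllPresent = Test-Path -Path $dllPath

$serviceStatus = if ($svc) { [string]$svc.Status } else { 'NotFound' }
$lastError     = if ($events.Count -gt 0) { $events[0].TimeCreated } else { $null }

$report = [pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    ServiceStatus   = $serviceStatus
    ScmErrorCount   = $events.Count
    LastScmError    = $lastError
    LocalKeyPresent = $keyPresent
    PolstorePresent = $dllPresent
    # Pattern described in this guide: service not running and Local key missing
    MatchesGuide    = ($serviceStatus -ne 'Running') -and (-not $keyPresent)
}
$report | Format-List
```

Run sfc /scannow separately; it is slow and writes its own log, so it is left out of this pass.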
Why this happens
- A missing or corrupted local IPSEC policy store causes PolicyAgent to fail. Microsoft documents that deletion or corruption of IPSec\Policy\Local registry keys can cause service-start failures and loss of connectivity. I also follow community writeups that describe Error 2 and the same registry-rooted cause. See the Microsoft guidance and a practical fix writeup:
- Microsoft: Cannot connect to Internet or domain (IPSec policy store)
- Fixing IPSec Error 2 — rebuild policy store
If the registry key is missing, PolicyAgent has no local policy to open and exits with Error 2.
Fix
I follow a cautious, order-of-operations approach. Back up the registry before you touch it.
1) Backup
- Export HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec to a .reg file or create a full system restore point.
2) Rebuild the local policy store
- If HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local exists and looks corrupted, delete just that Local subkey:
- Command (run elevated): reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local" /f
- If the whole IPSec key is missing, skip deletion and continue.
3) Re-register the policy store DLL
- Command (elevated): regsvr32 polstore.dll
- Expected: DllRegisterServer in polstore.dll succeeded.
- If regsvr32 fails, check polstore.dll exists in System32. If missing, run sfc /scannow or restore from known-good image.
4) Start the service
- Command: net start PolicyAgent
- Expected: The IPsec Policy Agent service was started successfully.
- If the service starts, give it 10–30 seconds and check Event Viewer for new entries.
5) Confirm dependent services
- Some RDP slowdowns were due to other services blocked while PolicyAgent failed. Check IKEEXT and RasMan as needed:
- sc query IKEEXT
- sc query RasMan
6) Reboot if necessary. I prefer to restart the host once the service starts cleanly.
This sequence rebuilds the local policy store and restores the service binary registration so Windows can read policies again.
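Steps 1 to 5 as one guarded PowerShell script, added here as an example and not taken from the original guide. The backup location and the $localLooksCorrupted switch are assumptions: leave the switch at $false until you have inspected the Local subkey yourself.

```powershell
#Requires -RunAsAdministrator
$sub      = 'SOFTWARE\Policies\Microsoft\Windows\IPSec'
$ipsecKey = "HKLM\$sub"                 # form used by reg.exe
$localKey = "$ipsecKey\Policy\Local"
# Assumed backup location; change to suit your environment.
$backup   = Join-Path $env:TEMP ('ipsec-policy-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
# Set to $true only after inspecting the Local subkey and judging it corrupted.
$localLooksCorrupted = $false

# 1) Backup: export the IPSec key if it exists, and stop if the export fails
if (Test-Path "HKLM:\$sub") {
    reg.exe export $ipsecKey $backup /y
    if ($LASTEXITCODE -ne 0) { throw 'Registry backup failed; nothing was changed.' }
    Write-Host "Backup written to $backup"

    # 2) Delete only the Local subkey, and only when flagged as corrupted
    if ($localLooksCorrupted -and (Test-Path "HKLM:\$sub\Policy\Local")) {
        reg.exe delete $localKey /f
        if ($LASTEXITCODE -ne 0) { throw 'Could not delete the Local subkey.' }
    }
} else {
    Write-Host 'IPSec key is missing; skipping backup and deletion.'
}

# 3) Re-register the policy store DLL (regsvr32 /s suppresses the dialog box)
$dll = Join-Path $env:SystemRoot 'System32\polstore.dll'
if (-not (Test-Path $dll)) {
    throw 'polstore.dll is missing; run sfc /scannow or restore from a known-good image.'
}
$reg = Start-Process -FilePath regsvr32.exe -ArgumentList '/s', "`"$dll`"" -Wait -PassThru
if ($reg.ExitCode -ne 0) { throw "regsvr32 failed with exit code $($reg.ExitCode)." }

# 4) Start the service; a failure here stops the script
Start-Service -Name PolicyAgent -ErrorAction Stop

# 5) Confirm PolicyAgent and the dependent services named above
Get-Service -Name PolicyAgent, IKEEXT, RasMan -ErrorAction SilentlyContinue |
    Format-Table -Property Name, Status -AutoSize
```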
Fixing the IPSEC services this way has resolved slow RDP logins in multiple cases I’ve handled. If the service still fails after these steps, the next checks are sfc /scannow, restoring the polstore DLL from a clean image and reviewing recent Group Policy changes.