Event ID 10016 - DistributedCOM


Joined
Mar 7, 2017
Messages
4
Reaction score
0
Thank you for the excellent article which describes the background of the event warning.

Nevertheless the described solution would be easier if you omit the part of changing the registry keys (i.e. taking ownership of the keys). Just start the 'Component Services Administrative Tool' as user 'SYSTEM' and not under your account. As user SYSTEM you are allowed to alter the rights without any problem, they are not greyed out anymore.

To start the tool (or other administrative programs like regedit) under the user account SYSTEM you have to use a tool which allows this. I can recommend two tools which work without any problem:

- PowerRun from http://www.sordum.org/9416/powerrun-v1-1-run-with-highest-privileges
- AdvancedRun from http://www.nirsoft.net/utils/advanced_run.html

Personally I prefer PowerRun because you can store your favorites there (e.g. regedit.exe). Start PowerRun, insert comexp.msc ('Component Services Administrative Tool') in the list, start comexp.msc, and alter the rights. That's all.

This way is not easier, but it's much 'cleaner', because the rights of system registry keys won't be changed.

Thorsten
 
Joined
Mar 7, 2017
Messages
49
Reaction score
5
Followed the procedure and now I get a different 10016 event.
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{D63B10C5-BB46-4990-A94F-E40B9D520160}
and APPID
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
This seems to relate to Runtime Broker.
Any ideas?
 
Joined
Mar 7, 2017
Messages
4
Reaction score
0
>This seems to relate to Runtime Broker.
Yes, you could do exactly the same with Runtime Broker (I did it). Follow my advice from Tuesday to open the Component Services directly as user 'system'.
 
Joined
Jun 4, 2017
Messages
1
Reaction score
0
Got to the bottom of the instructions and am puzzled by "At this point if you wish you could restore permissions for the two registry keys back to their original status. In my case the CLASS ID was owned by the SYSTEM, and the AppID was owned by TrustedInstaller, so to change it back I'd enter the following commands in an elevated command prompt:":
Now that I added the missing owner (which was LOCAL SERVICES in my case) I don't remember what the original permission owners were. How important is this step?
thank you
 

Regedit32

Moderator
Joined
Mar 4, 2016
Messages
3,609
Reaction score
1,140
>Now that I added the missing owner (which was LOCAL SERVICES in my case) I don't remember what the original permission owners were. How important is this step?

Hi and Welcome to the Forum DCOM Dummy,

It's not absolutely critical, as leaving the Owner as yourself, simply means you could continue to alter the Distributed COM without having to take ownership again.

Having said that, you'll need to monitor your computer's performance, to see whether there are any other issues that arise.

You could use a Restore point that pre-dates the date/time you modified the Registry to get things back to as they were, but then you'd need to do all the steps again if you wanted to modify the Distributed COM.


If you tell me what CLSID or AppID you modified I could check what the defaults are and let you know.
 
Joined
Dec 12, 2017
Messages
4
Reaction score
0
I have followed these instructions as well as the ones on the other win 10 forum and still can only get 1 runtime broker to be edited, the other one stays grayed out. So every time I start chrome browser I get dcom error 10016; I may get 20 per day.
 
Joined
Dec 29, 2017
Messages
2
Reaction score
0
Hi Regedit32,

Thank you very much for your great article! I had two separate AppIDs causing problems on my machine. The first was fixed by following your instructions. However, the second AppID produced a new error message after following your instructions.

Originally the error was:

The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{D63B10C5-BB46-4990-A94F-E40B9D520160}
and APPID
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

After following your instructions it changed to:

The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{D63B10C5-BB46-4990-A94F-E40B9D520160}
and APPID
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
to the user PETER-LAPTOP\psalv SID (S-1-5-21-1537930251-1255437764-1913892686-1001) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

So, it is basically the same error, but a different user. I repeated your instructions for the user (me) in the new error message. However, this time the error remains unchanged and occurs when I restart my machine. Any ideas why granting user psalv Local Activation permission does not alleviate this error message?

Thank you,

Peter
 
Joined
Dec 29, 2017
Messages
1
Reaction score
0
Peter,

I have been through the "grant access to X and now the error wants access for Y" spiral. I may have found the answer as I have had no 10016 errors reported for two days.

As usual, run Component Services and find the RuntimeBroker entry. Right click and go to Properties and the Security tab. In Launch and Activation Permissions click the Edit button. I found an unknown user in the list and deleted that. I then clicked the Add button and added the LOCAL SERVICE user (type local service in the box and click the Check Names button). I then gave Local Service Local Launch and Local Activation privileges. Check the privileges for the other two options (Access and Configuration) for Local Service while you are there.

I hope this helps,

Tim
 
Joined
Dec 29, 2017
Messages
2
Reaction score
0
Hi Tim,

Thanks for the idea, but it doesn't appear to have fixed my problem. I also added LOCAL SERVICE and psalv to "Access" and "Configuration" to no avail.

Thanks,

Peter
 
Joined
Dec 12, 2017
Messages
4
Reaction score
0
1 runtime broker stays grayed out no matter what I do while 1 is editable and has been edited but still get the error.
 
Joined
Feb 14, 2018
Messages
24
Reaction score
1
I tried this & got a different result! I was unable to change anything! I had a Microsoft tech via remote & even they couldn't figure this out! WHAT DO I DO? I'm at my wits' end over this deal! I would GLADLY PAY to get this resolved, it's driving me nuts & I can't figure this out! EXHAUSTED!!!! Here is a copy of the EVENT LOG which is FULL of DIST 10016
Log Name: System
Source: Microsoft-Windows-DistributedCOM
Date: 2/14/2018 8:24:05 AM
Event ID: 10016
Task Category: None
Level: Error
Keywords: Classic
User: NETWORK SERVICE
Computer: MAXIMUSPRIME
Description:
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{D63B10C5-BB46-4990-A94F-E40B9D520160}
and APPID
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-DistributedCOM" Guid="{1B562E86-B7AA-4131-BADC-B6F3A001407E}" EventSourceName="DCOM" />
<EventID Qualifiers="0">10016</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2018-02-14T14:24:05.272263200Z" />
<EventRecordID>13709</EventRecordID>
<Correlation />
<Execution ProcessID="1084" ThreadID="4560" />
<Channel>System</Channel>
<Computer>MAXIMUSPRIME</Computer>
<Security UserID="S-1-5-20" />
</System>
<EventData>
<Data Name="param1">application-specific</Data>
<Data Name="param2">Local</Data>
<Data Name="param3">Activation</Data>
<Data Name="param4">{D63B10C5-BB46-4990-A94F-E40B9D520160}</Data>
<Data Name="param5">{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}</Data>
<Data Name="param6">NT AUTHORITY</Data>
<Data Name="param7">NETWORK SERVICE</Data>
<Data Name="param8">S-1-5-20</Data>
<Data Name="param9">LocalHost (Using LRPC)</Data>
<Data Name="param10">Unavailable</Data>
<Data Name="param11">Unavailable</Data>
</EventData>
</Event>

ANY HELP / REMOTE / STEP BY STEP / PRAYER / !!!!!!
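
Added example, not part of the original post or the article it discusses: a PowerShell sketch that pulls the CLSID, APPID and SID out of a 10016 event and groups repeated events, so you can see which identity is being denied on which COM server. The function names are hypothetical, and the field positions are assumed from the Event Xml posted above.

```powershell
# Field positions assumed from the Event Xml in the post above:
# param4 = CLSID, param5 = APPID, param6\param7 = account, param8 = SID.
function ConvertFrom-Dcom10016Xml {
    param([Parameter(Mandatory)][string]$EventXml)

    $doc = [xml]$EventXml
    $p = @{}
    foreach ($d in $doc.GetElementsByTagName('Data')) {
        $p[$d.GetAttribute('Name')] = $d.InnerText
    }
    [pscustomobject]@{
        Scope      = $p['param1']
        Permission = "$($p['param2']) $($p['param3'])"
        Clsid      = $p['param4']
        AppId      = $p['param5']
        Account    = "$($p['param6'])\$($p['param7'])"
        Sid        = $p['param8']
    }
}

# Friendly name of an AppID, read from the key's default value (if the key exists).
function Get-DcomAppName {
    param([string]$AppId)
    $key = "Registry::HKEY_CLASSES_ROOT\AppID\$AppId"
    if (Test-Path -LiteralPath $key) { (Get-ItemProperty -LiteralPath $key).'(default)' }
}

# Sample input: the EventData of the event posted above, trimmed to the fields used.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <EventData>
    <Data Name="param1">application-specific</Data>
    <Data Name="param2">Local</Data>
    <Data Name="param3">Activation</Data>
    <Data Name="param4">{D63B10C5-BB46-4990-A94F-E40B9D520160}</Data>
    <Data Name="param5">{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}</Data>
    <Data Name="param6">NT AUTHORITY</Data>
    <Data Name="param7">NETWORK SERVICE</Data>
    <Data Name="param8">S-1-5-20</Data>
  </EventData>
</Event>
'@
ConvertFrom-Dcom10016Xml -EventXml $sample | Format-List

# On a live system: count 10016 events per (CLSID, APPID, SID) combination.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-DistributedCOM'; Id = 10016 } -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-Dcom10016Xml -EventXml $_.ToXml() } |
    Group-Object Clsid, AppId, Sid | Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'AppName'; e = { Get-DcomAppName $_.Group[0].AppId } }
```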
 

Regedit32

Moderator
Joined
Mar 4, 2016
Messages
3,609
Reaction score
1,140
Are you able to clarify at which point in my instructions you were unable to achieve the result you wanted?

For example, are you having difficulty obtaining permissions?
 
Joined
Feb 14, 2018
Messages
24
Reaction score
1
I cannot apply permissions at all & the Microsoft tech even tried & was unable to accomplish the goal. I even took it to a well recognized PC repair tech & even he couldn't do it. When I installed the SetACL I thought that would resolve the issue, I got the first command line to show but nothing else. I have NOTHING to hide if you're interested in a remote repair, I would gladly pay a reasonable amount to resolve the issue. I get the same errors 7023 / 7034 & 10016 pretty consistently & have researched to no avail! I have TeamViewer13 & use it quite often helping others but this one has me totally stumped! I've not changed anything since the Microsoft Tech tried to resolve it! <<<<<<<<<<< HELP >>>>>>>>>> :)
Here is a pic of the event viewer: https://gyazo.com/6c9c170edf98692df47e61f0002c6a96
Here is a pic of 7024: https://gyazo.com/0dc16ff38673b3b941485a843bdedf36
Here is all the DCOM ERRORS: https://gyazo.com/05e794ac8690dabcb46db83e5d3479e2
Here is the CMD ( Admin as per your instructions: https://gyazo.com/eacdfe1b3691dc30ffbdee98eff00656
I didn't quite understand this: Don't forget to leave the speech marks in too! ???
This is as far as I can get: https://gyazo.com/9ca3db68fc44e6da45633d23df251709

YEAP, you guessed it, I'm Lost Scared & Confused!
I keep this system CLEAN / Kaspersky / Spybot / Malwarebytes & run the sfc /scannow to be certain the registry has no errors & I even keep the ipconfig /flushdns clean but this DCOM error I can't complete! I have MS & sometimes have a hard time staying focused on some things so it took me 2 hours to simply make this reply!
 

Regedit32

Moderator
Joined
Mar 4, 2016
Messages
3,609
Reaction score
1,140
Hi Clay,

Based on the images you provided your issue is arising when SYSTEM attempts to Locally Activate your ShellServiceHost

You mentioned you had issues obtaining permissions using the SetACL.exe application I recommended using, and that may be because you were unsure what I meant by making sure the speech marks " ", ' ' were left in the commands I gave to execute. If you do not leave these in or use the correct ones then the command would fail.

If you prefer I can walk you through manually setting permissions on the two registry keys [ without the need to use the SetACL.exe application ], and then take you through the steps needed to modify the Local Activation in the dCOM Configuration [ a part of the Component Services discussed in my Article ].

If you would like me to take you through one step at a time, let me know. Also, before we get started, can you type Create a restore point in your search field then select that from the search results and actually create a restore point - as a precaution before we start altering things.

When you are ready let me know and I'll post how to set permissions manually along with some pictures so you can see what to do. When that is done and you have succeeded, I'll post another response on what to do next in the Component Services.
 
Joined
Feb 14, 2018
Messages
24
Reaction score
1
First off, I want to THANK YOU VERY MUCH for your time & effort as it is EXCEPTIONAL & GREATLY APPRECIATED! Not many people in the World today would take the time & effort to help others! YES I would be TOTALLY ECSTATIC towards getting this resolved once & for all. I will create a restore point right now but before I do I will clean all temp files & do all the scans then complete the restore point. :) Ready in 25 min. Once again THANK YOU VERY MUCH! :)

ONWARD WE GO ( EXCITED ) :)
 
Joined
Feb 14, 2018
Messages
24
Reaction score
1
Okay, I cleaned the entire system, ran all scans etc. Created a Restore Point per your instructions. I also ran the sfc /scannow to be certain the registry has no violations. ALL IS 100% ready to go! :)
Untitled.jpg
 
Joined
Feb 14, 2018
Messages
24
Reaction score
1
Yes I also created a restore point once I had finished all the scans & what I considered important steps to make the restore point a clean mirror per se. Once again I Thank You for your help! :)
 

Regedit32

Moderator
Joined
Mar 4, 2016
Messages
3,609
Reaction score
1,140
The two commands that failed in your attached image appear to be missing the SetACL.exe -on before the "HKEY_CLASSES_ROOT ... " section.

Anyway, to manually set permissions you'll need to modify the permissions of the two offending registry keys.
  • Press Windows Key + R to open the run dialog
  • In the run dialog type regedit then click OK
  • Click Yes when the User Account Control prompts you
You'll now see the Registry Editor opened.

In the Registry Editor's Address bar type or copy & paste the following:

Code:
HKEY_CLASSES_ROOT\CLSID\{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}

Sample Image

img1.png


Press your Enter key to expand to the {6B3B8D23-FA8D-40B9-8DBD-B950333E2C52} hive

You'll now see this hive highlighted at the bottom on the left pane

img2.png
  • Right-click on this hive and select Permissions
  • In the Permissions for {6B3B8D23-FA8D-40B9-8DBD-B950333E2C52} window click Advanced
  • This will open the Advanced Security Settings for {6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}. At the top you'll see the current Owner is TrustedInstaller. Click the Change to the right of Owner.
Sample Images

img3.png
  • After clicking Change you'll see the Select User or Group window. Click the Advanced button.
img4.png

  • After clicking the Advanced button you'll be presented with an expanded Select User or Group window. Click the Find Now button. This will cause a long list of options to appear in the bottom window. Scroll down this list and left-click once to highlight your Username [i.e. the name you sign-in with], then click OK
Sample Images

img5.png

  • After clicking OK you'll be returned to the previous window, where you'll see your username like so:
img6.png


Assuming you selected the correct username, click OK

  • After clicking OK you'll be returned to the previous window where you ought to now see the Owner is the username you selected. Click OK
img7.png

  • After clicking OK you'll be returned to the Permissions window.
    • Click the Add button
    • This opens the Select User or Groups window again. Click the Advanced button
    • Now click the Find Now button.
    • Now scroll the list of names and left-click on your username again to highlight it, then click OK
    • Click OK again on the Select User or Groups window
    • Now back at the Permissions window again, in the top pane you should see your username in the list. Left-click once on this username, then in the lower pane below the Allow column place a check in the Full Control box. This will automatically check the Read box and leave the Special Permissions box empty.
    • At this point click OK
Sample Images

img8.png


You now own and have full control of this Registry CLASS ID!

  • At this point you will be back at the main Registry Editor window. In its Address bar type or copy & paste the following, then press Enter key to expand to this new hive:
Code:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}

You now need to do the above steps for this Registry Hive to take ownership of it and give yourself full control, just as you did for the previous Registry Class ID.

Let me know how you go.
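
Added example, not part of the original post or the article's own commands: a PowerShell sketch that records the owner and full security descriptor of the two keys named above before ownership is taken, and compares them afterwards, which answers the earlier question in this thread about what the original owners were. The function names and the snapshot file path are hypothetical; run it from an elevated PowerShell prompt.

```powershell
# The two registry keys named in the post above.
$keys = @(
    'HKEY_CLASSES_ROOT\CLSID\{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}'
)
# Hypothetical location for the saved snapshot.
$snapshotFile = Join-Path $env:USERPROFILE 'dcom-key-acl-before.json'

# Capture owner, SDDL and a readable ACE list for each key that exists.
function Get-RegistryKeySecuritySnapshot {
    param([Parameter(Mandatory)][string[]]$KeyPath)
    foreach ($k in $KeyPath) {
        $psPath = "Registry::$k"
        if (-not (Test-Path -LiteralPath $psPath)) {
            Write-Warning "Key not found, skipped: $k"
            continue
        }
        $acl = Get-Acl -LiteralPath $psPath
        [pscustomobject]@{
            Key    = $k
            Owner  = $acl.Owner
            Sddl   = $acl.Sddl   # complete descriptor, enough to restore from
            Access = @($acl.Access | ForEach-Object {
                "$($_.IdentityReference): $($_.AccessControlType) $($_.RegistryRights)"
            })
        }
    }
}

# Compare the saved snapshot with the current state of each key.
function Compare-RegistryKeySecuritySnapshot {
    param([Parameter(Mandatory)][string]$SnapshotFile)
    $before = Get-Content -LiteralPath $SnapshotFile -Raw | ConvertFrom-Json
    foreach ($b in $before) {
        $now = Get-Acl -LiteralPath "Registry::$($b.Key)"
        [pscustomobject]@{
            Key         = $b.Key
            OwnerBefore = $b.Owner
            OwnerNow    = $now.Owner
            SddlChanged = ($b.Sddl -cne $now.Sddl)
        }
    }
}

# 1. Before changing anything: save the snapshot.
Get-RegistryKeySecuritySnapshot -KeyPath $keys |
    ConvertTo-Json -Depth 3 | Set-Content -LiteralPath $snapshotFile

# 2. After the change (or after restoring): see what differs from the original.
Compare-RegistryKeySecuritySnapshot -SnapshotFile $snapshotFile | Format-List
```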
 
