Local Activation Permission

  1. f14tomcat's Avatar
    Posts : 53,102
    Multi-boot Windows 10 - RTM, RP, Beta, and Insider
       #41

    ddelo said:
    To resolve the EventID 513 CAPI2 errors, when making a backup or creating a restore point,
    In an elevated command prompt:

    1. Run: SC sdshow MSLLDP
    You will get an SDDL similar to that:
    D:(D;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BG)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SO)(A;;LCRPWP;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453)

    2. If it's not exactly the same as this one (it'll most probably be), make a note of your SDDL by copying and pasting the string you received.

    3. Apply an extra permission for the NT SERVICE\CryptSvc, by adding the string: (A;;CC;;;S-1-5-80-242729624-280608522-2219052887-3187409060-2225943459) to the existing MSLLDP, right after the (A;;LCRPWP;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453) block

    4. To do that you should run the following command, making sure that there are no spaces or line breaks:
    sc sdset MSLLDP <Your SDDL>(A;;CC;;;S-1-5-80-242729624-280608522-2219052887-3187409060-2225943459)

    or in our example:
    Code:
    sc sdset MSLLDP D:(D;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BG)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SO)(A;;LCRPWP;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453)(A;;CC;;;S-1-5-80-242729624-280608522-2219052887-3187409060-2225943459)
    That's it! No CAPI2 errors.

    There's a good TechNet article on the whole process, along with what to look for, and watch out for. Just FYI:

    Error source CAPI2 id 513 - Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object

  2. ddelo's Avatar
    Posts : 2,228
    Windows 10 Pro x64
       #42

    I've read it Dick and thanks a lot for pointing it out.

    The problem with the article (which works perfectly) is that, to solve the issue, it provides a whole bunch of permissions to NT AUTHORITY\SERVICE, which is not necessary.

    We just need to provide SERVICE_QUERY_CONFIG permission to the NT SERVICE\CryptSvc. That's more efficient and lighter, does not open the whole thing to NT AUTHORITY\SERVICE, works just as perfectly, and there is no need to reapply the fix after a Windows update.

    You can take a look, if you wish, at Microsoft Community
      My Computer
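
Added example, not part of either post above: a Python sketch of the SDDL edit from #41 that also decodes each DACL entry into service access rights, so the result can be checked against the least-privilege point in #42. The SDDL and ACE strings are copied from the post; the function names are illustrative, and the input is assumed to start with `D:` as `sc sdshow` prints it.

```python
import re

# SDDL right codes as they apply to service objects.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# Values copied from the post above.
MSLLDP_SDDL = ("D:(D;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BG)"
               "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"
               "(A;;CCDCLCSWRPDTLOCRSDRCWDWO;;;BA)"
               "(A;;CCLCSWRPWPDTLOCRRC;;;SO)"
               "(A;;LCRPWP;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453)")
CRYPTSVC_ACE = "(A;;CC;;;S-1-5-80-242729624-280608522-2219052887-3187409060-2225943459)"


def split_sddl(sddl):
    """Split an `sc sdshow` string into (dacl, sacl); sacl is '' if absent."""
    if re.search(r"\s", sddl):
        raise ValueError("SDDL must not contain spaces or line breaks")
    if not sddl.startswith("D:"):
        raise ValueError("expected a string starting with D:")
    cut = sddl.find("S:", 2)  # SIDs are written S-..., so S: only starts a SACL
    return (sddl, "") if cut < 0 else (sddl[:cut], sddl[cut:])


def decode_dacl(sddl):
    """Return (ace_type, trustee, [right names]) for every DACL entry."""
    entries = []
    for body in re.findall(r"\(([^()]*)\)", split_sddl(sddl)[0]):
        ace_type, _flags, rights, _obj, _inh, trustee = body.split(";")
        names = [SERVICE_RIGHTS[c] for c in re.findall("..", rights)]
        entries.append((ace_type, trustee, names))
    return entries


def add_ace(sddl, ace):
    """Append ace to the end of the DACL, ahead of any SACL; idempotent."""
    dacl, sacl = split_sddl(sddl)
    return sddl if ace in dacl else dacl + ace + sacl


if __name__ == "__main__":
    for ace_type, trustee, names in decode_dacl(add_ace(MSLLDP_SDDL, CRYPTSVC_ACE)):
        print(ace_type, trustee, ", ".join(names))
```

If the string returned by `sc sdshow` carries an `S:` section, `add_ace` places the new entry before it, which plain concatenation at the end of the string would not do.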

  3. Steve C's Avatar
    Posts : 6,287
    Windows 10 Pro 64 bit
       #43

    I have the same error, as listed below. I can usually fix these 10016 errors. I found APPID {F72671A9-012C-4725-9D2F-2A4D32D65169} is associated with "Interactive User" but "Interactive User" is not listed in the DCOMCNFG DCOM Config window. Please advise how to proceed from here.

    Error 03/09/2017 07:15:11 Microsoft-Windows-DistributedCOM 10016 None
    "The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {8D8F4F83-3594-4F07-8369-FC3C3CAE4919} and APPID {F72671A9-012C-4725-9D2F-2A4D32D65169} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool."

  4. lx07's Avatar
    Posts : 5,479
    2004
       #44

    Did you see this post earlier in the thread? Local Activation Permission - Page 2 - Windows 10 Forums

    {F72671A9-012C-4725-9D2F-2A4D32D65169} is in DCOM as a GUID at the bottom - it is still there for me in 16281 insider build.

  5. Steve C's Avatar
    Posts : 6,287
    Windows 10 Pro 64 bit
       #45

    lx07 said:
    Did you see this post earlier in the thread? Local Activation Permission - Page 2 - Windows 10 Forums

    {F72671A9-012C-4725-9D2F-2A4D32D65169} is in DCOM as a GUID at the bottom - it is still there for me in 16281 insider build.

    OK, I've found it lurking there thanks. Why do some of these have meaningful titles and some gobbledegook titles?

  6. lx07's Avatar
    Posts : 5,479
    2004
       #46

    Steve C said:
    OK, I've found it lurking there thanks. Why do some of these have meaningful titles and some gobbledegook titles?

    Honestly? In my opinion it is because it doesn't matter what event viewer says.

    My concern is granting some DCOM authority for a process that we don't know what it does is a risk.

    Your issue was with CDPComActivityStore but what is that? God knows. Should SYSTEM have authority or not? If it should then why - for what purpose? If it should not then why give it the authority? Just to stop an event viewer entry?

    If we automatically grant DCOM authorities to match messages in the log saying "give me authority" then there is no point in having authority at all.

    Perhaps changing permissions to match errors is not necessarily correct. It could be the permissions are correct and the error messages are wrong. In that case granting permissions to get rid of event viewer log entries is in fact a bad idea.

    Thanks for the rep anyway

  7. Steve C's Avatar
    Posts : 6,287
    Windows 10 Pro 64 bit
       #47

    lx07 said:
    Honestly? In my opinion it is because it doesn't matter what event viewer says.

    My concern is granting some DCOM authority for a process that we don't know what it does is a risk.

    Your issue was with CDPComActivityStore but what is that? God knows. Should SYSTEM have authority or not? If it should then why - for what purpose? If it should not then why give it the authority? Just to stop an event viewer entry?

    If we automatically grant DCOM authorities to match messages in the log saying "give me authority" then there is no point in having authority at all.

    Perhaps changing permissions to match errors is not necessarily correct. It could be the permissions are correct and the error messages are wrong. In that case granting permissions to get rid of event viewer log entries is in fact a bad idea.

    Thanks for the rep anyway

    Hmm. Excellent point!


 