Local Activation Permission

f14tomcat · 06 Apr 2017

ddelo said:

To resolve the EventID 513 CAPI2 errors, when making a backup or creating a restore point,
In an elevated command prompt:

1. Run: SC sdshow MSLLDP
You will get an SDDL similar to that:
D

D;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BG)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPDTLOCRSDRCWDWO; ;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SO)(A;;LCRPWP;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453)

2. If it's not exactly the same as this one (it'll most probably be), make a note of your SDDL by copying and pasting the string you received.

3. Apply an extra permission for the NT SERVICE\CryptSvc, by adding the string: (A;;CC;;;S-1-5-80-242729624-280608522-2219052887-3187409060-2225943459) to the existing MSLLDP, right after the (A;;LCRPWP;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453) block

4. To do that you should run the following command, making sure that there are no spaces or line breaks:
sc sdset MSLLDP <Your SDDL>(A;;CC;;;S-1-5-80-242729624-280608522-2219052887-3187409060-2225943459)

or in our example:

Code:

sc sdset MSLLDP D:(D;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BG)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SO)(A;;LCRPWP;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453)(A;;CC;;;S-1-5-80-242729624-280608522-2219052887-3187409060-2225943459)

That's it! No CAPI2 errors.

There's a good TechNet article on the whole process, along with what to look for, and watch out for. Just FYI:

Error source CAPI2 id 513 - Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object

ddelo · 06 Apr 2017

I've read it Dick and thanks a lot for pointing it out.

The problem with the article (which works perfectly) is that for solving the issue provides a whole bunch of permissions to NT AUTHORITY\SERVICE, which is not necessary.

We just need to provide SERVICE_QUERY_CONFIG permission to the NT SERVICE\CryptSvc. That's more efficient and lighter, does not open the whole thing to NT AUTHORITY\SERVICE, works as perfectly and there is no need to reapply the fix after a Windows update.

You can take a look if you wish to Microsoft Community

Steve C · 06 Sep 2017

I have the same error is listed below. I can usually fix these 10016 errors. I found APPID {F72671A9-012C-4725-9D2F-2A4D32D65169} is associated with "Interactive User" but "Interactive User" is not listed in the DCOMCNFG DCOM Config window. Please advise how to proceed from here.

Error 03/09/2017 07:15:11 Microsoft-Windows-DistributedCOM 10016 None
"The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {8D8F4F83-3594-4F07-8369-FC3C3CAE4919} and APPID {F72671A9-012C-4725-9D2F-2A4D32D65169} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool."

lx07 · 06 Sep 2017

did you see this post earlier in the thread? Local Activation Permission - Page 2 - Windows 10 Forums

{F72671A9-012C-4725-9D2F-2A4D32D65169} is in DCOM as a GUID at the bottom - it is still there for me in 16281 insider build.

Steve C · 06 Sep 2017

lx07 said:

did you see this post earlier in the thread? Local Activation Permission - Page 2 - Windows 10 Forums

{F72671A9-012C-4725-9D2F-2A4D32D65169} is in DCOM as a GUID at the bottom - it is still there for me in 16281 insider build.

OK, I've found it lurking there thanks. Why do some of these have meaningful titles and some gobbledegook titles?

lx07 · 06 Sep 2017

Steve C said:

OK, I've found it lurking there thanks. Why do some of these have meaningful titles and some gobbledegook titles?

Honestly? In my opinion it is because it doesn't matter what event viewer says..

My concern is granting some DCOM authority for a process that we don't know what it does is a risk.

Your issue was with CDPComActivityStore but what is that? God knows. Should SYSTEM have authority or not? If it should then why - for what purpose? If it should not then why give it the authority? Just to stop an event viewer entry?

If we automatically grant DCOM authorities to match messages in the log saying "give me authority" then there is no point in having authority at all.

Perhaps changing permissions to match errors is not necessarily correct. It could be the permissions are correct and the error messages are wrong. In that case granting permissions to get rid of event viewer log entries is in fact a bad idea.

Thanks for the rep anyway

Steve C · 06 Sep 2017

lx07 said:

Honestly? In my opinion it is because it doesn't matter what event viewer says..

My concern is granting some DCOM authority for a process that we don't know what it does is a risk.

Your issue was with CDPComActivityStore but what is that? God knows. Should SYSTEM have authority or not? If it should then why - for what purpose? If it should not then why give it the authority? Just to stop an event viewer entry?

If we automatically grant DCOM authorities to match messages in the log saying "give me authority" then there is no point in having authority at all.

Perhaps changing permissions to match errors is not necessarily correct. It could be the permissions are correct and the error messages are wrong. In that case granting permissions to get rid of event viewer log entries is in fact a bad idea.

Thanks for the rep anyway

Hmm. Excellent point!