Windows 10 Event ID 10010 and 10016 Errors With DistributedCOM

Steve C · 21 Nov 2017

I fail to understand why you are all wasting your time trying to fix these 'problems'.

ddelo · 21 Nov 2017

You can avoid all the hassle of changing the owner to Administrator and back to Trustedinstaller (needed step that has to be taken!) by running DCOMCNFG.EXE as Trustedinstaller via the PowerRun or ExecTI tool.

But, I would agree with the opinion of other users, that is a waste of time and effort, as Microsoft needs to resolve these problems and until that time comes there is a great possibility, that the next update will revert all manual fixes!

Soyabeaner · 24 Feb 2018

It only took Microsoft over 2 years to report they acknowledged this error, only to inform that we should ignore it

.

https://support.microsoft.com/af-za/...ws-server-2016 :

Cause

The event logs are recorded because certain processes don't have permissions to the DCOM components that are mentioned in the event logs. The specific communications that are blocked are determined to have no adverse functionality other than generating 10016 event logs. These event logs can be safely ignored.

Workaround

You may change the permissions on DCOM components to prevent this error from being logged. However, this workaround may have side effects. It's better to just ignore these errors because they don't adversely affect functionality.

Status

These events can be safely ignored.

I highlighted in red the "scary part", which could mean if one forgets to revert the ownership to Trustedinstaller. That's not bad. That's progress. Perhaps another 2 years for the actual fix?

Edit: fixed link

fdegrove · 24 Feb 2018

Hi,

These errors are easy enough to fix if you follow the instructions or better still if you use @lxo7 's PS script in elevated mode.
That said DCOM is really unimportant and most errors can safely be ignored.

I've always been able to fix any of them but that's just because MS doesn't care to fix them in a permanent manner anyhow.

lx07 's script which works fine for EV ID 10010 and 10016:

Code:

function enable-privilege
{ param(
 ## The privilege to adjust. This set is taken from http://msdn.microsoft.com/en-us/libr...16(VS.85).aspx
  [ValidateSet(
 "SeAssignPrimaryTokenPrivilege", "SeAuditPrivilege", "SeBackupPrivilege", "SeChangeNotifyPrivilege", "SeCreateGlobalPrivilege",
 "SeCreatePagefilePrivilege", "SeCreatePermanentPrivilege", "SeCreateSymbolicLinkPrivilege", "SeCreateTokenPrivilege",
 "SeDebugPrivilege", "SeEnableDelegationPrivilege", "SeImpersonatePrivilege", "SeIncreaseBasePriorityPrivilege",
 "SeIncreaseQuotaPrivilege", "SeIncreaseWorkingSetPrivilege", "SeLoadDriverPrivilege", "SeLockMemoryPrivilege",
 "SeMachineAccountPrivilege", "SeManageVolumePrivilege", "SeProfileSingleProcessPrivilege", "SeRelabelPrivilege",
 "SeRemoteShutdownPrivilege", "SeRestorePrivilege", "SeSecurityPrivilege", "SeShutdownPrivilege", "SeSyncAgentPrivilege",
 "SeSystemEnvironmentPrivilege", "SeSystemProfilePrivilege", "SeSystemtimePrivilege", "SeTakeOwnershipPrivilege", "SeTcbPrivilege",
 "SeTimeZonePrivilege", "SeTrustedCredManAccessPrivilege", "SeUndockPrivilege", "SeUnsolicitedInputPrivilege")]
 $Privilege,
 ## The process on which to adjust the privilege. Defaults to the current process.
 $ProcessId = $pid,
 ## Switch to disable the privilege, rather than enable it.
 [Switch] $Disable
 )
 ## Taken from P/Invoke.NET with minor adjustments.
 $definition = @'
 using System;
 using System.Runtime.InteropServices;
  
 public class AdjPriv
 {
  [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
  internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall,
   ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);
  
  [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
  internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);
  [DllImport("advapi32.dll", SetLastError = true)]
  internal static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);
  [StructLayout(LayoutKind.Sequential, Pack = 1)]
  internal struct TokPriv1Luid
  {
   public int Count;
   public long Luid;
   public int Attr;
  }
  
  internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
  internal const int SE_PRIVILEGE_DISABLED = 0x00000000;
  internal const int TOKEN_QUERY = 0x00000008;
  internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;
  public static bool EnablePrivilege(long processHandle, string privilege, bool disable)
  {
   bool retVal;
   TokPriv1Luid tp;
   IntPtr hproc = new IntPtr(processHandle);
   IntPtr htok = IntPtr.Zero;
   retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);
   tp.Count = 1;
   tp.Luid = 0;
   if(disable)
   {
    tp.Attr = SE_PRIVILEGE_DISABLED;
   }
   else
   {
    tp.Attr = SE_PRIVILEGE_ENABLED;
   }
   retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);
   retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
   return retVal;
  }
 }
'@
 $processHandle = (Get-Process -id $ProcessId).Handle
 $type = Add-Type $definition -PassThru
 $type[0]::EnablePrivilege($processHandle, $Privilege, $Disable)
}
#------------------------------------------------------------------------------------------------------------------------------------------------------
function Takeown-Registry($key) 
{ switch ($key.split('\')[0])
 { "HKEY_CLASSES_ROOT" 
  { $reg = [Microsoft.Win32.Registry]::ClassesRoot
   $key = $key.substring(18)
  }
        "HKEY_CURRENT_USER"
  { $reg = [Microsoft.Win32.Registry]::CurrentUser
   $key = $key.substring(18)
  }
  "HKEY_LOCAL_MACHINE"
  { $reg = [Microsoft.Win32.Registry]::LocalMachine
   $key = $key.substring(19)
  }
 }
 # take ownership
 $key = $reg.OpenSubKey($key, "ReadWriteSubTree", "TakeOwnership")
 $owner = [Security.Principal.NTAccount]"Administrators"
 $acl = $key.GetAccessControl()
 $acl.SetOwner($owner)
 $key.SetAccessControl($acl)
 # set FullControl
 $acl = $key.GetAccessControl()
 $rule = New-Object System.Security.AccessControl.RegistryAccessRule("Administrators", "FullControl", "Allow")
 $acl.SetAccessRule($rule)
 $key.SetAccessControl($acl)
 
 # reset owner
 $owner = [Security.Principal.NTAccount]"NT SERVICE\TrustedInstaller"
 $acl = $key.GetAccessControl()
 $acl.SetOwner($owner)
 $key.SetAccessControl($acl)
}
#------------------------------------------------------------------------------------------------------------------------------------------------------
# Grant authority to registry key
Write-Host; Write-Host "Elevating privileges for this process" -f yellow; Write-Host
do {$result = enable-privilege SeTakeOwnershipPrivilege } 
until ($result -eq $true)
do {$result = enable-privilege SeRestorePrivilege } 
until ($result -eq $true)
$key="HKEY_CLASSES_ROOT\AppID\{9CA88EE3-ACB7-47c8-AFC4-AB702511C276}"
Write-Host "Granting authority to $key"
Takeown-Registry($key)
$key="HKEY_CLASSES_ROOT\CLSID\{D63B10C5-BB46-4990-A94F-E40B9D520160}"
Write-Host "Granting authority to $key"
Takeown-Registry($key)
Write-Host; Write-Host "Done"; Write-Host

Cheers,

EDIT: @ Soyabeaner : The link does not work .

Joanne · 24 Feb 2018

@fdegrove

Can you please remind me:

- So, I just copy and paste all that code [from your post above] in an elevated CMD? Or in PowerShell?

?

And that's it, that is all I have to do?

?

Thank you

Soyabeaner · 24 Feb 2018

fdegrove said:

EDIT: @ Soyabeaner : The link does not work .

Thanks. Fixed. I prefer the old fashion, slow method. Funny how I had the errors back in the earliest builds, then the Anniversary Update fixed it for me, now it's back on Fall Creators Update.

fdegrove · 24 Feb 2018

Hi,

That code should be run in an elevated Powershell box, @ Joanne.
And yes, you can just copy the code and paste it into PS. Just press Enter and it will run. When finished restart your machine and the DCOM error should no longer occur for both the error IDs I mentioned above.
You probably only have error ID 10016 I guess.

Cheers,

Joanne · 24 Feb 2018

fdegrove said:

Hi,

That code should be run in an elevated Powershell box, @ Joanne.
And yes, you can just copy the code and paste it into PS. Just press Enter and it will run. When finished restart your machine and the DCOM error should no longer occur for both the error IDs I mentioned above.
You probably only have error ID 10016 I guess.

Cheers,

Yes, only 10016. I will clean my Event Viewer now, run all that code in an Elevated PowerShell, reboot (a couple of times), and I will report back.

Thank you.

fdegrove · 24 Feb 2018

Hi,

Soyabeaner said:

Thanks. Fixed. I prefer the old fashion, slow method. Funny how I had the errors back in the earliest builds, then the Anniversary Update fixed it for me, now it's back on Fall Creators Update.

Same thing for everyone I reckon.
The latest one (ID 10016) is a bit more complicated to fix manually as it involves lady Cortana (an app) but the PS script still does the trick.
Which is why I dug it up again.

Cheers,

Joanne · 24 Feb 2018

Ahh.... Unfortunately, it appeared again on my system...

It says:

The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D63B10C5-BB46-4990-A94F-E40B9D520160} and APPID {9CA88EE3-ACB7-47C8-AFC4-AB702511C276} to the user MYCOMPUTER\me SID (S-1-5-21-1426068633-1628407926-2868926636-1001) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.