Working in progress: powershell script to automatically fix DCOM errors which show up in the event log

readme.md

Error in the event viewer:

The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID 
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Steps to fix the issue: http://answers.microsoft.com/en-us/windows/forum/windows_8-performance/event-id-10016-the-application-specific-permission/9ff8796f-c352-4da2-9322-5fdf8a11c81e?auth=1

finderrors.ps1

# Get-EvengLog doesn't quite work I guess:
# https://stackoverflow.com/questions/31396903/get-eventlog-valid-message-missing-for-some-event-log-sources#
# Get-EventLog Application -EntryType Error -Source "DistributedCOM"
# The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
#$logs = Get-EventLog -LogName "System" -EntryType Error -Source "DCOM" -Newest 1 -Message "The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID*"
# 2 is error
# 3 is warning
$EVT_MSG = "The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID"
# Search for System event log ERROR entries starting with the specified EVT_MSG
$logEntry = Get-WinEvent -FilterHashTable @{LogName='System'; Level=2} | Where-Object { $_.Message -like "$EVT_MSG*" } | Select-Object -First 1
if ($logEntry -eq $null) {
    Write-Host "No event log entries found."
    exit 1
}

# Get CLSID and APPID from the event log entry
# which we'll use to look up keys in the registry
$CLSID = $logEntry.Properties[3].Value
Write-Host "CLSID is $CLSID"
$APPID = $logEntry.Properties[4].Value
Write-Host "APPID is $APPID"

fixerrors.ps1

# TODO: make these parameters?
$CLSID = "{D63B10C5-BB46-4990-A94F-E40B9D520160}"
$APPID = "{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}"

# To take ownership of a registry key:
# https://social.technet.microsoft.com/Forums/windowsserver/en-US/e718a560-2908-4b91-ad42-d392e7f8f1ad/take-ownership-of-a-registry-key-and-change-permissions?forum=winserverpowershell

# Originally from here maybe?
# http://www.leeholmes.com/blog/2010/09/24/adjusting-token-privileges-in-powershell/

# ************************* START enable-privilege
function enable-privilege {
 param(
  ## The privilege to adjust. This set is taken from
  ## http://msdn.microsoft.com/en-us/library/bb530716(VS.85).aspx
  [ValidateSet(
   "SeAssignPrimaryTokenPrivilege", "SeAuditPrivilege", "SeBackupPrivilege",
   "SeChangeNotifyPrivilege", "SeCreateGlobalPrivilege", "SeCreatePagefilePrivilege",
   "SeCreatePermanentPrivilege", "SeCreateSymbolicLinkPrivilege", "SeCreateTokenPrivilege",
   "SeDebugPrivilege", "SeEnableDelegationPrivilege", "SeImpersonatePrivilege", "SeIncreaseBasePriorityPrivilege",
   "SeIncreaseQuotaPrivilege", "SeIncreaseWorkingSetPrivilege", "SeLoadDriverPrivilege",
   "SeLockMemoryPrivilege", "SeMachineAccountPrivilege", "SeManageVolumePrivilege",
   "SeProfileSingleProcessPrivilege", "SeRelabelPrivilege", "SeRemoteShutdownPrivilege",
   "SeRestorePrivilege", "SeSecurityPrivilege", "SeShutdownPrivilege", "SeSyncAgentPrivilege",
   "SeSystemEnvironmentPrivilege", "SeSystemProfilePrivilege", "SeSystemtimePrivilege",
   "SeTakeOwnershipPrivilege", "SeTcbPrivilege", "SeTimeZonePrivilege", "SeTrustedCredManAccessPrivilege",
   "SeUndockPrivilege", "SeUnsolicitedInputPrivilege")]
  $Privilege,
  ## The process on which to adjust the privilege. Defaults to the current process.
  $ProcessId = $pid,
  ## Switch to disable the privilege, rather than enable it.
  [Switch] $Disable
 )

 ## Taken from P/Invoke.NET with minor adjustments.
 $definition = @'
 using System;
 using System.Runtime.InteropServices;
  
 public class AdjPriv
 {
  [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
  internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall,
   ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);
  
  [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
  internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);
  [DllImport("advapi32.dll", SetLastError = true)]
  internal static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);
  [StructLayout(LayoutKind.Sequential, Pack = 1)]
  internal struct TokPriv1Luid
  {
   public int Count;
   public long Luid;
   public int Attr;
  }
  
  internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
  internal const int SE_PRIVILEGE_DISABLED = 0x00000000;
  internal const int TOKEN_QUERY = 0x00000008;
  internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;
  public static bool EnablePrivilege(long processHandle, string privilege, bool disable)
  {
   bool retVal;
   TokPriv1Luid tp;
   IntPtr hproc = new IntPtr(processHandle);
   IntPtr htok = IntPtr.Zero;
   retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);
   tp.Count = 1;
   tp.Luid = 0;
   if(disable)
   {
    tp.Attr = SE_PRIVILEGE_DISABLED;
   }
   else
   {
    tp.Attr = SE_PRIVILEGE_ENABLED;
   }
   retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);
   retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
   return retVal;
  }
 }
'@

 $processHandle = (Get-Process -id $ProcessId).Handle
 $type = Add-Type $definition -PassThru
 $type[0]::EnablePrivilege($processHandle, $Privilege, $Disable)
}
# ************************* END enable-privilege

try {
    Write-Host "Script start"
    
    # Steps we are automating are listed here:
    # http://answers.microsoft.com/en-us/windows/forum/windows_8-performance/event-id-10016-the-application-specific-permission/9ff8796f-c352-4da2-9322-5fdf8a11c81e?auth=1

    # Adjust the permissions for these keys
    Write-Host "CLSID is $CLSID"
    Write-Host "APPID is $APPID"

    # to check your priviledges:
    # whoami /priv
    enable-privilege SeTakeOwnershipPrivilege
    enable-privilege SeRestorePrivilege
    # To change the owner you need SeRestorePrivilege
    # http://stackoverflow.com/questions/6622124/why-does-set-acl-on-the-drive-root-try-to-set-ownership-of-the-object
    $key = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey("CLSID\$CLSID",[Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,[System.Security.AccessControl.RegistryRights]::takeownership)

    if ($key -eq $null) {
        Write-Host "Unable to get registry key HKCR:\CLSID\$CLSID"
        exit 1
    }

    Write-Host "Opened registry key $($key.Name)"

    # You must get a blank acl for the key b/c you do not currently have access
    #$acl = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::None)
    #$me = [System.Security.Principal.NTAccount]"t-alien\tome"
    #$admin = [System.Security.Principal.NTAccount]"Administrator"
    #$acl.SetOwner($admin)
    #$key.SetAccessControl($acl)
    $cname = $env:computername
    $admin = [System.Security.Principal.NTAccount]"$cname\Administrator"
    Write-Host "Setting owner to $($admin.Value)"

    $acl = $key.GetAccessControl()
    $acl.SetOwner($admin)
    $key.SetAccessControl($acl)
    $key.Close()

    # After you have set owner you need to get the acl with the perms so you can modify it.
    
    #$rule = New-Object System.Security.AccessControl.RegistryAccessRule("Administrator","FullControl","Allow")
    #$acl.SetAccessRule($rule)
    #$key.SetAccessControl($acl)
} catch {
    $ErrorMessage = $_.Exception.Message
    $FailedItem = $_.Exception.ItemName
    Write-Host "Error running setDCOMpermissions"
    Write-Host $_.Exception|format-list
    exit 1
}


# Code originally from:
# https://social.technet.microsoft.com/Forums/systemcenter/en-US/dfc465bc-7bbd-483e-b98b-2ba56fa98313/the-applicationspecific-permission-settings-do-not-grant-local-launch-permission-for-the-com-server?forum=configmgrgeneral

#$CLSID = "{3f2db10f-6368-4702-a4b1-e5149d931371}"
# New-PSDrive Creates temporary and persistent mapped network drives.
#New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
#$key = Get-Item "HKCR:\CLSID\$CLSID\"
#$values = Get-ItemProperty $key.PSPath
#$values.'(default)'

#$key = Get-Item "HKCR:\AppID\$CLSID\"
#$values = Get-ItemProperty $key.PSPath
#$values.'(default)'
#Remove-PSDrive -Name  HKCR
Write-Host "Script complete"

If this works, you'll be FAMOUS, Kit!

Exhibit A: https://support.microsoft.com/en-us/help/4022522/dcom-event-id-10016-is-logged-in-windows-10-and-windows-server-2016

Cause
These 10016 events are recorded when Microsoft components tries to access DCOM components without the required permissions. In this case, this is expected and by design. A coding pattern has been implemented where the code first tries to access the DCOM components with one set of parameters. If the first attempt is unsuccessful, it tries again with another set of parameters. The reason why it does not skip the first attempt is because there are scenarios where it can succeed. In those scenarios, that is preferable.

Workaround
These events can be safely ignored because they do not adversely affect functionality and are by design. This is the recommend action for these events. If desired, advanced users and IT professionals can suppress these events from view in the Event Viewer by creating a filter and manually editing the filter’s XML query

I thought this was a wonderful idea. Combined both parts into a single script that would fix all of them at once.

Pasting the code here was ugly, so here's a link where you can get it., Use at your own risk.
https://cloud.gci.org/files/FixDCOMErrors.ps1

@BBB771 ,
Many of us are experiencing total system freeze ups that coincide precisely with those DCom Errors. the freeze ups on my system can range from 30 seconds to 5 minutes and sometimes not unfreeze at all requiring a Hard Reset.

When using Intel Hardware Acceleration (QSV) for encoding and decoding, this error occurs. Each time I view a video my laptop gets random black screens for a second.

I had so really hoped this would work. Unfortunately :( maybe something to do with permissions or UEV?
I'll check this post every now and then, hoping for a solution. Until then, I guess i have to fix it manually :) http://www.itexperience.net/event-id-10016-fix-the-application-specific-permission-settings-do-not-grant-local-activation-permission-for-the-com-server-application-with-clsid/

You can make this easier if you download and install SetACL. Install both 32 and 64 in system32 and SysWOW64 respectively. Use SetACL to modify the registry. You can also set them back to TrustedInstaller when changes are complete. Then the task is the DCOM modifications.

For language independent administrators group replace

$admin = [System.Security.Principal.NTAccount]"$cname\Administrator"

with

$admin = New-Object System.Security.Principal.NTAccount(Get-LocalGroup -SID S-1-5-32-544)

A proper working automated script https://github.com/Simbiat/Anti10016