Working in progress: powershell script to automatically fix DCOM errors which show up in the event log

readme.md

Error in the event viewer:

The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID 
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Steps to fix the issue: http://answers.microsoft.com/en-us/windows/forum/windows_8-performance/event-id-10016-the-application-specific-permission/9ff8796f-c352-4da2-9322-5fdf8a11c81e?auth=1

finderrors.ps1

# Get-EvengLog doesn't quite work I guess:
# https://stackoverflow.com/questions/31396903/get-eventlog-valid-message-missing-for-some-event-log-sources#
# Get-EventLog Application -EntryType Error -Source "DistributedCOM"
# The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
#$logs = Get-EventLog -LogName "System" -EntryType Error -Source "DCOM" -Newest 1 -Message "The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID*"
# 2 is error
# 3 is warning
$EVT_MSG = "The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID"
# Search for System event log ERROR entries starting with the specified EVT_MSG
$logEntry = Get-WinEvent -FilterHashTable @{LogName='System'; Level=2} | Where-Object { $_.Message -like "$EVT_MSG*" } | Select-Object -First 1
if ($logEntry -eq $null) {
    Write-Host "No event log entries found."
    exit 1
}

# Get CLSID and APPID from the event log entry
# which we'll use to look up keys in the registry
$CLSID = $logEntry.Properties[3].Value
Write-Host "CLSID is $CLSID"
$APPID = $logEntry.Properties[4].Value
Write-Host "APPID is $APPID"

fixerrors.ps1

# TODO: make these parameters?
$CLSID = "{D63B10C5-BB46-4990-A94F-E40B9D520160}"
$APPID = "{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}"

# To take ownership of a registry key:
# https://social.technet.microsoft.com/Forums/windowsserver/en-US/e718a560-2908-4b91-ad42-d392e7f8f1ad/take-ownership-of-a-registry-key-and-change-permissions?forum=winserverpowershell

# Originally from here maybe?
# http://www.leeholmes.com/blog/2010/09/24/adjusting-token-privileges-in-powershell/

# ************************* START enable-privilege
function enable-privilege {
 param(
  ## The privilege to adjust. This set is taken from
  ## http://msdn.microsoft.com/en-us/library/bb530716(VS.85).aspx
  [ValidateSet(
   "SeAssignPrimaryTokenPrivilege", "SeAuditPrivilege", "SeBackupPrivilege",
   "SeChangeNotifyPrivilege", "SeCreateGlobalPrivilege", "SeCreatePagefilePrivilege",
   "SeCreatePermanentPrivilege", "SeCreateSymbolicLinkPrivilege", "SeCreateTokenPrivilege",
   "SeDebugPrivilege", "SeEnableDelegationPrivilege", "SeImpersonatePrivilege", "SeIncreaseBasePriorityPrivilege",
   "SeIncreaseQuotaPrivilege", "SeIncreaseWorkingSetPrivilege", "SeLoadDriverPrivilege",
   "SeLockMemoryPrivilege", "SeMachineAccountPrivilege", "SeManageVolumePrivilege",
   "SeProfileSingleProcessPrivilege", "SeRelabelPrivilege", "SeRemoteShutdownPrivilege",
   "SeRestorePrivilege", "SeSecurityPrivilege", "SeShutdownPrivilege", "SeSyncAgentPrivilege",
   "SeSystemEnvironmentPrivilege", "SeSystemProfilePrivilege", "SeSystemtimePrivilege",
   "SeTakeOwnershipPrivilege", "SeTcbPrivilege", "SeTimeZonePrivilege", "SeTrustedCredManAccessPrivilege",
   "SeUndockPrivilege", "SeUnsolicitedInputPrivilege")]
  $Privilege,
  ## The process on which to adjust the privilege. Defaults to the current process.
  $ProcessId = $pid,
  ## Switch to disable the privilege, rather than enable it.
  [Switch] $Disable
 )

 ## Taken from P/Invoke.NET with minor adjustments.
 $definition = @'
 using System;
 using System.Runtime.InteropServices;
  
 public class AdjPriv
 {
  [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
  internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall,
   ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);
  
  [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
  internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);
  [DllImport("advapi32.dll", SetLastError = true)]
  internal static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);
  [StructLayout(LayoutKind.Sequential, Pack = 1)]
  internal struct TokPriv1Luid
  {
   public int Count;
   public long Luid;
   public int Attr;
  }
  
  internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
  internal const int SE_PRIVILEGE_DISABLED = 0x00000000;
  internal const int TOKEN_QUERY = 0x00000008;
  internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;
  public static bool EnablePrivilege(long processHandle, string privilege, bool disable)
  {
   bool retVal;
   TokPriv1Luid tp;
   IntPtr hproc = new IntPtr(processHandle);
   IntPtr htok = IntPtr.Zero;
   retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);
   tp.Count = 1;
   tp.Luid = 0;
   if(disable)
   {
    tp.Attr = SE_PRIVILEGE_DISABLED;
   }
   else
   {
    tp.Attr = SE_PRIVILEGE_ENABLED;
   }
   retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);
   retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
   return retVal;
  }
 }
'@

 $processHandle = (Get-Process -id $ProcessId).Handle
 $type = Add-Type $definition -PassThru
 $type[0]::EnablePrivilege($processHandle, $Privilege, $Disable)
}
# ************************* END enable-privilege

try {
    Write-Host "Script start"
    
    # Steps we are automating are listed here:
    # http://answers.microsoft.com/en-us/windows/forum/windows_8-performance/event-id-10016-the-application-specific-permission/9ff8796f-c352-4da2-9322-5fdf8a11c81e?auth=1

    # Adjust the permissions for these keys
    Write-Host "CLSID is $CLSID"
    Write-Host "APPID is $APPID"

    # to check your priviledges:
    # whoami /priv
    enable-privilege SeTakeOwnershipPrivilege
    enable-privilege SeRestorePrivilege
    # To change the owner you need SeRestorePrivilege
    # http://stackoverflow.com/questions/6622124/why-does-set-acl-on-the-drive-root-try-to-set-ownership-of-the-object
    $key = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey("CLSID\$CLSID",[Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,[System.Security.AccessControl.RegistryRights]::takeownership)

    if ($key -eq $null) {
        Write-Host "Unable to get registry key HKCR:\CLSID\$CLSID"
        exit 1
    }

    Write-Host "Opened registry key $($key.Name)"

    # You must get a blank acl for the key b/c you do not currently have access
    #$acl = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::None)
    #$me = [System.Security.Principal.NTAccount]"t-alien\tome"
    #$admin = [System.Security.Principal.NTAccount]"Administrator"
    #$acl.SetOwner($admin)
    #$key.SetAccessControl($acl)
    $cname = $env:computername
    $admin = [System.Security.Principal.NTAccount]"$cname\Administrator"
    Write-Host "Setting owner to $($admin.Value)"

    $acl = $key.GetAccessControl()
    $acl.SetOwner($admin)
    $key.SetAccessControl($acl)
    $key.Close()

    # After you have set owner you need to get the acl with the perms so you can modify it.
    
    #$rule = New-Object System.Security.AccessControl.RegistryAccessRule("Administrator","FullControl","Allow")
    #$acl.SetAccessRule($rule)
    #$key.SetAccessControl($acl)
} catch {
    $ErrorMessage = $_.Exception.Message
    $FailedItem = $_.Exception.ItemName
    Write-Host "Error running setDCOMpermissions"
    Write-Host $_.Exception|format-list
    exit 1
}


# Code originally from:
# https://social.technet.microsoft.com/Forums/systemcenter/en-US/dfc465bc-7bbd-483e-b98b-2ba56fa98313/the-applicationspecific-permission-settings-do-not-grant-local-launch-permission-for-the-com-server?forum=configmgrgeneral

#$CLSID = "{3f2db10f-6368-4702-a4b1-e5149d931371}"
# New-PSDrive Creates temporary and persistent mapped network drives.
#New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
#$key = Get-Item "HKCR:\CLSID\$CLSID\"
#$values = Get-ItemProperty $key.PSPath
#$values.'(default)'

#$key = Get-Item "HKCR:\AppID\$CLSID\"
#$values = Get-ItemProperty $key.PSPath
#$values.'(default)'
#Remove-PSDrive -Name  HKCR
Write-Host "Script complete"

@BBB771 ,
Many of us are experiencing total system freeze ups that coincide precisely with those DCom Errors. the freeze ups on my system can range from 30 seconds to 5 minutes and sometimes not unfreeze at all requiring a Hard Reset.

When using Intel Hardware Acceleration (QSV) for encoding and decoding, this error occurs. Each time I view a video my laptop gets random black screens for a second.

I had so really hoped this would work. Unfortunately :( maybe something to do with permissions or UEV?
I'll check this post every now and then, hoping for a solution. Until then, I guess i have to fix it manually :) http://www.itexperience.net/event-id-10016-fix-the-application-specific-permission-settings-do-not-grant-local-activation-permission-for-the-com-server-application-with-clsid/

You can make this easier if you download and install SetACL. Install both 32 and 64 in system32 and SysWOW64 respectively. Use SetACL to modify the registry. You can also set them back to TrustedInstaller when changes are complete. Then the task is the DCOM modifications.

For language independent administrators group replace

$admin = [System.Security.Principal.NTAccount]"$cname\Administrator"

with

$admin = New-Object System.Security.Principal.NTAccount(Get-LocalGroup -SID S-1-5-32-544)

A proper working automated script https://github.com/Simbiat/Anti10016