Skip to content

Instantly share code, notes, and snippets.

@kitmenke
Created August 1, 2016 02:45
Show Gist options
  • Save kitmenke/3213d58ffd60ae9873ca466f143945f4 to your computer and use it in GitHub Desktop.
Save kitmenke/3213d58ffd60ae9873ca466f143945f4 to your computer and use it in GitHub Desktop.
Working in progress: powershell script to automatically fix DCOM errors which show up in the event log

Error in the event viewer:

The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID 
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Steps to fix the issue: http://answers.microsoft.com/en-us/windows/forum/windows_8-performance/event-id-10016-the-application-specific-permission/9ff8796f-c352-4da2-9322-5fdf8a11c81e?auth=1

# Get-EvengLog doesn't quite work I guess:
# https://stackoverflow.com/questions/31396903/get-eventlog-valid-message-missing-for-some-event-log-sources#
# Get-EventLog Application -EntryType Error -Source "DistributedCOM"
# The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
#$logs = Get-EventLog -LogName "System" -EntryType Error -Source "DCOM" -Newest 1 -Message "The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID*"
# 2 is error
# 3 is warning
$EVT_MSG = "The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID"
# Search for System event log ERROR entries starting with the specified EVT_MSG
$logEntry = Get-WinEvent -FilterHashTable @{LogName='System'; Level=2} | Where-Object { $_.Message -like "$EVT_MSG*" } | Select-Object -First 1
if ($logEntry -eq $null) {
Write-Host "No event log entries found."
exit 1
}
# Get CLSID and APPID from the event log entry
# which we'll use to look up keys in the registry
$CLSID = $logEntry.Properties[3].Value
Write-Host "CLSID is $CLSID"
$APPID = $logEntry.Properties[4].Value
Write-Host "APPID is $APPID"
# TODO: make these parameters?
$CLSID = "{D63B10C5-BB46-4990-A94F-E40B9D520160}"
$APPID = "{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}"
# To take ownership of a registry key:
# https://social.technet.microsoft.com/Forums/windowsserver/en-US/e718a560-2908-4b91-ad42-d392e7f8f1ad/take-ownership-of-a-registry-key-and-change-permissions?forum=winserverpowershell
# Originally from here maybe?
# http://www.leeholmes.com/blog/2010/09/24/adjusting-token-privileges-in-powershell/
# ************************* START enable-privilege
function enable-privilege {
param(
## The privilege to adjust. This set is taken from
## http://msdn.microsoft.com/en-us/library/bb530716(VS.85).aspx
[ValidateSet(
"SeAssignPrimaryTokenPrivilege", "SeAuditPrivilege", "SeBackupPrivilege",
"SeChangeNotifyPrivilege", "SeCreateGlobalPrivilege", "SeCreatePagefilePrivilege",
"SeCreatePermanentPrivilege", "SeCreateSymbolicLinkPrivilege", "SeCreateTokenPrivilege",
"SeDebugPrivilege", "SeEnableDelegationPrivilege", "SeImpersonatePrivilege", "SeIncreaseBasePriorityPrivilege",
"SeIncreaseQuotaPrivilege", "SeIncreaseWorkingSetPrivilege", "SeLoadDriverPrivilege",
"SeLockMemoryPrivilege", "SeMachineAccountPrivilege", "SeManageVolumePrivilege",
"SeProfileSingleProcessPrivilege", "SeRelabelPrivilege", "SeRemoteShutdownPrivilege",
"SeRestorePrivilege", "SeSecurityPrivilege", "SeShutdownPrivilege", "SeSyncAgentPrivilege",
"SeSystemEnvironmentPrivilege", "SeSystemProfilePrivilege", "SeSystemtimePrivilege",
"SeTakeOwnershipPrivilege", "SeTcbPrivilege", "SeTimeZonePrivilege", "SeTrustedCredManAccessPrivilege",
"SeUndockPrivilege", "SeUnsolicitedInputPrivilege")]
$Privilege,
## The process on which to adjust the privilege. Defaults to the current process.
$ProcessId = $pid,
## Switch to disable the privilege, rather than enable it.
[Switch] $Disable
)
## Taken from P/Invoke.NET with minor adjustments.
$definition = @'
using System;
using System.Runtime.InteropServices;
public class AdjPriv
{
[DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall,
ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);
[DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);
[DllImport("advapi32.dll", SetLastError = true)]
internal static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);
[StructLayout(LayoutKind.Sequential, Pack = 1)]
internal struct TokPriv1Luid
{
public int Count;
public long Luid;
public int Attr;
}
internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
internal const int SE_PRIVILEGE_DISABLED = 0x00000000;
internal const int TOKEN_QUERY = 0x00000008;
internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;
public static bool EnablePrivilege(long processHandle, string privilege, bool disable)
{
bool retVal;
TokPriv1Luid tp;
IntPtr hproc = new IntPtr(processHandle);
IntPtr htok = IntPtr.Zero;
retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);
tp.Count = 1;
tp.Luid = 0;
if(disable)
{
tp.Attr = SE_PRIVILEGE_DISABLED;
}
else
{
tp.Attr = SE_PRIVILEGE_ENABLED;
}
retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);
retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
return retVal;
}
}
'@
$processHandle = (Get-Process -id $ProcessId).Handle
$type = Add-Type $definition -PassThru
$type[0]::EnablePrivilege($processHandle, $Privilege, $Disable)
}
# ************************* END enable-privilege
try {
Write-Host "Script start"
# Steps we are automating are listed here:
# http://answers.microsoft.com/en-us/windows/forum/windows_8-performance/event-id-10016-the-application-specific-permission/9ff8796f-c352-4da2-9322-5fdf8a11c81e?auth=1
# Adjust the permissions for these keys
Write-Host "CLSID is $CLSID"
Write-Host "APPID is $APPID"
# to check your priviledges:
# whoami /priv
enable-privilege SeTakeOwnershipPrivilege
enable-privilege SeRestorePrivilege
# To change the owner you need SeRestorePrivilege
# http://stackoverflow.com/questions/6622124/why-does-set-acl-on-the-drive-root-try-to-set-ownership-of-the-object
$key = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey("CLSID\$CLSID",[Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,[System.Security.AccessControl.RegistryRights]::takeownership)
if ($key -eq $null) {
Write-Host "Unable to get registry key HKCR:\CLSID\$CLSID"
exit 1
}
Write-Host "Opened registry key $($key.Name)"
# You must get a blank acl for the key b/c you do not currently have access
#$acl = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::None)
#$me = [System.Security.Principal.NTAccount]"t-alien\tome"
#$admin = [System.Security.Principal.NTAccount]"Administrator"
#$acl.SetOwner($admin)
#$key.SetAccessControl($acl)
$cname = $env:computername
$admin = [System.Security.Principal.NTAccount]"$cname\Administrator"
Write-Host "Setting owner to $($admin.Value)"
$acl = $key.GetAccessControl()
$acl.SetOwner($admin)
$key.SetAccessControl($acl)
$key.Close()
# After you have set owner you need to get the acl with the perms so you can modify it.
#$rule = New-Object System.Security.AccessControl.RegistryAccessRule("Administrator","FullControl","Allow")
#$acl.SetAccessRule($rule)
#$key.SetAccessControl($acl)
} catch {
$ErrorMessage = $_.Exception.Message
$FailedItem = $_.Exception.ItemName
Write-Host "Error running setDCOMpermissions"
Write-Host $_.Exception|format-list
exit 1
}
# Code originally from:
# https://social.technet.microsoft.com/Forums/systemcenter/en-US/dfc465bc-7bbd-483e-b98b-2ba56fa98313/the-applicationspecific-permission-settings-do-not-grant-local-launch-permission-for-the-com-server?forum=configmgrgeneral
#$CLSID = "{3f2db10f-6368-4702-a4b1-e5149d931371}"
# New-PSDrive Creates temporary and persistent mapped network drives.
#New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
#$key = Get-Item "HKCR:\CLSID\$CLSID\"
#$values = Get-ItemProperty $key.PSPath
#$values.'(default)'
#$key = Get-Item "HKCR:\AppID\$CLSID\"
#$values = Get-ItemProperty $key.PSPath
#$values.'(default)'
#Remove-PSDrive -Name HKCR
Write-Host "Script complete"
@TheRealKnurft
Copy link

TheRealKnurft commented Dec 14, 2018

I had so really hoped this would work. Unfortunately :( maybe something to do with permissions or UEV?
I'll check this post every now and then, hoping for a solution. Until then, I guess i have to fix it manually :) http://www.itexperience.net/event-id-10016-fix-the-application-specific-permission-settings-do-not-grant-local-activation-permission-for-the-com-server-application-with-clsid/

@jacknickles
Copy link

You can make this easier if you download and install SetACL. Install both 32 and 64 in system32 and SysWOW64 respectively. Use SetACL to modify the registry. You can also set them back to TrustedInstaller when changes are complete. Then the task is the DCOM modifications.

@Simbiat
Copy link

Simbiat commented Aug 2, 2021

For language independent administrators group replace

$admin = [System.Security.Principal.NTAccount]"$cname\Administrator"

with

$admin = New-Object System.Security.Principal.NTAccount(Get-LocalGroup -SID S-1-5-32-544)

@Simbiat
Copy link

Simbiat commented Aug 3, 2021

A proper working automated script https://github.com/Simbiat/Anti10016

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment