How to fix DCOM Event ID 10016 error on Windows 10
In today’s post, we will identify the cause and then provide the possible solutions to the issue of DCOM (DistributedCOM) Event ID 10016 error that might show up in the Windows event viewer in the course of normal operations of Windows 10.
The Distributed Component Object Model (DCOM) is an integral aspect of networked communication on Windows computers. It is a proprietary Microsoft technology that whirs into action every time an application makes a connection to the internet. A traditional COM can only access information on the same machine, whereas DCOM can access data on remote servers.
For example, many websites and services use scripts that access a remote server. When your system makes a request using a script or otherwise, DCOM forwards the request to the specific script object. Given how frequently modern applications use a network connection and our general use of computers, you can see how frequently DCOM comes into use.
DCOM Event ID 10016 error
You may notice the below event 10016 logged in the system event logs on a computer that is running Windows 10, Windows Server 2016, Windows Server 2019, Windows Server, version 1903 or Windows Server 1909:
Source: Microsoft-Windows-DistributedCOM
Event ID: 10016
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D63B10C5-BB46-4990-A94F-E40B9D520160} and APPID {9CA88EE3-ACB7-47C8-AFC4-AB702511C276} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
Typically, you’ll encounter the above error logged in the event viewer. However, it’s noteworthy that there are variations of the Event ID 10016 error. Nevertheless, the procedure to mitigate the error is essentially the same.
A DCOM error usually occurs when an application or service attempts to use DCOM but does not have the proper permissions. Most of the time, DCOM errors won’t affect your system, other than clogging up your Event Viewer. These 10016 events are recorded when Microsoft components try to access DCOM components without the required permissions. In this case, this is expected and by design.
DCOM errors are nothing to worry about – you can safely ignore them. However, there are procedures you can follow to resolve the event ID 10016 error whenever it occurs.
How to resolve DCOM event ID 10016 error
To resolve this issue, Microsoft suggests creating an XML filter to suppress the DCOM event ID 10016 error.
Here’s how:
- Open Event Viewer (Press Windows key + R. In the Run dialog box, type eventvwr and hit Enter).
- Click Windows Logs > System.
- Click Filter current log under the Action pane.
- Select the XML tab and check the Edit query manually option.
- Copy and paste the following XML text to the filter dialog.
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*</Select>
    <Suppress Path="System">
      *[System[(EventID=10016)]]
      and
      *[EventData[
        (
          Data[@Name='param4'] and Data='{D63B10C5-BB46-4990-A94F-E40B9D520160}' and
          Data[@Name='param5'] and Data='{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}' and
          Data[@Name='param8'] and Data='S-1-5-18'
        )
        or
        (
          Data[@Name='param4'] and Data='{260EB9DE-5CBE-4BFF-A99A-3710AF55BF1E}' and
          Data[@Name='param5'] and Data='{260EB9DE-5CBE-4BFF-A99A-3710AF55BF1E}'
        )
        or
        (
          Data[@Name='param4'] and Data='{C2F03A33-21F5-47FA-B4BB-156362A2F239}' and
          Data[@Name='param5'] and Data='{316CDED5-E4AE-4B15-9113-7055D84DCC97}' and
          Data[@Name='param8'] and Data='S-1-5-19'
        )
        or
        (
          Data[@Name='param4'] and Data='{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}' and
          Data[@Name='param5'] and Data='{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}' and
          Data[@Name='param8'] and Data='S-1-5-19'
        )
      ]]
    </Suppress>
  </Query>
</QueryList>
In this query, param4 corresponds to the COM Server application CLSID, param5 corresponds to the APPID, and param8 corresponds to the security context SID, all of which are recorded in the 10016 event logs.
The DCOM error entries with the Event ID 10016 are now hidden from view.
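Before hiding these events, it helps to know which CLSID/APPID/SID combinations the machine is actually logging and whether the filter covers them. The following PowerShell is an added example, not part of the original article or Microsoft's guidance; the function names and the sample events are constructed for illustration, and the tuples are copied from the filter above.

```powershell
# Added example: tally 10016 events by (CLSID, APPID, SID) and flag the
# combinations that the suppression filter on this page does not cover.
$KnownTuples = @(   # copied from the filter above; '*' = filter names no SID
    '{D63B10C5-BB46-4990-A94F-E40B9D520160}|{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}|S-1-5-18'
    '{260EB9DE-5CBE-4BFF-A99A-3710AF55BF1E}|{260EB9DE-5CBE-4BFF-A99A-3710AF55BF1E}|*'
    '{C2F03A33-21F5-47FA-B4BB-156362A2F239}|{316CDED5-E4AE-4B15-9113-7055D84DCC97}|S-1-5-19'
    '{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}|{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}|S-1-5-19'
)

function Get-Dcom10016Summary {   # hypothetical helper name
    param([Parameter(Mandatory)][string[]]$EventXml)
    $rows = foreach ($x in $EventXml) {
        $p = @{}
        foreach ($d in ([xml]$x).Event.EventData.Data) {
            $p[$d.GetAttribute('Name')] = $d.InnerText
        }
        # Each value is read from its own named field: param4 = CLSID,
        # param5 = APPID, param8 = SID. -contains ignores GUID letter case.
        $clsid = $p['param4']; $appid = $p['param5']; $sid = $p['param8']
        $covered = ($KnownTuples -contains "$clsid|$appid|$sid") -or
                   ($KnownTuples -contains "$clsid|$appid|*")
        [pscustomobject]@{ CLSID = $clsid; APPID = $appid; SID = $sid; Covered = $covered }
    }
    $rows | Group-Object CLSID, APPID, SID, Covered |
        Select-Object Count, Name | Sort-Object Count -Descending
}

# Constructed sample events (only the fields used here), so this runs offline.
function New-SampleEvent($clsid, $appid, $sid) {
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><EventData>" +
    "<Data Name='param4'>$clsid</Data><Data Name='param5'>$appid</Data>" +
    "<Data Name='param8'>$sid</Data></EventData></Event>"
}
$sample = @(
    New-SampleEvent '{D63B10C5-BB46-4990-A94F-E40B9D520160}' '{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}' 'S-1-5-18'
    New-SampleEvent '{00000000-0000-0000-0000-000000000001}' '{00000000-0000-0000-0000-000000000002}' 'S-1-5-21-0-0-0-1001'
)
Get-Dcom10016Summary -EventXml $sample

# Live System log instead of the sample:
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 10016
#     ProviderName = 'Microsoft-Windows-DistributedCOM' } -ErrorAction SilentlyContinue |
#     ForEach-Object { $_.ToXml() }
# if ($live) { Get-Dcom10016Summary -EventXml $live }
```

Rows whose group name ends in False are combinations the filter does not list, so they stay visible after the filter is applied and are the ones worth reading.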
Alternatively, you can fix the DCOM permissions issue using Registry Editor and the DCOM Config tool.
Here’s how:
The fix involves a registry tweak – so as a precautionary measure, it’s recommended that you back up the registry or create a system restore point.
To prevent the events from being logged, follow these steps to grant permission to the DCOM components that have specific CLSIDs and APPIDs.
First, you’ll need to figure out which process or service is associated with the CLASS ID listed in the error. To do this, copy the CLSID listed in the event description. In this case, it is {D63B10C5-BB46-4990-A94F-E40B9D520160}. Make sure to copy both curly braces as well.
Now, launch Registry Editor. When you have the registry editor opened, click on Edit and then Find. Go ahead and paste the CLSID into the search box and hit Enter.
The registry will now initiate a search. After some time, you should get a result under the HKEY_CLASSES_ROOT\CLSID key. In the right-hand pane, there should be two values, and the Default one should list the name of the service. In this case, it should be RuntimeBroker.
Now that you have identified the process, you can proceed as follows to fix the error.
- Still in Registry Editor, navigate to the following AppID key associated with RuntimeBroker:
HKEY_CLASSES_ROOT\AppID\{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
By default, TrustedInstaller owns this registry key and its subkeys. Set Administrators as the owner of the key and its subkeys. See how to take ownership of registry keys for more information.
- After setting Administrators as the owner, grant the Administrators group and the SYSTEM account Full Control permission for the key and subkeys.
- Exit the Registry Editor.
Next, start the DCOM Configuration tool (press Windows key + R. In the Run dialog box, type dcomcnfg.exe and hit Enter).
- Click Component Services > Computers > My Computer > DCOM Config.
- Right-click the application that corresponds to the AppID that’s recorded in the event log, and then select Properties.
The application name in this example is RuntimeBroker, which we identified earlier. If the DCOM Config tool lists two RuntimeBroker entries, find the right one by right-clicking an entry, clicking Properties, and matching its App ID with the one in the registry.
- Select the Security tab.
- Under Launch and Activation Permissions, select Customize, and click Edit.
If the Edit button is grayed out on the RuntimeBroker application Properties page in DCOM Config, you’ll need to verify the AppID registry key permissions.
- Under Group or user names, select Add.
- Enter the group or user name that’s recorded in the event log. For example, the account recorded in the log may be NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\SYSTEM, or some other group or account.
- Click OK.
- Assign Local Activation permission for that user or group you added, and complete the process.
This procedure prevents Event ID 10016 errors relating to DCOM permissions from being logged.
Note: Microsoft does not recommend the method of modifying the permissions on DCOM components to prevent this error from being logged because these errors do not adversely affect the functionality and modifying the permissions can have unintended side effects.
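To see which accounts already hold Local Activation on an AppID before, or instead of, changing anything, the launch ACL can be read without modifying it. This PowerShell is an added example, not part of the original article; the function names are hypothetical and the sample descriptor is constructed to mirror the logged case.

```powershell
# Added example: list the accounts in a COM launch ACL and whether each one
# holds Local Activation. Read-only; nothing is written to the registry.
# COM access-mask bits as defined in the Windows SDK (COM_RIGHTS_*).
$ComRights = [ordered]@{
    Execute = 1; ExecuteLocal = 2; ExecuteRemote = 4
    ActivateLocal = 8; ActivateRemote = 16
}

function Get-ComLaunchAce {   # hypothetical helper name
    param([Parameter(Mandatory)]
          [System.Security.AccessControl.RawSecurityDescriptor]$Descriptor)
    foreach ($ace in $Descriptor.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        $names = $ComRights.Keys | Where-Object { $ace.AccessMask -band $ComRights[$_] }
        [pscustomobject]@{
            Sid             = $ace.SecurityIdentifier.Value
            Type            = $ace.AceType
            Rights          = $names -join ','
            LocalActivation = [bool]($ace.AccessMask -band $ComRights.ActivateLocal)
        }
    }
}

function Get-AppIdLaunchDescriptor {   # hypothetical helper name
    # Reads the LaunchPermission value under HKEY_CLASSES_ROOT\AppID\<AppId>.
    param([Parameter(Mandatory)][string]$AppId)
    $key = "Registry::HKEY_CLASSES_ROOT\AppID\$AppId"
    $bytes = (Get-ItemProperty -LiteralPath $key -ErrorAction Stop).LaunchPermission
    if (-not $bytes) { return $null }   # no custom ACL stored for this AppID
    [System.Security.AccessControl.RawSecurityDescriptor]::new($bytes, 0)
}

# Constructed SDDL mirroring the event text: SYSTEM (SY) has CC|DC = 0x3 and so
# lacks Local Activation (SW = 0x8); Administrators (BA) have CC|DC|SW = 0xB.
$sample = [System.Security.AccessControl.RawSecurityDescriptor]::new(
    'O:BAG:BAD:(A;;CCDC;;;SY)(A;;CCDCSW;;;BA)')
Get-ComLaunchAce -Descriptor $sample | Format-Table

# Live check for the AppID from the event on this page:
# $sd = Get-AppIdLaunchDescriptor '{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}'
# if ($sd) { Get-ComLaunchAce -Descriptor $sd | Format-Table }
```

Saving this output before and after a change made in DCOM Config gives a record of exactly which access was added, which makes the change easy to review or roll back.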
Hope this helps!