Application-specific Permission Settings
On a Windows 10 Pro system with all the latest patches I'm getting a lot of errors with Event Id 10016. An example:
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D63B10C5-BB46-4990-A94F-E40B9D520160} and APPID {9CA88EE3-ACB7-47C8-AFC4-AB702511C276} to the user COLOSSUS\Slacker SID (S-1-5-21-550145320-736483266-2972815005-1001) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
I've come across advice that directs me to use regedit to change the permissions on the items with corresponding keys. When I try to do that, I'm denied the ability to make changes.
Also, the permissions dialog has an entry I've never seen before when it comes up, listing an "Account Unknown(S-1-15-3...
". I can't remove that account, either.
Question: How do I go about changing the permissions to eliminate the 10016 errors, or is it okay to ignore them?
Note: I don't remember seeing them crop up until relatively recently (e.g., perhaps after the Spring 2018 update).
As per Microsoft, you should just ignore these 10016 Event IDs and it is not recommended to try to fix through manipulating security of objects and such to circumvent as these occur by design. In the Workaround section there's an XML filtering query method for advanced users to suppress.
Safely Ignore these Event IDs 10016
The specific points and to those points per the vendor Microsoft for the 10016 Event ID. . .
"These events can be safely ignored because they do not adversely affect functionality and are by design. This is the recommend action for these events."
"You can also work around this issue by modifying the permissions on DCOM components to prevent this error from being logged. However, we do not recommend this method because these errors do not adversely affect functionality and modifying the permissions can have unintended side effects."
DCOM event ID 10016 is logged in Windows
Symptoms
Applies to: Windows 10, version 1909 Windows Server, version 1909 (Datacenter, Standard) Windows 10, version 1903 Windows Server, version 1903 Windows 10, version 1809 Windows Server 2019, all versions Windows Server version 1803 Windows 10, version 1803 Windows 10, version 1709 Windows 10, version 1703 Windows 10, version 1607 Windows Server 2016 Standard Windows Server 2016 Datacenter Windows Server 2016 Standard edition Nano Server installation option Windows Server 2016 Datacenter edition Nano Server installation option Windows Server 2016 Essentials
Application-specific Permission Settings Related Events
Source: Microsoft-Windows-DistributedCOM Event ID: 10016 Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D63B10C5-BB46-4990-A94F-E40B9D520160} and APPID {9CA88EE3-ACB7-47C8-AFC4-AB702511C276} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {260EB9DE-5CBE-4BFF-A99A-3710AF55BF1E} and APPID {260EB9DE-5CBE-4BFF-A99A-3710AF55BF1E} to the user machine\user SID (S-1-5-21-xxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxxx) from address LocalHost (using LRPC) running in the application container Microsoft.Windows.ShellExperienceHost_10.0.14393.726_neutral_neutral_cw5n1h2txyewy SID (S-1-15-2-xxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx). This security permission can be modified using the Component Services administrative tool.
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {6B3B8D23-FA8D-40B9-8DBD-B950333E2C52} and APPID {4839DDB7-58C2-48F5-8283-E1D1807D0D7D} to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
Cause
These 10016 events are recorded when Microsoft components tries to access DCOM components without the required permissions. In this case, this is expected and by design.
A coding pattern has been implemented where the code first tries to access the DCOM components with one set of parameters. If the first attempt is unsuccessful, it tries again with another set of parameters. The reason why it does not skip the first attempt is because there are scenarios where it can succeed. In those scenarios, that is preferable.
Workaround
These events can be safely ignored because they do not adversely affect functionality and are by design. This is the recommend action for these events.
If desired, advanced users and IT professionals can suppress these events from view in the Event Viewer by creating a filter and manually editing the filter’s XML query similar to the following:
<QueryList> <Query Id="0" Path="System"> <Select Path="System">*</Select> <Suppress Path="System"> *[System[(EventID=10016)]] and *[EventData[ ( Data[@Name='param4'] and Data='{D63B10C5-BB46-4990-A94F-E40B9D520160}' and Data[@Name='param5'] and Data='{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}' ) or ( Data[@Name='param4'] and Data='{260EB9DE-5CBE-4BFF-A99A-3710AF55BF1E}' and Data[@Name='param5'] and Data='{260EB9DE-5CBE-4BFF-A99A-3710AF55BF1E}' ) or ( Data[@Name='param4'] and Data='{C2F03A33-21F5-47FA-B4BB-156362A2F239}' and Data[@Name='param5'] and Data='{316CDED5-E4AE-4B15-9113-7055D84DCC97}' ) or ( Data[@Name='param4'] and Data='{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}' and Data[@Name='param5'] and Data='{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}' ) or ( Data[@Name='param4'] and Data='{C2F03A33-21F5-47FA-B4BB-156362A2F239}' and Data[@Name='param5'] and Data='{316CDED5-E4AE-4B15-9113-7055D84DCC97}' ) ]] </Suppress> </Query> </QueryList>
In this query, param4 corresponds to the COM Server application CLSID and param5 corresponds to the APPID which are recorded in the 10016 event logs.
For more information about manually constructing Event Viewer queries, see Advanced XML filtering in the Windows Event Viewer.
You can also work around this issue by modifying the permissions on DCOM components to prevent this error from being logged. However, we do not recommend this method because these errors do not adversely affect functionality and modifying the permissions can have unintended side effects.
Source
I'm not sure if this is a 100% fix but I had to share it. You can read the lengthy description of it in this thread. The error you seeing is likely to be a symptom of this.
Source thread on tenforums.com
And the tl;dr fix:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
Change the DWORD DelayedAutoStart from 1 to 0.