After upgrading or migrating to Server 2016, I was getting errors about Distributed COM not being able to activate certain AppIDs from either the SYSTEM account or from a custom account that I use for running batch jobs. This mostly happened on the RuntimeBroker, but I had it on another AppID that didn’t have a name.
Here’s a typical error:
Log Name: System
Event ID: 10016
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
The solution is to grant that user Activation permission on the AppID. But before we can change the COM permissions, we have to take ownership of the corresponding registry item.
In this example, we’ll work on AppID 9CA88EE3-ACB7-47C8-AFC4-AB702511C276, which, as we will see, is the RuntimeBroker.
Step 1: RegEdit
- Start regedit. Navigate to the AppID, in this case HKEY_CLASSES_ROOT\AppID\9CA88EE3-ACB7-47C8-AFC4-AB702511C276. Right-click and Export the key to your desktop as a backup.
- Right-click and choose Permissions. Click the Advanced button. Next to Owner, click the Change link. Change From this Location to the local computer if it’s not already the local computer. Change the Owner to Administrators.
- Note the AppID’s name if it’s in the “(Default)” entry:
AppID 9CA88EE3-ACB7-47C8-AFC4-AB702511C276 = RuntimeBroker
- Close the Advanced permissions dialog. Highlight Administrators and give that group Full Control of the registry key. This will allow you to change the Activation permissions in the next step.
Step 2: DComCnfg
- Start DcomCnfg.
- Navigate to Component Services > Computers > My Computer > DCOM Config.
- Right-click on the named COM object (here “Runtime Broker”) and select Properties. If you are using this procedure for an AppID that doesn’t have a name (the “Default” key in the registry was empty), you should find it listed by the long AppID or CLSID.
- On the Security tab, under Launch and Activation Permissions, choose Customize, then click the Edit button. If you get a long message about “an unrecognized or application-specific (callback) type,” click Remove. (And no, I don’t understand that message, nor do I know if it is safe to Remove—do at your own risk!)
- Add the required user(s) as specified in the 10016 error message (SYSTEM and/or your local service account) and grant it Local Launch and Local Activation permissions. I only had to add Local Activation; it already had Local Launch.
Step 3: RegEdit
Back in RegEdit:
- Open the AppID Permissions again.
- Remove Full Control from Administrators.
- Click on Advanced. Set the owner to NT SERVICE\TrustedInstaller. Note that under “From this location”, you may have to set the location to the local computer, not the domain directory.
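To confirm the outcome of the three steps without reopening either GUI, here is an added read-only check (not from the original post). It reports the AppID key's name and owner, decodes the LaunchPermission value, and says whether a given SID holds Local Activation. The parameter names are made up for this example, and it assumes an elevated PowerShell 5.1 session on the server.

```powershell
# Added example (not from the original post): read-only check of one AppID's
# registry owner and DCOM launch/activation ACL. Parameter names are hypothetical.
param(
    [string]$AppId = '9CA88EE3-ACB7-47C8-AFC4-AB702511C276',  # AppID from the article
    [string]$Sid   = 'S-1-5-18'                                # SYSTEM, per the 10016 event
)

# COM launch/activation access-mask bits (COM_RIGHTS_* values from the Windows SDK).
$rights = [ordered]@{
    'Local Launch'      = 0x02
    'Remote Launch'     = 0x04
    'Local Activation'  = 0x08
    'Remote Activation' = 0x10
}

# Key names under HKCR\AppID carry braces; add them if the caller left them off.
$guid    = '{' + $AppId.Trim('{}') + '}'
$keyPath = "Registry::HKEY_CLASSES_ROOT\AppID\$guid"
$key     = Get-Item -LiteralPath $keyPath -ErrorAction Stop

[pscustomobject]@{
    AppId = $guid
    Name  = $key.GetValue('')                      # "(Default)" value; empty if unnamed
    Owner = (Get-Acl -LiteralPath $keyPath).Owner  # NT SERVICE\TrustedInstaller once Step 3 is done
} | Format-List

# LaunchPermission is a REG_BINARY value holding a self-relative security descriptor.
$raw = $key.GetValue('LaunchPermission')
if ($null -eq $raw) {
    Write-Output 'No LaunchPermission value: the machine-wide default launch ACL applies.'
    return
}
$sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($raw, 0)

$aces = foreach ($ace in $sd.DiscretionaryAcl) {
    try { $account = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch { $account = '(unresolved)' }
    [pscustomobject]@{
        Sid     = $ace.SecurityIdentifier.Value
        Account = $account
        AceType = $ace.AceType   # allow, deny, or a callback ACE type
        Rights  = ($rights.Keys | Where-Object { $ace.AccessMask -band $rights[$_] }) -join ', '
    }
}
$aces | Format-Table -AutoSize

# Only ACEs naming $Sid directly are checked; rights granted through a group are not evaluated.
$ok = $aces | Where-Object { $_.Sid -eq $Sid -and $_.AceType -like 'AccessAllowed*' -and $_.Rights -match 'Local Activation' }
'{0} {1} a direct Local Activation grant on {2}' -f $Sid, $(if ($ok) { 'has' } else { 'lacks' }), $guid
```

Run it once before Step 1 to record the starting owner and ACL, and again after Step 3 to verify that the new grant is present and the owner is back to TrustedInstaller.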
Update March 6, 2019
Here’s a PowerShell module that will let you do all of the above in one line:
I’ve run it a couple times and it seems fine, but use at your own risk!