Fix DCOM Event ID 10016 error on Windows 10

In today’s post, we identify the cause of the DCOM (DistributedCOM) Event ID 10016 error that may appear in the Windows Event Viewer during normal Windows 10 operation, and then suggest possible solutions.

The Distributed Component Object Model (DCOM) is an integral part of network communication on Windows computers. It is a proprietary Microsoft technology that comes into play every time an application establishes a connection to the Internet. Traditional COM can only access information on the same machine, while DCOM can access data on remote servers.

For example, many websites and services use scripts that access a remote server. When your system makes a request using a script or otherwise, DCOM passes the request to the specific script object. Given how often modern applications use a network connection, and how much we use computers in general, you can see how often DCOM is used.

DCOM Event ID 10016 error

You may notice event 10016, shown below, recorded in the System event log on a computer running Windows 10, Windows Server 2016, Windows Server 2019, Windows Server, version 1903, or Windows Server 1909:

Source: Microsoft-Windows-DistributedCOM
Event ID: 10016
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{D63B10C5-BB46-4990-A94F-E40B9D520160}
and APPID
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Typically, you will encounter the above error logged in the Event Viewer. Note that there are variants of the Event ID 10016 error, but the procedure for mitigating them is essentially the same.

A DCOM error typically occurs when an application or service attempts to use DCOM but does not have the appropriate permissions. In most cases, DCOM errors won’t affect your system, other than cluttering your Event Viewer. These 10016 events are logged when Microsoft components attempt to access DCOM components without the required permissions. In this case, the behavior is expected and by design.

You don’t need to worry about these DCOM errors; you can safely ignore them. However, there are procedures you can follow to resolve the Event ID 10016 error each time it occurs.

How to resolve the DCOM Event ID 10016 error

To resolve this issue, Microsoft suggests creating an XML filter to suppress the DCOM Event ID 10016 error.

Here’s how:

  • Open the Event Viewer (press Windows key + R, type eventvwr in the Run dialog box, and press Enter).
  • Click Windows Logs > System.
  • Click Filter Current Log in the Actions pane.
  • Select the XML tab and check the Edit query manually option.
  • Copy and paste the following XML text into the filter dialog.

<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*</Select>
    <Suppress Path="System">
      *[System[(EventID=10016)]]
      and
      *[EventData[
        (
          Data[@Name='param4'] and Data='{D63B10C5-BB46-4990-A94F-E40B9D520160}' and
          Data[@Name='param5'] and Data='{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}' and
          Data[@Name='param8'] and Data='S-1-5-18'
        )
        or
        (
          Data[@Name='param4'] and Data='{260EB9DE-5CBE-4BFF-A99A-3710AF55BF1E}' and
          Data[@Name='param5'] and Data='{260EB9DE-5CBE-4BFF-A99A-3710AF55BF1E}'
        )
        or
        (
          Data[@Name='param4'] and Data='{C2F03A33-21F5-47FA-B4BB-156362A2F239}' and
          Data[@Name='param5'] and Data='{316CDED5-E4AE-4B15-9113-7055D84DCC97}' and
          Data[@Name='param8'] and Data='S-1-5-19'
        )
        or
        (
          Data[@Name='param4'] and Data='{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}' and
          Data[@Name='param5'] and Data='{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}' and
          Data[@Name='param8'] and Data='S-1-5-19'
        )
      ]]
    </Suppress>
  </Query>
</QueryList>

In this query, param4 corresponds to the COM Server application CLSID, param5 corresponds to the APPID, and param8 corresponds to the security context SID, all of which are logged in the 10016 event log entries.

DCOM error entries with event ID 10016 are now hidden.
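
The same CLSID/APPID/SID combinations can be checked from PowerShell to see which 10016 entries the filter hides and which ones remain visible and may deserve a look. This is an added example, not part of the original article or of Microsoft's guidance; it compares param4, param5 and param8 field by field, and the $byDesign table and output property names are this example's own.

```powershell
# By-design combinations, copied from the XML filter above.
# An empty Sid means the filter does not constrain param8 for that entry.
$byDesign = @(
    @{ Clsid = '{D63B10C5-BB46-4990-A94F-E40B9D520160}'; AppId = '{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}'; Sid = 'S-1-5-18' },
    @{ Clsid = '{260EB9DE-5CBE-4BFF-A99A-3710AF55BF1E}'; AppId = '{260EB9DE-5CBE-4BFF-A99A-3710AF55BF1E}'; Sid = '' },
    @{ Clsid = '{C2F03A33-21F5-47FA-B4BB-156362A2F239}'; AppId = '{316CDED5-E4AE-4B15-9113-7055D84DCC97}'; Sid = 'S-1-5-19' },
    @{ Clsid = '{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}'; AppId = '{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}'; Sid = 'S-1-5-19' }
)

# All DistributedCOM 10016 events currently in the System log.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-DistributedCOM'; Id = 10016
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Collect the named EventData fields (param4, param5, param8, ...) from the event XML.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # String comparison with -eq is case-insensitive, so GUID letter case does not matter.
    $match = $byDesign | Where-Object {
        $_.Clsid -eq $data['param4'] -and $_.AppId -eq $data['param5'] -and
        (-not $_.Sid -or $_.Sid -eq $data['param8'])
    }

    [pscustomobject]@{
        Clsid          = $data['param4']
        AppId          = $data['param5']
        Sid            = $data['param8']
        HiddenByFilter = [bool]$match
    }
}

# One line per distinct combination, most frequent first.
$rows | Group-Object Clsid, AppId, Sid, HiddenByFilter |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Rows where HiddenByFilter is False are 10016 events the XML filter leaves in view.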

You can also resolve the DCOM permissions issue using the Registry Editor and the DCOM configuration tool.

Here’s how:

The fix involves editing the registry. As a precaution, it is therefore recommended to back up the registry or create a system restore point.

To prevent event logging, follow these steps to grant permission to DCOM components that have specific CLSID and APPID.

First, you will need to determine which process or service is associated with the CLSID listed in the error. To do this, copy the CLSID listed in the event description. In this case, it is {D63B10C5-BB46-4990-A94F-E40B9D520160}. Be sure to copy both curly braces as well.

Now launch the Registry Editor. When the Registry Editor is open, click Edit, then Find. Paste the CLSID into the search box and press Enter.

The Registry Editor will now start a search. After a while, you should get a result under the HKEY_CLASSES_ROOT\CLSID key. On the right side, it should have two entries, and the Default one should list the name of the service. In this case, it should be RuntimeBroker.

Now that you have identified the process, you can do the following to correct the error.

  • Still in the Registry Editor, navigate to the following AppID key associated with RuntimeBroker:

HKEY_CLASSES_ROOT\AppID\{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}

By default, TrustedInstaller owns this registry key and its subkeys. Set Administrators as the owner of the key and its subkeys. See how to take ownership of registry keys for more information.

  • After setting Administrators as owner, assign the Administrators group and the SYSTEM account Full Control permission for the key and subkeys.
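
The lookup described above can also be done without searching the registry by hand. The following read-only script is an added example, not part of the original article; it assumes the CLSID and SID from the sample event, and the output property names are this example's own.

```powershell
# Values copied from the event description; replace them with the ones in your own event.
$clsid = '{D63B10C5-BB46-4990-A94F-E40B9D520160}'
$sid   = 'S-1-5-18'

$clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
if (-not (Test-Path -LiteralPath $clsidKey)) {
    throw "CLSID $clsid is not registered on this machine."
}

# The (Default) value names the class; the AppID value links to the DCOM application.
$clsidProps = Get-ItemProperty -LiteralPath $clsidKey
$appId      = $clsidProps.AppID
$appIdKey   = "Registry::HKEY_CLASSES_ROOT\AppID\$appId"
$hasAppKey  = $appId -and (Test-Path -LiteralPath $appIdKey)

# Translate the SID from the event into the account name the event refers to.
$account = try {
    ([System.Security.Principal.SecurityIdentifier]$sid).
        Translate([System.Security.Principal.NTAccount]).Value
} catch { $null }   # SID could not be resolved on this machine

[pscustomobject]@{
    Clsid      = $clsid
    ClassName  = $clsidProps.'(default)'
    AppId      = $appId
    AppIdName  = if ($hasAppKey) { (Get-ItemProperty -LiteralPath $appIdKey).'(default)' }
    # Current owner of the AppID key (TrustedInstaller by default, per the article).
    AppIdOwner = if ($hasAppKey) { (Get-Acl -LiteralPath $appIdKey).Owner }
    Account    = $account
}
```

The script only reads the registry and the key's ACL; it changes neither ownership nor permissions.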
  • Exit the Registry Editor.

Then start the DCOM configuration tool (press the Windows key + R, type dcomcnfg.exe in the Run dialog box, and press Enter).

  • Click Component Services > Computers > My Computer > DCOM Config.
  • Right-click the application that corresponds to the AppID recorded in the event log, and then select Properties.

The name of the application in this example is RuntimeBroker, which we identified earlier. If the DCOM Config tool lists two RuntimeBroker entries, find the correct one by right-clicking an item, clicking Properties, and matching the Application ID with the one in the registry.

  • Select the Security tab.
  • Under Launch and Activation Permissions, select Customize, and then click Edit.

If the Edit button is grayed out on the Properties page of the RuntimeBroker application in DCOM Config, you will need to check the permissions of the AppID registry key.

  • Under Group or user names, select Add.
  • Enter the name of the group or user recorded in the event log. For example, the account recorded in the event log can be NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\SYSTEM, or another group or account.
  • Click OK.
  • Assign Local Activation permission to the user or group you added and complete the process.

This procedure prevents Event ID 10016 errors regarding DCOM permissions from being logged.

Note: Microsoft does not recommend the method of modifying permissions on DCOM components to prevent the recording of this error because these errors do not affect functionality, and modifying permissions can have unintended side effects.

I hope this helps you!
