Fix: Event ID 10016 DistributedCOM Errors Recorded in the Event Log

Even in a fresh Windows 10 installation, you might see some DistributedCOM (DCOM) errors Event ID: 10016 in the System event log. Here are some sample events:

Log Name: System
 Source: Microsoft-Windows-DistributedCOM
 Date:
 Event ID: 10016
 Task Category: None
 Level: Error
 Keywords: Classic
 User: DESKTOP-JKJ4G5Q\ramesh
 Computer: DESKTOP-JKJ4G5Q
 Description:
 The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
 {C2F03A33-21F5-47FA-B4BB-156362A2F239}
 and APPID
 {316CDED5-E4AE-4B15-9113-7055D84DCC97}
 to the user DESKTOP-JKJ4G5Q\ramesh SID (S-1-5-21-***) from address LocalHost (Using LRPC) running in the application container Microsoft.Windows.Cortana_1.9.6.16299_neutral_neutral_cw5n1h2txyewy SID (S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742). This security permission can be modified using the Component Services administrative tool.
Log Name: System
 Source: Microsoft-Windows-DistributedCOM
 Date:
 Event ID: 10016
 Task Category: None
 Level: Error
 Keywords: Classic
 User: DESKTOP-JKJ4G5Q\ramesh
 Computer: DESKTOP-JKJ4G5Q
 Description:
 The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
 {D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID
 {9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user DESKTOP-JKJ4G5Q\ramesh SID (S-1-5-21-***) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID 
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

The most common Event ID: 10016 errors reported by users are:

Immersive Shell
 GUID  : {C2F03A33-21F5-47FA-B4BB-156362A2F239}
 APPID : {316CDED5-E4AE-4B15-9113-7055D84DCC97}

RuntimeBroker
 GUID  : {D63B10C5-BB46-4990-A94F-E40B9D520160}
 APPID : {9CA88EE3-ACB7-47C8-AFC4-AB702511C276}

These event log error entries appear if certain processes do not have permissions to the DCOM components mentioned in the event logs. Despite these errors, the system may be functioning well without any major issues, and in that case the errors can be ignored safely. As they say “If it ain’t broke, don’t fix it“, if the system is functioning fine anyway, simply ignore the DCOM errors.

Workaround for Windows.SecurityCenter DCOM Event ID 10016

Log Name:      System
Source:        Microsoft-Windows-DistributedCOM
Date:          
Event ID:      10016
Task Category: None
Level:         Warning
Keywords:      Classic
User:          SYSTEM
Computer:      DESKTOP-JKJ4G5Q
Description:
The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID 
Windows.SecurityCenter.WscBrokerManager
 and APPID 
Unavailable to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.


Log Name:      System
Source:        Microsoft-Windows-DistributedCOM
Date:          
Event ID:      10016
Task Category: None
Level:         Warning
Keywords:      Classic
User:          SYSTEM
Computer:      DESKTOP-JKJ4G5Q
Description:
The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID 
Windows.SecurityCenter.SecurityAppBroker
and APPID 
Unavailable
to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Log Name:      System
Source:        Microsoft-Windows-DistributedCOM
Date:          
Event ID:      10016
Task Category: None
Level:         Warning
Keywords:      Classic
User:          SYSTEM
Computer:      DESKTOP-JKJ4G5Q
Description:
The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID 
Windows.SecurityCenter.WscDataProtection and APPID
Unavailable
to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

For the above Windows.SecurityCenter related errors, setting the Security Center service (wscsvc) to Automatic start instead of Automatic (delayed start) seems to prevent the DCOM errors. To set the Security Center service (wscsvc) to Automatic start, set the DelayedAutoStart DWORD value to 0 in the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc

dcom error security center disable delayed start

Simply ignore the DCOM errors

As per Microsoft:

These 10016 events are recorded when Microsoft components try to access DCOM components without the required permissions. In this case, this is expected and by design.

A coding pattern has been implemented where the code first tries to access the DCOM components with one set of parameters. If the first attempt is unsuccessful, it tries again with another set of parameters. The reason why it does not skip the first attempt is because there are scenarios where it can succeed. In those scenarios, that is preferable.

For more information see Microsoft article DCOM event ID 10016 is logged in Windows 10, Windows Server 2016 and Windows Server 2019. Microsoft suggests creating a filter (XML source provided in the article) to hide the DCOM 10016 events.



Suppress DCOM 10016 events using this filter

<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*</Select>
    <Suppress Path="System">
      *[System[(EventID=10016)]]
      and
      *[EventData[
        (
          Data[@Name='param4'] and Data='{D63B10C5-BB46-4990-A94F-E40B9D520160}' and
          Data[@Name='param5'] and Data='{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}' and
          Data[@Name='param8'] and Data='S-1-5-18'
        ) 
        or
        (
          Data[@Name='param4'] and Data='{260EB9DE-5CBE-4BFF-A99A-3710AF55BF1E}' and
          Data[@Name='param5'] and Data='{260EB9DE-5CBE-4BFF-A99A-3710AF55BF1E}'
        ) 
        or
        (
          Data[@Name='param4'] and Data='{C2F03A33-21F5-47FA-B4BB-156362A2F239}' and
          Data[@Name='param5'] and Data='{316CDED5-E4AE-4B15-9113-7055D84DCC97}' and
          Data[@Name='param8'] and Data='S-1-5-19'
        )
        or
        (
          Data[@Name='param4'] and Data='{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}' and
          Data[@Name='param5'] and Data='{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}' and
          Data[@Name='param8'] and Data='S-1-5-19'
        ) 
      ]]
    </Suppress>
  </Query>
</QueryList>
  1. Open Event Viewer. Expand Windows Logs → System.
  2. Click Filter current log…
  3. Select the XML tab and enable Edit query manually
  4. Copy/Paste the above XML to the filter dialog, and click OK.

The DCOM error entries with the Event ID 10016 are now hidden from view.

dcom error filter event log xml

If, on the other hand, some app or feature (eg., Cortana) is not working correctly due to incorrect DCOM permissions, here is how to fix it.

Fix DCOM Permissions Using Registry Editor & DCom Config

To prevent the events from being logged, follow these steps to grant permission to the DCOM components that have specific CLSIDs and APPIDs. Let’s take the case of RuntimeBroker, whose CLSID as reported in the event log is {D63B10C5-BB46-4990-A94F-E40B9D520160} APPID is {9CA88EE3-ACB7-47C8-AFC4-AB702511C276}

Important: Before proceeding, create a System Restore point as incorrectly configuring DCOM Permissions can break Windows. It’s advisable to take a complete image backup if that’s feasible.

  1. Start the Registry Editor (regedit.exe).
  2. Go to the following key:
    HKEY_CLASSES_ROOT\CLSID\{D63B10C5-BB46-4990-A94F-E40B9D520160}

    runtimebroker dcom permissions

  3. Note down the (default) value data in the above key, which in this case is RuntimeBroker
  4. Go to the following AppID key now:
    HKEY_CLASSES_ROOT\AppID\{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
  5. By default, TrustedInstaller owns this registry key and its subkeys. Set Administrator as the owner of the key and its subkeys. See how to take ownership of registry keys and assign full permissions for more information.
  6. After setting Administrators as the owner, assign Administrators group and SYSTEM account have Full Control permission for the key and subkeys.
  7. Exit the Registry Editor.
  8. Start the DCOM Configuration tool dcomcnfg.exe
  9. Expand Component Services | Computers | My Computer | DCOM Config.
  10. Right-click the application that corresponds to the AppID that’s recorded in the event log, and then select Properties. The application name in this example is RuntimeBroker which you’ve found in Step 3 above. The DCom Config tool lists two RuntimeBroker entries. To find the right one, right-click on an item and click Properties and match the App ID with the one in the registry (Figure 1).
    dcomcnfg runtimebroker
  11. Select the Security tab.
  12. Under Launch and Activation Permissions, select Customize, and click Edit.
    dcomcnfg properties edit button

    Note that if the Edit button is grayed out in RuntimeBroker application Properties page in DCOM Config, you’ll need to verify the AppID registry key permissions (redo steps 4-6 above).

  13. Under Group or user names, select Add.
  14. Enter the group or user name that’s recorded in the event log. For example, the account recorded in the log may be NT AUTHORITY\NETWORK SERVICENT AUTHORITY\SYSTEM, or some other group or account.
  15. Click OK.
  16. Assign Local Activation permission for that user or group you added, and complete the process.

This prevents the event log errors Event ID: 10016 relating to DCOM permissions.


One small request: If you liked this post, please share this?

One "tiny" share from you would seriously help a lot with the growth of this blog. Some great suggestions:
  • Pin it!
  • Share it to your favorite blog + Facebook, Reddit
  • Tweet it!
So thank you so much for your support, my reader. It won't take more than 10 seconds of your time. The share buttons are right below. :)

About the author

Ramesh Srinivasan founded Winhelponline.com back in 2005. He is passionate about Microsoft technologies and he has been a Microsoft Most Valuable Professional (MVP) for 10 consecutive years from 2003 to 2012.

4 thoughts on “Fix: Event ID 10016 DistributedCOM Errors Recorded in the Event Log”

  1. Only Time i get the Error 10016 with this APPID is when i run a game named; ROBLOX and i have given all the permission and followed all these steps but still when i launch a ROBLOX game the PC will reboot and try fix itself. I can play anyother game without a Problem i have tried uninstalling and removing all the files in ROBLOX but i have run out of solutions. Please help.

    Reply
  2. I have had the same Paul’s problem. The button is inactive. I have done permisson to the two keys like Administators, the like administrator, but i haven’t been able to add the users.

    Thanks

    Reply
  3. if the button is “inactive”:
    HKEY_CLASSES_ROOT\CLSID\{D63B10C5-BB46-4990-A94F-E40B9D520160}

    right click / permissions click full permission on Administrators

    click advanced on top of page change from trusted installer to Administrators search & ok it to your name.

    Apply and exit and it should stayed checked in the properties window when you close it. Reopen it and make sure.

    Do same for next

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{9CA88EE3-ACB7-47c8-AFC4-AB702511C276}

    Then to the component service RuntimeBroker and top item will ask something about improper other key/permission needs changed… ok that(same key in few other locations in regedit) then you can give your self full permissions.

    Reply

Leave a Comment