DistributedCOM Error 10016 in Windows: The Application-specific Permission Settings do not Grant Local Activation Permission

In this post I’ll show you how to fix the error with the EventID 10016 from the DistributedCOM source on a computer running Windows 10 or Windows Server 2012 R2. The DCOM 10016 event is quite common in both client and server Windows versions, starting from Windows XP and you can fix this error in the same way regardless of the Windows version.

The problem shows itself as follows: the following error appears in the Windows Event Viewer in the System section when the computer boots or attempts to start or install some application:

According to the error description: some user (for example, IIS Apppool) or a system (NT AUTHORITY\SYSTEM) tries to start some COM component using DCOM infrastructure and cannot do this due to the missing of the “Local Launch” or “Local Activation” permission. The error code contains only the codes of the classes for the COM component and the application. Let’s try to determine which particular application the identifier belongs to and grant the permissions that are necessary to successfully launch and activate it.

Copy the CLSID and APPID from the event description. In my case it is:

CLSID : {000209FF-0000-0000-C000-000000000046}
APPID: {AD65A69D-3831-40D7-9629-9B0B50A93843}

(in some cases, the application identifier may not be specified – APPID Unavailable).

Also note what permissions are missing (Local Activation permission) and for which account (NT AUTHORITY\SYSTEM or IIS APPPOOL\appIISPool SID — S-1-5-82-3351576649-1006875745-771203599-42452693-1279824824).

1. Run the Registry Editor (regedit.exe);
2. Go to the registry key corresponding to your CLSID. In my case it is HKEY_CLASSES_ROOT\CLSID\{000209FF-0000-0000-C000-000000000046};
   In some cases, you need to check also the registry key HKEY_CLASSES_ROOT\Wow6432Node\CLSID\. When you remotely connected to the registry, it will be located in the registry section HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID.
3. In the class parameter the app name must be specified (in my case it is Microsoft Word Application);
   Most often the DCOM error 10016 occurs with the following components: Immersive Shell
   CLSID: {C2F03A33-21F5-47FA-B4BB-156362A2F239}
   APPID: {316CDED5-E4AE-4B15-9113-7055D84DCC97}
   RuntimeBroker
   CLSID: {D63B10C5-BB46-4990-A94F-E40B9D520160}
   APPID : {9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
   
4. Right-click on the registry key and select Permissions;
5. Click on the Advanced button;
6. NT Service\TrustedInstaller or SYSTEM will be specified in the Owner section;
7. Click the Change button and specify the name of your administrator account. Save the changes;
8. Please note that the name of the current registry key owner has changed to your account. Check the box Replace owner on subcontainers and objects and click “OK”;
9. Add your administrator account to the permissions list and grant Full Control permissions to it;
10. You have granted the permissions to the registry key with CLSID. Now you need to repeat the previous steps and change ownership and permissions for administrator account on the registry key of your APPID from the error description (for example, HKEY_CLASSES_ROOT\AppID\{AD65A69D-3831-40D7-9629-9B0B50A93843};
11. Now run the component management console (dcomcnfg) as administrator (Control Panel -> All Control Panel Items -> Administrative Tools -> Component Services);
12. In the component console go to the section Component Services -> Computers -> My computer -> DCOM Config. In the COM component list find the name of the component that you defined in the second step (the value in the Application ID column must match your CLSID from the DCOM 10016 error description);
    If you cannot find your component in the list, you probably use a 64-bit version of Windows, and the component you want to run is 32-bit one. In this case, you need to start the DCOM console using the command: mmc comexp.msc /32.
13. Click the Security tab. All of the form controls to be accessible to change;
    If you open the dcomcnfg console before changing permissions on the component registry key, all the settings on the Security tab will be locked (cannot be changed), despite the fact that you started the console as an administrator.
14. In my case, the application did not have the permission for Local Activation. In the Launch and Activation Permissions section, select Customize and click the Edit button;
15. You need to add to the ACL an account that was specified in the error description. Depending on the text in the DCOM 10016 error, this could be SYSTEM, a specific user, or the account under which the IIS pool runs (in this case, you need to add access for the local IIS_IUSR group);
    If NT AUTHORITY\NETWORK SERVICE was specified in the initial error instead of NT AUTHORITY\SYSTEM, you must assign the local launch and activation permissions for the NetworkService account.
16. Grant the necessary permissions for the account. For example, Local Launch = Allow and Local Activation = Allow.
17. Restart the computer and check the event logs. The error DCOM 10016 should disappear.