SCNG Technical Blog
Windows 11, Windows Server 2022

Event 10016 PerAppRuntimeBroker Warning

If we look at Windows 11 or Windows Server 2022 Event System Log, we can see Event 10016 PerAppRuntimeBroker (APPID: {15C20B67-12E7-4BB6-92BB-7AFF07997402}) Warning:

The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{2593F8B9-4EAF-457C-B68A-50F6B8EA6B54}
and APPID
{15C20B67-12E7-4BB6-92BB-7AFF07997402}
to the user Username (…) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

 

Event 10016 PerAppRuntimeBroker Warning

 

Microsoft recommendation is (DCOM event ID 10016 is logged in Windows):
“These events can be safely ignored because they don’t adversely affect functionality and are by design. It’s the recommend action for these events.”

 

However, these warnings are very annoying and can confuse anyone, that something is wrongly configured.

 

With further analysis, we can find out, that DCOM application with ID {15C20B67-12E7-4BB6-92BB-7AFF07997402} is PerAppRuntimeBroker.

In this case, the current logged in user does not have permission to Local Launch (Local Activation) DCOM Application PerAppRuntimeBroker.

 

Solution:

 

It doesn’t help if we enable Local Launch (Local Activation) permission for logged in user for DCOM Application PerAppRuntimeBroker in Component Services application. We have to enable LocalLaunch (Local Activation) permission for local Users group!

 

We have to open Component Services application as Administrator, Computers, My Computer, DCOM Config and select Detail View from View Menu.

From the list we can find  Application PerAppRuntimeBroker with ID {15C20B67-12E7-4BB6-92BB-7AFF07997402}.

 

Component Services PerAppRuntimeBroker

 

If we right click on PerAppRuntimeBroker application and select Security Tab, everything is gray, because as administrator we don’t have permission to change DCOM Application permissions.

 

PerAppRuntimeBroker Properties

 

It is easy to change permissions for selected Application with Registry Editor (regedit.exe).

With Edit/Find command, we can find PerAppRuntimeBroker Application ID in Registry.

It is located in HKEY_CLASSES_ROOT\AppId\{15C20B67-12E7-4BB6-92BB-7AFF07997402}.

 

Registry PerAppRuntimeBroker

 

With right click and selected Permissions…, we can change permissions for selected AppId. First, we need to change the owner of registry Key.

Go to Advanced, Change Owner to Administrators group (local Administrators group, if computer is member of domain), select OK twice. Then open Permissions window once again and change permissions of Administrators group to Full Control.

 

PerAppRuntimeBroker permissions

 

Now, we have to open Component Services application as Administrator again, Computers, My Computer, DCOM Config and select Detail View from View Menu. If we right click on PerAppRuntimeBroker application and select Security Tab, we can edit Launch and Activation Permissions. When we click on Edit Button, we get a Windows Security window:

 

PerAppRuntimeBroker windows security

 

Obviously, something is wrong with permissions. So, we can choose a Remove button.

We have to Add Users group (local Users group, if computer is a member of domain). We have to set Local Launch and Local Activation Permissions for Users group.

 

Launch and Activation permission PerAppRuntimeBroker

 

That’s it. We will not see Event 10016 PerAppRuntimeBroker Warning any more in our OS.

 

Enjoy!!!

 

I invite you to solve also Event 10016 Windows.SecurityCenter Warnings in Windows 11!

 

13. December 2021by Simon Abolnar
Windows 11

Event 10016 Windows.SecurityCenter Warnings

If we install Windows 11 and we look in the Event System Log, we can see three types of “Event 10016 Windows.SecurityCenter DistributedCOM” Warnings:

  1. The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID
    Windows.SecurityCenter.WscCloudBackupProvider
    and APPID
    Unavailable
    to the user Username SID (…) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
  2. The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID
    Windows.SecurityCenter.SecurityAppBroker
    and APPID
    Unavailable
    to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
  3. The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID
    Windows.SecurityCenter.WscDataProtection
    and APPID
    Unavailable
    to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Microsoft recommendation is (DCOM event ID 10016 is logged in Windows):
“These events can be safely ignored because they don’t adversely affect functionality and are by design. It’s the recommend action for these events.”

 

However, these warnings are very annoying and can confuse anyone, that something is wrongly configured.

 

Analysis:

 

The problem is related to the Windows Security Center. The Windows Security Center service (wscsvc) has a delayed automatic start. WscCloudBackupProvider, SecurityAppBroker and WscDataProtection objects start earlier with the OS. As soon as the objects are active, they try to communicate with the Windows Security Center service (wscsvc), which is not started. That is why, we get Event 10016 warnings.

 

Solution:

 

Solution of this problem is unusual. It has nothing to do with Local Launch permissions. We should start Windows Security Center service earlier, during OS starting procedure.

If we look at the registry with Registry Editor (regedit.exe), we can find Windows Security Center service settings at:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc

We have to change the DelayedAutoStart DWORD Value From 1 to 0.

 

Windows Security Center Registry

 

We can’t do it right away, because we don’t have a permission to do it. We right click on the wscsvc Registry Key and select Permissions…First, we need to change the owner of Registry Key. Go to Advanced, Change Owner from System to the Administrators group (local Administrators group, if computer is member of domain), select OK twice. Then open the Permissions window once again and change permissions of Administrators group to Full Control.

 

wscsvc Key Permissions

 

Now, we can change the DelayedAutoStart DWORD Value From 1 to 0. In this way, the Windows Security Center will start earlier.

 

That’s it. After OS restart, we will not see Event 10016 Windows.SecurityCenter Warnings anymore.

 

I invite you to solve also Event 10016 PerAppRuntimeBroker Warning in Windows 11!

 

12. December 2021by Simon Abolnar

About us

We are employed at School Center Nova Gorica (SCNG), which is located in Slovenia-EU and we are enthusiastic about new technologies, especially in Microsoft Technologies. We would like to share our knowledge, thoughts and solutions in different areas of Information Technologies.

Authors:

Categories

Links

Recent Posts

Recent Comments

Archives

Tags

Exchange Server Hyper-V Office 2021 SCCM SharePoint Windows 11 Windows Server 2022 WordPress