[EVENT10016] RuntimeBroker {9CA88EE3-...}


This article describes Event ID 10016.

EVENT-ID-10016 is recorded when there is a problem with the DCOM component.

In this case, the log shows that NETWORK SERVICE cannot access Runtime Broker.

It is possible to find the APPID and try to repair it.

Explanation of terms
NETWORK SERVICE: Windows built-in account
APPID: Application ID
RuntimeBroker: APPID name (DCOM component)
Component Services: Windows management tool

Now for the main subject.

This log reports a problem with APPID {9CA88EE3-ACB7-47C8-AFC4-AB702511C276}.

In Component Services, {9CA88EE3-...} appears under the name RuntimeBroker, so look for RuntimeBroker when repairing.

I will share the repair procedure I performed.

There is another RuntimeBroker entry with the same name but a different APPID, so take care to repair the correct one.


Event Log

The event log entry is reproduced below.

Event Log
Message: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D63B10C5-BB46-4990-A94F-E40B9D520160} and APPID {9CA88EE3-ACB7-47C8-AFC4-AB702511C276} to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
Log name: System
Source: DistributedCOM (DCOM)
Event ID: 10016
Level: Error
User: NETWORK SERVICE
APPID: {9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
APPID name: RuntimeBroker
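
The lookup from event to APPID name can be scripted, which also helps tell the two RuntimeBroker entries apart and records the current owner of the key before anything is changed. The following PowerShell is an added example, not part of the original article; the variable names are illustrative and it assumes an elevated session on the affected PC.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell.
$guidRx    = '\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}'
$appIdRoot = 'Registry::HKEY_CLASSES_ROOT\AppID'

# 1. Pull DCOM 10016 events and collect the distinct (GUID, user SID) pairs they mention.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-DistributedCOM'; Id = 10016
} -ErrorAction SilentlyContinue

$pairs = foreach ($e in $events) {
    foreach ($m in [regex]::Matches($e.ToXml(), $guidRx)) {
        [pscustomobject]@{ Guid = $m.Value.ToUpper(); UserSid = "$($e.UserId)" }
    }
}
$pairs = $pairs | Sort-Object Guid, UserSid -Unique

# 2. Keep only GUIDs that are registered under HKCR\AppID. This drops the CLSID and
#    the provider GUID that also appear in the event XML. Resolve the name and
#    record the key's current owner and ACL so the original state is documented.
$report = foreach ($p in $pairs) {
    $key = "$appIdRoot\$($p.Guid)"
    if (Test-Path -LiteralPath $key) {
        $acl = Get-Acl -LiteralPath $key
        [pscustomobject]@{
            AppId   = $p.Guid
            Name    = (Get-Item -LiteralPath $key).GetValue('')   # default value = APPID name
            UserSid = $p.UserSid
            Owner   = $acl.Owner                                  # restore this in step 4
            KeySddl = $acl.Sddl
        }
    }
}
$report | Format-List

# 3. List every APPID registered under the name RuntimeBroker, so the entry
#    named in the event is not confused with its namesake.
Get-ChildItem -LiteralPath $appIdRoot -ErrorAction SilentlyContinue |
    Where-Object { $_.GetValue('') -eq 'RuntimeBroker' } |
    Select-Object @{ n = 'AppId'; e = { $_.PSChildName } },
                  @{ n = 'Name';  e = { $_.GetValue('') } }
```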

Repair procedure

This procedure assumes that you are logged in to the PC with an account that belongs to Administrators or an account that has administrator privileges.

Since the repair procedure is long and moves back and forth between Registry Editor and Component Services, here is the overall flow first.

[Overall flow | PLAN-A]
  1. Change the owner of APPID (Registry Editor)
  2. Set changed owner permissions to full control
  3. Add LOCAL SERVICE to APPID (Component Services)
  4. Revert the changed owner (Registry Editor)
  5. Restart your PC

PLAN-B
If you are not comfortable with Registry Editor, see the related article: there is also a way to skip the Registry Editor steps. (PLAN-B)

1. Change the owner of APPID

Registry operations are at your own risk.
Before working with Registry Editor, make a backup copy of your registry in case something goes wrong.

1.1 Start Registry Editor
  1. Open the Run dialog ( Win + R ).
  2. Type regedit in the box next to "Name"
  3. Click OK

regedit

1.2 Search APPID
  1. Open the search dialog (Ctrl + F, or Edit > Search)
  2. Enter {9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
  3. Click Find Next
Search results:
\HKEY_CLASSES_ROOT\AppID\{9CA88EE3-ACB7-47c8-AFC4-AB702511C276}
1.3 Change Owner from TrustedInstaller to Administrators
Right-click and select "Permissions" from the context menu.

AppID

In my environment Administrators permissions were "read".

If you check Full Control and click OK at this point, you will get an error, so you need to take ownership of the registry key before you can change its permissions.

Security: Advanced settings

Click Advanced (V). The screen that opens shows TrustedInstaller as the owner, so click Change.

Owner: TrustedInstaller

Click Advanced (A)... on the user or group selection screen.

Select user or group> Advanced settings

Click Search (N). Administrators appears in the list, so select it and click OK. Select the one with an "s" at the end.

Advanced settings> Search

Confirm that PC name\Administrators has been added under "Enter the object name to select" and click OK, then click OK again on the screen you return to.

Administrators

2. Set changed owner permissions to full control

  1. Select Administrators under "Group or user names"
  2. In the permissions box below, check ☑ Full Control and click OK
If Administrators is not listed under "Group or user names", add it with the Add button.

Administrators: Full control

3. Start Component Services and add LOCAL SERVICE to APPID

3.1 Start Component Services
  • Open Run, enter dcomcnfg in the name box and click OK
  • Or Start Menu > Windows Administrative Tools > Component Services
3.2 Find Application ID
Select DCOM configuration and look through the "Application ID" column in the right pane to find the APPID by eye. There is no search function.

Console root
∨ Component service
 ∨ Computer
  ∨ My computer
   >DCOM configuration

Look for {9CA88EE3-ACB7-47c8-AFC4-AB702511C276} in the Application ID column.

Application ID and name
APPID name      APPID
RuntimeBroker   {9CA88EE3-ACB7-47c8-AFC4-AB702511C276}
RuntimeBroker
3.3 Add NETWORK SERVICE to Runtime Broker
If you started Component Services (dcomcnfg) before editing the registry, restart Component Services so that the entry can be edited.

RuntimeBroker> Right click> Properties

Since multiple RuntimeBroker entries are registered, select the one whose application ID is {9CA88EE3-ACB7-47C8-AFC4-AB702511C276}, the one to be edited.

RuntimeBroker: Property

Security tab> Launch and Activation Permission> Edit ...

Launch and Activation Permissions> Edit

Add > Advanced settings > Search
  1. Click Add, then go to the advanced settings
  2. Click Search (N) in the dialog that appears
  3. Select NETWORK SERVICE from the search result list
  4. Click OK

NETWORK SERVICE addition screen

Confirm that NETWORK SERVICE has been added in the box under "Enter the object name to select" and click OK.

Select user or group> OK

Launch and activation permissions

With NETWORK SERVICE selected, check ☑ Local Activation under "Permissions" and click OK.

You are returned to the RuntimeBroker properties screen; click OK there (or Apply, then OK).

Local activation

4. Revert the changed owner

We recommend restoring the original owner of the registry key after completing the Component Services steps.

TrustedInstaller is not shown in the search results, so enter it directly.
Input value: NT SERVICE\TrustedInstaller
Trustedinstaller

5. Restart your PC

Restart your PC and check the Event Viewer.

If the events no longer appear in the event log, the procedure was successful.
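
Besides watching Event Viewer, the result of steps 3 to 5 can be checked directly: the key owner should be TrustedInstaller again, NETWORK SERVICE should hold local activation only, and no new 10016 events for this APPID should appear after the restart. The following PowerShell is an added example, not part of the original article; the variable names are illustrative and it assumes an elevated session after the restart.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell after step 5.
$appId = '{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}'    # APPID from the event on this page
$key   = "Registry::HKEY_CLASSES_ROOT\AppID\$appId"
$sid   = 'S-1-5-20'                                   # NT AUTHORITY\NETWORK SERVICE
# COM access-mask bits: ACTIVATE_LOCAL = 0x8; EXECUTE_REMOTE = 0x4, ACTIVATE_REMOTE = 0x10
$ActivateLocal = 0x8
$RemoteBits    = 0x4 -bor 0x10

# Step 4 check: the owner should be NT SERVICE\TrustedInstaller again.
$owner = (Get-Acl -LiteralPath $key).Owner

# Step 3 check: decode the binary LaunchPermission value that Component Services
# wrote and combine the allow ACEs held by NETWORK SERVICE.
$bytes = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).LaunchPermission
$mask  = 0
if ($bytes) {
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new([byte[]]$bytes, 0)
    $sd.DiscretionaryAcl |
        Where-Object { $_.AceType -eq 'AccessAllowed' -and $_.SecurityIdentifier.Value -eq $sid } |
        ForEach-Object { $mask = $mask -bor $_.AccessMask }
}

# Step 5 check: 10016 events for this APPID logged since the last boot.
$boot  = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
$after = @(Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-DistributedCOM'
    Id = 10016; StartTime = $boot
} -ErrorAction SilentlyContinue |
    Where-Object { $_.ToXml() -match [regex]::Escape($appId) })   # -match ignores case

[pscustomobject]@{
    Owner               = $owner
    OwnerRestored       = $owner -eq 'NT SERVICE\TrustedInstaller'
    LocalActivation     = [bool]($mask -band $ActivateLocal)
    RemoteRightsGranted = [bool]($mask -band $RemoteBits)   # should stay False for this fix
    EventsSinceBoot     = $after.Count
}
```

A result with OwnerRestored False means step 4 was skipped and Administrators still own a key that Windows normally reserves for TrustedInstaller.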

Summary

You cannot change the RuntimeBroker settings unless you first change the owner. When you are done, do not forget to change the owner back.

[Procedure]
  1. Change the owner: TrustedInstaller → Administrators
  2. Change the RuntimeBroker settings
  3. Change the owner: Administrators → TrustedInstaller (undo)

User type

The users recorded in DCOM error events include:
  • LOCAL SERVICE
  • NETWORK SERVICE (this article)
  • Logged-in account
  • ... etc.

ExecTI

I have found ExecTI, a free tool that lets you edit RuntimeBroker directly without using Registry Editor.

With it, the following steps are unnecessary.
  1. Launch Registry Editor and change APPID Owner
  2. Launch Registry Editor and restore APPID owner

ExecTI is published on Winaero.com.

For a concrete example of using ExecTI, see the related article, which repairs a RuntimeBroker with a different APPID from the one in this article.
  • RuntimeBroker
  • APPID: {15C20B67-12E7-4BB6-92BB-7AFF07997402}

execti-comexp.msc

RuntimeBroker

When you search for RuntimeBroker, complaints such as "CPU usage 100%" stand out.

We do not see that behaviour on our PC, but it still seems better to deal with the error.
RuntimeBroker.exe monitors access to Windows APIs and ensures that your application does not violate Windows core security.

Checks if the Windows Store app has declared all permissions to access the resource while running. This also includes letting you know if you have permission.

This process handles security permissions for processes such as sensors, cameras.

Therefore, it helps protect your privacy when using Windows Store applications.
thewindowsclub.com

Timing at which event ID 10016 is recorded

The explanatory article on the official Microsoft website is quoted below.
DCOM Event ID 10016 is logged on Windows 10 and Windows Server 2016

This issue occurs because the particular process does not have the permissions on the DCOM component that are listed in the event log.
~
You can safely ignore these events.
support.microsoft.com

Validation: Windows 10 Pro Fall Creators Update, v1709