en[EVENT10016] Windows.SecurityCenter.WscDataProtection

SC2 2019-01-06

2021-08-17

Atom | RSS

このサイトを検索 | Search this site

,Japan

en[EVENT10016] Windows.SecurityCenter.WscDataProtection

to japanese

With the update to Windows 10 v1809, three event logs that seem to be related to Windows Security Center are now recorded.

[CLSID]

Windows.SecurityCenter.WscBrokerManager
Windows.SecurityCenter.SecurityAppBroker
Windows.SecurityCenter.WscDataProtection

[Guid]

{1b562e86-b7aa-4131-badc-b6f3a001407e}
* A ~ C same Guid

The event log offers the following solutions:

"This security permission can be modified by using the Component Services administration tool."

Unfortunately,

Since "APPID: Unavailable", the APPID cannot be specified even if the component service is started.

Well, the main subject.

I don't know how to fix it at the time of writing, so the handling of this log is as follows.

[PLAN-A, B]

Ignore until repaired naturally (Microsoft recommended)
Stop recording event log

The Microsoft official recommends [Event ID 10016: DCOM error] to be ignored as it is the result of the Windows OS operating as specified.

If you select PLAN-A, this article ends here, so I will share the procedure for PLAN-B.

Event Log

The event log is reprinted.

In order to keep a record, we reprint three types of messages that differ only in CLSID.

Event Log
message	CLSID for application-specific permission settings Windows.SecurityCenter.WscBrokerManager And APPID unusable Local launch permissions for this COM server application to user NT AUTHORITY\SYSTEM SID (S-1-5-18) at address LocalHost (using LRPC) running at application container unavailable SID (not available) You can not. This security permission can be modified using the Component Services administration tool.
log name	system
Source	DistributedCOM
Event id	10016
level	error
user	SYSTEM
Opcode	information
Guid	{1b562e86-b7aa-4131-badc-b6f3a001407e}

Event Log
message	CLSID for application-specific permission settings Windows.SecurityCenter.SecurityAppBroker And APPID unusable Local launch permissions for this COM server application to user NT AUTHORITY\SYSTEM SID (S-1-5-18) at address LocalHost (using LRPC) running at application container unavailable SID (not available) You can not. This security permission can be modified using the Component Services administration tool.
log name	system
Source	DistributedCOM
Event id	10016
level	error
user	SYSTEM
Opcode	information
Guid	{1b562e86-b7aa-4131-badc-b6f3a001407e}

Event Log
message	CLSID for application-specific permission settings Windows.SecurityCenter.WscDataProtection And APPID unusable Local launch permissions for this COM server application to user NT AUTHORITY\SYSTEM SID (S-1-5-18) at address LocalHost (using LRPC) running at application container unavailable SID (not available) You can not. This security permission can be modified using the Component Services administration tool.
log name	system
Source	DistributedCOM
Event id	10016
level	error
user	SYSTEM
Opcode	information
Guid	{1b562e86-b7aa-4131-badc-b6f3a001407e}

Steps to stop logging

When I perform the steps described, logging stops, but it is an underlying error and is not a fundamental solution.

The advantage is that the event viewer is refreshing.

[procedure]

Start Registry Editor
Search for {1b562e86-b7aa-4131-badc-b6f3a001407e}
Change the value of Enabled from 1 to 0

Registry operations are at your own risk

Before working with Registry Editor
Make a backup copy of your registry in case something goes wrong.

1. Start Registry Editor

Windows key + R> Name: regedit

How to start Registry Editor: Scrap 2nd.

2. Search for {1b562e86-b7aa-4131-badc-b6f3a001407e}

Hit in multiple places. The destinations are as follows.

\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Control\WMI\Autologger\EventLog-System\{1b562e86-b7aa-4131-badc-b6f3a001407e}

Search{1b562e86-b7aa-4131-badc-b6f3a001407e}

3. Change the value of Enabled from 1 to 0

After changing to Enable: 0, restart the computer, wait a few seconds, and then start Event Viewer to check.

* Since the Security Center service is delayed, it is not possible to confirm the effect immediately after starting the PC.

Enabled{1b562e86-b7aa-4131-badc-b6f3a001407e}

Afterword

[Event ID 10016] is logged when a Windows component accesses a DCOM component without the required permissions.

And this behavior is according to the specifications. ('ω')

The result of the component operating according to the specifications of Windows is recorded as a 10016 event, so it should be left alone until it recovers naturally.

Since the error of Windows.SecurityCenter.WscBrokerManager that I wrote down in the past is not recorded when the COM + application error is repaired, this error may be solved by repairing another error.

2019/05/30

When you open the Windows Service Control Manager (commonly called service) and change the startup type of Security Center (wscsvc) from "Automatic (delayed start)" to "Automatic", the event ID that you wrote down this time is no longer recorded. It was

However, since the Security Center startup type is grayed out, special operations are required to change the operation.

Please read the related article for specific information.

Validation: Windows 10 Pro October 2018 Update, v1809

en-event の記事 (Articles about the en-event)

新着順 (New arrival order)

タイトル：en[EVENT10016] Windows.SecurityCenter.WscDataProtection：SC2

このサイトを検索 | Search this site

投稿者 SC2

将棋ウォッチャーのカシミヤです。元SE。（@sc2kzstock）検証したことをメモに残しています。質問は受け付けていません。Windows、Android、将棋の話題。 --- I am taking notes on what I have verified. No questions are accepted. Information welcome! (@sc2kzstock) Topics related to Windows, Android, free software, and Japanese chess.