[EVENT10016] Windows.SecurityCenter.WscDataProtection


With the update to Windows 10 v1809, three event logs that seem to be related to Windows Security Center are now recorded.

[CLSID]

  1. Windows.SecurityCenter.WscBrokerManager
  2. Windows.SecurityCenter.SecurityAppBroker
  3. Windows.SecurityCenter.WscDataProtection

[Guid]
  • {1b562e86-b7aa-4131-badc-b6f3a001407e}
    * The Guid is the same for all three CLSIDs above

The event log suggests the following solution:

"This security permission can be modified by using the Component Services administration tool."

Unfortunately, because the event reports "APPID: Unavailable", there is no APPID to select even when the Component Services tool is opened.

Now, on to the main subject.

I don't know how to fix it at the time of writing, so the handling of this log is as follows.

[PLAN-A, B]

  1. Ignore until repaired naturally (Microsoft recommended)
  2. Stop recording event log

Microsoft officially recommends ignoring [Event ID 10016: DCOM error], because it is the result of the Windows OS operating as specified.

If you select PLAN-A, this article ends here, so I will share the procedure for PLAN-B.


Event Log

For the record, the three event log messages, which differ only in CLSID, are reproduced below.

Event Log
  Message: The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID Windows.SecurityCenter.WscBrokerManager and APPID Unavailable to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administration tool.
  Log name: System
  Source: DistributedCOM
  Event ID: 10016
  Level: Error
  User: SYSTEM
  Opcode: Information
  Guid: {1b562e86-b7aa-4131-badc-b6f3a001407e}

Event Log
  Message: The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID Windows.SecurityCenter.SecurityAppBroker and APPID Unavailable to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administration tool.
  Log name: System
  Source: DistributedCOM
  Event ID: 10016
  Level: Error
  User: SYSTEM
  Opcode: Information
  Guid: {1b562e86-b7aa-4131-badc-b6f3a001407e}

Event Log
  Message: The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID Windows.SecurityCenter.WscDataProtection and APPID Unavailable to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administration tool.
  Log name: System
  Source: DistributedCOM
  Event ID: 10016
  Level: Error
  User: SYSTEM
  Opcode: Information
  Guid: {1b562e86-b7aa-4131-badc-b6f3a001407e}

Steps to stop logging

When I perform the steps described, logging stops, but the underlying error remains, so this is not a fundamental solution.

The advantage is that Event Viewer is no longer cluttered.

[procedure]
  1. Start Registry Editor
  2. Search for {1b562e86-b7aa-4131-badc-b6f3a001407e}
  3. Change the value of Enabled from 1 to 0

Registry operations are at your own risk.
Before working with Registry Editor, make a backup copy of your registry in case something goes wrong.

1. Start Registry Editor
Windows key + R > Name: regedit

2. Search for {1b562e86-b7aa-4131-badc-b6f3a001407e}
The search hits in multiple places. The target is the following key.
\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Control\WMI\Autologger\EventLog-System\{1b562e86-b7aa-4131-badc-b6f3a001407e}

3. Change the value of Enabled from 1 to 0
After changing Enabled to 0, restart the computer, wait a few seconds, and then start Event Viewer to check.

* Because the Security Center service uses delayed start, the effect cannot be confirmed immediately after the PC starts.
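
A read-only PowerShell check to run before choosing PLAN-B (an added example, not part of the original article): it counts recent 10016 events per Security Center CLSID and shows the current Enabled value for the Guid under each control set. The Guid is the one logged with source DistributedCOM in the event tables, so Enabled = 0 stops every System-log event from that source, not only these three CLSIDs. The variable names, the `*ControlSet*` match and the 2000-event window are assumptions.

```powershell
# Added example: read-only audit. It changes nothing in the registry or the log.
$guid   = '{1b562e86-b7aa-4131-badc-b6f3a001407e}'   # Guid from the event tables
$clsids = @(
    'Windows.SecurityCenter.WscBrokerManager',
    'Windows.SecurityCenter.SecurityAppBroker',
    'Windows.SecurityCenter.WscDataProtection'
)

# 1. How much of the recent 10016 volume comes from the three CLSIDs?
#    Anything counted as "other CLSID" would also disappear if the
#    provider is disabled. The 2000-event window is an assumption.
$events = @(
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 10016 } `
                 -MaxEvents 2000 -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like '*DistributedCOM*' }
)

$events | ForEach-Object {
    # Compare every event parameter against the three CLSID names.
    $values = @($_.Properties | ForEach-Object { [string]$_.Value })
    $match  = $clsids | Where-Object { $values -contains $_ } |
              Select-Object -First 1
    if ($match) { $match } else { 'other CLSID' }
} | Group-Object | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 2. Current state of the provider entry under every control set.
#    The search in step 2 hits several places; this lists each one.
#    Enabled = 1 means logged, Enabled = 0 means suppressed.
Get-ChildItem 'HKLM:\SYSTEM' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like '*ControlSet*' } |
    ForEach-Object {
        $key = "Registry::$($_.Name)\Control\WMI\Autologger\EventLog-System\$guid"
        if (Test-Path -LiteralPath $key) {
            [pscustomobject]@{
                ControlSet = $_.PSChildName
                Enabled    = (Get-ItemProperty -LiteralPath $key).Enabled
            }
        }
    } | Format-Table -AutoSize
```

Run it again after the restart in step 3 to confirm that the value stayed at 0, or on any machine where DistributedCOM events are unexpectedly absent from the System log.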


Afterword

[Event ID 10016] is logged when a Windows component accesses a DCOM component without the required permissions.

And this behavior is according to the specifications. ('ω')

The result of the component operating according to the specifications of Windows is recorded as a 10016 event, so it should be left alone until it recovers naturally.

Since the error of Windows.SecurityCenter.WscBrokerManager that I wrote down in the past was no longer recorded once the COM+ application error was repaired, this error may be solved by repairing another error.

2019/05/30

When you open the Windows Service Control Manager (commonly called Services) and change the startup type of Security Center (wscsvc) from "Automatic (Delayed Start)" to "Automatic", the event ID covered in this article is no longer recorded.

However, since the Security Center startup type is grayed out, a special procedure is required to change it.

Please read the related article for specific information.

Validation: Windows 10 Pro October 2018 Update, v1809