With the update to Windows 10 v1809, three event logs that seem to be related to Windows Security Center are now recorded.
[CLSID]
- Windows.SecurityCenter.WscBrokerManager
- Windows.SecurityCenter.SecurityAppBroker
- Windows.SecurityCenter.WscDataProtection
[Guid]
- {1b562e86-b7aa-4131-badc-b6f3a001407e}
* All three CLSIDs are logged with the same Guid
The event log message suggests the following fix:
"This security permission can be modified by using the Component Services administration tool."
Unfortunately, because the event reports "APPID: Unavailable", there is no APPID to select even if you start Component Services.
Now, on to the main subject.
I don't know how to fix it at the time of writing, so the options for handling this log are as follows. [PLAN-A, PLAN-B]
- PLAN-A: Ignore it until it is repaired naturally (recommended by Microsoft)
- PLAN-B: Stop recording the event log
Microsoft officially recommends ignoring [Event ID 10016: DCOM error], because it is the result of the Windows OS operating as specified.
If you select PLAN-A, this article ends here, so I will share the procedure for PLAN-B.
Event Log
The event log entries are reproduced here. To keep a record, all three messages, which differ only in CLSID, are included.
message | The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID Windows.SecurityCenter.WscBrokerManager and APPID Unavailable to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administration tool. |
log name | system |
Source | DistributedCOM |
Event id | 10016 |
level | error |
user | SYSTEM |
Opcode | information |
Guid | {1b562e86-b7aa-4131-badc-b6f3a001407e} |
message | The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID Windows.SecurityCenter.SecurityAppBroker and APPID Unavailable to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administration tool. |
log name | system |
Source | DistributedCOM |
Event id | 10016 |
level | error |
user | SYSTEM |
Opcode | information |
Guid | {1b562e86-b7aa-4131-badc-b6f3a001407e} |
message | The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID Windows.SecurityCenter.WscDataProtection and APPID Unavailable to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administration tool. |
log name | system |
Source | DistributedCOM |
Event id | 10016 |
level | error |
user | SYSTEM |
Opcode | information |
Guid | {1b562e86-b7aa-4131-badc-b6f3a001407e} |
Steps to stop logging
Performing the steps below stops the logging, but the underlying error remains, so this is not a fundamental solution. The advantage is a cleaner Event Viewer.
[procedure]
- Start Registry Editor
- Search for {1b562e86-b7aa-4131-badc-b6f3a001407e}
- Change the value of Enabled from 1 to 0
Registry operations are at your own risk.
Before working with Registry Editor, make a backup copy of your registry in case something goes wrong.
2. Search for {1b562e86-b7aa-4131-badc-b6f3a001407e}
The search hits in multiple places. The key to change is the following one.
\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Control\WMI\Autologger\EventLog-System\{1b562e86-b7aa-4131-badc-b6f3a001407e}
3. Change the value of Enabled from 1 to 0
After changing Enabled to 0, restart the computer, wait a few seconds, and then start Event Viewer to check.
* Because the Security Center service uses a delayed start, the effect cannot be confirmed immediately after the PC starts.
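The PLAN-B steps above as a PowerShell script, added here as an example and not part of the original article: it first counts how many System-log events from this provider Guid are the three Security Center entries and how many are other events from the same source, then backs up the key and sets Enabled to 0 only when run with `-Apply`. The `CurrentControlSet` path, the `-Apply` switch, the 7-day window and the backup file name are assumptions.

```powershell
#Requires -RunAsAdministrator
param([switch]$Apply)   # hypothetical switch: without it the script only reports

$guid   = '{1b562e86-b7aa-4131-badc-b6f3a001407e}'   # Guid from the page
# Assumption: the live CurrentControlSet view (the page writes "ControlSet").
$sub    = "SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\$guid"
$regKey = "HKLM\$sub"     # form used by reg.exe
$psKey  = "HKLM:\$sub"    # form used by the PowerShell registry provider
$backup = Join-Path $env:TEMP 'autologger-dcom-backup.reg'   # hypothetical file name
$wscClsids = 'Windows.SecurityCenter.WscBrokerManager',
             'Windows.SecurityCenter.SecurityAppBroker',
             'Windows.SecurityCenter.WscDataProtection'

# 1. Collect what this provider wrote to the System log in the last 7 days.
$all = @(Get-WinEvent -FilterHashtable @{
            LogName = 'System'; StartTime = (Get-Date).AddDays(-7)
        } -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderId -eq [guid]$guid })

# 2. Of those, pick the 10016 entries that name one of the three CLSIDs.
$wsc = @($all | Where-Object {
    $msg = $_.Message
    $_.Id -eq 10016 -and ($wscClsids | Where-Object { $msg -like "*$_*" })
})

# 3. Report the counts and the current setting; stop here unless -Apply was given.
$enabled = (Get-ItemProperty -Path $psKey -Name Enabled -ErrorAction Stop).Enabled
'{0} provider events in 7 days: {1} Security Center 10016, {2} other' -f `
    $all.Count, $wsc.Count, ($all.Count - $wsc.Count)
"Enabled is currently $enabled"
if (-not $Apply) { return }

# 4. Back up the key first, then make the page's change (Enabled: 1 -> 0).
reg.exe export $regKey $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Backup failed; registry left unchanged.' }
Set-ItemProperty -Path $psKey -Name Enabled -Value 0 -Type DWord
"Enabled set to 0; backup saved to $backup. Restart for the change to take effect."
```

Run it without `-Apply` before the change and again after the restart to compare counts. If the "other" count is not zero, those events from the same source also stop appearing in the System log once Enabled is 0.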
Afterword
[Event ID 10016] is logged when a Windows component accesses a DCOM component without the required permissions. And this behavior is according to the specifications. ('ω')
Because the 10016 event records the result of a component operating according to the Windows specifications, it should be left alone until it recovers naturally.
The Windows.SecurityCenter.WscBrokerManager error that I wrote about in the past stopped being recorded once the COM+ application error was repaired, so this error may also be resolved by repairing another error.
2019/05/30
When you open the Windows Service Control Manager (commonly called Services) and change the startup type of Security Center (wscsvc) from "Automatic (delayed start)" to "Automatic", the event ID covered in this article is no longer recorded.
However, because the Security Center startup type is grayed out, special steps are required to change it.
Please read the related article for specific information.
Validation: Windows 10 Pro October 2018 Update, v1809