DCOM event ID 10016 is logged in Windows

Applies to: Windows 10, version 1809Windows Server 2019, all versionsWindows Server version 1803 More

Symptoms


On a computer that is running Windows 10, Windows Server 2016 or Windows Server 2019, you notice the following event logged in the system event logs.

Cause


These 10016 events are recorded when Microsoft components tries to access DCOM components without the required permissions. In this case, this is expected and by design.

A coding pattern has been implemented where the code first tries to access the DCOM components with one set of parameters. If the first attempt is unsuccessful, it tries again with another set of parameters. The reason why it does not skip the first attempt is because there are scenarios where it can succeed. In those scenarios, that is preferable.

Workaround


These events can be safely ignored because they do not adversely affect functionality and are by design. This is the recommend action for these events.

If desired, advanced users and IT professionals can suppress these events from view in the Event Viewer by creating a filter and manually editing the filter’s XML query similar to the following:

<QueryList>  <Query Id="0" Path="System">    <Select Path="System">*</Select>    <Suppress Path="System">      *[System[(EventID=10016)]]      and      *[EventData[        (          Data[@Name='param4'] and Data='{D63B10C5-BB46-4990-A94F-E40B9D520160}' and          Data[@Name='param5'] and Data='{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}'        )         or        (          Data[@Name='param4'] and Data='{260EB9DE-5CBE-4BFF-A99A-3710AF55BF1E}' and          Data[@Name='param5'] and Data='{260EB9DE-5CBE-4BFF-A99A-3710AF55BF1E}'        )         or        (          Data[@Name='param4'] and Data='{C2F03A33-21F5-47FA-B4BB-156362A2F239}' and          Data[@Name='param5'] and Data='{316CDED5-E4AE-4B15-9113-7055D84DCC97}'        )        or        (          Data[@Name='param4'] and Data='{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}' and          Data[@Name='param5'] and Data='{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}'        )         or        (          Data[@Name='param4'] and Data='{C2F03A33-21F5-47FA-B4BB-156362A2F239}' and          Data[@Name='param5'] and Data='{316CDED5-E4AE-4B15-9113-7055D84DCC97}'        )      ]]    </Suppress>  </Query></QueryList>

In this query, param4 corresponds to the COM Server application CLSID and param5 corresponds to the APPID which are recorded in the 10016 event logs.

For more information about manually constructing Event Viewer queries, see Advanced XML filtering in the Windows Event Viewer.

You can also work around this issue by modifying the permissions on DCOM components to prevent this error from being logged. However, we do not recommend this method because these errors do not adversely affect functionality and modifying the permissions can have unintended side effects.