Description

Unable to start a DCOM Server: param3. The error.

Message #

Unable to start a DCOM Server: %3. The error:
"%2"
Happened while starting this command:
%1

Fields #

Description

Unable to start a DCOM Server: param3 as param4/param5. The error.

Message #

Unable to start a DCOM Server: %3 as %4/%5. The error:
"%2"
Happened while starting this command:
%1

Fields #

Fields #

Fields #

Description

DCOM got error "param1" and was unable to logon param2\param3 in order to run the server.

Message #

DCOM got error "%1" and was unable to logon %2\%3 in order to run the server:
%4

Fields #

Description

DCOM got error "param1" attempting to start the service param2 with arguments "param3" in order to run the server.

Message #

DCOM got error "%1" attempting to start the service %2 with arguments "%3" in order to run the server:
%4

Fields #

Description

DCOM got error "param1" attempting to start the service param2 with arguments "param3" in order to run the server.

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-DistributedCOM",
    "guid": "{1B562E86-B7AA-4131-BADC-B6F3A001407E}",
    "event_source_name": "DCOM",
    "event_id": 10005,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": 9259400833873739776,
    "time_created": "2019-04-27T21:04:43.704329Z",
    "event_record_id": 9256,
    "correlation": {},
    "execution": {
      "process_id": 756,
      "thread_id": 4404
    },
    "channel": "System",
    "computer": "DESKTOP-JR78RLP",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "param1": "1068",
    "param2": "netprofm",
    "param3": "Unavailable",
    "param4": "{A47979D2-C419-11D9-A5B4-001185AD2B89}"
  }
}

References #

• Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Description

DCOM got error "param1" from the computer param2 when attempting to activate the server.

Message #

DCOM got error "%1" from the computer %2 when attempting to activate the server:
%3

Fields #

Fields #

Description

DCOM got error "param1" from the computer param2 when attempting to the server.

Message #

DCOM got error "%1" from the computer %2 when attempting to the server:
%3 with file %4.

Fields #

Fields #

Description

The server param1 did not register with DCOM within the required timeout.

Message #

The server %1 did not register with DCOM within the required timeout.

Fields #

Description

The server did not register with DCOM within the required timeout.

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-DistributedCOM",
    "guid": "{1B562E86-B7AA-4131-BADC-B6F3A001407E}",
    "event_source_name": "DCOM",
    "event_id": 10010,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": 9259400833873739776,
    "time_created": "2023-10-25T22:55:19.214417+00:00",
    "event_record_id": 1460,
    "correlation": {
      "ActivityID": "D5BBEBF4-0795-0001-900E-BCD59507DA01"
    },
    "execution": {
      "process_id": 508,
      "thread_id": 560
    },
    "channel": "System",
    "computer": "WinDevEval",
    "security": {
      "user_id": "S-1-5-21-2533829718-189860685-2477588761-500"
    }
  },
  "event_data": {
    "param1": "{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}"
  },
  "message": ""
}

References #

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Fields #

Fields #

Message #

The activation for CLSID %1 failed because remote activations for COM+ are disabled. To enable this functionality use Server Manager to install the COM+ Network Access feature in the Application Server role.

Fields #

Description

The machine wide limit settings do not grant param1 param2 permission for the COM Server application with CLSID.

Message #

The machine wide limit settings do not grant %1 %2 permission for the COM Server application with CLSID 
%3
 and APPID 
%4
 to the user %5\%6 SID (%7) from address %8 running in the application container %9 SID (%10). This security permission can be modified using the Component Services administrative tool.

Fields #

Description

The param1 permission settings do not grant param2 param3 permission for the COM Server application with CLSID.

Message #

The %1 permission settings do not grant %2 %3 permission for the COM Server application with CLSID 
%4
 and APPID 
%5
 to the user %6\%7 SID (%8) from address %9 running in the application container %10 SID (%11). This security permission can be modified using the Component Services administrative tool.

Fields #

Description

The permission settings do not grant permission for the COM Server application with CLSID.

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-DistributedCOM",
    "guid": "{1B562E86-B7AA-4131-BADC-B6F3A001407E}",
    "event_source_name": "DCOM",
    "event_id": 10016,
    "version": 0,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": 9259400833873739776,
    "time_created": "2023-11-05T23:54:13.816805+00:00",
    "event_record_id": 2034,
    "correlation": {
      "ActivityID": "E4DB489E-1037-0003-B8CC-E0E43710DA01"
    },
    "execution": {
      "process_id": 8,
      "thread_id": 10920
    },
    "channel": "System",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-21-1992711665-1655669231-58201500-1000"
    }
  },
  "event_data": {
    "param1": "application-specific",
    "param2": "Local",
    "param3": "Activation",
    "param4": "{2593F8B9-4EAF-457C-B68A-50F6B8EA6B54}",
    "param5": "{15C20B67-12E7-4BB6-92BB-7AFF07997402}",
    "param6": "WINDEV2310EVAL",
    "param7": "User",
    "param8": "S-1-5-21-1992711665-1655669231-58201500-1000",
    "param9": "LocalHost (Using LRPC)",
    "param10": "Unavailable",
    "param11": "Unavailable"
  },
  "message": ""
}

References #

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Description

The param1 permission settings do not grant param2 access permission to the COM Server application param3 with APPID.

Message #

The %1 permission settings do not grant %2 access permission to the COM Server application %3 with APPID 
%4
 to the user %5\%6 SID (%7) from address %8 running in the application container %9 SID (%10). This security permission can be modified using the Component Services administrative tool.

Fields #

Description

The application-specific permission settings do not grant param1 access permission to the COM Server application param2 with APPID.

Message #

The application-specific permission settings do not grant %1 access permission to the COM Server application %2 with APPID 
%3
 to the user %4\%5 SID (%6) from address %7 running in the application container %8 SID (%9). The application set this security permission programmatically; to modify this security permission contact the application vendor.

Fields #

Description

The machine wide limit settings do not grant param1 access permission to the COM Server application param2 with APPID.

Message #

The machine wide limit settings do not grant %1 access permission to the COM Server application %2 with APPID 
%3
 to the user %4\%5 SID (%6) from address %7 running in the application container %8 SID (%9). This security permission can be modified using the Component Services administrative tool.

Fields #

Message #

The machine wide %1 %2 security descriptor is invalid. It contains Access Control Entries with permissions that are invalid. The requested action was therefore not performed. This security permission can be corrected using the Component Services administrative tool.

Fields #

Description

The launch and activation security descriptor for the COM Server application with APPID.

Message #

The launch and activation security descriptor for the COM Server application with APPID 
%1
 is invalid. It contains Access Control Entries with permissions that are invalid. The requested action was therefore not performed. This security permission can be corrected using the Component Services administrative tool.

Fields #

Description

The param1 access security descriptor for the COM Server application param2 with APPID.

Message #

The %1 access security descriptor for the COM Server application %2 with APPID 
%3
 is invalid. It contains Access Control Entries with permissions that are invalid. The requested action was therefore not performed. This security permission can be corrected using the Component Services administrative tool.

Fields #

Description

The application-specific access security descriptor for the COM Server application param1 with APPID.

Message #

The application-specific access security descriptor for the COM Server application %1 with APPID 
%2
 is invalid. It contains Access Control Entries with permissions that are invalid. The requested action was therefore not performed.  The application set this security permission programmatically; to modify this security permission contact the application vendor.

Fields #

Message #

The machine wide group policy %1 Limits security descriptor is invalid. The security descriptor is defined as an invalid Security Descriptor Definitions Language (SDDL) string. The requested action was therefore not performed. Please contact your administrator to get the security descriptor corrected in the Group Policy settings.

Fields #

Fields #

Message #

The machine wide limit settings do not grant %1 %2 permission for COM Server applications to the user %3\%4 SID (%5) from address %6 running in the application container %7 SID (%8). This security permission can be modified using the Component Services administrative tool.

Fields #

Description

DCOM was unable to communicate with the computer param1 using any of the configured protocols; requested by PID param2 (param3), while activating CLSID param4.

Message #

DCOM was unable to communicate with the computer %1 using any of the configured protocols; requested by PID %2 (%3), while activating CLSID %4.

Fields #

Description

DCOM was unable to communicate with the computer using any of the configured protocols; requested by PID (), while activating CLSID .

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-DistributedCOM",
    "guid": "{1B562E86-B7AA-4131-BADC-B6F3A001407E}",
    "event_source_name": "DCOM",
    "event_id": 10028,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": 9259400833873739776,
    "time_created": "2026-03-13T23:06:00.558843+00:00",
    "event_record_id": 12279,
    "correlation": {
      "ActivityID": "2A8C090C-ABB5-42FC-ABDE-C1146B129851"
    },
    "execution": {
      "process_id": 1212,
      "thread_id": 6732
    },
    "channel": "System",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {
    "param1": "DC1",
    "param2": "    287c",
    "param3": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "param4": "{8BC3F05E-D86B-11D0-A075-00C04FB68820}",
    "Binary": "3C5265636F726423313A20436F6D70757465723D286E756C6C293B5069643D313231323B332F31332F323032362032333A363A303A3535383B5374617475733D313732323B47656E636F6D703D323B4465746C6F633D313731303B466C6167733D303B506172616D733D313B7B506172616D23303A307D3E3C5265636F726423323A20436F6D70757465723D286E756C6C293B5069643D313231323B332F31332F323032362032333A363A303A3535383B5374617475733D313732323B47656E636F6D703D31383B4465746C6F633D313434323B466C6167733D303B506172616D733D313B7B506172616D23303A4443317D3E3C5265636F726423333A20436F6D70757465723D286E756C6C293B5069643D313231323B332F31332F323032362032333A363A303A3535383B5374617475733D313732323B47656E636F6D703D31383B4465746C6F633D3332323B466C6167733D303B506172616D733D303B3E3C5265636F726423343A20436F6D70757465723D286E756C6C293B5069643D313231323B332F31332F323032362032333A363A303A3535383B5374617475733D31313030313B47656E636F6D703D31383B4465746C6F633D3332303B466C6167733D303B506172616D733D313B7B506172616D23303A4443317D3E"
  },
  "message": ""
}

Description

The activation of the CLSID param1 timed out waiting for the service param2 to stop.

Message #

The activation of the CLSID %1 timed out waiting for the service %2 to stop.

Fields #

Description

Unable to start a COM Server for debugging: param3. The error.

Message #

Unable to start a COM Server for debugging: %3. The error:
"%2"
Happened while starting this command:
%1

Fields #

Description

An unmarshaling policy check was performed when unmarshaling a custom marshaled object and the class param1 was rejected.

Message #

An unmarshaling policy check was performed when unmarshaling a custom marshaled object and the class %1 was rejected

Fields #

Description

An unmarshaling policy check was performed when unmarshaling a custom inproc handler and the class param1 was rejected.

Message #

An unmarshaling policy check was performed when unmarshaling a custom inproc handler and the class %1 was rejected

Fields #

Description

An unmarshaling policy check was performed when unmarshaling a COM+ envoy context property and the class param1 was rejected.

Message #

An unmarshaling policy check was performed when unmarshaling a COM+ envoy context property and the class %1 was rejected

Fields #

Description

An unmarshaling policy check was performed due to CLSCTX_NO_CUSTOM_MARSHAL and the class param1 was rejected.

Message #

An unmarshaling policy check was performed due to CLSCTX_NO_CUSTOM_MARSHAL and the class %1 was rejected

Fields #

Description

The COM standard marshaler was unable to fix a mismatch between the IID ProvidedIid provided by the server and the IID RequestedIid requested by the client, with handler CLSID HandlerClsid. The error code was HRESULT.

Message #

The COM standard marshaler was unable to fix a mismatch between the IID %1 provided by the server and the IID %2 requested by the client, with handler CLSID %3. The error code was %4.

Fields #

Message #

The server-side authentication level policy does not allow the user %1\%2 SID (%3) from address %4 to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.

Fields #

Message #

Application %1 with PID %2 is requesting to activate CLSID %3 on computer %4 with explicitly set authentication level at %5. The lowest activation authentication level required by DCOM is 5(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY). To raise the activation authentication level, please contact the application vendor.

Fields #

Message #

Application %1 with PID %2 is requesting to activate CLSID %3 on computer %4 with default activation authentication level at %5. The lowest activation authentication level required by DCOM is 5(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY). To raise the activation authentication level, please contact the application vendor.

Fields #

Description

The COM sub system is suppressing duplicate event log entries for a duration of seconds. The suppression timeout can be controlled by a REG_DWORD value named under the following registry key: HKLM\.

Message #

The COM sub system is suppressing duplicate event log entries for a duration of %1 seconds.  The suppression timeout can be controlled by a REG_DWORD value named %2 under the following registry key: HKLM\%3.

Fields #

Description

Unable to start a DCOM Server: {param3}. The error:'{param2}'Happened while starting this command:{param1}.

Message #

Unable to start a DCOM Server: {param3}. The error:'{param2}'Happened while starting this command:{param1}

Fields #

Description

Unable to start a DCOM Server: {param3} as {param4}/{param5}. The error:'{param2}'Happened while starting this command:{param1}.

Message #

Unable to start a DCOM Server: {param3} as {param4}/{param5}. The error:'{param2}'Happened while starting this command:{param1}

Fields #

Description

Access denied attempting to launch a DCOM Server. The server is.

Message #

Access denied attempting to launch a DCOM Server. The server is:
%1
The user is %2/%3, SID=%4.

Fields #

Description

Access denied attempting to launch a DCOM Server using DefaultLaunchPermssion. The server is.

Message #

Access denied attempting to launch a DCOM Server using DefaultLaunchPermssion. The server is:
%1
The user is %2/%3, SID=%4.

Fields #

Description

DCOM got error '{param1}' and was unable to logon {param2}\{param3} in order to run the server:{param4}.

Message #

DCOM got error '{param1}' and was unable to logon {param2}\{param3} in order to run the server:{param4}

Fields #

Description

DCOM got error '{param1}' attempting to start the service {param2} with arguments '{param3}' in order to run the server:{param4}.

Message #

DCOM got error '{param1}' attempting to start the service {param2} with arguments '{param3}' in order to run the server:{param4}

Fields #

Description

DCOM got error '{param1}' from the computer {param2} when attempting to activate the server:{param3}.

Message #

DCOM got error '{param1}' from the computer {param2} when attempting to activate the server:{param3}

Fields #

Description

DCOM got error "param1" when attempting to activate the server.

Message #

DCOM got error "%1" when attempting to activate the server:
%2

Fields #

Description

DCOM got error '{param1}' from the computer {param2} when attempting to the server:{param3} with file {param4}.

Message #

DCOM got error '{param1}' from the computer {param2} when attempting to the server:{param3} with file {param4}.

Fields #

Description

DCOM was unable to communicate with the computer param1 using any of the configured protocols.

Message #

DCOM was unable to communicate with the computer %1 using any of the configured protocols.

Fields #

Description

The server {param1} did not register with DCOM within the required timeout.

Message #

The server {param1} did not register with DCOM within the required timeout.

Fields #

Description

The server param1 could not be contacted to establish the connection to the client.

Message #

The server %1 could not be contacted to establish the connection to the client

Fields #

Description

There is an assertion failure in DCOM. Context follows: ContextFollows param2 param3.

Message #

There is an assertion failure in DCOM.  Context follows: %1 %2 %3

Fields #

Message #

The activation for CLSID {param1} failed because remote activations for COM+ are disabled. To enable this functionality use Server Manager to install the COM+ Network Access feature in the Application Server role.

Fields #

Message #

The machine wide limit settings do not grant {param1} {param2} permission for the COM Server application with CLSID {param3} and APPID {param4} to the user {param5}\{param6} SID ({param7}) from address {param8}. This security permission can be modified using the Component Services administrative tool.

Fields #

Message #

The {param1} permission settings do not grant {param2} {param3} permission for the COM Server application with CLSID {param4} and APPID {param5} to the user {param6}\{param7} SID ({param8}) from address {param9}. This security permission can be modified using the Component Services administrative tool.

Fields #

Message #

The {param1} permission settings do not grant {param2} access permission to the COM Server application {param3} with APPID {param4} to the user {param5}\{param6} SID ({param7}) from address {param8}. This security permission can be modified using the Component Services administrative tool.

Fields #

Message #

The application-specific permission settings do not grant {param1} access permission to the COM Server application {param2} with APPID {param3} to the user {param4}\{param5} SID ({param6}) from address {param7}. The application set this security permission programmatically; to modify this security permission contact the application vendor.

Fields #

Message #

The machine wide limit settings do not grant {param1} access permission to the COM Server application {param2} with APPID {param3} to the user {param4}\{param5} SID ({param6}) from address {param7}. This security permission can be modified using the Component Services administrative tool.

Fields #

Message #

The machine wide {param1} {param2} security descriptor is invalid. It contains Access Control Entries with permissions that are invalid. The requested action was therefore not performed. This security permission can be corrected using the Component Services administrative tool.

Fields #

Message #

The launch and activation security descriptor for the COM Server application with APPID {param1} is invalid. It contains Access Control Entries with permissions that are invalid. The requested action was therefore not performed. This security permission can be corrected using the Component Services administrative tool.

Fields #

Message #

The {param1} access security descriptor for the COM Server application {param2} with APPID %3 is invalid. It contains Access Control Entries with permissions that are invalid. The requested action was therefore not performed. This security permission can be corrected using the Component Services administrative tool.

Fields #

Message #

The application-specific access security descriptor for the COM Server application {param1} with APPID %2 is invalid. It contains Access Control Entries with permissions that are invalid. The requested action was therefore not performed.  The application set this security permission programmatically; to modify this security permission contact the application vendor.

Fields #

Message #

The machine wide group policy {param1} Limits security descriptor is invalid. The security descriptor is defined as an invalid Security Descriptor Definitions Language (SDDL) string. The requested action was therefore not performed. Please contact your administrator to get the security descriptor corrected in the Group Policy settings.

Fields #

Message #

The machine wide limit settings do not grant {param1} {param2} permission for COM Server applications to the user {param3}\{param4} SID ({param5}) from address {param6}. This security permission can be modified using the Component Services administrative tool.

Fields #

Description

DCOM started the service {param1} with arguments '{param2}' in order to run the server:{param3}.

Message #

DCOM  started the service {param1} with arguments '{param2}' in order to run the server:{param3}

Fields #

Message #

The COM standard marshaler was unable to fix a mismatch between the IID {ProvidedIid} provided by the server and the IID {RequestedIid} requested by the client; with handler CLSID {HandlerClsid}. The error code was {HRESULT}.

Fields #