Bitácora Técnica de Tux&Cía., Santa Cruz de la Sierra, BO

Friday, June 15, 2012

DCOM event error 10010

The server {73E709EA-5D93-4B2E-BBB0-99B7938DA9E4} did not register with DCOM within the required timeout.
El servidor {73E709EA-5D93-4B2E-BBB0-99B7938DA9E4} no se registró con DCOM dentro del tiempo de espera requerido.
http://support.microsoft.com/kb/327153/es
http://support.microsoft.com/kb/913119/es
help.lockergnome.com/ DCOM-error-attempting-run-system-information-utility-rep
=========================
DCOM Error 10010 - Very Slow Login, Very Slow Desktop

There is usually no problem, but some machines have developed a symptom that appears randomly; it can happen 1 week after installation, it can appear 1 month after installation.
  The logon process takes a lot of time (sometimes around 10 minutes), before the desktop fully appears. Using the Start Menu or the Taskbar (same is to say, explorer.exe) also is full of delay. Clicking on any item only triggers the action 2 or 3 minutes after.
  Yet, if you click anything from the desktop, it promptly executes. In fact, I can open a command prompt, and do all the commands I need, and open event viewer, task manager, etc, without any problem. It seems to be connected to the explorer.exe process.
  In the Event Viewer, the explanation seems to be showing as DCOM access timeouts. All the machines with these problems show Event ID 10010, with the following descriptions:
  • The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register with DCOM within the required timeout.
  • The server {5CEC0E13-CF22-414C-8D67-D44B06420FC1} did not register with DCOM within the required timeout.
  • The server {BA126AE5-2166-11D1-B1D0-00805FC1270E} did not register with DCOM within the required timeout.
  The first Class is WMI, the second Class is SavInfo (likely Symantec), and the third is Network Connection Manager Class.
  When the computer is in this state, restarting, uninstalling Symantec Endpoint Protection (even manually, since sometimes the Add/Remove Program console is also non-responsive), doesn't seem to work. The only option was to format and reinstall.
  There's a solution here that seems to remedy this problem, but I can't figure out what the problem is. My only pointer is that I installed Symantec Endpoint Protection on these machines. But on the other hand, I have this AV installed on many machines, all of them working smoothly.

DCOM Error 10010 - Very Slow Login, Very Slow Desktop


We have come across this specific issue on Windows 2003 (post service pack 1) and Windows XP (post service pack 2) where the machine experiences slow performance and we observe many DCOM 10010 errors in the event logs. If you are running into this issue, you may see some of the symptoms/errors listed below.
  • Doing anything takes forever. You click the Start button and it responds to you after a minute (or maybe more than that). Switching windows in the Taskbar takes very long.
  • If you have IIS installed on the server, the IIS related services may not start or may hang while starting. Typically these errors appear when you try to start them.
    • Trying to start the IISADMIN service throws an error - Windows Could not start the IIS Admin Service on Local Computer. For more information, review the system Event log. If this is a non-Microsoft service, contact the service vendor, and refer to service-specific error code –2147221164(0x80040154) or The IIS Admin Service service terminated with service-specific error 2147746132 (0x80040154).
    • If IISADMIN service is started, trying to start the World Wide Web Publishing Service hangs and the service goes into the Starting state and after some time it may throw the error - The World Wide Web Publishing Service service terminated with service-specific error 2148007941 (0x80080005)
  • While expanding COM+ Applications inside component services, you may get the below error
    • An error occurred while processing the last operation.
    • Error code 8000FFF - Catastrophic failure
  • You observe many DCOM Errors 10010 in the event viewer (like this)
    • The server {BA126AD1-2166-11D1-B1D0-00805FC1270E} did not register with DCOM within the required timeout
    • The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register with DCOM within the required timeout
The interesting thing to note here is that most of the components which are failing or performing slowly are basic system components. The GUID {BA126AD1-2166-11D1-B1D0-00805FC1270E} is the CLSID (class ID) for the Network Connection Manager Class and the GUID {8BC3F05E-D86B-11D0-A075-00C04FB68820} is the CLSID for WMI. The one big common thing between all these symptoms is that all the programs which exhibit them are dependent on DCOM.
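An added example (not part of the original article or of any Microsoft tool): a PowerShell function that groups Event ID 10010 descriptions by CLSID and looks up each class name under HKCR\CLSID, which is how GUIDs like the ones above map to class names. The function name Get-DcomTimeoutSummary is hypothetical, the sample messages are constructed from GUIDs quoted on this page, and PowerShell 2.0 or later is assumed.

```powershell
# Added example: group DCOM 10010 descriptions by CLSID and resolve each class
# name from HKCR\CLSID. Get-DcomTimeoutSummary is a hypothetical name.
function Get-DcomTimeoutSummary {
    param([string[]]$Message)

    $guid = '\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}'
    $ids  = foreach ($m in $Message) {
        if ($m -match $guid) { $Matches[0].ToUpper() }
    }
    $ids | Group-Object | Sort-Object Count -Descending | ForEach-Object {
        $group = $_
        $key   = "Registry::HKEY_CLASSES_ROOT\CLSID\$($group.Name)"
        try {
            # The key's default value holds the registered class name.
            $class = (Get-ItemProperty -LiteralPath $key -ErrorAction Stop).'(default)'
        } catch {
            # A missing key or an access-denied error is reported, not hidden.
            $class = "unresolved ($($_.Exception.Message))"
        }
        New-Object PSObject -Property @{
            Clsid = $group.Name; Events = $group.Count; Class = $class
        }
    }
}

# Constructed sample descriptions, using GUIDs quoted in this article.
$sample = @(
    'The server {BA126AD1-2166-11D1-B1D0-00805FC1270E} did not register with DCOM within the required timeout',
    'The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register with DCOM within the required timeout',
    'The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register with DCOM within the required timeout'
)
Get-DcomTimeoutSummary -Message $sample | Format-Table Clsid, Events, Class -AutoSize

# On a live system, feed it the real events instead:
# Get-DcomTimeoutSummary -Message (Get-EventLog -LogName System |
#     Where-Object { $_.EventID -eq 10010 } | ForEach-Object { $_.Message })
```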
If you end up with the symptoms/errors listed above, one quick thing to check is the permissions on the HKCR\CLSID registry key. By default, the permissions on that key should look like this:
[image: default permissions on the HKCR\CLSID key]
If you are running into this issue, you will see that the USERS group is not listed in the ACL for this registry key. You might see an account with the name RESTRICTED listed there. To fix the problem, you can configure the ACLs on the HKCR\CLSID key in the default way. For Windows 2003, the default permissions on HKCR\CLSID should look like this:
  1. Administrators – FULL CONTROL
  2. Power Users – READ
  3. SYSTEM – FULL CONTROL
  4. Users – READ
After making the registry change, you have to reboot the machine so that the programs can access the registry during the startup and hence function properly.
At this point, we haven't had a chance to determine the root cause of this problem. In other words, we don't know what particular action ends up removing the USERS group from the HKCR\CLSID registry key and we need your help in determining the root cause. If you are able to reproduce this issue at your end, we would like to know the steps you took to reproduce it, so that we can figure out what causes it and try to keep it from occurring in the first place. Please feel free to post your comments at the end of this blog to let us know if you have a successful repro of this situation.
PLEASE NOTE: The permissions on HKCR\CLSID may not be the only cause of the errors. The errors listed above are very generic and can occur in a lot of situations. The purpose of this article is to eliminate one basic cause which we come across a lot of times. If fixing the permissions on HKCR\CLSID and then rebooting the machine doesn't fix the issue for you, we recommend you run the Process Monitor tool and look for any registry-level or file-level access-denied results on the server. Otherwise check out the following list of KB articles which may point more specifically to the issue that you are facing.
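One way to run the permission check described above without opening the registry editor, as an added example that is not the article's own code: a read-only PowerShell function that compares the ACL on HKCR\CLSID with the Windows 2003 defaults listed above. The function name Test-ClsidKeyAcl is hypothetical, PowerShell 2.0 or later is assumed, and the baseline is only the Windows 2003 list from this article, so other Windows versions will legitimately differ.

```powershell
# Added example: read-only audit of the HKCR\CLSID ACL against the Windows 2003
# defaults listed in the article. Test-ClsidKeyAcl is a hypothetical name.
function Test-ClsidKeyAcl {
    param([string]$Path = 'Registry::HKEY_CLASSES_ROOT\CLSID')

    # Well-known SIDs instead of names, so localized group names do not matter.
    $baseline = @(
        @{ Name = 'Administrators'; Sid = 'S-1-5-32-544'; Need = 'FullControl' },
        @{ Name = 'Power Users';    Sid = 'S-1-5-32-547'; Need = 'ReadKey' },
        @{ Name = 'SYSTEM';         Sid = 'S-1-5-18';     Need = 'FullControl' },
        @{ Name = 'Users';          Sid = 'S-1-5-32-545'; Need = 'ReadKey' }
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $inhOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    # Explicit and inherited Allow ACEs that apply to the key itself.
    # ACEs that carry only generic rights are not mapped to specific rights here.
    $rules = @((Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType) |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       -not ($_.PropagationFlags -band $inhOnly) })

    foreach ($entry in $baseline) {
        $need    = [int][System.Security.AccessControl.RegistryRights]$entry.Need
        $granted = 0
        foreach ($r in $rules) {
            if ($r.IdentityReference.Value -eq $entry.Sid) {
                $granted = $granted -bor [int]$r.RegistryRights
            }
        }
        $status = 'OK'
        if ($granted -eq 0) { $status = 'MISSING' }
        elseif (($granted -band $need) -ne $need) { $status = 'INSUFFICIENT' }
        New-Object PSObject -Property @{
            Trustee = $entry.Name; Expected = $entry.Need; Status = $status
        }
    }
    # The article notes RESTRICTED (S-1-5-12) may be listed on affected machines.
    if ($rules | Where-Object { $_.IdentityReference.Value -eq 'S-1-5-12' }) {
        Write-Warning 'RESTRICTED has an Allow entry on this key.'
    }
}

Test-ClsidKeyAcl | Format-Table Trustee, Expected, Status -AutoSize
```

A MISSING status for Users corresponds to the condition the article describes; the function reports only and leaves the ACL unchanged.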

===============================

DCOM error when attempting to run system information
"WMI Diagnosis Utility" 
http://www.microsoft.com/technet/scriptcenter/topics/help/wmidiag.mspx 
Systems that have changed the default Access Control List permissions on the 
%windir%\registration directory may experience various problems after you 
install the Microsoft Security Bulletin MS05-051 for COM+ and MS DTC 
http://support.microsoft.com/kb/909444
Also you can download the DiagWMI from here and some good solutions on the 
page: 
http://windowsxp.mvps.org/repairwmi.htm

Windows XP and Windows Vista

Click Start, Run and type CMD.EXE
Note: In Windows Vista, you need to open an elevated Command Prompt window. To do so, click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
Type this command and press Enter:
net stop winmgmt
Using Windows Explorer, rename the folder %windir%\System32\Wbem\Repository. (For example, %windir%\System32\Wbem\Repository_bad). %windir% represents the path to the Windows directory, which is typically C:\Windows.
Switch to Command Prompt window, and type the following and press ENTER after each line:
net start winmgmt
EXIT
Courtesy: The above is excerpted from Microsoft Technet article WMI Isn't Working!

For Windows XP Service Pack 2

Click Start, Run and type the following command:
rundll32 wbemupgd, UpgradeRepository
This command is used to detect and repair a corrupted WMI Repository. The results are stored in the setup.log (%windir%\system32\wbem\logs\setup.log) file.

For Windows Vista

Open an elevated Command Prompt window. To do so, click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
Type the following command:
winmgmt  /salvagerepository
The above command performs a consistency check on the WMI repository and, if an inconsistency is detected, rebuilds the repository. The content of the inconsistent repository is merged into the rebuilt repository, if it can be read.

For Windows Server 2003

Use the following command to detect and repair a corrupted WMI Repository:
rundll32 wbemupgd, RepairWMISetup

Re-registering the WMI components (Ref WMI FAQ)

The .DLL and .EXE files used by WMI are located in %windir%\system32\wbem. You might need to re-register all the .DLL and .EXE files in this directory. If you are running a 64-bit system you might also need to check for .DLLs and .EXE files in %windir%\sysWOW64\wbem.
To re-register the WMI components, run the following commands at the command prompt:
  • cd /d %windir%\system32\wbem
  • for %i in (*.dll) do RegSvr32 -s %i
  • for %i in (*.exe) do %i /RegServer

Note that neither of the above two methods restores missing files related to Windows Management Instrumentation (WMI). Below is a comprehensive repair procedure that restores all the missing WMI modules; use it when WMI modules are missing.

Comprehensive rebuild method

Important note: If you've installed a Service Pack, you need to insert your Windows XP CD with Service Pack integration (called the Slipstreamed Windows XP CD). If you don't have one, you may point to the %Windir%\ServicePackFiles\i386 folder for a recent version of the system files required during WMI repair. Or you may create a slipstreamed Windows XP CD and insert it when prompted.
Click Start, Run and type the following command, and press ENTER:
rundll32.exe setupapi,InstallHinfSection WBEM 132 %windir%\inf\wbemoc.inf
Insert your Windows XP CD into the drive when prompted. The repair process should take a few minutes to complete. Then restart Windows for the changes to take effect.
===========================================
Got the WMI Diagnosis Utility, ran it, took about an hour, got several  messages like 
BUILTIN\ADMINISTRATORS' has been REMOVED 
Default trustee 'NT AUTHORITY\SELF' has been REMOVED! 
NT AUTHORITY\INTERACTIVE' has been REMOVED! 
'NT AUTHORITY\SYSTEM' has been REMOVED 
DCOM security for 'My Computer' (Access Permissions/Edit Default): 
.... MODIFIED. 
ERROR: Default trustee 'NT AUTHORITY\SELF' has been REMOVED! 
REMOVED ACE: 
Ran DCOMCNFG.EXE as instructed but can't find the above reference. i.e. 
nothing called access, permissions or authority. 
found 
Microsoft WBEM Unsecured Apartment 
Microsoft WMI Provider Subsystem Host 
both had security set to custom, so I set it to default 
ran msinfo32.exe and got. 
Can't collect information Windows management files may be moved or missing. 
so I changed back to custom but I still get the same message that it can't find the files. It seems like I should be altering permissions somewhere.
-----------------------------
Follow these steps to be able to collect information for msinfo32. 
Try to Open Control Panel >> Administrative Tools >> Component Services 
Then once in Component Services double click on the left hand side on 
Component Services>click on + Computers> + My Computer> + DCOM Config 
Look for Microsoft WMI Provider Subsystem Host>Right Click and go to 
Properties>Security Tab>then to the 1st Edit button at the top of the 
window>INTERACTIVE, NETWORK SERVICE, AND SYSTEM all need to be set to allow 
instead of deny. 
After you do this, click OK to apply, then exit Component Services 
and reboot.
==================================
The problem was related to the NIC card, and after replacing it this NIC hasn't caused any crash. 
So my suggestion is to replace the NICs with Intel and get away from the Broadcom NICs.
---------------------
An average response from HP Support said: "Your firmware maintenance version is much too old. Please install HP Firmware Maintenance CD v8.50 and see if this works".
MS Partner Support were great and responded saying: "This issue is being caused by your server using a network card driver that utilizes TDI"
MS Partner Support referenced the following blog article and MS KB article:
http://blogs.technet.com/sbs/archive/2009/02/12/you-may-lose-network-connectivity-on-sbs-2008-when-using-a-driver-which-utilizes-tdi.aspx
Installing the hotfix from the following MS KB resolved the issue for me:
http://support.microsoft.com/default.aspx/kb/961775
When software that uses Transport Driver Interface (TDI) drivers, such as some antivirus software, is installed on a Windows Server 2008 system or on Windows Vista Service Pack 1 (SP1) system, the handle count of the system process keeps increasing. This problem occurs if the Windows Server 2008 system or the Windows Vista Service Pack 1 (SP1) system is running on a computer that has multiple processors. If this issue occurs for some time, the computer begins to run out of system resources. Therefore, any new Ancillary Function Driver for WinSock (AFD) connection to this computer fails.
Additionally, the following problems may occur if the computer is a domain controller:
  • User authentication fails.
  • Sysvol replication fails.
  • Events 404 and 408 appear in the DNS server log.
  • One of the following Netlogon events occurs:
    • Netlogon event 5775
    • Netlogon event 5792
    • Netlogon event 5719
For example, the following is a sample event when Netlogon event 5775 occurs:
Log Name: System
Source: NETLOGON
Event ID: 5775
Level: Error
Keywords: Classic
Description:
The dynamic deletion of the DNS record '. 600 IN SRV 0 100 389 .' failed on the following DNS server:
DNS server IP address: 
Returned Response Code (RCODE): 5
Returned Status Code: 10055
USER ACTION
To prevent remote computers from connecting unnecessarily to the domain controller, delete the record manually or troubleshoot the failure to dynamically delete the record. To learn more about debugging DNS, see Help and Support Center.
ADDITIONAL DATA
Error Value: An operation on a socket could not be performed because the system lacked sufficient buffer space or because a queue was full.
