DCOM, or Distributed Component Object Model, is a technology in Windows allowing remote communication between programs. WMI, in particular, uses it to communicate. A lot of business-oriented server applications use it, as well, to communicate between layers. If you’ve ever spent any time with DCOM, you have probably come to understand just how fragile it can be. When it works, it’s like magic, but when it doesn’t, it can be a serious hair-pulling experience.
One of the more fragile bits of DCOM is its security. There are four different areas of DCOM, each with its own ACL (Access Control List), and a problem in any one of the four can lead to hard-to-track-down problems. To make matters worse, many applications that use DCOM will alter the security settings, potentially breaking DCOM access for other programs on the same computer. Sometimes it’s necessary to just reset DCOM security to its default state, just as it was when Windows was installed.
Last week I found a quick way to do this, but it does require editing the registry so the standard warnings and “do not try this at home” apply. However, if you’re stuck fixing a problem down in the guts of DCOM security, editing the registry is the least of your worries.
You can view the DCOM ACLs by running dcomcnfg.exe and navigating to Component Services > Computers > My Computer > Right-click > Properties > COM Security tab.
The ACLs are stored in the registry under the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole, in the following binary values:
DefaultAccessPermission
DefaultLaunchPermission
MachineAccessRestriction
MachineLaunchRestriction
To reset them, all you need to do is to delete these values. If DCOM doesn’t find any ACLs here, then it will use its defaults. Any changes you make will then re-create the values. Of course, you’ll want to back them up before you delete them, or you could just rename them to be safe.
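The backup-then-delete procedure above as a PowerShell script. This is an added example, not part of the original post; the backup folder C:\DcomAclBackup is an assumed location, and the script must be run from an elevated session.

```powershell
# Added example: back up, then delete, the four DCOM ACL values under
# HKLM\SOFTWARE\Microsoft\Ole so that DCOM falls back to its defaults.
$OleKey    = 'HKLM:\SOFTWARE\Microsoft\Ole'
$AclValues = 'DefaultAccessPermission', 'DefaultLaunchPermission',
             'MachineAccessRestriction', 'MachineLaunchRestriction'
$BackupDir = 'C:\DcomAclBackup'   # assumption: any admin-only folder will do

# 1. Export the whole Ole key first; restore later with "reg import <file>".
$stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
$backupFile = Join-Path $BackupDir "Ole-$stamp.reg"
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
& reg.exe export 'HKLM\SOFTWARE\Microsoft\Ole' $backupFile /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Backup failed; nothing was deleted.' }
Write-Host "Backup written to $backupFile"

# 2. Record each ACL in readable form, then delete the value.
foreach ($name in $AclValues) {
    $current = Get-ItemProperty -Path $OleKey -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $current) {
        Write-Host "$name : not present, DCOM default already in effect"
        continue
    }
    try {
        # The values are binary security descriptors; print them as SDDL
        # so there is a human-readable record of what was removed.
        $bytes = [byte[]]$current.$name
        $sd    = [System.Security.AccessControl.RawSecurityDescriptor]::new($bytes, 0)
        Write-Host "$name : $($sd.GetSddlForm('All'))"
    } catch {
        Write-Warning "$name : could not decode as a security descriptor"
    }
    Remove-ItemProperty -Path $OleKey -Name $name
    Write-Host "$name : deleted"
}
```

Comparing the printed SDDL strings with the COM Security tab in dcomcnfg.exe before deleting shows which application-specific entries will be lost by the reset.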