Skip to content

How to perform a quick DCOM security reset

smiling man
Adam Ruth|Updated November 23, 2020
DCOM-security-reset
DCOM-security-reset
Sections
    No Data

    DCOM, or Distributed Component Object Model, is a technology in Windows allowing remote communication between programs. WMI, in particular, uses it to communicate. A lot of business oriented server applications use it, as well, to communicate between layers. If you’ve ever spent any time with DCOM you probably have come to understand just how fragile it can be. When it works, it’s like magic, but when it doesn’t it can be a serious hair pulling experience.

    One of the more fragile bits of DCOM is its security. There are are four different areas of DCOM each with their own ACLs (Access Control Lists) and a problem in any one of the four can lead to hard to track down problems. To make matters worse, many applications that use DCOM will alter the security settings, potentially breaking DCOM access for other programs on the same computer. Sometimes it’s necessary to just reset DCOM security to its default state, just as it was when Windows was installed.

    ConnectIcon CTA

    Centralize your Windows device management

    Gain real-time visibility, deploy software, remediate vulnerabilities, schedule reports, automate maintenance tasks, and access remote devices from one easy-to-use platform.

    Last week I found a quick way to do this, but it does require editing the registry so the standard warnings and “do not try this at home” apply. However, if you’re stuck fixing a problem down in the guts of DCOM security, editing the registry is the least of your worries.

    You can view the DCOM ACLs by running dcomcnfg.exe and navigating to Component Services > Computers > My Computer > Right-click > Properties > COM Security tab.

    The ACLs are stored in the registry under the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole, in the following binary values:

    • DefaultAccessPermission

    • DefaultLaunchPermission

    • MachineAccessRestriction

    • MachineLaunchRestriction

    To reset them, all you need to do is to delete these values. If DCOM doesn’t find any ACLs here, then it will use its defaults. Any changes you make will then re-create the values. Of course, you’ll want to back them up before you delete them, or you could just rename them to be safe. 

    smiling man
    Adam Ruth

    Adam is a co-founders of PDQ.

    Related articles