Weekend Reading – February 19, 2016

Fedora 21 on a Macbook Air

After going around and around trying to get usb boot media working with my Macbook Air, I finally came across a gem that did the trick. I had an EFI partitioned disk and regardless of using Unetbootin, Yumi, and Lili, I was only able to boot just to receive this error:

error: file ‘/isolinux/vmlinuz0’ not found.
error: you need to load the kernel first.

The fix was to clean up my usb disk and then use Rawrite32. I found these instructions on the fedora project wiki under Windows Quick Start.

First, I had to blow away every partition on my usb device. Note: Take care to list disk and select the correct disk before running clean.

C:\> diskpart
DISKPART> list disk
DISKPART> select disk 1
DISKPART> clean
DISKPART> exit

Once completed, download and install Rawrite32. When you launch Rawrite32, select Open. You’ll have to hit the drop-down to show all files so you can select the ISO. Under target, you should see your USB device to write to.  Hit Write to disk… and you should be ready to boot once it does its thing.

 

 

Powershell: Get File Details and Owner Information in a GUI

Filter option example for out-gridview

A quick and dirty script to grab file details recursively including the owner info. A colleague was scouring the web looking for an app to do this. He also wanted the ability to quickly filter the results based on the last write time. This is a perfect use case for Out-GridView.

$path = "C:\Chocolatey"
$allfiles = @()

foreach ($item in (Get-ChildItem -Recurse -Path $path)) {
    $acl = Get-Acl -Path $item.FullName
    $allfiles += New-Object PSobject -Property @{
        LastWrite = $item.LastWriteTime
        Path = $item.FullName
        FileName = $item.Name
        Folder = $item.Directory
        Owner = $acl.Owner
    }
}

$allfiles | Out-GridView

 

Update Lync Notes With Twitter Status

Tired of seeing What’s happening now? in the Lync client. Sick of seeing the same old status update because you or your colleagues never pulled down that holiday message or #GoHawks update? Well, I was sick of it. I wanted a quick and dirty way to automate updating the Lync status message (aka ProfileNote).

After hours of scouring the internet and messing with multiple twitter libraries and outdated twitter code, I ran across this gem by Github: MyTwitter.psm1. While it was meant to post to twitter, a bit of hacking and this was born. Coupled with some other Lync Client work I’ve done, I had a workable solution.

This, of course, wouldn’t be complete without a working example. All you need is to create the Oauth tokens on twitter, set up a scheduled task, and you’ll be auto updating Lync with everyone’s favorite infosec professional, Infosec Taylor Swift (@SwiftOnSecurity).

Steps:

  1. Go to https://apps.twitter.com/app/new and fill in the basic required information.
  2. Once created, click on the “Keys and Access Tokens” menu item
  3. At the bottom under “Token Actions”, select “Create my access token”
  4. Copy the tokens into the script.

Note:

  • The secret tokens are sensitive. Be like Taylor and protect your secrets.
  • Your app permissions only need to be read-only. Be like Taylor and follow the principle of least privilege.

#requires -Version 3.0
<#
.SYNOPSIS 
Sets Lync 2013 Client's PersonalNote field with latest tweet from your favorite twitter personality:
@SwiftOnSecurity

.DESCRIPTION
Tired of What's happening today? Find out with the Set-LyncNoteWithTwitter.ps1 script. It sets the 
Lync 2013 Client's personal note to match the latest tweet from your favorite twitter personality. 
Authentication and authorization are handled through Twitter's Oauth implementation. Everything else is 
via their REST API. The Lync COM is used to update the Lync client.

The secret tokens are sensitive. Be like Taylor and protect your secrets.
Your app permissions only need to be read-only. Be like Taylor and follow the principle of least privilege. 

****Requires Lync 2013 SDK.**** The SDK install requires Visual Studio 2010 SP1. To avoid installing 
Visual Studio, download the SDK, use 7-zip to extract the files from the install, and install the MSI 
relevant to your Lync Client build (x86/x64).

.INPUTS
None. You cannot pipe objects to Set-LyncNoteWithTwitter.ps1.

.OUTPUTS
None. Set-LyncNoteWithTwitter.ps1 does not generate any output.

.NOTES
Author Name:   Andrew Healey (@healeyio)
Creation Date: 2015-02-02
Version Date:  2015-02-02

.LINK
Author:          https://www.healey.io/blog/update-lync-notes-with-twitter-status/
Lync 2013 SDK:   http://www.microsoft.com/en-us/download/details.aspx?id=36824
Some code referenced from:
   MyTwitter:    https://github.com/MyTwitter/MyTwitter

.EXAMPLE
PS C:\PS> .\Set-LyncNoteWithTwitter.ps1

#>


## Parameters
[string]$Consumer_Key =        'abcdefghijklmnopqrstuvwxyz'
[string]$Consumer_Secret =     'abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz'
[string]$Access_Token =        'abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz'
[string]$Access_Token_Secret = 'abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrst'
[string]$screen_name =         'SwiftOnSecurity'
[int]   $count =                1
[string]$exclude_replies =     'true'
[string]$include_rts =         'false'
[string]$HttpEndPoint =        'https://api.twitter.com/1.1/statuses/user_timeline.json'

[Reflection.Assembly]::LoadWithPartialName("System.Security") | Out-Null
[Reflection.Assembly]::LoadWithPartialName("System.Net") | Out-Null

## Generate a nonce from the current tick count, Base64 encoded (unique per call, not random). Strip out '=' per twitter req's
$OauthNonce = [System.Convert]::ToBase64String(([System.Text.Encoding]::ASCII.GetBytes("$([System.DateTime]::Now.Ticks.ToString())12345"))).Replace('=', 'g')
Write-Verbose "Generated Oauth nonce string '$OauthNonce'"
			
## Find the total seconds since 1/1/1970 (epoch time)
$EpochTimeNow = [System.DateTime]::UtcNow - [System.DateTime]::ParseExact("01/01/1970", "dd/MM/yyyy", $null)
Write-Verbose "Generated epoch time '$EpochTimeNow'"
$OauthTimestamp = [System.Convert]::ToInt64($EpochTimeNow.TotalSeconds).ToString();
Write-Verbose "Generated Oauth timestamp '$OauthTimestamp'"
			
## Build the signature
$SignatureBase = "$([System.Uri]::EscapeDataString($HttpEndPoint))&"
$SignatureParams = @{
	'oauth_consumer_key' =     $Consumer_Key;
	'oauth_nonce' =            $OauthNonce;
	'oauth_signature_method' = 'HMAC-SHA1';
	'oauth_timestamp' =        $OauthTimestamp;
	'oauth_token' =            $Access_Token;
	'oauth_version' =          '1.0';
}

## Add Signature Params
$SignatureParams.screen_name =     $screen_name
$SignatureParams.exclude_replies = $exclude_replies
$SignatureParams.include_rts =     $include_rts
$SignatureParams.count =           $count
			
## Create a string called $SignatureBase that joins all URL encoded 'Key=Value' elements with a &
## Remove the URL encoded & at the end and prepend the necessary 'GET&' verb to the front
$SignatureParams.GetEnumerator() | sort name | foreach { 
    Write-Verbose "Adding '$([System.Uri]::EscapeDataString(`"$($_.Key)=$($_.Value)&`"))' to signature string"
    $SignatureBase += [System.Uri]::EscapeDataString("$($_.Key)=$($_.Value)&".Replace(',','%2C').Replace('!','%21'))
}
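## Drop the trailing URL encoded '&' ('%26'). TrimEnd('%26') would also strip any trailing '%', '2' or '6' of the last value
$SignatureBase = $SignatureBase.Substring(0, $SignatureBase.Length - 3)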
$SignatureBase = 'GET&' + $SignatureBase
Write-Verbose "Base signature generated '$SignatureBase'"
			
## Create the hashed string from the base signature
$SignatureKey = [System.Uri]::EscapeDataString($Consumer_Secret) + "&" + [System.Uri]::EscapeDataString($Access_Token_Secret);
			
$hmacsha1 = new-object System.Security.Cryptography.HMACSHA1;
$hmacsha1.Key = [System.Text.Encoding]::ASCII.GetBytes($SignatureKey);
$OauthSignature = [System.Convert]::ToBase64String($hmacsha1.ComputeHash([System.Text.Encoding]::ASCII.GetBytes($SignatureBase)));
Write-Verbose "Using signature '$OauthSignature'"
			
## Build the authorization headers using most of the signature headers elements.  This is joining all of the 'Key=Value' elements again
## and only URL encoding the Values this time while including non-URL encoded double quotes around each value
$AuthorizationParams = $SignatureParams
$AuthorizationParams.Add('oauth_signature', $OauthSignature)
			
## Remove any REST API call-specific params from the authorization params
$AuthorizationParams.Remove('exclude_replies')
$AuthorizationParams.Remove('include_rts')
$AuthorizationParams.Remove('screen_name')
$AuthorizationParams.Remove('count')
			
$AuthorizationString = 'OAuth '
$AuthorizationParams.GetEnumerator() | sort name | foreach { $AuthorizationString += $_.Key + '="' + [System.Uri]::EscapeDataString($_.Value) + '",' }
$AuthorizationString = $AuthorizationString.TrimEnd(',')
Write-Verbose "Using authorization string '$AuthorizationString'"

## Build URI Body
$URIBody = "?count=$count&exclude_replies=$exclude_replies&include_rts=$include_rts&screen_name=$screen_name"
Write-Verbose "Using GET URI: $($HttpEndPoint + $URIBody)"
$tweet = Invoke-RestMethod -URI $($HttpEndPoint + $URIBody) -Method Get -Headers @{ 'Authorization' = $AuthorizationString } -ContentType "application/x-www-form-urlencoded"

## Verify lync 2013 object model dll is either in script directory or SDK is installed
$lyncSDKPath = "Microsoft Office\Office15\LyncSDK\Assemblies\Desktop\Microsoft.Lync.Model.dll"
$lyncSDKError = "Lync 2013 SDK is required. Download here and install: http://www.microsoft.com/en-us/download/details.aspx?id=36824"

if (-not (Get-Module -Name Microsoft.Lync.Model)) {
    if (Test-Path (Join-Path -Path ${env:ProgramFiles(x86)} -ChildPath $lyncSDKPath)) {
        $lyncPath = Join-Path -Path ${env:ProgramFiles(x86)} -ChildPath $lyncSDKPath
    }
    elseif (Test-Path (Join-Path -Path ${env:ProgramFiles} -ChildPath $lyncSDKPath)) {
        $lyncPath = Join-Path -Path ${env:ProgramFiles} -ChildPath $lyncSDKPath
    }
    else {
        $fileError = New-Object System.io.FileNotFoundException("SDK Not Found: $lyncSDKError")
        throw $fileError
    } # End SDK/DLL check
    try {
        Import-Module -Name $lyncPath -ErrorAction Stop
    }
    catch {
        $fileError = New-Object System.io.FileNotFoundException ("Import-Module Error: $lyncSDKError")
        throw $fileError
    } # End object model import
} # End dll check

## Check if Lync is signed in, otherwise, nothing to do
$Client = [Microsoft.Lync.Model.LyncClient]::GetClient()
if ($Client.State -eq "SignedIn") {
    ## Set PersonalNote in Lync
    $LyncInfo = New-Object 'System.Collections.Generic.Dictionary[Microsoft.Lync.Model.PublishableContactInformationType, object]'
    $LyncInfo.Add([Microsoft.Lync.Model.PublishableContactInformationType]::PersonalNote, "@$($screen_name): $($tweet.text)")
    $Self = $Client.Self
    $Publish = $Self.BeginPublishContactInformation($LyncInfo, $null, $null)
    $Self.EndPublishContactInformation($Publish)
}
else {
    Write-Warning "Lync must be signed in."
} # End client sign-in check
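
The note above says to protect the four OAuth secrets, yet the script keeps them as plain-text string literals. The following is an added example, not part of the original script: it stores the tokens DPAPI-encrypted with Export-Clixml and loads them at run time. The function names and the $TokenFile path are hypothetical, and the scheduled task is assumed to run as the same user, on the same machine, that saved the file.

```powershell
# Added example, not part of Set-LyncNoteWithTwitter.ps1.
# Save-TwitterTokens, Get-TwitterTokens and $TokenFile are hypothetical names.
$TokenFile  = Join-Path -Path $env:APPDATA -ChildPath 'LyncTwitter\tokens.xml'
$TokenNames = 'Consumer_Key', 'Consumer_Secret', 'Access_Token', 'Access_Token_Secret'

function Save-TwitterTokens {
    # Run once, interactively, as the account the scheduled task runs under.
    param([string]$Path = $TokenFile)

    $store = @{}
    foreach ($name in $TokenNames) {
        # -AsSecureString keeps the value off the screen and out of transcripts.
        $store[$name] = Read-Host -Prompt $name -AsSecureString
    }

    $dir = Split-Path -Path $Path -Parent
    if (-not (Test-Path -LiteralPath $dir)) {
        New-Item -ItemType Directory -Path $dir -Force | Out-Null
    }
    # Export-Clixml writes each SecureString encrypted with DPAPI, so the file
    # can only be decrypted by the same Windows user on the same machine.
    $store | Export-Clixml -Path $Path
}

function Get-TwitterTokens {
    param([string]$Path = $TokenFile)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Token file '$Path' not found. Run Save-TwitterTokens first."
    }
    $store = Import-Clixml -Path $Path

    $plain = @{}
    foreach ($name in $TokenNames) {
        if ($store[$name] -isnot [System.Security.SecureString]) {
            throw "Token '$name' is missing or was not stored as a SecureString."
        }
        # Decrypt in memory only, at the point where the signature needs the value.
        $plain[$name] = (New-Object System.Net.NetworkCredential('', $store[$name])).Password
    }
    $plain
}

# In the script, replace the four hard-coded token literals under '## Parameters' with:
$tokens = Get-TwitterTokens
[string]$Consumer_Key        = $tokens.Consumer_Key
[string]$Consumer_Secret     = $tokens.Consumer_Secret
[string]$Access_Token        = $tokens.Access_Token
[string]$Access_Token_Secret = $tokens.Access_Token_Secret
```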

 

Using NuGet with Powershell 5.0

I had a project requiring the Newtonsoft.Json libraries (NuGet, GitHub). I also wanted to play around a bit with OneGet as I hadn’t had a need to yet.

Powershell 5 (5.0.9926.2 as of this writing) makes this easy. Here’s about all that’s needed to get this running and access the entire NuGet.org package repository.

Register-PackageSource -Name NuGet -ProviderName Chocolatey -Location https://nuget.org/api/v2/
Get-PackageProvider -Name NuGet -ForceBootstrap
Find-Package -ProviderName NuGet -Name Newtonsoft.Json | Install-Package

 

Windows 10 Enterprise Build 9926 Tweaks

A couple tweaks I found necessary for the new 9926 build of Windows 10.

1. Windows Update failed with error 0x80070057 preventing the install of update KB3034229. The Fix:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX]
"IsConvergedUpdateStackEnabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings]
"UxOption"=dword:00000000

2. Only two size options for the updated start menu. Regular or maximized. This fix allows resizing of start menu to a custom size. However, it reverts the start menu back to the pre-9926 build style. Wish there was a compromise. I ended up just setting this to 1 and living with the lack of resize options.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"EnableXamlStartMenu"=dword:00000000

 

Update Lync Client Location with IP GeoLocation

Use IP geolocation data to keep your Lync client location up to date.

I regularly bounce around on different networks and vpn connections. I got tired of manually setting the location in Lync and found myself just ignoring it altogether. After doing some poking around, I decided to throw a powershell script together to just do the dirty work for me.

The script uses Telize for both the geoip data and the external IP. The script requires the Microsoft.Lync.Model.dll from the Lync 2013 SDK (15.0.4603.1000 as of this post). You can find the Lync Client 2013 SDK here.

You can then add an event trigger to fire off the script when you connect to a network: On an event; On event – Log: Microsoft-Windows-NetworkProfile/Operational, Source: Microsoft-Windows-NetworkProfile, Event ID: 10000

Note: I adjusted my personal version to detect when I’m on my company’s network so it won’t interfere with Lync setting the location for our office. Always test and understand the ramifications if using in a production environment.

Gist on Github: Update-LyncLocation.ps1

#requires -Version 3.0
<#
.SYNOPSIS 
Updates Lync 2013 Client's location information with geolocation data based on internet ip address.

.DESCRIPTION
The Update-LyncLocation.ps1 script updates the Lync 2013 Client's location information. It uses the 
Telize web service to determine your external ip address and then queries Telize to collect publicly 
available geolocation information to determine your location. That data is then parsed into usable 
information and published to the Lync client.

****Requires Lync 2013 SDK.**** The SDK install requires Visual Studio 2010 SP1. To avoid installing 
Visual Studio, download the SDK, use 7-zip to extract the files from the install, and install the MSI 
relevant to your Lync Client build (x86/x64).

.INPUTS
None. You cannot pipe objects to Update-LyncLocation.ps1.

.OUTPUTS
None. Update-LyncLocation.ps1 does not generate any output.

.NOTES
Author Name:   Andrew Healey (@healeyio)
Creation Date: 2015-01-04
Version Date:  2015-01-26

.LINK
Author: https://www.healey.io/blog/update-lync-client-location-with-geolocation
Lync 2013 SDK: http://www.microsoft.com/en-us/download/details.aspx?id=36824
IP Geolocation Web Service: http://www.telize.com/

.EXAMPLE
PS C:\PS> .\Update-LyncLocation.ps1

#>


# Verify lync 2013 object model dll is either in script directory or SDK is installed
$lyncSDKPath = "Microsoft Office\Office15\LyncSDK\Assemblies\Desktop\Microsoft.Lync.Model.dll"
$lyncSDKError = "Lync 2013 SDK is required. Download here and install: http://www.microsoft.com/en-us/download/details.aspx?id=36824"

if (-not (Get-Module -Name Microsoft.Lync.Model)) {
    if (Test-Path (Join-Path -Path ${env:ProgramFiles(x86)} -ChildPath $lyncSDKPath)) {
        $lyncPath = Join-Path -Path ${env:ProgramFiles(x86)} -ChildPath $lyncSDKPath
    }
    elseif (Test-Path (Join-Path -Path ${env:ProgramFiles} -ChildPath $lyncSDKPath)) {
        $lyncPath = Join-Path -Path ${env:ProgramFiles} -ChildPath $lyncSDKPath
    }
    else {
        $fileError = New-Object System.io.FileNotFoundException("SDK Not Found: $lyncSDKError")
        throw $fileError
    } # End SDK/DLL check
    try {
        Import-Module -Name $lyncPath -ErrorAction Stop
    }
    catch {
        $fileError = New-Object System.io.FileNotFoundException ("Import-Module Error: $lyncSDKError")
        throw $fileError
    } # End object model import
} # End dll check

# Check if Lync is signed in, otherwise, nothing to do
$Client = [Microsoft.Lync.Model.LyncClient]::GetClient()
if ($Client.State -eq "SignedIn") {
    # Get external ip address
    $WanIP = (Invoke-WebRequest -Uri "http://ip4.telize.com/" -UseBasicParsing).Content
    # Get geolocation data
    $data = Invoke-WebRequest -Uri "http://www.telize.com/geoip/$WanIP" -UseBasicParsing | ConvertFrom-Json
    $data
    ### Format the location from returned geolocation ###
    ###    More Info Here: http://www.telize.com/     ###
    # Deal with oddities like anonymous proxies
    if (($data.continent_code -eq "--") -or ($data.continent_code -eq $null)) {$location = "$($data.isp)"}
    # If the city and state are not null, make it City, State
    elseif (($data.region_code -ne $null) -and ($data.city -ne $null)) {$location = "$($data.city), $($data.region_code)"}
    # If the city is null but state/region has a value, make it Region, Country
    elseif (($data.region -ne $null) -and ($data.city -eq $null)) {$location = "$($data.region), $($data.country_code3)"}
    # Else, just output the Country
    else {$location = "$($data.country)"}

    # Update location in Lync
    $LyncInfo = New-Object 'System.Collections.Generic.Dictionary[Microsoft.Lync.Model.PublishableContactInformationType, object]'
    $LyncInfo.Add([Microsoft.Lync.Model.PublishableContactInformationType]::LocationName, $location)
    $Self = $Client.Self
    $Publish = $Self.BeginPublishContactInformation($LyncInfo, $null, $null)
    $Self.EndPublishContactInformation($Publish)
}
else {
    Write-Warning "Lync must be signed in."
} # End client sign-in check

 

Virtualbox on Windows 8 Host – Powershell Code to Fix Resume from Standby Network Issue

I’ve always been a big fan of Virtualbox.  It has some of the best tools for converting images between different hypervisors and is a leader in its support for different configurations.  Virtualbox is a great option for testing out new or different OS’s and configurations.  I don’t have to run a crippled hypervisor on my system or run some trialware just to try the latest bits.

Microsoft made a lot of changes to the Windows 8 network stack.  One of the more obvious is the speed in which network connections resume from sleep or standby.  Unfortunately, since running Virtualbox on the Dev Preview and on the Final Release, a bug in the Virtualbox Bridged Adapter breaks network connectivity.  Below are a few ways to work around this issue.  You can find more at the bugtraq I submitted to Oracle here: https://www.virtualbox.org/ticket/10317.

Option 1: Disable Virtualbox Bridged Adapter

For me, NAT adapters had too many drawbacks to my testing and use.  But, this is how I have been running until I got off my laurels and automated the disable/enable routine outlined in option 3.

  1. In Windows, go to: Control Panel\Network and Internet\Network Connections
  2. Right click the affected/in-use network adapter and select properties
  3. In the items list, uncheck the VirtualBox Bridged Network Adapter
  4. Hit OK and you should be all set

Option 2: Disable/Re-Enable Adapters After Resuming

Doing this manually is extremely laborious and usually ends up with you giving up on bridged adapters.  Either select option 1 or 3.  But, it may save you if you just installed Virtualbox and haven’t had the chance to implement option 1 or 3.

  1. In Windows, go to: Control Panel\Network and Internet\Network Connections
  2. Right click the affected/in-use network adapter and select disable
  3. Right click the affected/in-use network adapter and select enable

Option 3: Automate Option 2

The following steps will create a task that will automatically disable and re-enable your network adapters upon resume.  This will slow down reconnects but will allow the use of the VirtualBox Bridged Network Adapter.

  1. Create and save a script with the following command:
    1. gwmi Win32_NetworkAdapter -EnableAllPrivileges | ? { $_.PhysicalAdapter -and $_.NetEnabled } | % { $_.Disable(); $_.Enable() }
  2. Open the Event Log and go to the System Event Log
  3. Look/Search/Filter for Event ID 1, Source Power-Troubleshooter
  4. Right click on Event and select “Attach Task to this Event”
  5. In the Action section, under Program/script, enter: powershell.exe
  6. In the Arguments section, enter: c:\scripts\virtualbox-hack.ps1
    1. Make sure the path and name matches what you named your script in step 1
  7. On the finish screen, check the box “Open the Properties dialog…” and press OK
  8. On the General tab of the task properties, select:
    1. “Run whether user is logged in or not”
    2. “Run with highest privileges”
  9. Select OK. It should prompt you for credentials. Enter the credentials and you are done.
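
Steps 2 through 9 can also be scripted. Because the task runs with highest privileges, the added example below (not from the original post) first checks that neither the script nor its folder is writable by accounts other than Administrators and SYSTEM, then registers the same event-triggered task with schtasks.exe. The task name, the function name and the provider name in the event query (assumed to be the full name of the Power-Troubleshooter source) are assumptions.

```powershell
# Added example, not from the original post. Run from an elevated prompt.
$ScriptPath = 'C:\scripts\virtualbox-hack.ps1'   # script saved in step 1
$TaskName   = 'VirtualBox-Resume-Fix'            # hypothetical task name

function Get-UntrustedWriteAccess {
    # Returns Allow ACEs that let anyone other than Administrators or SYSTEM
    # change, delete or re-permission the given file or folder.
    param([Parameter(Mandatory = $true)][string]$Path)

    $trusted   = 'S-1-5-32-544', 'S-1-5-18'   # BUILTIN\Administrators, NT AUTHORITY\SYSTEM
    $writeBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

    $acl = Get-Acl -LiteralPath $Path
    $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($trusted -notcontains $_.IdentityReference.Value) -and
            (([int]$_.FileSystemRights -band $writeBits) -ne 0)
        } |
        Select-Object @{ n = 'Path'; e = { $Path } }, IdentityReference, FileSystemRights
}

# Check the script and its parent folder: write access to either one lets a
# non-admin account swap in code that the elevated task will then run.
$findings = @(Get-UntrustedWriteAccess -Path $ScriptPath) +
            @(Get-UntrustedWriteAccess -Path (Split-Path -Path $ScriptPath -Parent))
if ($findings.Count -gt 0) {
    Write-Warning ($findings | Format-Table -AutoSize | Out-String)
    throw "Tighten the ACLs listed above before registering an elevated task for $ScriptPath."
}

# Event ID 1 from the Power-Troubleshooter source in the System log (steps 2-4).
# The provider name is an assumption; confirm it on the event's Details tab.
$query = "*[System[Provider[@Name='Microsoft-Windows-Power-Troubleshooter'] and EventID=1]]"

# /RL HIGHEST is "Run with highest privileges"; /RP * prompts for the password (step 9).
schtasks.exe /Create /TN $TaskName /SC ONEVENT /EC System /MO $query `
    /TR "powershell.exe -NoProfile -File $ScriptPath" `
    /RL HIGHEST /RU "$env:USERDOMAIN\$env:USERNAME" /RP *
```

A folder created directly under C:\ usually inherits Modify for Authenticated Users, so expect the check to flag C:\scripts until that inherited entry is removed.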

The New Outlook.com and the Microsoft Account PaymentHub


While checking my RSS feeds for the night, I ran across this article describing the new Outlook.com.  As an avid user of “Live for Domains“, I was interested to see where Microsoft was going after announcing the renaming of the “Windows Live” moniker back in May.

Outlook.com

It turns out, the UI is refreshing and seems to be a new front-end for what was Hotmail and Live Mail.  It is a refreshing, minimalistic UI with a lot of white space.   Users of the preview releases of Windows 8 will notice many UI and usability similarities.  I was expecting to get a ‘preview like’ experience but that has not been the case.  I have several domains I use and have linked together.  The authentication worked like a charm and I was able to jump around my three different accounts in Outlook.com without it reverting to the old Hotmail interface (send-as working as well).

 


Then I went to check out the Contacts/People interface and the Calendar.  The Calendar never loaded in Chrome so I had to revert to IE.  The Contacts/People interface had the opposite problem; it loads in Chrome just fine but not IE 10.  The Contacts/People interface matches the new UI but the Calendar has yet to be upgraded.  I’m sure MS will sort out these issues fairly quickly as they have already surpassed 1 million users in the new UI. Try it now.  All it takes is a visit to Outlook.com.

Microsoft Account and PaymentHub

This is just speculation but I can see this really fitting into subscription services for Microsoft Office, Xbox games, additional e-mail and SkyDrive storage, advanced features in future releases of WebApps and more. Some people have been reporting running into the new “Microsoft Account” when logging in but this hasn’t been my experience.  However, after the switch, I went into the Outlook.com options/settings and saw a new billing tab.  I also noticed I was now at https://account.live.com/.  The link redirected to https://commerce.microsoft.com/PaymentHub/.  It appears this will handle subscriptions down the road and also function on a point system similar to Xbox Live and Bing Rewards.  It also identifies my account as a ‘US – Personal Account’ leading me to believe they may be using the same billing system used with the preview release of Office365.

What’s Next

With the release of Windows 8, Server 2012, Exchange 2013, Surface Tablets, Office365 Next, Sharepoint 2013, Office 2013, advancements w/ Azure IaaS and more, it is an exciting time for Microsoft.

 

SBS 2011: DistributedCOM Error 10016

Pay no attention to the DCOM behind the curtain!
On your SBS 2011 server, do you find a lot of DCOM errors in your System Event Log? These are relatively common on SBS boxes. Microsoft’s guidance is that these can be safely ignored. However, when an error is reported, I expect it to be something that should be investigated. If it can be ignored, it shouldn’t be reporting it as an error. Fortunately, there is a fix for these.

Each event listed below has the same alert level of “Error” and the same Event ID “10016”. The fixes are all mostly the same with a few differences. Below, I outline each specific error I saw on a specific SBS 2011 box and highlight the differences in fixing each different error. The key differences are the different user account missing the rights and the different CLSID and APPID. If you find other DCOM errors that this fix works on, let me know and I’ll add it to the list.

Event Information:

Log Name: System
Source: Microsoft-Windows-DistributedCOM
Event ID: 10016
Level: Error
User: NETWORK SERVICE

CLSID 90DCAB7F-347C-4BFC-B543-540326305FBE

Description: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {90DCAB7F-347C-4BFC-B543-540326305FBE} and APPID {FA3FC5CF-0304-4CAC-99F0-032AC2B15D1E} to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

To Fix This Error:

  1. Open regedit and select “HKEY_CLASSES_ROOT”
  2. Go to the Edit menu and select “Find…” (Ctrl+F)
  3. Enter the APPID in the search dialog and press find: FA3FC5CF-0304-4CAC-99F0-032AC2B15D1E
  4. Right click on the key and select permissions
  5. Click the Advanced Button and select the Owner tab
  6. Take ownership of the object, check the “Replace owner on subcontainers and objects” check-box, and press OK
  7. Grant “Administrators” Full Control and press OK
  8. Note the default value of the found registry key. Should be: “File Server Resource Management Service”. Close the registry editor.
  9. Launch the Component Services MMC: Start → Run → comexp.msc (make sure to run as administrator if using UAC)
  10. Expand: Component Services → Computers → My Computer → DCOM Config
  11. Find “File Server Resource Management Service”, right click it and select properties
  12. Select the Security Tab and press the “Edit…” button in the “Launch and Activation Permissions” group box
  13. Select the “Network Service” account, check the “Local Activation” right and press OK.
  14. Click OK and close the windows. The DCOM error should be resolved.

CLSID 61738644-F196-11D0-9953-00C04FD919C1


Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {61738644-F196-11D0-9953-00C04FD919C1} and APPID {61738644-F196-11D0-9953-00C04FD919C1} to the user DOMAINNAME\spfarm SID (S-1-5-21-123456789-123456789-123456789-1157) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

To Fix This Error:
Follow the same steps as shown above except:

  • Step 3: 61738644-F196-11D0-9953-00C04FD919C1
  • Step 8 and 11: IIS WAMREG admin Service
  • Step 13: SharePoint Farm Account

CLSID 000C101C-0000-0000-C000-000000000046


Description: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {000C101C-0000-0000-C000-000000000046} and APPID {000C101C-0000-0000-C000-000000000046} to the user DOMAINNAME\spfarm SID (S-1-5-21-123456789-123456789-123456789-1157) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

To Fix This Error:
Follow the same steps as shown above except:

  • Step 3: 000C101C-0000-0000-C000-000000000046
  • Step 4: Instead of searching, navigate to: HKEY_CLASSES_ROOT\Wow6432Node\AppID\{000C101C-0000-0000-C000-000000000046}
  • Step 8: (Value Not Set)
  • Step 11: The DCOM Application ID will be named by its CLSID/APPID instead of short name: {000C101C-0000-0000-C000-000000000046}
  • Step 13: If “SharePoint Farm Account” is not listed, add DOMAINNAME\spfarm and then add the rights.
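
The three fixes above differ only in the CLSID, APPID and account named in each event description. The added example below (not from the original post) extracts those fields from 10016 descriptions so each distinct combination is listed once. The function name is hypothetical, and the sample messages are shortened copies of the descriptions quoted above.

```powershell
# Added example, not from the original post.
# ConvertFrom-Dcom10016Message is a hypothetical name.
function ConvertFrom-Dcom10016Message {
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)][string]$Message)
    begin {
        $guid    = '\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}'
        # \s+ around the GUIDs tolerates the line breaks the live event text contains.
        $pattern = "The (?<Scope>machine-default|application-specific) permission settings do not grant " +
                   "(?<Permission>.+?) permission for the COM Server application with CLSID\s+(?<Clsid>$guid)\s+" +
                   "and APPID\s+(?<AppId>$guid)\s+to the user (?<User>.+?) SID \((?<Sid>S-[0-9-]+)\)"
    }
    process {
        if ($Message -match $pattern) {
            New-Object PSObject -Property @{
                Scope = $Matches.Scope; Permission = $Matches.Permission
                Clsid = $Matches.Clsid; AppId      = $Matches.AppId
                User  = $Matches.User;  Sid        = $Matches.Sid
            }
        }
        else {
            # Surface descriptions in a different format instead of dropping them silently.
            Write-Warning "Unrecognised 10016 description: $Message"
        }
    }
}

# Sample input: two of the descriptions quoted in this post, shortened, one repeated.
$samples = @(
    'The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {90DCAB7F-347C-4BFC-B543-540326305FBE} and APPID {FA3FC5CF-0304-4CAC-99F0-032AC2B15D1E} to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20) from address LocalHost (Using LRPC).',
    'The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {61738644-F196-11D0-9953-00C04FD919C1} and APPID {61738644-F196-11D0-9953-00C04FD919C1} to the user DOMAINNAME\spfarm SID (S-1-5-21-123456789-123456789-123456789-1157) from address LocalHost (Using LRPC).',
    'The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {90DCAB7F-347C-4BFC-B543-540326305FBE} and APPID {FA3FC5CF-0304-4CAC-99F0-032AC2B15D1E} to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20) from address LocalHost (Using LRPC).'
)

# One row per distinct APPID/account pair: the values needed for steps 3 and 13.
$samples | ConvertFrom-Dcom10016Message |
    Sort-Object AppId, Sid -Unique |
    Format-Table Scope, User, Clsid, AppId -AutoSize

# Against the live log on the server:
# Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-DistributedCOM'; Id = 10016 } |
#     ForEach-Object { $_.Message } | ConvertFrom-Dcom10016Message | Sort-Object AppId, Sid -Unique
```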