winXP sp3 DCOM errors in event log, group policy

Posted on 2009-02-14
Last Modified: 2013-11-25
have spent probably two days googling around to find a remedy for this.

after recovering from a (virus-related?) crash where my start menu and minimized application tabs had disappeared, my system now has something askew - maybe has to do with group policy security settings.

most everything in the machine works at least in a single-user environment, but there are repeated and sometimes frequent DCOM errors in the log, and some .net apps don't run despite re-installation of the .net components.

Unable to start a DCOM Server: {73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}. The error:
"Access is denied. "
Happened while starting this command:
C:\Windows\SYSTEM32\WBEM\wmiprvse.exe -Embedding

when i try to access Local Security Policy i get an error message:
"The Group Policy security settings that apply to this machine could not be determined.
The error returned when trying to retrieve these settings from the local security policy database (%windir%\security\database\secedit.sdb) was: The parameter is incorrect.

to my understanding the file permissions on the drive are all as they should be. the permission on C:\Windows\SYSTEM32\WBEM\wmiprvse.exe are ticked for access but grayed out, and remain so even if i try to take ownership & manipulate them.

this problem started at sp2, i repair-installed once, and when that didn't fix the problem i decided to try if sp3 would cure the problem. it didn't.

clean install is not an option - there's way too many applications / tweaks on the system.
Question by:zdoe
    LVL 24

    Assisted Solution

    Try following this.. it will reset permissions back that malware can corrupt..

    Method 1: Reset the registry and the file permissions
    Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
    322756  ( ) How to back up and restore the registry in Windows
    To reset the registry and file permissions, follow these steps:
    Download and then install the Subinacl.exe file. To do this, visit the following Microsoft Web site:
    Start Notepad.
    Copy and then paste the following text into Notepad.
    cd /d "%ProgramFiles%\Windows Resource Kits\Tools"
    subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f
    subinacl /subkeyreg HKEY_CURRENT_USER /grant=administrators=f /grant=system=f
    subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f /grant=system=f
    subinacl /subdirectories %SystemDrive% /grant=administrators=f /grant=system=f
    subinacl /subdirectories %windir%\*.* /grant=administrators=f /grant=system=f
    secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose

    Microsoft provides programming examples for illustration only, without warranty either expressed or implied. This includes, but is not limited to, the implied warranties of merchantability or fitness for a particular purpose. This article assumes that you are familiar with the programming language that is being demonstrated and with the tools that are used to create and to debug procedures. Microsoft support engineers can help explain the functionality of a particular procedure. However, they will not modify these examples to provide added functionality or construct procedures to meet your specific requirements.
    Save this Notepad file as Reset.cmd.
    Double-click the Reset.cmd file to run the script.

    Note This script file may take a long time to run. You must run this script as an administrator.
    LVL 1

    Author Comment

    have now run the script. symptoms appear to be as before.

    some of the script lines produce error messages, for example:
    subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f
    done ~200000 modified ~200000 failed 23 syntax errors 0

    and there's no
    -file in the system, so that line gives a "file not found" error. i looked for it also on an sp3 install disk and didn't find one. assuming that it would help, do you think you could attach it to this thread?
    LVL 24

    Expert Comment

    Need to make sure you are truly malware free.. also run the script in safe mode after running malwarebytes.

    Download Hijackthis:

    Open Hijackthis, click "Do a system scan and save a logfile" don't fix anything yet.
    Paste the log in the "Code Snippet" or "Attach File" window.

    then download and install and for its logfile do the same as the Hijackthis.

    Download Malwarebytes' Anti-Malware to your desktop, check for the tool's Updates before running a scan.
    If you can't access the above link then use this link:
    LVL 1

    Author Comment

    i'm 98% that the system is now clean. have run symantec antivirus, adaware & spybot search & destroy. but who knows?

    attached please find the hijackthis log. (that i had without downloading)

    btw - what i forgot to mention was that your script from earlier DID improve things - now the permissions for wmiprvse.exe are no longer grayed out.
    LVL 24

    Expert Comment

    Def install and run the malwarebytes.. it picks up a lot more stuff than Adaware..
    LVL 24

    Expert Comment

    Yeah I would say it looks like you have some issues..

    O20 - Winlogon Notify: iiffgge - C:\WINDOWS\SYSTEM32\iiffgge.dll
    O20 - Winlogon Notify: mljgh - C:\WINDOWS\system32\mljgh.dll
    O20 - Winlogon Notify: oleacc32 - C:\WINDOWS\SYSTEM32\oleacc32.dll

    Please download ComboFix by sUBs:

    You must download it to and run it from your Desktop
    Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    Double click combofix.exe & follow the prompts.
    When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
    Re-enable all the programs that were disabled during the running of ComboFix..

    Do not mouse-click combofix's window while it is running. That may cause it to stall.
    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    LVL 1

    Author Comment

    the entries:


    are hidden-read-only-system directories, NOT files. i've created those to keep files named as such out of the system after some long-ago problem. for some reason hijackthis picks those up.
    LVL 24

    Expert Comment

    I'll take your word for it.. but I still think you should run Combofix and MBAM.
    LVL 1

    Author Comment

    i ran combofix somewhere along my travels with this problem. just downloaded MBAM, but have to run out for a meeting now. will post its log a bit later.
    LVL 1

    Author Comment

    so have now run MBAM. it found a bunch of things, but most of them seem to be false positives - the files it claimed to have found at start menu were non-existent. maybe it's just humoring us.

    it, and symantec corp av while MBAM was scanning, did find a few things that are dubious:

    but killing these did not remove the symptoms.
    LVL 1

    Author Comment

    the problem persists.

    another pointer - before this problem appeared, erunt -registry backups would copy four "other open user profiles" as a part of the backup. now, only two.

    what does the WMI service actually DO?

    btw - combofix gets flagged as a virus by one of the scanners i use. is there a rogue version out there?
    LVL 24

    Expert Comment

    No combofix uses some processes like pskill from and a lot of scanners tag that as bad because it can kill processes.

    This from your MBAM log:
    C:\Windows\SYSTEM32\a.exe (Trojan.Agent) -> Not selected for removal.
    C:\Windows\SYSTEM32\sav.cpl (Rogue.SystemAntivirus2008) -> Not selected for removal.
    C:\Windows\SYSTEM\msiexec.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
    C:\services.exe (Trojan.Agent) -> Not selected for removal.

    Those are not false positives, it looks like you have a rootkit installed.  Did you ever run combofix?  If not redownload it and run it.
    LVL 1

    Author Comment


    are all empty, hidden directories that i've created on some earlier rounds to avert troubles stemming from similarly named files. thus, yes, they are false positives - and not getting flagged by symantec corp antivirus that looks a bit deeper into matters.

    msiexec.exe does exist in my system. i suppose it's the MSI installer program: manufacturer microsoft, file version 3.1.4001.5512 - seems very consistent /w the real winXP sp3 files.
    LVL 24

    Expert Comment

    Well.. it removed the msiexec.

    At this point I have no further help to offer.  I would recommend deleting the question for a points refund as there is no useful information in here.  As long as you do strange things like the a, sav.cpl, etc. it is hard to figure out your problem.  Symantec can be set to ignore those files but you take the risk of rogue software just overwriting those.  Good luck.
    LVL 1

    Author Comment

    probably the system file restorer has put msiexec back on.

    i don't have ignore on those files - they don't get flagged i suspect because the av checks what's behind the name.

    i've seen a few instances - not on this machine but elsewhere, where my "dummy directory" approach helped kill threats that no scanner could remove.

    the answer is somewhere in group policy / security -related matters - if only i knew where!

    would there be a way to remove / reinstall the WMI service?
    LVL 1

    Author Comment

    how about - an instruction snippet from somewhere on the net:
    1. Start / Run / dcomcnfg / OK.
    2. Expand the Component Services tree.
    3. Expand the Computers tree under Component Services.
    4. Right-click on My Computer and choose Properties.
    5. On the Default Properties tab, change the Default Authentication Level to
    6. Select the Default COM Security tab.
    7. Press Edit Default under Default Access Permissions
    8. Press Add.
    9. Enter "Administrators" in the box and click OK.
    10. Set the Access Permission to "Allow" for Administrators.
    11. Press OK, OK, and OK.
    12. Shutdown and restart your computer.

    BUT there is NO "Default COM Security" tab on my computer

    playing around with this, the DCOM error message recurring on the event log has now changed:
    The server {73E709EA-5D93-4B2E-BBB0-99B7938DA9E4} did not register with DCOM within the required timeout.

    and there's a new one:
    The Distributed Transaction Coordinator service failed to start due to the following error:
    The service did not respond to the start or control request in a timely fashion.
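    The event-log entry in the original question names only a CLSID and the command DCOM tried to start, and the dcomcnfg steps above edit the machine-wide defaults blindly. The script below is an added example, not code from this thread or from Microsoft; it maps that CLSID to its registered server and AppID and prints the launch/access security descriptors DCOM actually consults, so the "Access is denied" can be tied to a concrete ACE. It assumes PowerShell 2.0 or later in an elevated session; the CLSID default is the one from the poster's event log, and the function names are my own.

```powershell
param(
    # CLSID from the poster's event-log error (assumption: it is still the failing one).
    [string]$Clsid = '{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}'
)

# HKCR is not a default PSDrive; map it so the registry provider can read it.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

# DCOM stores LaunchPermission / AccessPermission as a self-relative binary
# security descriptor; render it as SDDL so the individual ACEs can be read.
function ConvertTo-Sddl {
    param([byte[]]$Bytes)
    if (-not $Bytes) { return '<not set: machine-wide default applies>' }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Bytes, 0)
    return $sd.GetSddlForm('All')
}

function Get-DcomServerInfo {
    param([string]$Clsid)
    $clsidKey = "HKCR:\CLSID\$Clsid"
    if (-not (Test-Path $clsidKey)) { throw "CLSID $Clsid is not registered under HKCR\CLSID" }
    $clsidProps = Get-ItemProperty $clsidKey
    $result = @{
        Clsid            = $Clsid
        Name             = $clsidProps.'(default)'
        LocalServer32    = $null
        AppId            = $clsidProps.AppID
        LaunchPermission = $null
        AccessPermission = $null
    }
    # LocalServer32 holds the command line DCOM launches (the "-Embedding" line
    # quoted in the event-log error).
    if (Test-Path "$clsidKey\LocalServer32") {
        $result.LocalServer32 = (Get-ItemProperty "$clsidKey\LocalServer32").'(default)'
    }
    # Out-of-process servers are activated under their AppID; that key carries the
    # per-application ACLs dcomcnfg edits. Missing values fall back to the defaults.
    if ($result.AppId -and (Test-Path "HKCR:\AppID\$($result.AppId)")) {
        $appProps = Get-ItemProperty "HKCR:\AppID\$($result.AppId)"
        $result.LaunchPermission = ConvertTo-Sddl $appProps.LaunchPermission
        $result.AccessPermission = ConvertTo-Sddl $appProps.AccessPermission
    }
    return New-Object PSObject -Property $result
}

# Machine-wide DCOM defaults: the values behind the "Default COM Security" settings.
function Get-DcomDefaults {
    $ole = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole'
    return New-Object PSObject -Property @{
        EnableDCOM              = $ole.EnableDCOM
        DefaultLaunchPermission = ConvertTo-Sddl $ole.DefaultLaunchPermission
        DefaultAccessPermission = ConvertTo-Sddl $ole.DefaultAccessPermission
    }
}

# A launching identity absent from these ACEs (or a CLSID/AppID key the
# activating account cannot even read) is what surfaces as "Access is denied".
Get-DcomServerInfo -Clsid $Clsid | Format-List
Get-DcomDefaults | Format-List
```

    Save it as a .ps1 and run it from an elevated prompt. In the SDDL output, each `(A;;...;...)` entry is an Allow ACE ending in the SID it applies to; if the account the server runs as (for the WMI provider host, NETWORK SERVICE, S-1-5-20) or the caller's group is missing from LaunchPermission, dcomcnfg or the registry ACL is where to look, not the file permissions on the executable.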
    LVL 1

    Accepted Solution

    DCOM errors are gone - though there's now a bunch of other errors now on the event log.

    i'm not completely positive that this is what did it, but suspect so:

    Posts: n/a
    Re: Windows Server 2003 Standard - DCOM Problems
    For those of you who are interested, I finally resolved this issue. It
    appears as some MS patch changed the permissions on the following
    registry key:


    In order to resolve the problem, the following permissions were added

    Registry Key: HKEY_CLASSES_ROOT\CLSID (and all child keys and values)

    Permissions Added:

    Authenticated users: Read access
    Network Service: full control


    now - i may soon start another thread to lose the current event log errors...
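    The accepted solution names two ACL entries on HKEY_CLASSES_ROOT\CLSID (and its child keys) but gives no way to confirm they are present before or after the change. The script below is an added example, not code from this thread; it checks the key for those two entries by well-known SID (Authenticated Users S-1-5-11, NETWORK SERVICE S-1-5-20) so it does not depend on the system's display language, and only adds the missing rules when run with -Repair. It assumes PowerShell 2.0 or later in an elevated session; the function names are my own.

```powershell
param([switch]$Repair)   # without -Repair the script only reports

if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}
$keyPath = 'HKCR:\CLSID'

# The two rules the accepted solution describes, identified by well-known SID.
$expected = @(
    @{ Label = 'Authenticated Users'; Sid = 'S-1-5-11'
       Rights = [System.Security.AccessControl.RegistryRights]::ReadKey },
    @{ Label = 'NETWORK SERVICE';     Sid = 'S-1-5-20'
       Rights = [System.Security.AccessControl.RegistryRights]::FullControl }
)

# Return the expected rules that no Allow ACE on the key satisfies.
function Test-ClsidAcl {
    param([string]$KeyPath)
    $acl = Get-Acl -Path $KeyPath
    $missing = @()
    foreach ($e in $expected) {
        $want = New-Object System.Security.Principal.SecurityIdentifier($e.Sid)
        $ok = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $want -and
            (($_.RegistryRights -band $e.Rights) -eq $e.Rights)
        }
        if (-not $ok) { $missing += $e }
    }
    return $missing
}

# Add the missing rules, inherited by all child keys (ContainerInherit).
function Repair-ClsidAcl {
    param([string]$KeyPath, [object[]]$Missing)
    $acl = Get-Acl -Path $KeyPath
    foreach ($e in $Missing) {
        $sid  = New-Object System.Security.Principal.SecurityIdentifier($e.Sid)
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $sid, $e.Rights,
            [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $KeyPath -AclObject $acl
}

$missing = @(Test-ClsidAcl -KeyPath $keyPath)
if ($missing.Count -eq 0) {
    "OK: $keyPath already grants the expected rights"
} else {
    foreach ($e in $missing) { "MISSING: $($e.Label) -> $($e.Rights) on $keyPath" }
    if ($Repair) {
        Repair-ClsidAcl -KeyPath $keyPath -Missing $missing
        $left = @(Test-ClsidAcl -KeyPath $keyPath)
        if ($left.Count -eq 0) { "Applied: $keyPath now grants the expected rights" }
        else { foreach ($e in $left) { "STILL MISSING: $($e.Label)" } }
    }
}
```

    Run it once without -Repair to see which of the two entries is absent; Set-Acl on HKCR\CLSID needs an account that owns the key or holds Change Permissions on it, which is why the earlier subinacl reset (granting Administrators full control) may have to come first. A Deny ACE for the same identity would still override these Allow rules, so an unchanged "Access is denied" after a successful repair is a reason to look at the Access list for explicit denies.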
