AsiaTech: Microsoft APGC Internet Developer Support Team

We focus on various troubleshooting plan and solution on IIS web platform and distributed applications

How to troubleshoot the “Red Arrow” issue in Component Services ( I )

How to troubleshoot the “Red Arrow” issue in Component Services ( I )

  • Comments 2

In distributed environment, when we meet problems to call DCOM components or COM+ application, the first thing is to open the Components Manager to check or reconfigure COM+/DCOM settings.  However,  it is possible that when we open the Component Services, a "Red Arrow" displays on the "My Computer" node:

1

 

 If we try to expand the "My Computer" node, various error messages can pop up.

To resolve such a kind of problem, we can follow below check list and most similar issues can be fixed by one of them:

1.  Ensure the MSDTC service is in started status:

2

2. The Users group has permission to read subkeys under HKEY_CLASSES_ROOT\CLSID. If the Users group has no permission to read the subkeys, the COM+ System Application service may have difficulties to start and cause the same "Red Arrow" problem. To grand the Read permission to Users group, we can follow (should backup HKEY_CLASSES_ROOT\CLSID first):

a. Open Regedt32, locate HKEY_CLASSES_ROOT\CLSID

b. Select the CLSID, click  Security -> Permission in the menu bar

c. In the Security tab, add USERS in the permission list, give it Read permission.

d. Click the Advanced button, select the "Replace permissions entries on all child objects with entries shown here that apply to child objects" option. Click Apply.

3. Everyone has Read permission on C:\Windows\Registration and its sub objects, we can use the command ""cacls" to configure this, refer to (the article is for WIn2003, but the NTFS file permission is required the same as Win2008/Win7):

909444  You may experience various problems after you install the Microsoft Security Bulletin MS05-051 for COM+ and MS DTC

http://support.microsoft.com/default.aspx?scid=kb;EN-US;909444

4. Ensure the COM+ System Application service is in started status:

3

5. The MSDTC service allows Authenticated Users to query service status. To check this, we can run this command in the Command window:

sc sdshow msdtc

If the Authenticated Users group doesn't have query permission on the MSDTC service object, this means most users have no permission to get the MSDTC service status, for example:

(A;;CR;;;AU)

We need to run this command to grant enough permission for the Authenticated user, and then restart DLLHOST.exe (before do this, please backup the output information of "sc sdshow msdtc"):

sc sdset msdtc D:(A;;CCLCSWRPLOCRRC;;;S-1-2-0)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCLCSWRPLORC;;;NS)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

Note: the key part is:  (A;;CCLCSWLOCRRC;;;AU), Other strings is taken from the "sc sdshow msdtc" result. If your envionrment is Domain, should check with AD admin team that if any Group Policy restricted the MSDTC service object access permission. If yes, please ensure the "Authentication User" has "Read" permission on the service status. This requirement (giving Authentication user Read permission on MSDTC service object) is true for WIn2003/2008/7.

For more information about the Description of ACL, please refer to:

914392  Best practices and guidance for writers of service discretionary access control lists

http://support.microsoft.com/default.aspx?scid=kb;EN-US;914392

Note: this permission change is for Service Object ACL, will not affect NTFS file properties.

This configuration point has been elaborated in our previous blogs before, please check:

http://blogs.msdn.com/asiatech/archive/2009/05/22/security-audit-failure-560-caused-by-permission-setting-of-msdtc-service.aspx

http://blogs.msdn.com/asiatech/archive/2009/04/13/cannot-expand-the-com-list-in-the-component-services-ui-error-0x8004e00f-or-0x8004d01b.aspx

6. If above steps don't help, we need to check the Application and System event log. Sometime we will consider rebuilding the COM+ system. This step is somehow risky, if you have many COM+ applications installed before, after rebuilding the COM+ system will require you to reinstall those COM+ applications:

How to clean up a damaged COM+ catalog on Win2003

http://support.microsoft.com/?id=315296

For more details on this rebuild, look at:

How to troubleshoot the "Red Arrow" issue in Component Services (II)
http://blogs.msdn.com/b/asiatech/archive/2011/01/18/how-to-troubleshoot-the-red-arrow-issue-in-component-services-ii.aspx

It's better to consult with your Application team and Microsoft Support before you start this item.

Best Regards,

Freist Li

Leave a Comment
  • Please add 3 and 4 and type the answer here:
  • Post
  • these knowleage is so great, I would like come back very often to learn more :)

  • Much of this does not apply to Windows 7, it seemed when I tried to go through the steps.

    I had to open an MSDN support case to get Component services to work on my newly installed Windows 7. I had the red down arrow and got a lot of errors in the event log indicating that the COM+ database was corrupt or distorted in some way. The event viewer message was:

    The current registration database is corrupt. COM+ catalog has reverted to a previous version of the database.

    Process Name: mmc.exe

    Error Code = 0x80041015 :

    COM+ Services Internals Information:

    File: d:\w7rtm\com\complus\src\comcat\regdb\regdbapi\regdbapi.cpp, Line: 402

    Comsvcs.dll file version:  not loaded

    This is event id 4792, which is described here: technet.microsoft.com/.../dd300287%28WS.10%29.aspx  and obviously also applies to Windows 7, which is not mentioned in the current TechNet article.

    Since I had no previous COM+ packages installed (it didn't work from start - the first time I opened up Component services), the solution was to clear the COM plus database, by registering a new one. I asked a friend of mine, also running Windows 7, to send me his R000000000001.clb file (located in C:\windows\registration) - since he never had installed any COM+ applications it ought to be clean and good, I thought. Then I ran this as a VB script (save as a text file with the extension .vbs and double click it) that was sent to me from Microsoft support:

    Dim objComCatalog

    Set objComCatalog = CreateObject("COMAdmin.COMAdminCatalog")

    objComCatalog.RestoreREGDB "C:\R000000000001.clb"

    MsgBox "Backup Restored!"

    Set objComCatalog = Nothing

    Closing the Component Services window and opening it again, the red down arrow is gone! Solved.

Page 1 of 1 (2 items)