I have a 3rd party DCOM component that I need to install, and I need to configure its launch settings in an automated way within my installer (no user intervention). I'm using regsvr32.exe for .dll registration and PowerShell for setting up the launch settings. Here's my registration command line:

    regsvr32.exe /n /i:"C:\ProgramData\my3rdparty" "C:\Program Files (x86)\My3rdparty\engine.dll"

and here's my PowerShell:

    $Group = 'IIS_IUSRS'
    $SystemInfo = (Get-WmiObject -Class Win32_ComputerSystem)
    $ComputerName = "{0}.{1}" -f $SystemInfo.Name, $SystemInfo.Domain
    # Local groups are looked up with the computer name as their domain
    $Domain = $SystemInfo.Name
    $ComComponentName = 'My 3rd party DCOM name'

    function New-DComLaunchACE(
        [parameter(mandatory=$true)] $Domain,
        [parameter(mandatory=$true)] $ComputerName,
        [parameter(mandatory=$true)] $Group )
    {
        # Create the Trustee object
        $Trustee = ([WMIClass] "root\cimv2:Win32_Trustee").CreateInstance()
        # Look up the group account
        $account = [WMI] "root\cimv2:Win32_Group.Name='$Group',Domain='$Domain'"
        # Get the SID for the found account
        $accountSID = [WMI] "root\cimv2:Win32_SID.SID='$($account.sid)'"
        # Set up the Trustee object
        $Trustee.Domain = $Domain
        $Trustee.Name = $Group
        $Trustee.SID = $accountSID.BinaryRepresentation
        # Create the ACE (Access Control Entry) object
        $ACE = ([WMIClass] "root\cimv2:Win32_ACE").CreateInstance()
        # COM Access Mask
        #   Execute = 1,
        #   Execute_Local = 2,
        #   Execute_Remote = 4,
        #   Activate_Local = 8,
        #   Activate_Remote = 16
        $ACE.AccessMask = 11 # Execute | Execute_Local | Activate_Local
        $ACE.AceFlags = 0
        $ACE.AceType = 0 # Access allowed
        $ACE.Trustee = $Trustee
        $ACE
    }

    function New-DComConfigurationACE(
        [parameter(mandatory=$true)] $Domain,
        [parameter(mandatory=$true)] $ComputerName,
        [parameter(mandatory=$true)] $Group )
    {
        # Create the Trustee object
        $Trustee = ([WMIClass] "root\cimv2:Win32_Trustee").CreateInstance()
        # Look up the group account
        $account = [WMI] "root\cimv2:Win32_Group.Name='$Group',Domain='$Domain'"
        # Get the SID for the found account
        $accountSID = [WMI] "root\cimv2:Win32_SID.SID='$($account.sid)'"
        # Set up the Trustee object
        $Trustee.Domain = $Domain
        $Trustee.Name = $Group
        $Trustee.SID = $accountSID.BinaryRepresentation
        # Create the ACE (Access Control Entry) object
        $ACE = ([WMIClass] "root\cimv2:Win32_ACE").CreateInstance()
        # COM Access Mask
        $ACE.AccessMask = 268435456 # Full Control
        $ACE.AceFlags = 0
        $ACE.AceType = 0 # Access allowed
        $ACE.Trustee = $Trustee
        $ACE
    }

    # Configure the DCOM Config settings for the component so it can be activated & launched locally
    $dcom = Get-WMIObject Win32_DCOMApplicationSetting -Filter "Description='$ComComponentName'" -EnableAllPrivileges
    if ($null -ne $dcom)
    {
        Write-Host "DCOM is registered! Setting up permissions"
        $sd = $dcom.GetLaunchSecurityDescriptor().Descriptor
        $csd = $dcom.GetConfigurationSecurityDescriptor().Descriptor
        #$nsAce = $sd.Dacl | Where {$_.Trustee.Name -eq $Group}
        $newAce = New-DComLaunchACE -Domain $Domain -ComputerName $ComputerName -Group $Group
        $sd.Dacl += $newAce
        $newAce2 = New-DComConfigurationACE -Domain $Domain -ComputerName $ComputerName -Group $Group
        $csd.Dacl += $newAce2
        # Set both the launch and the configuration descriptors ...
        $dcom.SetLaunchSecurityDescriptor($sd)
        $dcom.SetConfigurationSecurityDescriptor($csd)
    }
    else
    {
        Write-Host "DCOM not found."
    }

My problem is that the DCOM component is not found by the PowerShell script even though it is successfully registered.
However, I found out that if I open the mmc console with

    mmc comexp.msc /32

and navigate to the "DCOM Config" folder, I can see my DCOM component there... and if I run my PowerShell script after that, it works!
[Screenshot: Component Services window]
It looks as if the system is searching in a cache and not updating the cache when a new DCOM is installed. When opening the mmc console, the system refreshes the cache and the DCOM becomes available. But these are my assumptions.
Is there something I'm doing wrong? How can I make sure that the DCOM is available to powershell script right after it is installed?
Thanks much!
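
A diagnostic for the symptom described above, showing whether an AppID key with the component's description exists in the 32-bit or 64-bit registry view and whether the 32-bit or 64-bit WMI provider returns it. This is an added example, not part of the original post: the function names `Find-AppIdInView` and `Get-DcomSettingByArch` are hypothetical, and the description string is the placeholder used in the question.

```powershell
# Added diagnostic example; function names are hypothetical.
$ComComponentName = 'My 3rd party DCOM name'   # description string from the question

# List AppID keys whose default value matches the description, as seen
# through one registry view (Registry32 or Registry64).
function Find-AppIdInView {
    param([Microsoft.Win32.RegistryView] $View, [string] $Description)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $View)
    try {
        $root = $hklm.OpenSubKey('SOFTWARE\Classes\AppID')
        if ($null -eq $root) { return }
        foreach ($name in $root.GetSubKeyNames()) {
            $key = $root.OpenSubKey($name)
            if ($null -eq $key) { continue }
            try {
                if ($key.GetValue('') -eq $Description) {
                    [pscustomobject]@{
                        View                = $View
                        AppId               = $name
                        HasLaunchPermission = ($null -ne $key.GetValue('LaunchPermission'))
                    }
                }
            } finally { $key.Close() }
        }
    } finally { if ($root) { $root.Close() }; $hklm.Close() }
}

# Run the question's WMI query against the 32-bit or 64-bit WMI provider.
function Get-DcomSettingByArch {
    param([int] $Architecture, [string] $Description)
    $options = New-Object System.Management.ConnectionOptions
    $options.Context.Add('__ProviderArchitecture', $Architecture)
    $scope = New-Object System.Management.ManagementScope('\\.\root\cimv2', $options)
    $scope.Connect()
    $wql = "SELECT AppID, Description FROM Win32_DCOMApplicationSetting " +
           "WHERE Description='$Description'"
    $searcher = New-Object System.Management.ManagementObjectSearcher(
        $scope, (New-Object System.Management.ObjectQuery($wql)))
    @($searcher.Get()) | Select-Object @{n='Arch';e={$Architecture}}, AppID, Description
}

'Registry32', 'Registry64' |
    ForEach-Object { Find-AppIdInView -View $_ -Description $ComComponentName } |
    Format-Table -AutoSize
32, 64 |
    ForEach-Object { Get-DcomSettingByArch -Architecture $_ -Description $ComComponentName } |
    Format-Table -AutoSize
```

Run it from an elevated prompt right after regsvr32 and again after opening `mmc comexp.msc /32`; any difference between the two runs shows what opening the console changed.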