Security Audit Failure 560 caused by permission settings of the MSDTC service


A machine built from a sysprep image showed a permission problem after a web application was set up in IIS.


The HTTP error log (HTTPERR) recorded the following entry every time the page was requested; Connection_Abandoned_By_AppPool means the worker process exited before answering the request:

2009-04-22 23:04:15 63630 80 HTTP/1.1 POST /testtransactionscope/default.aspx - 1 Connection_Abandoned_By_AppPool XXXPool


In the System event log, the application pool was being recycled with the following message:

Description: A process serving application pool 'XXXPool' suffered a fatal communication error with the World Wide Web Publishing Service. The process id was '1784'. The data field contains the error number.


In the Application event log, COM+ logged error Event ID 4689:

Description: The run-time environment has detected an inconsistency in its internal state. This indicates a potential instability in the process that could be caused by the custom components running in the COM+ application, the components they make use of, or other factors. CTransactionMarshal::MarshalInterface


Process Name: w3wp.exe

The serious nature of this error has caused the process to terminate.

Error Code = 0x80030009 : Invalid pointer error.

COM+ Services Internals Information:

File: d:\nt\com\complus\src\comsvcs\txprop\txmar.cpp, Line: 198

Comsvcs.dll file version: ENU 2001.12.4720.3959 shp


This looked like a permissions problem: the account the application ran as did not have enough rights to complete the DTC transaction.




We enabled object-access auditing so that failures were written to the Security log. A Failure Audit for Event ID 560 (Object Open) showed that the problem lay with permissions on the Service Control Manager or on MSDTC:

Event Type:      Failure Audit
Event Source:    Security
Event Category:  (3)
Event ID:        560
Date:            5/1/2009
Time:            11:12:35 PM
User:            S-1-5-21-3806370356-xxxxxxx-27313109-1898
Computer:        XXXX02

Object Open:
         Object Server:        SC Manager
         Object Type:          SC_MANAGER OBJECT
         Object Name:          ServicesActive
         Handle ID:            -
         Operation ID:         {0,5738775}
         Process ID:           404
         Image File Name:      C:\WINDOWS\system32\services.exe
         Primary User Name:    xxxxxx$
         Primary Domain:       xxxxx
         Primary Logon ID:     (0x0,0x3E7)
         Client User Name:     mmmm
         Client Domain:        xxxxx
         Client Logon ID:      (0x0,0x577D5E)
         Accesses:             Connect to service controller
                               Query service database lock state
         Privileges:           -
         Restricted Sid Count: 0
         Access Mask:          0x11

Reading the record: the primary identity is services.exe itself running as LocalSystem (logon ID 0x3E7), and the client identity mmmm is the caller it impersonated, presumably the account the web application ran under. The two accesses listed are exactly the mask 0x11 (SC_MANAGER_CONNECT 0x0001 | SC_MANAGER_QUERY_LOCK_STATUS 0x0010), which is what a client requests when it opens the service controller on its way to opening a service such as MSDTC. The empty Handle ID confirms the open failed.



Root Cause


We therefore checked the permissions actually granted on the SCM and on the MSDTC service by running the following two commands at a command prompt. Each prints the object's security descriptor as an SDDL string:


sc sdshow scmanager




sc sdshow msdtc



Looking at the MSDTC output, the ACE for Authenticated Users was (A;;CR;;;AU): the group holds only CR (SERVICE_USER_DEFINED_CONTROL) and has no query right on the MSDTC service object. On a default installation this ACE normally reads (A;;CCLCSWLOCRRC;;;AU), which includes CC (SERVICE_QUERY_CONFIG) and LC (SERVICE_QUERY_STATUS); compare the output with a healthy machine to confirm. See ACE Strings and SID Strings for the meaning of the access-right tokens (e.g. CR) and the account SID (e.g. AU).




To fix the issue, restore the proper permission on MSDTC: keep a copy of the current sc sdshow msdtc output, then write back a descriptor whose Authenticated Users ACE carries the missing query rights, using sc sdset msdtc with the corrected SDDL string.
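As an added example (not part of the original post and not Microsoft code), the check above can be done mechanically. The script below decodes the SDDL that sc sdshow prints, reports which rights the Authenticated Users ACE lacks compared with the stock service ACE, rebuilds the descriptor with those rights added, and prints the sc sdset command that applies it. It also decodes the 0x11 access mask from the 560 audit record. Both SDDL strings are constructed for the example: BROKEN_MSDTC mirrors the (A;;CR;;;AU) ACE from the post, and STOCK_MSDTC assumes the Windows Server 2003 default service DACL, which you should confirm against a healthy machine before using it as a template.

```python
"""Decode the SDDL printed by `sc sdshow` and find the service rights a SID lacks.

Added example for this post, not Microsoft's code. Only service objects and the
SC Manager are covered, and only Allow ACEs matched on the exact SID string.
"""
import re

# SDDL two-letter right tokens -> (bit, name of that bit on a service object).
# Insertion order matches the token order sc sdshow prints.
SERVICE_RIGHTS = {
    "CC": (0x00001, "SERVICE_QUERY_CONFIG"),
    "DC": (0x00002, "SERVICE_CHANGE_CONFIG"),
    "LC": (0x00004, "SERVICE_QUERY_STATUS"),
    "SW": (0x00008, "SERVICE_ENUMERATE_DEPENDENTS"),
    "RP": (0x00010, "SERVICE_START"),
    "WP": (0x00020, "SERVICE_STOP"),
    "DT": (0x00040, "SERVICE_PAUSE_CONTINUE"),
    "LO": (0x00080, "SERVICE_INTERROGATE"),
    "CR": (0x00100, "SERVICE_USER_DEFINED_CONTROL"),
    "SD": (0x10000, "DELETE"),
    "RC": (0x20000, "READ_CONTROL"),
    "WD": (0x40000, "WRITE_DAC"),
    "WO": (0x80000, "WRITE_OWNER"),
}

# Bits of the SC Manager access mask, as reported in the 560 audit record.
SCM_RIGHTS = {
    0x0001: "SC_MANAGER_CONNECT",
    0x0002: "SC_MANAGER_CREATE_SERVICE",
    0x0004: "SC_MANAGER_ENUMERATE_SERVICE",
    0x0008: "SC_MANAGER_LOCK",
    0x0010: "SC_MANAGER_QUERY_LOCK_STATUS",
    0x0020: "SC_MANAGER_MODIFY_BOOT_CONFIG",
}

# Read/query set the stock Authenticated Users ACE grants: CCLCSWLOCRRC.
REQUIRED_AU_MASK = 0x00001 | 0x00004 | 0x00008 | 0x00080 | 0x00100 | 0x20000

# Constructed samples. BROKEN_MSDTC mirrors the post's (A;;CR;;;AU) ACE;
# STOCK_MSDTC assumes the Windows Server 2003 default service DACL
# (assumption: confirm with `sc sdshow msdtc` on a healthy machine).
BROKEN_MSDTC = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CR;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
STOCK_MSDTC = BROKEN_MSDTC.replace("(A;;CR;;;AU)", "(A;;CCLCSWLOCRRC;;;AU)")

ACE_RE = re.compile(r"\(([^)]*)\)")


def decode_scm_mask(mask):
    """Names of the SC Manager rights set in an audit 'Access Mask' value."""
    return [name for bit, name in sorted(SCM_RIGHTS.items()) if mask & bit]


def rights_to_mask(rights):
    """Turn an SDDL rights field (two-letter tokens or 0x hex) into a bitmask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        token = rights[i:i + 2]
        if token not in SERVICE_RIGHTS:
            raise ValueError("unsupported right token %r" % token)
        mask |= SERVICE_RIGHTS[token][0]
    return mask


def mask_to_rights(mask):
    """Inverse of rights_to_mask, in the token order sc sdshow uses."""
    return "".join(tok for tok, (bit, _) in SERVICE_RIGHTS.items() if mask & bit)


def parse_dacl(sddl):
    """Return the DACL ACEs as (type, mask, sid) tuples; the SACL is ignored."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    aces = []
    for body in ACE_RE.findall(dacl):
        ace_type, _flags, rights, _obj, _inh, sid = body.split(";")[:6]
        aces.append((ace_type, rights_to_mask(rights), sid))
    return aces


def allowed_mask(sddl, sid):
    """Bits granted to exactly this SID by Allow ACEs (no group expansion)."""
    mask = 0
    for ace_type, bits, ace_sid in parse_dacl(sddl):
        if ace_type == "A" and ace_sid == sid:
            mask |= bits
    return mask


def missing_rights(sddl, sid, required=REQUIRED_AU_MASK):
    """Names of the required rights that the SID's Allow ACEs do not grant."""
    gap = required & ~allowed_mask(sddl, sid)
    return [name for _tok, (bit, name) in SERVICE_RIGHTS.items() if gap & bit]


def fix_command(service, sddl, sid, required=REQUIRED_AU_MASK):
    """Widen (or add) the SID's Allow ACE and wrap the result in `sc sdset`."""
    dacl, sep, sacl = sddl.split("D:", 1)[1].partition("S:")
    head = dacl[:dacl.find("(")] if "(" in dacl else dacl  # DACL flags, e.g. PAI
    new_aces, found = [], False
    for body in ACE_RE.findall(dacl):
        fields = body.split(";")
        if fields[0] == "A" and fields[5] == sid:
            fields[2] = mask_to_rights(rights_to_mask(fields[2]) | required)
            found = True
        new_aces.append("(" + ";".join(fields) + ")")
    if not found:
        new_aces.append("(A;;%s;;;%s)" % (mask_to_rights(required), sid))
    new_sddl = "D:" + head + "".join(new_aces) + (sep + sacl if sep else "")
    return 'sc sdset %s "%s"' % (service, new_sddl)


if __name__ == "__main__":
    print("audit mask 0x11 =", " | ".join(decode_scm_mask(0x11)))
    print("AU is missing:", ", ".join(missing_rights(BROKEN_MSDTC, "AU")))
    print(fix_command("msdtc", BROKEN_MSDTC, "AU"))
```

Run it with python3 and paste the output of sc sdshow msdtc in place of BROKEN_MSDTC. The comparison is per SID only: it does not expand group membership or evaluate Deny ACEs, so a Deny elsewhere in the DACL still has to be read by hand, and the stock baseline it assumes should be checked against a known-good host before the printed sc sdset command is run.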




More Information


A lack of MSDTC permissions causes a variety of problems; another case, fixed in the same way, is described in:


Cannot expand the COM+ list in the Component Services UI due to MSDTC service permission issue




Anik Shen

