How to suppress EventID 10016 from a server through an XML query

Virender Singh Rawat 67 Reputation points
2021-06-04T06:07:55.17+00:00

Hi Team,
Microsoft published an article on ignoring event 10016 or changing the permissions on the registry and DCOM through PowerShell. Microsoft does not recommend changing the permissions, so I will suppress the event in Event Viewer. (https://learn.microsoft.com/en-us/troubleshoot/windows-client/application-management/event-10016-logged-when-accessing-dcom#workaround)
Now I log in to one server, open Event Viewer > Custom Views > Create Custom View,
click on XML and paste the query below there (I have changed the values as per the instructions, but I am still not able to suppress the event on the server).

param1 application-specific
param2 Local
param3 Activation
param4 {D63B10C5-BB46-4990-A94F-E40B9D520160}
param5 {9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
param6 USAAPP011
param7 SolarwindSC
param8 S-1-5-21-24129734311-1542330202-33436134825-1190
param9 LocalHost (Using LRPC)

I am not getting any error, but I am unable to suppress the event in Event Viewer.

<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*</Select>
    <Suppress Path="System">
      *[System[(EventID=10016)]]
      and
      *[EventData[
        (
          Data[@Name='param4'] and Data='{D63B10C5-BB46-4990-A94F-E40B9D520160}' and
          Data[@Name='param5'] and Data='{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}' and
          Data[@Name='param4'] and Data='S-1-5-21-24129734311-1542330202-33436134825-1190'
        )
      ]]
    </Suppress>
  </Query>
</QueryList>

Can an expert help me resolve the issue, or share your input on how you suppress event ID 10016 for one specific SID?

Windows Server

Accepted answer
  1. Candy Luo 12,761 Reputation points Microsoft External Staff
    2021-06-04T07:15:46.063+00:00

    Hi,

    From your post:

    (screenshot of the query from the question, with the param4 in the SID condition highlighted in yellow)

    param8 corresponds to the security context SID, not param4. Change the yellow-marked param4 to param8 and then see if it works.

    Best Regards,
    Candy


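The fix above can be checked before touching Event Viewer. The PowerShell below is an added example for this thread, not code from the original post or from Microsoft's article: it builds the corrected Suppress condition (param8 for the SID), first runs it as a Select to count the 10016 events it would hide, then prints the custom-view XML to paste in, and finally runs that view query to confirm no 10016 for the SID leaks through. The CLSID, APPID and SID are the values quoted in the question; the script assumes the usual 0-based mapping of paramN to Properties[N-1] when it reads fields back from real events. It also ties each value to its named field with Data[@Name='paramN']='value', which is stricter than the "Data[@Name='paramN'] and Data='value'" form used in the question.

```powershell
# Added example for this thread; it is not code from the original post or from
# Microsoft's article. The three values are the ones quoted in the question;
# replace them with the CLSID, APPID and SID from the event's Details > XML View.
$Clsid = '{D63B10C5-BB46-4990-A94F-E40B9D520160}'
$AppId = '{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}'
$Sid   = 'S-1-5-21-24129734311-1542330202-33436134825-1190'

# The condition the custom view should suppress. param4 = CLSID, param5 = APPID,
# param8 = security context SID. Each value is bound to its own named field.
$condition = @"
*[System[(EventID=10016)]]
and
*[EventData[
  Data[@Name='param4']='$Clsid' and
  Data[@Name='param5']='$AppId' and
  Data[@Name='param8']='$Sid'
]]
"@

# 1. Dry run: Select (not Suppress) with the condition and count what it matches.
#    Zero hits usually means a typo in one of the three values.
$selectXml = @"
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">$condition</Select>
  </Query>
</QueryList>
"@
$hits = @(Get-WinEvent -FilterXml ([xml]$selectXml) -ErrorAction SilentlyContinue)
"10016 events the Suppress clause would hide: $($hits.Count)"

# 2. The custom-view query itself: everything from System, minus the condition.
#    This is the text to paste into Create Custom View > XML.
$viewXml = @"
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*</Select>
    <Suppress Path="System">$condition</Suppress>
  </Query>
</QueryList>
"@
$viewXml

# 3. Verify: run the view query and confirm no 10016 for this SID comes through.
#    Properties are 0-based, so param8 is index 7 (assumed mapping, see lead-in).
$leaked = @(Get-WinEvent -FilterXml ([xml]$viewXml) -MaxEvents 5000 -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 10016 -and "$($_.Properties[7].Value)" -eq $Sid })
"10016 events for $Sid still visible through the view: $($leaked.Count)"

# 4. If step 1 returned zero, show what real 10016 events carry in param4/5/8 so
#    the values can be copied exactly (no stray spaces, braces or truncated SIDs).
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 10016 } -MaxEvents 3 -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            param4      = $_.Properties[3].Value
            param5      = $_.Properties[4].Value
            param8      = "$($_.Properties[7].Value)"
        }
    }
```

Get-WinEvent returns an error rather than an empty result when nothing matches, hence -ErrorAction SilentlyContinue and the @() wrappers. Note what the custom view does and does not do: it only changes what Event Viewer displays on that host. The 10016 events are still written to the System log and still reach any event-forwarding subscription or SIEM, so if they are noisy there as well, the same condition has to be applied on the collector side.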

0 additional answers
