BUG: CoRegisterClassObject Fails with CO_E_WRONG_SERVER_IDENTITY

• Microsoft OLE Libraries 4.0 included with: - Microsoft Win32 Software Development Kit (SDK)

SYMPTOMS

The CoRegisterClassObject() API fails with the error "CO_E_WRONG_SERVER_IDENTITY" under the following conditions:

1. If the COM server calling the API is set to run under the "Interactive User" identity.

1. The string for the following named value contains any value other than a single valid executable name for the shell process.

   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon Shell=

RESOLUTION

This bug can be avoided by making sure that the shell-named value has only one string representing the valid process .exe name associated with it. The shell-named value contains the string "Explorer.exe" by default. The problem occurs if the shell-named value has been modified and is not a string representing the valid .exe name for a single-shell process. In particular, multiple .exe names (such as "Explorer.exe cmd.exe"), command line switches for a single valid .exe (such as "Explorer.exe /s"), or no valid .exe name (a bogus shell name or a NULL string) will result in this error.

STATUS

Microsoft has confirmed this to be a bug in the Microsoft products listed at the beginning of this article. We are researching this bug and will post new information here in the Microsoft Knowledge Base as it becomes available.

MORE INFORMATION

The implementation of CoRegisterClassObject() checks to see if the the security identity of the process (COM server) that is calling it matches the security identity that the class is registered to run under.When the server is set to run under the "Interactive User" identity, CoRegisterClassObject() must determine dynamically the identity of the current interactive user in order to make the comparison. To do that, the implementation of the API will compare the security identity of the calling process with the security identity of the running process named in the shell-named value to ensure that they match. At the present time, COM assumes that the shell value is a single valid .exe name that has been launched by Winlogon as the interactive user's primary process. When the string for this value contains multiple substrings or no string exists for this value, COM is unable to find a process running as the interactive user and the security comparison will always fail. As a result, the API will incorrectly return the error. (See the References section for a KB article that describes the circumstances under which CoRegisterClassObject() correctly returns the CO_E_WRONG_SERVER_IDENTITY error code.)

One of the reasons why this named value contains substrings is that you need to start the shell process with a command line parameter. For example "Explorer.exe cmd.exe" starts Explorer.exe as the shell and passes cmd.exe as a command line parameter to Explorer.exe, which in turn causes Explorer to spawn cmd.exe. You can work around this requirement by adding cmd.exe to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key in the registry which is more appropriate for this purpose.

REFERENCES

For additional information, please see the following article(s) in the Microsoft Knowledge Base: