FileReader Fails to start, FileReader Logs shows below error logged each time we restart 'Symantec Detection Server Service'.

File: Email_Prevent_3\logs\debug\ContentExtractionHost_FileReader.log
Date: 10/22/2023 11:23:47 PM
Level: ERROR
Source: main @ CEHostProcess.cpp (143)
PID: 580
Thread: 7252
Message: Interprocess exception caught while creating server shared memory with error message - boost::interprocess::intermodule_singleton initialization failed, Exception thrown from : ServerShmChannelImpl.cpp(128)

DLP 15.8 +

Windows Server.

Local Activation permission for WMI are missing. This could happen due to server hardening or Windows patching.

Check event viewer look for event ID: 10016

Event should look similar to below:

The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
{8BC3F05E-D86B-11D0-A075-00C04FB68820}
and APPID
{8BC3F05E-D86B-11D0-A075-00C04FB68820}
to the user <Server_Name>\protect SID (S-1-5-21-XXXXXXXXX-XXXXXXXXX-XXXXXXX-XXXX) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

CLSID {8BC3F05E-D86B-11D0-A075-00C04FB68820} in the above error is for WMI for which protect user does not have local activation permission.

1. Go to Administrative tools
2. Open component services
3. Click Computer, click my computer, then click DCOM
4. Look for the Windows Management and Instrumentation service that appears on the event viewer.
5. Right click on it then click properties.
6. Click the security tab > Launch and Activation Permissions Protect User was added however Local launch and and activate permissions were missing, we provided Local Launch, Local Activation and Remote Activation permissions to protect user.
7. Restart 'SymantecDetectionServerService'. 

Check if event ID: 10016 is still getting logged on event viewer.

Also check KB 161702