none
Win 7 KMS failure on select laptops RRS feed

  • Question

  • We have a random amount of laptops that for some reason refuse to stay activated on our KMS. Some never activate and some just drop off. We have confirmed that the KMS is getting the requests but we are not sure why the request is not activating on the client.

    Here is the dump:

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 50
    Cached Online Validation Code: N/A, hr = 0xc004f012
    Windows Product Key: *****-*****-2VJC9-XBBR8-HVTHH
    Windows Product Key Hash: k/l/EMDQdwK9OvdCkPtHG1YdosE=
    Windows Product ID: 00392-918-5000002-85741
    Windows Product ID Type: 1
    Windows License Type: KMS Client
    Windows OS version: 6.1.7601.2.00010100.1.0.004
    ID: {64607E89-0F3A-4FEA-A112-86E39D8AFE8C}(1)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows 7 Enterprise
    Architecture: 0x00000009
    Build lab: 7601.win7sp1_gdr.130828-1532
    TTS Error: T:20140114122017268-
    Validation Diagnostic:
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 109 N/A
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

    Browser Data-->
    Proxy settings:
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files (x86)\Internet Explorer\IEXPLORE.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->
    File Mismatch: C:\WINDOWS\system32\wat\watadminsvc.exe[Hr = 0x80070003]
    File Mismatch: C:\WINDOWS\system32\wat\npwatweb.dll[Hr = 0x80070003]
    File Mismatch: C:\WINDOWS\system32\wat\watux.exe[Hr = 0x80070003]
    File Mismatch: C:\WINDOWS\system32\wat\watweb.dll[Hr = 0x80070003]

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{64607E89-0F3A-4FEA-A112-86E39D8AFE8C}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.004</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-HVTHH</PKey><PID>00392-918-5000002-85741</PID><PIDType>1</PIDType><SID>S-1-5-21-3934021588-226487601-3069067626</SID><SYSTEM><Manufacturer>LENOVO</Manufacturer><Model>2522W3X</Model></SYSTEM><BIOS><Manufacturer>LENOVO</Manufacturer><Version>6IET77WW (1.37 )</Version><SMBIOSVersion major="2" minor="6"/><Date>20110509000000.000000+000</Date></BIOS><HWID>34E03507018400FC</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Central Standard Time(GMT-06:00)</TimeZone><iJoin>1</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>LENOVO</OEMID><OEMTableID>TP-6I   </OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>  

    Spsys.log Content: U1BMRwEAAAAAAQAACAAAAL8qAAAAAAAAYWECAAAAAAAiItIa5vzOAROJf9ybj7SsIEe8hMh9DOGiYTbSMsGhCrawcUL27pgIyJ4nymkAK4OhP8Em3ktOPPVJKxlfJdDkL8d8uy2F+S0zkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAx4dZsxs/sxaQSZh6DCEuBH1O30wknqp6VEkDc+pvVAHB0/UdxUVyujALeWNXuEivQzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgME4l/3JuPtKwgR7yEyH0M4Yo24VFVWaGw7pvsE8BtnCQScsoiEte2ccs7JVwS1II0ZOORqzdqcz8m3XDucHV3ADOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDBOJf9ybj7SsIEe8hMh9DOH7EyR0iNvEjCdYtfxK9iNDLovk+qPeaqg0NWI8tKvWFGTjkas3anM/Jt1w7nB1dwAzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAx4dZsxs/sxaQSZh6DCEuBH6DH+6bv5bdZH/jcb5K+Nq+7AntwlpnJKNCiITirg3WEzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgM

    Licensing Data-->
    Software licensing service version: 6.1.7601.17514

    Name: Windows(R) 7, Enterprise edition
    Description: Windows Operating System - Windows(R) 7, VOLUME_KMSCLIENT channel
    Activation ID: ae2ee509-1b34-41c0-acb7-6d4650168915
    Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
    Extended PID: 00392-00170-918-500000-03-1033-7601.0000-0152014
    Installation ID: 014962636293733553959514764232701071933511170793450653
    Partial Product Key: HVTHH
    License Status: Notification
    Notification Reason: 0xC004F056.
    Remaining Windows rearm count: 5
    Trusted time: 1/16/2014 7:17:58 AM
    Please use slmgr.vbs /ato to activate and update KMS client information in order to update values.

    Windows Activation Technologies-->
    HrOffline: 0x00000000
    HrOnline: N/A
    HealthStatus: 0x0000000000000000
    Event Time Stamp: N/A
    ActiveX: Not Registered - 0x80040154
    Admin Service: Not Registered - 0x80040154
    HealthStatus Bitmask Output:


    HWID Data-->
    HWID Hash Current: NAAAAAEAAwABAAEAAAABAAAABAABAAEA6GFqvz1yiIIe3nSuqLsQ4gbuSE9Iflb+7BVcXQ==

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes
    Windows marker version: 0x20001
    OEMID and OEMTableID Consistent: yes
    BIOS Information:
      ACPI Table Name    OEMID Value    OEMTableID Value
      APIC            LENOVO        TP-6I   
      FACP            LENOVO        TP-6I   
      HPET            LENOVO        TP-6I   
      BOOT            LENOVO        TP-6I   
      MCFG            LENOVO        TP-6I   
      SSDT            LENOVO        TP-6I   
      ECDT            LENOVO        TP-6I   
      ASF!            LENOVO        TP-6I   
      SLIC            LENOVO        TP-6I   
      SSDT            LENOVO        TP-6I   
      TCPA            PTL         CRESTLN
      SSDT            LENOVO        TP-6I   
      SSDT            LENOVO        TP-6I   
      SSDT            LENOVO        TP-6I   

    Thank you in advance!

    Thursday, January 16, 2014 1:40 PM

Answers

  • That appears to be a fairly old version? (2012 version, at least) - RU4 was released in Oct 2013.

    It may be that it's hooking into the system at the wrong places, considering the updates that have gone on since.

    Do you have to option to upgrade/date to the latest?

    If so, I'd create a new master image with the new one rather than attempt to uninstall the old and update the image that way.


    Noel Paton | Nil Carborundum Illegitemi
    CrashFixPC | The Three-toed Sloth
    No - I do not work for Microsoft, or any of its contractors.

    • Marked as answer by PodGoDon Wednesday, January 29, 2014 6:57 PM
    Monday, January 27, 2014 5:39 PM
    Moderator

All replies

  • TTS Error: T:20140114122017268-

    You have a Trusted Store Tamper - often the result of over-zealous cleanup software/routines or malware.

    You need to work out what happened to the system during the 3-4 days prior to the timestamp above, and see if you can work out whether it's a software install, user action, or malware causing the problem - then you can either re-educate the users, modify/replace the software, or remove the malware.


    Noel Paton | Nil Carborundum Illegitemi
    CrashFixPC | The Three-toed Sloth
    No - I do not work for Microsoft, or any of its contractors.

    Thursday, January 16, 2014 5:10 PM
    Moderator
  • Thanks for the quick response. Is there someway we could find out which file is causing the problem?
    Thursday, January 16, 2014 6:54 PM
  • Check the Reliability History - Click the Start button, type reliability and select the 'View reliability history' option - see what it has to say about that date, and check back to see if there are similar events earlier - when you find the first, see what the last software installs/updates were prior, and investigate them.

    Noel Paton | Nil Carborundum Illegitemi
    CrashFixPC | The Three-toed Sloth
    No - I do not work for Microsoft, or any of its contractors.

    Thursday, January 16, 2014 9:52 PM
    Moderator
  • Thanks again - I'll try this and report back.
    Friday, January 17, 2014 1:07 PM
  • Good luck! - these can be difficult to isolate if it's not malware :(

    Noel Paton | Nil Carborundum Illegitemi
    CrashFixPC | The Three-toed Sloth
    No - I do not work for Microsoft, or any of its contractors.

    Friday, January 17, 2014 1:33 PM
    Moderator
  • OK so here is what we found... If we follow these procedures we can activate 80% of the "Not Genuine" laptops:

    1. Stopped softwareProtection service
    2. Deleted content of C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform folder
    3. Ran cscript slmgr.vbs /rilc
    4. Rebooted twice
    5. Ran cscript slmgr.vbs /ato

    Here is the before DIAG:

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 50
    Cached Online Validation Code: N/A, hr = 0xc004f012
    Windows Product Key: *****-*****-2VJC9-XBBR8-HVTHH
    Windows Product Key Hash: k/l/EMDQdwK9OvdCkPtHG1YdosE=
    Windows Product ID: 00392-918-5000002-85741
    Windows Product ID Type: 1
    Windows License Type: KMS Client
    Windows OS version: 6.1.7601.2.00010100.1.0.004
    ID: {0E53EAFC-325D-4FFC-A361-9BE3CA050AEA}(1)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows 7 Enterprise
    Architecture: 0x00000009
    Build lab: 7601.win7sp1_gdr.130828-1532
    TTS Error: T:20140121160728676-
    Validation Diagnostic:
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 109 N/A
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

    Browser Data-->
    Proxy settings:
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files (x86)\Internet Explorer\IEXPLORE.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->
    File Mismatch: C:\WINDOWS\system32\wat\watadminsvc.exe[Hr = 0x80070003]
    File Mismatch: C:\WINDOWS\system32\wat\npwatweb.dll[Hr = 0x80070003]
    File Mismatch: C:\WINDOWS\system32\wat\watux.exe[Hr = 0x80070003]
    File Mismatch: C:\WINDOWS\system32\wat\watweb.dll[Hr = 0x80070003]

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{0E53EAFC-325D-4FFC-A361-9BE3CA050AEA}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.004</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-HVTHH</PKey><PID>00392-918-5000002-85741</PID><PIDType>1</PIDType><SID>S-1-5-21-221155014-2938626188-12158226</SID><SYSTEM><Manufacturer>LENOVO</Manufacturer><Model>4180BW8</Model></SYSTEM><BIOS><Manufacturer>LENOVO</Manufacturer><Version>83ET59WW (1.29 )</Version><SMBIOSVersion major="2" minor="6"/><Date>20110601000000.000000+000</Date></BIOS><HWID>8EDD3C07018400FE</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Central Standard Time(GMT-06:00)</TimeZone><iJoin>1</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>LENOVO</OEMID><OEMTableID>TP-83   </OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>  

    Spsys.log Content: U1BMRwEAAAAAAQAACAAAALkwAAAAAAAAYWECAID4//+F86PhbxTPAROJf9ybj7SsIEe8hMh9DOHCg1tndQSLfdOJrxGMmXEGuoNvdSZI3MTYgfHcx5YeVQQP7Mqz0Iofa3PBmBu7DhgzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwTiX/cm4+0rCBHvITIfQzhEMoG9DoJH8oArUeHX9i04nQKlrhQMpo3zqEqiMD2RpYED+zKs9CKH2tzwZgbuw4YM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgME4l/3JuPtKwgR7yEyH0M4XaMrkMXOBeISh9VnhqeO9/GC29QTCcyY4g5weo+QYuLBA/syrPQih9rc8GYG7sOGDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDBOJf9ybj7SsIEe8hMh9DOGIfoD1XBrDcio15YC6I+4x3yjPtYjrSRZT8tiDVbhDugQP7Mqz0Iofa3PBmBu7DhgzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwTiX/cm4+0rCBHvITIfQzhqs+FdY+9N5VqK2kXcYG0ViJXAmQk93CtIndIgDtjbLbDdMb6Fr1BBvW2+w0uyt/LM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgME4l/3JuPtKwgR7yEyH0M4U8Wwf3iloSZmtY6AMblNZlDtGMYRANg2EXTiz6b1UE6BA/syrPQih9rc8GYG7sOGDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDHh1mzGz+zFpBJmHoMIS4EeWTJQDIdQQPjtRlVoziwdeHQwFe74ZzhCl0HRMVRSB+TOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAw=

    Licensing Data-->
    Software licensing service version: 6.1.7601.17514
    Error: product key not found.

    Windows Activation Technologies-->
    HrOffline: 0x00000000
    HrOnline: N/A
    HealthStatus: 0x0000000000000000
    Event Time Stamp: N/A
    ActiveX: Not Registered - 0x80040154
    Admin Service: Not Registered - 0x80040154
    HealthStatus Bitmask Output:


    HWID Data-->
    HWID Hash Current: MgAAAAEAAwABAAEAAAABAAAAAwABAAEA6GHeXQPOopYorW7BjlQEAtaqBIRQeHDgLnM=

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes
    Windows marker version: 0x20001
    OEMID and OEMTableID Consistent: yes
    BIOS Information:
      ACPI Table Name    OEMID Value    OEMTableID Value
      APIC            LENOVO        TP-83   
      FACP            LENOVO        TP-83   
      HPET            LENOVO        TP-83   
      MCFG            LENOVO        TP-83   
      SLIC            LENOVO        TP-83   
      SSDT            LENOVO        TP-SSDT2
      SSDT            LENOVO        TP-SSDT2
      SSDT            LENOVO        TP-SSDT2
      ECDT            LENOVO        TP-83   
      ASF!            LENOVO        TP-83   
      TCPA            PTL        LENOVO
      SSDT            LENOVO        TP-SSDT2
      SSDT            LENOVO        TP-SSDT2
      UEFI            LENOVO        TP-83   
      UEFI            LENOVO        TP-83   
      UEFI            LENOVO        TP-83   

    ======================================================================================

    Here is the after:

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 0
    Cached Online Validation Code: N/A, hr = 0xc004f012
    Windows Product Key: *****-*****-2VJC9-XBBR8-HVTHH
    Windows Product Key Hash: k/l/EMDQdwK9OvdCkPtHG1YdosE=
    Windows Product ID: 00392-918-5000002-85741
    Windows Product ID Type: 1
    Windows License Type: KMS Client
    Windows OS version: 6.1.7601.2.00010100.1.0.004
    ID: {0E53EAFC-325D-4FFC-A361-9BE3CA050AEA}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows 7 Enterprise
    Architecture: 0x00000009
    Build lab: 7601.win7sp1_gdr.130828-1532
    TTS Error: T:20140121160728676-
    Validation Diagnostic:
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 109 N/A
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

    Browser Data-->
    Proxy settings:
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files (x86)\Internet Explorer\IEXPLORE.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->
    File Mismatch: C:\WINDOWS\system32\wat\watadminsvc.exe[Hr = 0x80070003]
    File Mismatch: C:\WINDOWS\system32\wat\npwatweb.dll[Hr = 0x80070003]
    File Mismatch: C:\WINDOWS\system32\wat\watux.exe[Hr = 0x80070003]
    File Mismatch: C:\WINDOWS\system32\wat\watweb.dll[Hr = 0x80070003]

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{0E53EAFC-325D-4FFC-A361-9BE3CA050AEA}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.004</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-HVTHH</PKey><PID>00392-918-5000002-85741</PID><PIDType>1</PIDType><SID>S-1-5-21-221155014-2938626188-12158226</SID><SYSTEM><Manufacturer>LENOVO</Manufacturer><Model>4180BW8</Model></SYSTEM><BIOS><Manufacturer>LENOVO</Manufacturer><Version>83ET59WW (1.29 )</Version><SMBIOSVersion major="2" minor="6"/><Date>20110601000000.000000+000</Date></BIOS><HWID>8EDD3C07018400FE</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Central Standard Time(GMT-06:00)</TimeZone><iJoin>1</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>LENOVO</OEMID><OEMTableID>TP-83   </OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>  

    Spsys.log Content: U1BMRwEAAAAAAQAACAAAALkwAAAAAAAAYWECAID4//+F86PhbxTPAROJf9ybj7SsIEe8hMh9DOHCg1tndQSLfdOJrxGMmXEGuoNvdSZI3MTYgfHcx5YeVQQP7Mqz0Iofa3PBmBu7DhgzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwTiX/cm4+0rCBHvITIfQzhEMoG9DoJH8oArUeHX9i04nQKlrhQMpo3zqEqiMD2RpYED+zKs9CKH2tzwZgbuw4YM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgME4l/3JuPtKwgR7yEyH0M4XaMrkMXOBeISh9VnhqeO9/GC29QTCcyY4g5weo+QYuLBA/syrPQih9rc8GYG7sOGDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDBOJf9ybj7SsIEe8hMh9DOGIfoD1XBrDcio15YC6I+4x3yjPtYjrSRZT8tiDVbhDugQP7Mqz0Iofa3PBmBu7DhgzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwTiX/cm4+0rCBHvITIfQzhqs+FdY+9N5VqK2kXcYG0ViJXAmQk93CtIndIgDtjbLbDdMb6Fr1BBvW2+w0uyt/LM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgME4l/3JuPtKwgR7yEyH0M4U8Wwf3iloSZmtY6AMblNZlDtGMYRANg2EXTiz6b1UE6BA/syrPQih9rc8GYG7sOGDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDHh1mzGz+zFpBJmHoMIS4EeWTJQDIdQQPjtRlVoziwdeHQwFe74ZzhCl0HRMVRSB+TOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAw=

    Licensing Data-->
    Software licensing service version: 6.1.7601.17514

    Name: Windows(R) 7, Enterprise edition
    Description: Windows Operating System - Windows(R) 7, VOLUME_KMSCLIENT channel
    Activation ID: ae2ee509-1b34-41c0-acb7-6d4650168915
    Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
    Extended PID: 00392-00170-918-500000-03-1033-7601.0000-0232014
    Installation ID: 015792789923381685253931183240206504315864726671749853
    Partial Product Key: HVTHH
    License Status: Licensed
    Volume activation expiration: 259200 minute(s) (180 day(s))
    Remaining Windows rearm count: 1
    Trusted time: 1/23/2014 8:10:10 AM

    Key Management Service client information
        Client Machine ID (CMID): c17b935b-0a3f-4cea-92a4-4f695395b250
        KMS machine name from DNS: vsnhq1coap01kms.corporate.amfam.com:1688
        KMS machine extended PID: 55041-00168-313-023593-03-1033-3790.0000-3382009
        Activation interval: 120 minutes
        Renewal interval: 10080 minutes
        KMS host caching is enabled

    Windows Activation Technologies-->
    HrOffline: 0x00000000
    HrOnline: N/A
    HealthStatus: 0x0000000000000000
    Event Time Stamp: N/A
    ActiveX: Not Registered - 0x80040154
    Admin Service: Not Registered - 0x80040154
    HealthStatus Bitmask Output:


    HWID Data-->
    HWID Hash Current: MgAAAAEAAwABAAEAAAABAAAAAwABAAEA6GHeXQPOopYorW7BjlQEAtaqBIRQeBAtLnM=

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes
    Windows marker version: 0x20001
    OEMID and OEMTableID Consistent: yes
    BIOS Information:
      ACPI Table Name    OEMID Value    OEMTableID Value
      APIC            LENOVO        TP-83   
      FACP            LENOVO        TP-83   
      HPET            LENOVO        TP-83   
      MCFG            LENOVO        TP-83   
      SLIC            LENOVO        TP-83   
      SSDT            LENOVO        TP-SSDT2
      SSDT            LENOVO        TP-SSDT2
      SSDT            LENOVO        TP-SSDT2
      ECDT            LENOVO        TP-83   
      ASF!            LENOVO        TP-83   
      TCPA            PTL        LENOVO
      SSDT            LENOVO        TP-SSDT2
      SSDT            LENOVO        TP-SSDT2
      UEFI            LENOVO        TP-83   
      UEFI            LENOVO        TP-83   
      UEFI            LENOVO        TP-83   

    ===================================================================

    So my questions is - Are we on the right path?

    Thursday, January 23, 2014 2:27 PM
  • TTS Error: T:20140121160728676-

    The timestamp on this machine is different :) - but the error is at least of the same ilk.

    Certainly, that approach is a potential one - but what worries me is that it appears to avoid actually defining the source of the problem, which means that it may be a temporary fix at best.

    I'd be very interested to see a report from one or two of the machines that still fail after this procedure.


    Noel Paton | Nil Carborundum Illegitemi
    CrashFixPC | The Three-toed Sloth
    No - I do not work for Microsoft, or any of its contractors.

    Thursday, January 23, 2014 7:38 PM
    Moderator
  • It sure would be nice if MS would flag the files it thinks were tampered with... I guess we will let you know in 180 days ;0) Thanks for all your help!!! IOU a beer.

    Don

    Thursday, January 23, 2014 7:43 PM
  • c/o https://www.facebook.com/groups/322740914470274/permalink/561109860633377/ :D

    more seriously, though - you're really are not the only one!.

    I've read something approaching 30K MGADiag reports - of which less than 300 at a guess have had TS Tampers. They appear to becoming more frequent with the ageing of Win7 :( I would have expected them to become less common, as devs adjusted to the needs of 7, but the reverse seems to be the case - which is why I always tend to lean towards the malware as a cause.


    Noel Paton | Nil Carborundum Illegitemi
    CrashFixPC | The Three-toed Sloth
    No - I do not work for Microsoft, or any of its contractors.

    Thursday, January 23, 2014 7:59 PM
    Moderator
  • So get this... We reboot the offending machine (one of the 20% that won't activate) and MGADIAG TST date/time stamp changes :-/  with every reboot it changes. So being the resourceful guys over here, we run PROCMON and compare the timestamp to whats going on. No Joy - nothing is really hopping at that time, but earlier in the boot we see update services trying to update. Any thoughts? The MGA reports from above (from the one that activated) were run today but the timestamp is from the 21st.
    Thursday, January 23, 2014 9:09 PM
  • You said the reports were run today but have a timestamp of the 21st.  Is the date/time accurate and being saved between power cycles?  Power off, wait 10 minutes then power back on and confirm that the system clock/calendar is still correct.  If not, the CMOS battery may be dead.

    Please do not read this sentence. Please ignore the previous sentence.

    Thursday, January 23, 2014 9:41 PM
  • Nothing so simple, I'm afraid, Kamin :)

    The timestamp of the latst report is

    Trusted time: 1/23/2014 8:10:10 AM

    the TTS timestamp may or may not change - if it does change it means that the guilty app/malware/whatever is still present and active.

    If it doesn't change, then it means that you have a chance of a reset working.


    Noel Paton | Nil Carborundum Illegitemi
    CrashFixPC | The Three-toed Sloth
    No - I do not work for Microsoft, or any of its contractors.

    Thursday, January 23, 2014 10:13 PM
    Moderator
  • Looks like the guilty app is Symantec. The date kept changing until we turned off Symantec. Once we turned it off the TTS date stayed constant and the laptop registered with the KMS.
    Monday, January 27, 2014 1:14 PM
  • Somehow, that doesn't surprise me at all!

    Which incarnation of Symantec are you using?


    Noel Paton | Nil Carborundum Illegitemi
    CrashFixPC | The Three-toed Sloth
    No - I do not work for Microsoft, or any of its contractors.

    Monday, January 27, 2014 5:04 PM
    Moderator
  • SEP 12.1.1000.157 RU1
    Monday, January 27, 2014 5:08 PM
  • That appears to be a fairly old version? (2012 version, at least) - RU4 was released in Oct 2013.

    It may be that it's hooking into the system at the wrong places, considering the updates that have gone on since.

    Do you have to option to upgrade/date to the latest?

    If so, I'd create a new master image with the new one rather than attempt to uninstall the old and update the image that way.


    Noel Paton | Nil Carborundum Illegitemi
    CrashFixPC | The Three-toed Sloth
    No - I do not work for Microsoft, or any of its contractors.

    • Marked as answer by PodGoDon Wednesday, January 29, 2014 6:57 PM
    Monday, January 27, 2014 5:39 PM
    Moderator
  • I'll have to check with the security group.
    Tuesday, January 28, 2014 8:23 PM