Answered by:
Windows 7 not genuine Error

Question
-
Hi,
I'm having suddenly problems with Windows 7, saying that it's not genuine. Additionally, Office package says also that it can't "verify the licence of this product".
It's a Dell Latitude 6320 Laptop, and was received from Dell with this Windows 7 installation. No major hardware or software changes were made recently.
Windows activation is not available, if I run "slui.exe 4" I get error code 0x80070005.
I have also been running CHKDSK and SFC, and no errors where detected.
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->Validation Code: 50
Cached Online Validation Code: N/A, hr = 0x80070005
Windows Product Key: *****-*****-M3DJT-4J3WC-733WD
Windows Product Key Hash: xo+ajVSpae7/4VoZjS7m6JL0f3A=
Windows Product ID: 00371-OEM-8992671-00524
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 6.1.7601.2.00010100.1.0.048
ID: {3CD53F07-831F-4FF0-8E0E-6B881BAB52AC}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Professional
Architecture: 0x00000000
Build lab: 7601.win7sp1_gdr.120830-0333
TTS Error:
Validation Diagnostic:
Resolution Status: N/AVista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: B4D0AA8B-604-645_B4D0AA8B-604-645_B4D0AA8B-604-645_B4D0AA8B-604-645_025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3Browser Data-->
Proxy settings: ftp=192.168.0.210:81;gopher=;http=192.168.0.210:80;https=192.168.0.210:81;socks=192.168.0.210:1080
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\iexplore.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: AllowedFile Scan Data-->
Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{3CD53F07-831F-4FF0-8E0E-6B881BAB52AC}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-733WD</PKey><PID>00371-OEM-8992671-00524</PID><PIDType>2</PIDType><SID>S-1-5-21-47747328-3537192400-3719232431</SID><SYSTEM><Manufacturer>Dell Inc.</Manufacturer><Model>Latitude E6320</Model></SYSTEM><BIOS><Manufacturer>Dell Inc.</Manufacturer><Version>A18</Version><SMBIOSVersion major="2" minor="6"/><Date>20130628000000.000000+000</Date></BIOS><HWID>D5CB3907018400FE</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>W. Europe Standard Time(GMT+01:00)</TimeZone><iJoin>1</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>DELL </OEMID><OEMTableID>CBX3 </OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>Spsys.log Content: 0x80070002
Licensing Data-->
On a computer running Microsoft Windows non-core edition, run 'slui.exe 0x2a 0x46' to display the error text.
Error: 0x46Windows Activation Technologies-->
HrOffline: 0x00000000
HrOnline: 0x00000000
HealthStatus: 0x0000000000000000
Event Time Stamp: 11:19:2013 12:34
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Registered, Version: 7.1.7600.16395
HealthStatus Bitmask Output:
HWID Data-->
HWID Hash Current: NgAAAAEAAAABAAEAAgADAAAABAABAAEA6GHcKnvZHKxoQ9azrL4s4ia0J5TAHw6L6AOSvi5zOEM Activation 1.0 Data-->
N/AOEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x20001
OEMID and OEMTableID Consistent: yes
BIOS Information:
ACPI Table Name OEMID Value OEMTableID Value
APIC DELL CBX3
FACP DELL CBX3
HPET A M I PCHHPET
BOOT DELL CBX3
MCFG DELL SNDYBRDG
TCPA
SSDT DELLTP TPM
SSDT DELLTP TPM
SSDT DELLTP TPM
DMAR INTEL SNB
SLIC DELL CBX3Tuesday, November 26, 2013 1:31 PM
Answers
-
It's possible - and would be the next thing to try after this.
Please attempt a System Restore back to before the 22/11/13 - with luck this will replace the file and correct registry entries associated with it.
If that fails, then rename the file to NTUSER.OLD and reboot - Windows should sort itself out a new copy :)
Noel Paton | Nil Carborundum Illegitemi CrashFixPC | The Three-toed Sloth No - I do not work for Microsoft, or any of its contractors. - Proposed as answer by Noel D PatonModerator Tuesday, December 3, 2013 12:03 PM
- Marked as answer by Wolfgang V Tuesday, December 3, 2013 12:52 PM
Monday, December 2, 2013 4:27 PMModerator
All replies
-
Open an Elevated Command Prompt, and run the following commands
sc sdshow plugplay
REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18" /S
REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19" /S
REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20" /SCopy and paste the results to your reply
Here are some instructions to make life easier :)
1) To open an Elevated Command Prompt Window (the ECP window), click on Start, All Programs, Accessories – then right-click on Command Prompt, and select Run as Administrator. Accept the UAC prompt.
2) To run the commands easier, highlight the block of commands, and right-click on the highlight – select Copy. In the CP Window, click on the black/white icon at top left – select Paste. The commands will run but may not complete the last command, so hit the Enter Key once.
3) To copy the results... click on the Black/White icon in the top left, and select Edit... 'Select All', and hit the Enter key - then use Ctrl+V or r-click+Paste to paste it into your response.
Noel Paton | Nil Carborundum Illegitemi CrashFixPC | The Three-toed Sloth No - I do not work for Microsoft, or any of its contractors. Tuesday, November 26, 2013 6:14 PMModerator -
Thanks Noel!
This is the result of the query:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.C:\Users\wolfgang.voit>sc sdshow plugplay
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCR
RC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)C:\Users\wolfgang.voit> REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\ProfileList\S-1-5-18" /SHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-
5-18
Flags REG_DWORD 0xc
State REG_DWORD 0x0
RefCount REG_DWORD 0x1
Sid REG_BINARY 010100000000000512000000
ProfileImagePath REG_EXPAND_SZ %systemroot%\system32\config\systemprof
ile
C:\Users\wolfgang.voit> REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\ProfileList\S-1-5-19" /SHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-
5-19
ProfileImagePath REG_EXPAND_SZ C:\Windows\ServiceProfiles\LocalServiceFlags REG_DWORD 0x0
State REG_DWORD 0x0
C:\Users\wolfgang.voit> REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\ProfileList\S-1-5-20" /SHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-
5-20
ProfileImagePath REG_EXPAND_SZ C:\Windows\ServiceProfiles\NetworkServi
ce
Flags REG_DWORD 0x0
State REG_DWORD 0x0I have a few more profiles in the profile list, that should be the query for the one that I'm using:
C:\Users\wolfgang.voit>REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\ProfileList\S-1-5-21-15498824-2062722521-1763149965-2295" /SHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-
5-21-15498824-2062722521-1763149965-2295
ProfileImagePath REG_EXPAND_SZ C:\Users\wolfgang.voit
Flags REG_DWORD 0x0
State REG_DWORD 0x100
Sid REG_BINARY 010500000000000515000000487EEC00D9A5F27A8D881769F708000
0
Guid REG_SZ {6233de99-97e9-4bef-a88d-4bf90a3780b1}
ProfileLoadTimeLow REG_DWORD 0x0
ProfileLoadTimeHigh REG_DWORD 0x0
RefCount REG_DWORD 0x1
RunLogonScriptSync REG_DWORD 0x0
NextLogonCacheable REG_DWORD 0x0
Tuesday, November 26, 2013 7:50 PM -
Those results are all normal.
That eliminates the 'usual' causes (missing service profiles, or bad service permissions)
Please run the following command from an Elevated Command Prompt window(1)
Copy and paste set of commands below into the window – once completed, hit the Enter Key to ensure that the last command has run (2)
REG QUERY HKU
REG QUERY HKU\S-1-5-20
REG QUERY HKU\S-1-5-20\Environment
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
Copy the whole output to your response(3)
Noel Paton | Nil Carborundum Illegitemi CrashFixPC | The Three-toed Sloth No - I do not work for Microsoft, or any of its contractors. Tuesday, November 26, 2013 8:54 PMModerator -
Here is the result of these commands:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.C:\Users\wolfgang.voit>REG QUERY HKU
HKEY_USERS\.DEFAULT
HKEY_USERS\S-1-5-19
HKEY_USERS\S-1-5-21-15498824-2062722521-1763149965-2295
HKEY_USERS\S-1-5-21-15498824-2062722521-1763149965-2295_Classes
HKEY_USERS\S-1-5-18C:\Users\wolfgang.voit>
C:\Users\wolfgang.voit>REG QUERY HKU\S-1-5-20
ERROR: The system was unable to find the specified registry key or value.C:\Users\wolfgang.voit>
C:\Users\wolfgang.voit>REG QUERY HKU\S-1-5-20\Environment
ERROR: The system was unable to find the specified registry key or value.C:\Users\wolfgang.voit>
C:\Users\wolfgang.voit>REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVers
ion\ProfileList"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
ProfilesDirectory REG_EXPAND_SZ %SystemDrive%\Users
Default REG_EXPAND_SZ %SystemDrive%\Users\Default
Public REG_EXPAND_SZ %SystemDrive%\Users\Public
ProgramData REG_EXPAND_SZ %SystemDrive%\ProgramDataHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-
5-18
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-
5-19
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-
5-20
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-
5-21-15498824-2062722521-1763149965-2295
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-
5-21-15498824-2062722521-1763149965-4636
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-
5-21-1993962763-436374069-839522115-1234
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-
5-21-1993962763-436374069-839522115-2111
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-
5-21-47747328-3537192400-3719232431-500C:\Users\wolfgang.voit>
Tuesday, November 26, 2013 9:27 PM -
That explains it then -- the NetworkService profile isn't being loaded.
Now we have to work out why.
Please run the following commands and post the results.
DIR C:\Windows\ServiceProfiles\NetworkService
ATTRIB C:\Windows\ServiceProfiles\NetworkService
ICACLS C:\Windows\ServiceProfiles\NetworkService
ICACLS C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
ATTRIB C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
Noel Paton | Nil Carborundum Illegitemi CrashFixPC | The Three-toed Sloth No - I do not work for Microsoft, or any of its contractors. Tuesday, November 26, 2013 9:56 PMModerator -
I got following results:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.C:\Users\wolfgang.voit>DIR C:\Windows\ServiceProfiles\NetworkService
Volume in drive C is OS
Volume Serial Number is E2F8-306ADirectory of C:\Windows\ServiceProfiles\NetworkService
03/16/2012 10:37 AM <DIR> .
03/16/2012 10:37 AM <DIR> ..
07/14/2009 05:34 AM <DIR> Desktop
07/14/2009 05:34 AM <DIR> Documents
07/14/2009 05:34 AM <DIR> Downloads
07/14/2009 05:34 AM <DIR> Favorites
07/14/2009 05:34 AM <DIR> Links
07/14/2009 05:34 AM <DIR> Music
07/14/2009 05:34 AM <DIR> Pictures
07/14/2009 05:34 AM <DIR> Saved Games
07/14/2009 05:34 AM <DIR> Videos
0 File(s) 0 bytes
11 Dir(s) 2,044,395,520 bytes freeC:\Users\wolfgang.voit>
C:\Users\wolfgang.voit>ATTRIB C:\Windows\ServiceProfiles\NetworkService
C:\Windows\ServiceProfiles\NetworkServiceC:\Users\wolfgang.voit>
C:\Users\wolfgang.voit>ICACLS C:\Windows\ServiceProfiles\NetworkService
C:\Windows\ServiceProfiles\NetworkService NT AUTHORITY\SYSTEM:(OI)(CI)(F)
BUILTIN\Administrators:(OI)(CI)(F)
NT AUTHORITY\NETWORK SERVICE:(OI)(CI)(
F)Successfully processed 1 files; Failed processing 0 files
C:\Users\wolfgang.voit>
C:\Users\wolfgang.voit>ICACLS C:\Windows\ServiceProfiles\NetworkService\NTUSER.D
AT
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(
F)
NT AUTHORITY\NETWORK SERVIC
E:(I)(F)Successfully processed 1 files; Failed processing 0 files
C:\Users\wolfgang.voit>
C:\Users\wolfgang.voit>ATTRIB C:\Windows\ServiceProfiles\NetworkService\NTUSER.D
AT
A SH I C:\Windows\ServiceProfiles\NetworkService\NTUSER.DATC:\Users\wolfgang.voit>
Tuesday, November 26, 2013 10:30 PM -
I'm not sure whether the NTUSER.DAT file should have the System Attribute - my main system doesn't, but my VM does :)
Please run the following command - which should allow us to see the date and size of the files
DIR C:\Windows\ServiceProfiles\NetworkService /AH
Noel Paton | Nil Carborundum Illegitemi CrashFixPC | The Three-toed Sloth No - I do not work for Microsoft, or any of its contractors. Tuesday, November 26, 2013 11:00 PMModerator -
I get following response: (BTW, I don't know if it could be related, but 11/22/2013 might have been the date when the problems started...)
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.C:\Users\wolfgang.voit>DIR C:\Windows\ServiceProfiles\NetworkService /AH
Volume in drive C is OS
Volume Serial Number is E2F8-306ADirectory of C:\Windows\ServiceProfiles\NetworkService
04/03/2011 04:47 AM <DIR> AppData
11/22/2013 06:12 PM 262,144 NTUSER.DAT
07/14/2009 08:18 AM 1,024 NTUSER.DAT.LOG
11/22/2013 06:12 PM 226,304 NTUSER.DAT.LOG1
07/14/2009 05:34 AM 0 NTUSER.DAT.LOG2
09/08/2011 09:24 AM 65,536 NTUSER.DAT{24dda9dc-d9f0-11e0-a24a-806e6f
6e6963}.TM.blf
09/08/2011 09:24 AM 524,288 NTUSER.DAT{24dda9dc-d9f0-11e0-a24a-806e6f
6e6963}.TMContainer00000000000000000001.regtrans-ms
09/08/2011 09:24 AM 524,288 NTUSER.DAT{24dda9dc-d9f0-11e0-a24a-806e6f
6e6963}.TMContainer00000000000000000002.regtrans-ms
07/14/2009 05:47 AM 65,536 NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0b
cd1824}.TM.blf
07/14/2009 05:47 AM 524,288 NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0b
cd1824}.TMContainer00000000000000000001.regtrans-ms
07/14/2009 05:47 AM 524,288 NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0b
cd1824}.TMContainer00000000000000000002.regtrans-ms
03/15/2012 03:26 PM 65,536 NTUSER.DAT{6d41bd1f-6e96-11e1-a492-1c659d
f79ae6}.TM.blf
03/15/2012 03:26 PM 524,288 NTUSER.DAT{6d41bd1f-6e96-11e1-a492-1c659d
f79ae6}.TMContainer00000000000000000001.regtrans-ms
03/15/2012 03:26 PM 524,288 NTUSER.DAT{6d41bd1f-6e96-11e1-a492-1c659d
f79ae6}.TMContainer00000000000000000002.regtrans-ms
03/16/2012 06:05 PM 65,536 NTUSER.DAT{c1f140a4-6f47-11e1-b9db-1c659d
f79ae6}.TM.blf
03/16/2012 06:05 PM 524,288 NTUSER.DAT{c1f140a4-6f47-11e1-b9db-1c659d
f79ae6}.TMContainer00000000000000000001.regtrans-ms
03/16/2012 06:05 PM 524,288 NTUSER.DAT{c1f140a4-6f47-11e1-b9db-1c659d
f79ae6}.TMContainer00000000000000000002.regtrans-ms
16 File(s) 4,945,920 bytes
1 Dir(s) 2,037,395,456 bytes freeC:\Users\wolfgang.voit>
Tuesday, November 26, 2013 11:36 PM -
So the file is present, but for whatever reason, is not being loaded into the registry. Its permissions are apparently correct, and it's not marked as 'read-only'. The proper registry entries are there for it to be loaded.
It's a long time since I saw a similar error, and if I remember right that was in Vista - I'll have to trawl through my records and see if I can find the relevant threads.
Back later - shout if you don't hear from me by Friday!
Noel Paton | Nil Carborundum Illegitemi CrashFixPC | The Three-toed Sloth No - I do not work for Microsoft, or any of its contractors. Wednesday, November 27, 2013 7:45 AMModerator -
Thanks a lot for you help so far, Noel!
I have already started to back up all my data, in case the only way is to re-install Windows... But of course it would be nice if you can find some solution to it, would save me a lot of work and trouble :)
Wednesday, November 27, 2013 7:09 PM -
Finally found it :) - it was in the Vista forum, but a lot further back than I thought - Feb 2012.
Please open an Elevated Command Prompt, and run the following commands.
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist
reg load HKU\Test "C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT"reg query hku\test\environment
reg unload HKU\Test
with any luck, that'll isolate the problem.
Noel Paton | Nil Carborundum Illegitemi CrashFixPC | The Three-toed Sloth No - I do not work for Microsoft, or any of its contractors. Friday, November 29, 2013 9:00 PMModerator -
JUst for grins - here's the thread I was referring to... http://social.microsoft.com/Forums/pl-PL/b4c34d7a-ae6d-4c68-9410-441f2d002964/error-0x80070426
Noel Paton | Nil Carborundum Illegitemi CrashFixPC | The Three-toed Sloth No - I do not work for Microsoft, or any of its contractors. Friday, November 29, 2013 9:01 PMModerator -
Sorry for the late reply, I had been ill during the weekend...
This is the response on the commands:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.C:\>REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist
\REGISTRY\MACHINE\HARDWARE REG_SZ
\REGISTRY\MACHINE\BCD00000000 REG_SZ \Device\HarddiskVolume2\Boot\BCD
\REGISTRY\MACHINE\SYSTEM REG_SZ \Device\HarddiskVolume3\Windows\System
32\config\SYSTEM
\REGISTRY\MACHINE\SOFTWARE REG_SZ \Device\HarddiskVolume3\Windows\Syst
em32\config\SOFTWARE
\REGISTRY\USER\.DEFAULT REG_SZ \Device\HarddiskVolume3\Windows\System3
2\config\DEFAULT
\REGISTRY\MACHINE\SECURITY REG_SZ \Device\HarddiskVolume3\Windows\Syst
em32\config\SECURITY
\REGISTRY\MACHINE\SAM REG_SZ \Device\HarddiskVolume3\Windows\System32\
config\SAM
\REGISTRY\USER\S-1-5-19 REG_SZ \Device\HarddiskVolume3\Windows\Service
Profiles\LocalService\NTUSER.DAT
\Registry\User\S-1-5-21-15498824-2062722521-1763149965-2295 REG_SZ \De
vice\HarddiskVolume3\Users\wolfgang.voit\NTUSER.DAT
\Registry\User\S-1-5-21-15498824-2062722521-1763149965-2295_Classes REG_S
Z \Device\HarddiskVolume3\Users\wolfgang.voit\AppData\Local\Microsoft\Windows
\UsrClass.dat
C:\>
C:\>
C:\>reg load HKU\Test "C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT"
ERROR: The system has attempted to load or restore a file into the registry, but
the specified file is not in a registry file format.C:\>
C:\>reg query hku\test\environment
ERROR: The system was unable to find the specified registry key or value.C:\>
C:\>reg unload HKU\Test
ERROR: The parameter is incorrect.C:\>
I also had a look at the "NTUSER.DAT" in C:\Windows\ServiceProfiles\NetworkService, and the time stamp is still "11/22/2013 06:12 PM" (which possibly might be the time when everything started). So it seems that it is somehow corrupted, as it doesn't update, do I see this right?
What whould you recommend as the next step (I was browsing through the old post, but I'm not sure if I read everything that was relevant)? Should I rename the NTUSER.DAT and see if it's re-constructed during startup, or should I copy it right away from the Default profile?
- Edited by Wolfgang V Monday, December 2, 2013 11:22 AM
Monday, December 2, 2013 11:21 AM -
We've found the cause of the problem at least - the entry for the service is missing from the hivelist key.
Whether the file is in the proper format or not remains to be seen :)
I've uploaded a file - NWShivelist.zip - to my SkyDrive at Noel's SkyDrive
Please download and save it to your desktop.
Right-click on the saved file and select Extract all...
Save it to the default location
This should create a file NWShivelist.reg
right-click on the file, and select Merge
Accept the warnings, - you should then get a 'Success' message.
Close all windows, and reboot twice.
Run another MGADiag report, and post the results.
Noel Paton | Nil Carborundum Illegitemi CrashFixPC | The Three-toed Sloth No - I do not work for Microsoft, or any of its contractors. - Edited by Noel D PatonModerator Monday, December 2, 2013 12:22 PM correct filename typo
Monday, December 2, 2013 11:54 AMModerator -
Nope, I don't think it changed anything...
It seems that the entry in the hivelist key disappeared again after rebooting. But I realized also that you added it with "HarddiskVolume2"; shouldn't it be "HarddiskVolume3" in my case?
In any case, this is the latest MGADiag report:
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->Validation Code: 50
Cached Online Validation Code: N/A, hr = 0x80070005
Windows Product Key: *****-*****-M3DJT-4J3WC-733WD
Windows Product Key Hash: xo+ajVSpae7/4VoZjS7m6JL0f3A=
Windows Product ID: 00371-OEM-8992671-00524
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 6.1.7601.2.00010100.1.0.048
ID: {3CD53F07-831F-4FF0-8E0E-6B881BAB52AC}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: Registered, 1.9.42.0
Signed By: Microsoft
Product Name: Windows 7 Professional
Architecture: 0x00000000
Build lab: 7601.win7sp1_gdr.120830-0333
TTS Error:
Validation Diagnostic:
Resolution Status: N/AVista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: B4D0AA8B-604-645_B4D0AA8B-604-645_B4D0AA8B-604-645_B4D0AA8B-604-645_025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3Browser Data-->
Proxy settings: ftp=192.168.0.210:81;gopher=;http=192.168.0.210:80;https=192.168.0.210:81;socks=192.168.0.210:1080
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\iexplore.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: AllowedFile Scan Data-->
Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{3CD53F07-831F-4FF0-8E0E-6B881BAB52AC}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-733WD</PKey><PID>00371-OEM-8992671-00524</PID><PIDType>2</PIDType><SID>S-1-5-21-47747328-3537192400-3719232431</SID><SYSTEM><Manufacturer>Dell Inc.</Manufacturer><Model>Latitude E6320</Model></SYSTEM><BIOS><Manufacturer>Dell Inc.</Manufacturer><Version>A18</Version><SMBIOSVersion major="2" minor="6"/><Date>20130628000000.000000+000</Date></BIOS><HWID>D5CB3907018400FE</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>W. Europe Standard Time(GMT+01:00)</TimeZone><iJoin>1</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>DELL </OEMID><OEMTableID>CBX3 </OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>Spsys.log Content: 0x80070002
Licensing Data-->
On a computer running Microsoft Windows non-core edition, run 'slui.exe 0x2a 0x46' to display the error text.
Error: 0x46Windows Activation Technologies-->
HrOffline: 0x00000000
HrOnline: 0x00000000
HealthStatus: 0x0000000000000000
Event Time Stamp: 11:19:2013 12:34
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Registered, Version: 7.1.7600.16395
HealthStatus Bitmask Output:
HWID Data-->
HWID Hash Current: NgAAAAEAAAABAAEAAgADAAAABAABAAEA6GHcKnvZHKxoQ9azrL4s4ia0J5TAHw6L6AOSvi5zOEM Activation 1.0 Data-->
N/AOEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x20001
OEMID and OEMTableID Consistent: yes
BIOS Information:
ACPI Table Name OEMID Value OEMTableID Value
APIC DELL CBX3
FACP DELL CBX3
HPET A M I PCHHPET
BOOT DELL CBX3
MCFG DELL SNDYBRDG
TCPA
SSDT DELLTP TPM
SSDT DELLTP TPM
SSDT DELLTP TPM
DMAR INTEL SNB
SLIC DELL CBX3Monday, December 2, 2013 12:59 PM -
Ooops!
well spotted :)
Yes - I've modified the .reg file to correct this and re-uploaded it as MWShivelist2.zip
Same procedure, please - it should over-write the old one.
Noel Paton | Nil Carborundum Illegitemi CrashFixPC | The Three-toed Sloth No - I do not work for Microsoft, or any of its contractors. Monday, December 2, 2013 1:42 PMModerator -
I've tried the modified file now, but it seems that it didn't change anything. The entry is missing again after rebooting the system, and still the same error messages.
Could it be that the missing entry in the hivelist key is rather a symptom than the cause? Should I try to delete/rename the NTUSER.DAT in the ServiceProfiles>NetworkService, or copy it from the Default profile, in case it might be corrupted?
Monday, December 2, 2013 3:10 PM -
It's possible - and would be the next thing to try after this.
Please attempt a System Restore back to before the 22/11/13 - with luck this will replace the file and correct registry entries associated with it.
If that fails, then rename the file to NTUSER.OLD and reboot - Windows should sort itself out a new copy :)
Noel Paton | Nil Carborundum Illegitemi CrashFixPC | The Three-toed Sloth No - I do not work for Microsoft, or any of its contractors. - Proposed as answer by Noel D PatonModerator Tuesday, December 3, 2013 12:03 PM
- Marked as answer by Wolfgang V Tuesday, December 3, 2013 12:52 PM
Monday, December 2, 2013 4:27 PMModerator -
Yeah, success! :-) everything seems to be fixed now!
Obviously the NTUSER.DAT was really corrupted in some way. What I did was renaming the current NTUSER.DAT in C:\Windows\ServiceProfiles\NetworkService to NTUSER.COPY (I did that actually in the Windows Explorer, after un-hiding the protected system files in Tools > Folder Options). After rebooting, Windows created a new copy of NTUSER.DAT, as you said, and the “Windows not genuine” message was gone.
I saw that the previously missing HKEY_USERS\S-1-5-20 key appeared now, and also the corresponding key in the hivelist was there. However, after the initial reboot I found out that there was still an error when starting Office programs, which was a further symptom that I had since the problems started. So I added (as described in the old post) the missing Network Service to the HKEY_USERS\S-1-5-20 key as a user with Full Control, using Permissions in Regedit. And finally, after an additional reboot everything seems to be working as it should.
Just out of curiosity: Was the error when starting Office programs really connected to the missing “Network Service” user in the S-1-5-20 key, or would that have fixed itself after a second reboot? Is it important to have Network Service having full control over that key?
Thanks a lot, Noel, for your help in identifying and fixing the problems! I was really afraid I would have to go through the hassle of re-installing the whole system…
Tuesday, December 3, 2013 9:33 AM -
Here is also the latest MGADiag report of the current system, when everything appears to be fine to me:
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->Validation Code: 0
Cached Online Validation Code: 0x0
Windows Product Key: *****-*****-M3DJT-4J3WC-733WD
Windows Product Key Hash: xo+ajVSpae7/4VoZjS7m6JL0f3A=
Windows Product ID: 00371-OEM-8992671-00524
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 6.1.7601.2.00010100.1.0.048
ID: {3CD53F07-831F-4FF0-8E0E-6B881BAB52AC}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: Registered, 1.9.42.0
Signed By: Microsoft
Product Name: Windows 7 Professional
Architecture: 0x00000000
Build lab: 7601.win7sp1_gdr.120830-0333
TTS Error:
Validation Diagnostic:
Resolution Status: N/AVista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: B4D0AA8B-604-645_B4D0AA8B-604-645_B4D0AA8B-604-645_B4D0AA8B-604-645_025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3Browser Data-->
Proxy settings: ftp=192.168.0.210:81;gopher=;http=192.168.0.210:80;https=192.168.0.210:81;socks=192.168.0.210:1080
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\iexplore.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: AllowedFile Scan Data-->
Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{3CD53F07-831F-4FF0-8E0E-6B881BAB52AC}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-733WD</PKey><PID>00371-OEM-8992671-00524</PID><PIDType>2</PIDType><SID>S-1-5-21-47747328-3537192400-3719232431</SID><SYSTEM><Manufacturer>Dell Inc.</Manufacturer><Model>Latitude E6320</Model></SYSTEM><BIOS><Manufacturer>Dell Inc.</Manufacturer><Version>A18</Version><SMBIOSVersion major="2" minor="6"/><Date>20130628000000.000000+000</Date></BIOS><HWID>D5CB3907018400FE</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>W. Europe Standard Time(GMT+01:00)</TimeZone><iJoin>1</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>DELL </OEMID><OEMTableID>CBX3 </OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>Spsys.log Content: 0x80070002
Licensing Data-->
Software licensing service version: 6.1.7601.17514Name: Windows(R) 7, Professional edition
Description: Windows Operating System - Windows(R) 7, OEM_SLP channel
Activation ID: 50e329f7-a5fa-46b2-85fd-f224e5da7764
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 00371-00178-926-700524-02-1033-7600.0000-0922011
Installation ID: 008136990973353750929012191295423154242720747632328103
Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
Partial Product Key: 733WD
License Status: Licensed
Remaining Windows rearm count: 4
Trusted time: 12/3/2013 10:33:59 AMWindows Activation Technologies-->
HrOffline: 0x00000000
HrOnline: 0x00000000
HealthStatus: 0x0000000000000000
Event Time Stamp: 11:19:2013 12:34
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Registered, Version: 7.1.7600.16395
HealthStatus Bitmask Output:
HWID Data-->
HWID Hash Current: NgAAAAEAAAABAAEAAgADAAAABAABAAEA6GHcKnvZHKxoQ9azrL4s4ia0J5TAHw6L6AOSvi5zOEM Activation 1.0 Data-->
N/AOEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x20001
OEMID and OEMTableID Consistent: yes
BIOS Information:
ACPI Table Name OEMID Value OEMTableID Value
APIC DELL CBX3
FACP DELL CBX3
HPET A M I PCHHPET
BOOT DELL CBX3
MCFG DELL SNDYBRDG
TCPA
SSDT DELLTP TPM
SSDT DELLTP TPM
SSDT DELLTP TPM
DMAR INTEL SNB
SLIC DELL CBX3Tuesday, December 3, 2013 9:39 AM -
Hmmm - I never noticed the rather odd Proxies you have set up, before (although they've been there all the time)
Proxy settings: ftp=192.168.0.210:81;gopher=;http=192.168.0.210:80;https=192.168.0.210:81;socks=192.168.0.210:1080
Other than that, the new report looks fine.
Permissions on the HKU\S-1-5-20 key should include Network Service - Full and Read
- otherwise the service can't configure itself as required :)
This may impact on later Office releases, since they use different activation/validation mechanisms to earlier versions.
Noel Paton | Nil Carborundum Illegitemi CrashFixPC | The Three-toed Sloth No - I do not work for Microsoft, or any of its contractors. Tuesday, December 3, 2013 12:02 PMModerator -
I think the proxy settings are ok, they are only used when I'm logging into a certain network here, otherwise I'm manually disabling the proxy server anyway.
By the way, I've never tried to do a System Restore, as there were only some very recent restore points listed (after 22/11/13), and then only the restore point of the original configuration in 2011. Strange though, I thought I've had seen that it was generating restore points earlier...
But anyway, really good that it worked out with renaming & re-generating the NTUSER.DAT file :-)
Thanks again for your help!
Tuesday, December 3, 2013 12:52 PM -
You're welcome - good luck!
Noel Paton | Nil Carborundum Illegitemi CrashFixPC | The Three-toed Sloth No - I do not work for Microsoft, or any of its contractors. Wednesday, December 4, 2013 4:29 PMModerator