windows7 update fails 80070426, MGADiag report

Question
-
I found instructions about downloading and running MGADiag. The report is below. On Wednesday 6/15, I started doing an update. I think there were about 17 updates. After it did some of them, it failed. Multiple reboots etc. have not helped. I found posts about 80070426, and they mentioned things like Software License Services -- but that does not seem to exist on W7.
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Code: 0
Cached Online Validation Code: 0x0
Windows Product Key: *****-*****-788W3-H689G-6P6GT
Windows Product Key Hash: yr8OHoeXhbT4dc6MxGYjdAStSPY=
Windows Product ID: 00371-OEM-8992671-00008
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 6.1.7601.2.00010100.1.0.048
ID: {133F70CE-106D-478E-BE0B-A1F6328D0AEE}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Professional
Architecture: 0x00000009
Build lab: 7601.win7sp1_gdr.110408-1631
TTS Error:
Validation Diagnostic:
Resolution Status: N/A
Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002
OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002
OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: B4D0AA8B-604-645_B4D0AA8B-604-645_025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3
Browser Data-->
Proxy settings: proxy.proxy.lucent.com:8000
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files (x86)\Internet Explorer\IEXPLORE.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed
File Scan Data-->
File Mismatch: C:\Windows\system32\wat\watadminsvc.exe[7.1.7600.16395], Hr = 0x80070426
File Mismatch: C:\Windows\system32\wat\watux.exe[7.1.7600.16395], Hr = 0x80070426
File Mismatch: C:\Windows\system32\sppobjs.dll[6.1.7601.17514], Hr = 0x80070426
File Mismatch: C:\Windows\system32\sppc.dll[6.1.7601.17514], Hr = 0x80070426
File Mismatch: C:\Windows\system32\sppcext.dll[6.1.7600.16385], Hr = 0x80070426
File Mismatch: C:\Windows\system32\sppwinob.dll[6.1.7601.17514], Hr = 0x80070426
File Mismatch: C:\Windows\system32\slc.dll[6.1.7600.16385], Hr = 0x80070426
File Mismatch: C:\Windows\system32\slcext.dll[6.1.7600.16385], Hr = 0x80070426
File Mismatch: C:\Windows\system32\sppuinotify.dll[6.1.7600.16385], Hr = 0x80070426
File Mismatch: C:\Windows\system32\slui.exe[6.1.7601.17514], Hr = 0x80070426
File Mismatch: C:\Windows\system32\sppcomapi.dll[6.1.7601.17514], Hr = 0x80070426
File Mismatch: C:\Windows\system32\sppcommdlg.dll[6.1.7600.16385], Hr = 0x80070426
File Mismatch: C:\Windows\system32\sppsvc.exe[6.1.7601.17514], Hr = 0x80070426
File Mismatch: C:\Windows\system32\drivers\spsys.sys[6.1.7127.0], Hr = 0x80070426
File Mismatch: C:\Windows\system32\drivers\spldr.sys[6.1.7127.0], Hr = 0x80070426
File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7601.17514], Hr = 0x80070426
File Mismatch: C:\Windows\system32\user32.dll[6.1.7601.17514], Hr = 0x80070426
Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{133F70CE-106D-478E-BE0B-A1F6328D0AEE}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-6P6GT</PKey><PID>00371-OEM-8992671-00008</PID><PIDType>2</PIDType><SID>S-1-5-21-150820050-3310638546-1031788635</SID><SYSTEM><Manufacturer>Hewlett-Packard</Manufacturer><Model>HP Compaq 8100 Elite SFF PC</Model></SYSTEM><BIOS><Manufacturer>Hewlett-Packard</Manufacturer><Version>786H1 v01.05</Version><SMBIOSVersion major="2" minor="6"/><Date>20100609000000.000000+000</Date></BIOS><HWID>41113607018400FE</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>1</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>HPQOEM</OEMID><OEMTableID>SLIC-BPC</OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>Spsys.log Content: 0x80070002
Licensing Data-->
Software licensing service version: 6.1.7601.17514
Name: Windows(R) 7, Professional edition
Description: Windows Operating System - Windows(R) 7, OEM_SLP channel
Activation ID: 50e329f7-a5fa-46b2-85fd-f224e5da7764
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 00371-00178-926-700008-02-1033-7600.0000-2052009
Installation ID: 012096535692831173840681899194722295701916732953652420
Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
Partial Product Key: 6P6GT
License Status: Licensed
Remaining Windows rearm count: 3
Trusted time: 6/17/2011 10:49:33 AM
Windows Activation Technologies-->
HrOffline: 0x00000000
HrOnline: 0x80072EE2
HealthStatus: 0x0000000000000000
Event Time Stamp: 6:9:2011 17:13
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Registered, Version: 7.1.7600.16395
HealthStatus Bitmask Output:
HWID Data-->
HWID Hash Current: LgAAAAEAAQABAAEAAAABAAAAAwABAAEAln32pXCcmJHIUJB6pmAiT3KKvkF2Vg==
OEM Activation 1.0 Data-->
N/A
OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x20001
OEMID and OEMTableID Consistent: yes
BIOS Information:
ACPI Table Name OEMID Value OEMTableID Value
APIC COMPAQ IBEXPEAK
FACP COMPAQ IBEXPEAK
HPET COMPAQ IBEXPEAK
MCFG COMPAQ IBEXPEAK
ASF! COMPAQ IBEXPEAK
TCPA COMPAQ IBEXPEAK
SLIC HPQOEM SLIC-BPC
DMAR COMPAQ IBEXPEAK
Friday, June 17, 2011 3:02 PM
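An added example (not part of the thread and not Microsoft tooling): the `Hr` values in the report above are HRESULTs that wrap Win32 error codes, and 0x80070426 decodes to ERROR_SERVICE_NOT_ACTIVE (1062), which is consistent with the later finding in this thread that Cryptographic Services was not running. The function names are hypothetical and the sample text is constructed from a few lines of the report.

```python
import re
from collections import Counter

# Win32 error codes behind the HRESULTs seen in this thread.
WIN32_ERRORS = {
    2: "ERROR_FILE_NOT_FOUND",
    1062: "ERROR_SERVICE_NOT_ACTIVE",
    1079: "ERROR_DIFFERENT_SERVICE_ACCOUNT",
    12002: "ERROR_INTERNET_TIMEOUT",
}
FACILITY_WIN32 = 7

# Constructed sample: three File Scan lines copied from the report, including
# the fused section headers that the forum rendering produced.
SAMPLE_REPORT = r"""
Script ActiveX controls marked as safe for scripting: AllowedFile Scan Data-->
File Mismatch: C:\Windows\system32\wat\watadminsvc.exe[7.1.7600.16395], Hr = 0x80070426
File Mismatch: C:\Windows\system32\sppsvc.exe[6.1.7601.17514], Hr = 0x80070426
File Mismatch: C:\Windows\system32\user32.dll[6.1.7601.17514], Hr = 0x80070426Other data-->
"""

# Exactly eight hex digits, so text fused onto the end of a line is ignored.
MISMATCH = re.compile(
    r"File Mismatch: (?P<path>.+?)\[(?P<version>[^\]]+)\], "
    r"Hr = (?P<hr>0x[0-9A-Fa-f]{8})"
)


def decode_hresult(value):
    """Split an HRESULT into (failed, facility, code, win32_name_or_None)."""
    failed = bool(value & 0x80000000)      # severity bit
    facility = (value >> 16) & 0x7FF       # 11-bit facility field
    code = value & 0xFFFF                  # low word: the wrapped error code
    name = WIN32_ERRORS.get(code) if facility == FACILITY_WIN32 else None
    return failed, facility, code, name


def triage_file_scan(report):
    """Decode every File Mismatch entry and say whether the scan could run."""
    entries = []
    for m in MISMATCH.finditer(report):
        _, _, code, name = decode_hresult(int(m.group("hr"), 16))
        entries.append({
            "path": m.group("path"),
            "version": m.group("version"),
            "code": code,
            "name": name,
        })
    by_error = Counter(e["name"] or hex(e["code"]) for e in entries)
    # When every entry carries "service not active", the check itself failed
    # to run: restore the stopped service and rescan before treating the
    # listed files as modified.
    blocked = bool(entries) and set(by_error) == {"ERROR_SERVICE_NOT_ACTIVE"}
    return {
        "entries": entries,
        "by_error": dict(by_error),
        "scan_blocked_by_stopped_service": blocked,
    }


if __name__ == "__main__":
    result = triage_file_scan(SAMPLE_REPORT)
    for entry in result["entries"]:
        print(entry["path"], entry["code"], entry["name"])
    print("scan blocked by stopped service:",
          result["scan_blocked_by_stopped_service"])
```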
Answers
-
Hello. I think this is fixed, but it's weird. The short description of what I did is to change Cryptographic Services to log in using "Network Services"; it was set up using the upper radio button: Local System account.
Here's how I got there... take everything I say with a grain of salt, because I'm really just a kid using grownup words I don't understand.
Following your suggestion, I went to http://supportservices.microsoft.com/support/services/virus_malware_removal and worked with one agent. After a while, she kicked me on to a higher level expert. Not sure if it's appropriate to drop his id, so I'll leave it out.
At some point, he started to focus on cryptographic services; it was not running. When he tried to start it from the services panel, it failed with error 1079. The error text is roughly "the account specified for this service is different from account specified for other services running in the same process". NOTE: in retrospect, there was a big indication of this issue... I was surprised that when we ran various items such as services.msc, Windows warned me the publisher was unknown. Now, I assume it couldn't verify the signature.
After poking around a bit more, the second expert decided there was probably nothing else to do without getting my IT group involved, and we ended that chat session.
I tried to figure out what process it might be that handles crypto services. Then I searched around and came up with another blackviper page: http://www.blackviper.com/wiki/Cryptographic_Services. I noticed that it says the Log On As is "Network Service". (Now that I look at this again, I see there are multiple sections for different Windows versions, and at least some of those specify Local System Account. But I was lucky and focused on the Windows 7 section without realizing it.)
So I looked at the properties for other things that are started as network services. Then I modified the properties of cryptographic services to log in as Network Services. I just cleared out the password fields. After this, I was able to start crypto.
Following this, I ran Microsoft Update and picked a single Windows patch to install. It worked. I had to reboot. Since then, I have done 2 more updates and have now installed everything.
** SO I don't know how this change happened. Maybe it was something pushed by our corporate IT group; I think this is done with "SMS", but again, it's not something I understand.
Finally, I ran MGADiag again. It's healed! I will ask the other guy here who has the same PC to check his crypto service setup. He told me he ran an update recently without problems, so I don't know why his worked.
Finally finally: it's still the case that "sc queryex sppsvc" will show state STOPPED after I've been up for a while. I wasn't running this repeatedly, so I don't know if it was up when I logged in and then went away.
Thanks again for all the suggestions and hand-holding. If there's anything else you want me to examine, or you have suggestions about things I should ask our IT people, please let me know.
Ned
MGADiag output:
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Code: 0
Cached Online Validation Code: 0x0
Windows Product Key: *****-*****-788W3-H689G-6P6GT
Windows Product Key Hash: yr8OHoeXhbT4dc6MxGYjdAStSPY=
Windows Product ID: 00371-OEM-8992671-00008
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 6.1.7601.2.00010100.1.0.048
ID: {CAFC6D9A-637C-43C2-AA86-D4FB2D2FE7B8}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Professional
Architecture: 0x00000009
Build lab: 7601.win7sp1_gdr.110408-1631
TTS Error:
Validation Diagnostic:
Resolution Status: N/A
Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002
OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002
OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: B4D0AA8B-604-645_B4D0AA8B-604-645_025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3
Browser Data-->
Proxy settings: proxy.proxy.lucent.com:8000
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files (x86)\Internet Explorer\IEXPLORE.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed
File Scan Data-->
Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{CAFC6D9A-637C-43C2-AA86-D4FB2D2FE7B8}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-6P6GT</PKey><PID>00371-OEM-8992671-00008</PID><PIDType>2</PIDType><SID>S-1-5-21-150820050-3310638546-1031788635</SID><SYSTEM><Manufacturer>Hewlett-Packard</Manufacturer><Model>HP Compaq 8100 Elite SFF PC</Model></SYSTEM><BIOS><Manufacturer>Hewlett-Packard</Manufacturer><Version>786H1 v01.05</Version><SMBIOSVersion major="2" minor="6"/><Date>20100609000000.000000+000</Date></BIOS><HWID>41113607018400FE</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>1</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>HPQOEM</OEMID><OEMTableID>SLIC-BPC</OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>Spsys.log Content: 0x80070002
Licensing Data-->
Software licensing service version: 6.1.7601.17514
Name: Windows(R) 7, Professional edition
Description: Windows Operating System - Windows(R) 7, OEM_SLP channel
Activation ID: 50e329f7-a5fa-46b2-85fd-f224e5da7764
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 00371-00178-926-700008-02-1033-7600.0000-2052009
Installation ID: 012096535692831173840681899194722295701916732953652420
Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
Partial Product Key: 6P6GT
License Status: Licensed
Remaining Windows rearm count: 3
Trusted time: 6/21/2011 4:40:11 PM
Windows Activation Technologies-->
HrOffline: 0x00000000
HrOnline: 0x80072EE2
HealthStatus: 0x0000000000000000
Event Time Stamp: 6:9:2011 17:13
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Registered, Version: 7.1.7600.16395
HealthStatus Bitmask Output:
HWID Data-->
HWID Hash Current: LgAAAAEAAQABAAEAAAABAAAAAwABAAEAln32pXCcmJHIUJB6pmAiT3KKvkF2Vg==
OEM Activation 1.0 Data-->
N/A
OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x20001
OEMID and OEMTableID Consistent: yes
BIOS Information:
ACPI Table Name OEMID Value OEMTableID Value
APIC COMPAQ IBEXPEAK
FACP COMPAQ IBEXPEAK
HPET COMPAQ IBEXPEAK
MCFG COMPAQ IBEXPEAK
ASF! COMPAQ IBEXPEAK
TCPA COMPAQ IBEXPEAK
SLIC HPQOEM SLIC-BPC
DMAR COMPAQ IBEXPEAK
- Proposed as answer by Noel D Paton (Moderator) Tuesday, June 21, 2011 9:27 PM
- Marked as answer by Darin Smith MS Wednesday, June 22, 2011 6:26 PM
Tuesday, June 21, 2011 9:03 PM -
"Ned Kittlitz" wrote in message news:c68e6ec2-5818-4bef-afe4-fa76cc3b207c...
Hello. I think this is fixed, but it's weird. The short description of what I did is to change Cryptographic Services to log in using "Network Services"; it was set up using the upper radio button: Local System account.
Here's how I got there... take everything I say with a grain of salt, because I'm really just a kid using grownup words I don't understand.
Following your suggestion, I went to http://supportservices.microsoft.com/support/services/virus_malware_removal and worked with one agent. After a while, she kicked me on to a higher level expert. Not sure if it's appropriate to drop his id, so I'll leave it out.
At some point, he started to focus on cryptographic services; it was not running. When he tried to start it from the services panel, it failed with error 1079. The error text is roughly "the account specified for this service is different from account specified for other services running in the same process". NOTE: in retrospect, there was a big indication of this issue... I was surprised that when we ran various items such as services.msc, Windows warned me the publisher was unknown. Now, I assume it couldn't verify the signature.
After poking around a bit more, the second expert decided there was probably nothing else to do without getting my IT group involved, and we ended that chat session.
I tried to figure out what process it might be that handles crypto services. Then I searched around and came up with another blackviper page: http://www.blackviper.com/wiki/Cryptographic_Services. I noticed that it says the Log On As is "Network Service". (Now that I look at this again, I see there are multiple sections for different Windows versions, and at least some of those specify Local System Account. But I was lucky and focused on the Windows 7 section without realizing it.)
So I looked at the properties for other things that are started as network services. Then I modified the properties of cryptographic services to log in as Network Services. I just cleared out the password fields. After this, I was able to start crypto.
Following this, I ran Microsoft Update and picked a single Windows patch to install. It worked. I had to reboot. Since then, I have done 2 more updates and have now installed everything.
** SO I don't know how this change happened. Maybe it was something pushed by our corporate IT group; I think this is done with "SMS", but again, it's not something I understand.
Finally, I ran MGADiag again. It's healed! I will ask the other guy here who has the same PC to check his crypto service setup. He told me he ran an update recently without problems, so I don't know why his worked.
Finally finally: it's still the case that "sc queryex sppsvc" will show state STOPPED after I've been up for a while. I wasn't running this repeatedly, so I don't know if it was up when I logged in and then went away.
Thanks again for all the suggestions and hand-holding. If there's anything else you want me to examine, or you have suggestions about things I should ask our IT people, please let me know.
Ned
MGADiag output:
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Code: 0
Cached Online Validation Code: 0x0
Windows Product Key: *****-*****-788W3-H689G-6P6GT
Windows Product Key Hash: yr8OHoeXhbT4dc6MxGYjdAStSPY=
Windows Product ID: 00371-OEM-8992671-00008
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 6.1.7601.2.00010100.1.0.048
Give that man a banana!
Well done and thank you VERY much for coming back to us with this report!
This at least gives us somewhere to start with the process of troubleshooting the other threads in future.
Can you do me a favour and run the following commands for me?
sc qc cryptsvc
sc queryex cryptsvc
sc qprivs cryptsvc
sc qsidtype cryptsvc
sc sdshow cryptsvc
(I can then check it against my default system and see if there's any nasty gotchas that may catch up with either you or others at a later date.)
Well done again!
--
Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
- Marked as answer by Ned Kittlitz Friday, June 24, 2011 3:17 PM
Tuesday, June 21, 2011 9:26 PM Moderator
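An added example (not code from the thread or from Microsoft): error 1079 described in the answer above means services hosted in one shared process are configured with different logon accounts, and that can be read straight out of `sc qc` output by grouping services on `BINARY_PATH_NAME` and comparing `SERVICE_START_NAME`. The function names are hypothetical, and the `sc qc` text is a constructed, trimmed sample modelling the state described (cryptsvc set to LocalSystem while its svchost group uses NetworkService).

```python
import re
from collections import defaultdict

# Constructed sample, trimmed to the fields used here. It is not output
# captured from the poster's machine.
SAMPLE_SC_QC = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: cryptsvc
        TYPE               : 20  WIN32_SHARE_PROCESS
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k NetworkService
        DISPLAY_NAME       : Cryptographic Services
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: Dnscache
        TYPE               : 20  WIN32_SHARE_PROCESS
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k NetworkService
        DISPLAY_NAME       : DNS Client
        SERVICE_START_NAME : NT AUTHORITY\NetworkService

SERVICE_NAME: NlaSvc
        TYPE               : 20  WIN32_SHARE_PROCESS
        BINARY_PATH_NAME   : C:\Windows\System32\svchost.exe -k NetworkService
        DISPLAY_NAME       : Network Location Awareness
        SERVICE_START_NAME : NT AUTHORITY\NetworkService

SERVICE_NAME: wuauserv
        TYPE               : 20  WIN32_SHARE_PROCESS
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k netsvcs
        DISPLAY_NAME       : Windows Update
        SERVICE_START_NAME : LocalSystem
"""

# "KEY : value" lines; the "[SC] ..." banner and blank lines do not match.
FIELD = re.compile(r"^\s*([A-Z_]+)\s*:\s*(.*?)\s*$")


def parse_sc_qc(text):
    """Parse concatenated `sc qc <name>` output into one dict per service."""
    services, current = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "SERVICE_NAME":
            current = {"SERVICE_NAME": value}
            services.append(current)
        elif current is not None:
            current[key] = value
    return services


def find_account_conflicts(services):
    """Return {host command line: {account: [services]}} for mixed groups."""
    groups = defaultdict(lambda: defaultdict(list))
    for svc in services:
        if "WIN32_SHARE_PROCESS" not in svc.get("TYPE", ""):
            continue  # a service with its own process cannot hit error 1079
        host = svc.get("BINARY_PATH_NAME", "").lower()
        account = svc.get("SERVICE_START_NAME", "").lower()
        groups[host][account].append(svc["SERVICE_NAME"])
    return {h: dict(a) for h, a in groups.items() if len(a) > 1}


def odd_ones_out(conflicts):
    """Services whose account is the least used one within their host group."""
    suspects = []
    for accounts in conflicts.values():
        fewest = min(len(names) for names in accounts.values())
        for names in accounts.values():
            if len(names) == fewest:
                suspects.extend(names)
    return sorted(suspects)


if __name__ == "__main__":
    found = find_account_conflicts(parse_sc_qc(SAMPLE_SC_QC))
    for host, accounts in found.items():
        print(host, accounts)
    print("check first:", odd_ones_out(found))
```

On a live system the input would be the concatenated `sc qc <name>` output for every service; a flagged service is a configuration to investigate against a known-good machine, as the reply above proposes, since the page does not establish what changed the account.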
All replies
-
"Ned Kittlitz" wrote in message news:14f6a323-5f45-4f0f-b2e0-63e69e6359ac...
I found instructions about downloading and running MGADiag. The report is below. On Wednesday 6/15, I started doing an update. I think there were about 17 updates. after it did some of them, it failed. multiple reboots etc have not helped. I found posts about 80070426, and they mentioned things like Software License Services -- but that does not seem to exist on W7.
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Code: 0
Cached Online Validation Code: 0x0
Windows Product Key: *****-*****-788W3-H689G-6P6GT
Windows Product Key Hash: yr8OHoeXhbT4dc6MxGYjdAStSPY=
Windows Product ID: 00371-OEM-8992671-00008
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 6.1.7601.2.00010100.1.0.048
File Scan Data-->
File Mismatch: C:\Windows\system32\wat\watadminsvc.exe[7.1.7600.16395], Hr = 0x80070426
File Mismatch: C:\Windows\system32\wat\watux.exe[7.1.7600.16395], Hr = 0x80070426
File Mismatch: C:\Windows\system32\sppobjs.dll[6.1.7601.17514], Hr = 0x80070426
File Mismatch: C:\Windows\system32\sppc.dll[6.1.7601.17514], Hr = 0x80070426
File Mismatch: C:\Windows\system32\sppcext.dll[6.1.7600.16385], Hr = 0x80070426
File Mismatch: C:\Windows\system32\sppwinob.dll[6.1.7601.17514], Hr = 0x80070426
File Mismatch: C:\Windows\system32\slc.dll[6.1.7600.16385], Hr = 0x80070426
File Mismatch: C:\Windows\system32\slcext.dll[6.1.7600.16385], Hr = 0x80070426
File Mismatch: C:\Windows\system32\sppuinotify.dll[6.1.7600.16385], Hr = 0x80070426
File Mismatch: C:\Windows\system32\slui.exe[6.1.7601.17514], Hr = 0x80070426
File Mismatch: C:\Windows\system32\sppcomapi.dll[6.1.7601.17514], Hr = 0x80070426
File Mismatch: C:\Windows\system32\sppcommdlg.dll[6.1.7600.16385], Hr = 0x80070426
File Mismatch: C:\Windows\system32\sppsvc.exe[6.1.7601.17514], Hr = 0x80070426
File Mismatch: C:\Windows\system32\drivers\spsys.sys[6.1.7127.0], Hr = 0x80070426
File Mismatch: C:\Windows\system32\drivers\spldr.sys[6.1.7127.0], Hr = 0x80070426
File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7601.17514], Hr = 0x80070426
File Mismatch: C:\Windows\system32\user32.dll[6.1.7601.17514], Hr = 0x80070426
It's the Software Protection Service that you need to look for - SPPSVC :)
(Software Licensing Service was the Vista name for much the same thing)
You have a HUGE number of disabled services here (which I've never seen before) and I can't believe that your system is actually running with that many disabled, so I suspect that it's either corruption or malware issues.
Try a CHKDSK, followed by an SFC, as follows.
Click on the Start button
type in the Search box
CMD.EXE
right-click on the only file that is found
Select Run as Administrator
- the Elevated Command Prompt window should pop up
At the Command prompt, type
CHKDSK C: /R
and hit the Enter key
You will be told that the drive is locked, and the CHKDSK will run at the next boot - hit the Y key, and then reboot. The chkdsk will take a few hours depending on the size of the drive, so be patient!
After the CHKDSK has run, Windows should boot normally (possibly after a second auto-reboot) - then run the SFC
SFC - System File Checker - Instructions
Click on the Start button
type in the Search box
CMD.EXE
right-click on the only file that is found
Select Run as Administrator
- the Elevated Command Prompt window should pop up
At the Command prompt, type
SFC /SCANNOW
and hit the Enter key
Wait for the scan to finish - make a note of any error messages - and then reboot.
Run another MGADiag report, and post the results.
--
Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
Friday, June 17, 2011 3:20 PM Moderator -
Hello. Thank you for the response. The chkdsk took a little over an hour. For much of it, I saw a file count of 119680. Then in stage 4, it dropped to 119664 (16 fewer). I note that there are 17 error lines in the MGADiag report.
After I ran sfc, it told me to look in the CBS.log file. I've never seen that before. There are a lot of entries over multiple days, although the first entry is probably around the time I first got the problem - June 15 11:33:34. Even looking at just the lines starting today around 13:21, there's a lot of stuff. I'm not sure how to condense it.
After rerunning MGADiag, the data looks similar to me.
As far as malware --- well, there is corporate IT, and they have some administrative control mechanism. They will sometimes install software, control antivirus things, etc. And we're mostly XP, although I recently learned that there is some kind of corporate W7 image. But the PC I have was ordered independently, which of course means that our IT group refuses to support it.
Another thing I notice is that the McAfee antivirus icon in the system tray says it's disabled... and because of that admin control, I can't even try to re-enable it. Yesterday, it was disabled too, and then this morning it was on; so I don't know if there was an administrative action overnight.
One other thing ... I've come in to work several times in the past weeks to find the PC has rebooted. I assumed it was power failure, but maybe not. I think that happened earlier this week.
Ned
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Code: 0
Cached Online Validation Code: 0x0
Windows Product Key: *****-*****-788W3-H689G-6P6GT
Windows Product Key Hash: yr8OHoeXhbT4dc6MxGYjdAStSPY=
Windows Product ID: 00371-OEM-8992671-00008
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 6.1.7601.2.00010100.1.0.048
ID: {133F70CE-106D-478E-BE0B-A1F6328D0AEE}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Professional
Architecture: 0x00000009
Build lab: 7601.win7sp1_gdr.110408-1631
TTS Error:
Validation Diagnostic:
Resolution Status: N/A
Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002
OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002
OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: B4D0AA8B-604-645_B4D0AA8B-604-645_025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3
Browser Data-->
Proxy settings: proxy.proxy.lucent.com:8000
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files (x86)\Internet Explorer\IEXPLORE.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed
File Scan Data-->
File Mismatch: C:\Windows\system32\wat\watadminsvc.exe[7.1.7600.16395], Hr = 0x80070426
File Mismatch: C:\Windows\system32\wat\watux.exe[7.1.7600.16395], Hr = 0x80070426
File Mismatch: C:\Windows\system32\sppobjs.dll[6.1.7601.17514], Hr = 0x80070426
File Mismatch: C:\Windows\system32\sppc.dll[6.1.7601.17514], Hr = 0x80070426
File Mismatch: C:\Windows\system32\sppcext.dll[6.1.7600.16385], Hr = 0x80070426
File Mismatch: C:\Windows\system32\sppwinob.dll[6.1.7601.17514], Hr = 0x80070426
File Mismatch: C:\Windows\system32\slc.dll[6.1.7600.16385], Hr = 0x80070426
File Mismatch: C:\Windows\system32\slcext.dll[6.1.7600.16385], Hr = 0x80070426
File Mismatch: C:\Windows\system32\sppuinotify.dll[6.1.7600.16385], Hr = 0x80070426
File Mismatch: C:\Windows\system32\slui.exe[6.1.7601.17514], Hr = 0x80070426
File Mismatch: C:\Windows\system32\sppcomapi.dll[6.1.7601.17514], Hr = 0x80070426
File Mismatch: C:\Windows\system32\sppcommdlg.dll[6.1.7600.16385], Hr = 0x80070426
File Mismatch: C:\Windows\system32\sppsvc.exe[6.1.7601.17514], Hr = 0x80070426
File Mismatch: C:\Windows\system32\drivers\spsys.sys[6.1.7127.0], Hr = 0x80070426
File Mismatch: C:\Windows\system32\drivers\spldr.sys[6.1.7127.0], Hr = 0x80070426
File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7601.17514], Hr = 0x80070426
File Mismatch: C:\Windows\system32\user32.dll[6.1.7601.17514], Hr = 0x80070426
Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{133F70CE-106D-478E-BE0B-A1F6328D0AEE}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-6P6GT</PKey><PID>00371-OEM-8992671-00008</PID><PIDType>2</PIDType><SID>S-1-5-21-150820050-3310638546-1031788635</SID><SYSTEM><Manufacturer>Hewlett-Packard</Manufacturer><Model>HP Compaq 8100 Elite SFF PC</Model></SYSTEM><BIOS><Manufacturer>Hewlett-Packard</Manufacturer><Version>786H1 v01.05</Version><SMBIOSVersion major="2" minor="6"/><Date>20100609000000.000000+000</Date></BIOS><HWID>41113607018400FE</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>1</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>HPQOEM</OEMID><OEMTableID>SLIC-BPC</OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>Spsys.log Content: 0x80070002
Licensing Data-->
Software licensing service version: 6.1.7601.17514
Name: Windows(R) 7, Professional edition
Description: Windows Operating System - Windows(R) 7, OEM_SLP channel
Activation ID: 50e329f7-a5fa-46b2-85fd-f224e5da7764
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 00371-00178-926-700008-02-1033-7600.0000-2052009
Installation ID: 012096535692831173840681899194722295701916732953652420
Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
Partial Product Key: 6P6GT
License Status: Licensed
Remaining Windows rearm count: 3
Trusted time: 6/17/2011 1:36:57 PM
Windows Activation Technologies-->
HrOffline: 0x00000000
HrOnline: 0x80072EE2
HealthStatus: 0x0000000000000000
Event Time Stamp: 6:9:2011 17:13
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Registered, Version: 7.1.7600.16395
HealthStatus Bitmask Output:
HWID Data-->
HWID Hash Current: LgAAAAEAAQABAAEAAAABAAAAAwABAAEAln32pXCcmJHIUJB6pmAiT3KKvkF2Vg==
OEM Activation 1.0 Data-->
N/A
OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x20001
OEMID and OEMTableID Consistent: yes
BIOS Information:
ACPI Table Name OEMID Value OEMTableID Value
APIC COMPAQ IBEXPEAK
FACP COMPAQ IBEXPEAK
HPET COMPAQ IBEXPEAK
MCFG COMPAQ IBEXPEAK
ASF! COMPAQ IBEXPEAK
TCPA COMPAQ IBEXPEAK
SLIC HPQOEM SLIC-BPC
DMAR COMPAQ IBEXPEAK
Friday, June 17, 2011 5:52 PM -
McAfee icon in system tray recently switched to "enabled". No idea why.
Also, it's an HP-PC, and so it seems there is some other kind of maintenance software installed that might be doing things.
In fact, probably everybody in the world except me is allowed to do something or another on this box.
Friday, June 17, 2011 6:09 PM -
"Ned Kittlitz" wrote in message news:133abd82-bc10-46f0-8336-c52f6d4c8666...
Hello. Thank you for the response. The chkdsk took a little over an hour. For much of it, I saw a file count of 119680. Then in stage 4, it dropped to 119664 (16 fewer). I note that there are 17 error lines in the MGADiag report.
After I ran sfc, it told me to look in the CBS.log file. I've never seen that before. There are a lot of entries over multiple days, although the first entry is probably around the time I first got the problem - June 15 11:33:34. Even looking at just the lines starting today around 13:21, there's a lot of stuff. I'm not sure how to condense it.
After rerunning MGADiag, the data looks similar to me.
As far as malware --- well, there is corporate IT, and they have some administrative control mechanism. They will sometimes install software, control antivirus things, etc. And we're mostly XP, although I recently learned that there is some kind of corporate W7 image. But the PC I have was ordered independently, which of course means that our IT group refuses to support it.
Another thing I notice is that the McAfee antivirus icon in the system tray says it's disabled... and because of that admin control, I can't even try to re-enable it. Yesterday, it was disabled too, and then this morning it was on; so I don't know if there was an administrative action overnight.
One other thing ... I've come in to work several times in the past weeks to find the PC has rebooted. I assumed it was power failure, but maybe not. I think that happened earlier this week.
Ned
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Code: 0
Cached Online Validation Code: 0x0
Windows Product Key: *****-*****-788W3-H689G-6P6GT
Windows Product Key Hash: yr8OHoeXhbT4dc6MxGYjdAStSPY=
Windows Product ID: 00371-OEM-8992671-00008
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 6.1.7601.2.00010100.1.0.048
File Scan Data-->
File Mismatch: C:\Windows\system32\wat\watadminsvc.exe[7.1.7600.16395], Hr = 0x80070426
File Mismatch: C:\Windows\system32\wat\watux.exe[7.1.7600.16395], Hr = 0x80070426
File Mismatch: C:\Windows\system32\sppobjs.dll[6.1.7601.17514], Hr = 0x80070426
File Mismatch: C:\Windows\system32\sppc.dll[6.1.7601.17514], Hr = 0x80070426
File Mismatch: C:\Windows\system32\sppcext.dll[6.1.7600.16385], Hr = 0x80070426
File Mismatch: C:\Windows\system32\sppwinob.dll[6.1.7601.17514], Hr = 0x80070426
File Mismatch: C:\Windows\system32\slc.dll[6.1.7600.16385], Hr = 0x80070426
File Mismatch: C:\Windows\system32\slcext.dll[6.1.7600.16385], Hr = 0x80070426
File Mismatch: C:\Windows\system32\sppuinotify.dll[6.1.7600.16385], Hr = 0x80070426
File Mismatch: C:\Windows\system32\slui.exe[6.1.7601.17514], Hr = 0x80070426
File Mismatch: C:\Windows\system32\sppcomapi.dll[6.1.7601.17514], Hr = 0x80070426
File Mismatch: C:\Windows\system32\sppcommdlg.dll[6.1.7600.16385], Hr = 0x80070426
File Mismatch: C:\Windows\system32\sppsvc.exe[6.1.7601.17514], Hr = 0x80070426
File Mismatch: C:\Windows\system32\drivers\spsys.sys[6.1.7127.0], Hr = 0x80070426
File Mismatch: C:\Windows\system32\drivers\spldr.sys[6.1.7127.0], Hr = 0x80070426
File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7601.17514], Hr = 0x80070426
File Mismatch: C:\Windows\system32\user32.dll[6.1.7601.17514], Hr = 0x80070426
Name: Windows(R) 7, Professional edition
Description: Windows Operating System - Windows(R) 7, OEM_SLP channel
Activation ID: 50e329f7-a5fa-46b2-85fd-f224e5da7764
Partial Product Key: 6P6GT
License Status: Licensed
Remaining Windows rearm count: 3
Trusted time: 6/17/2011 1:36:57 PM
Windows Activation Technologies-->
HrOffline: 0x00000000
HrOnline: 0x80072EE2
OK - nothing has changed in the report so we'll have to do some digging.
Please open a Command Prompt window and use the following commands....
sc qc sppsvc
sc queryex sppsvc
sc qprivs sppsvc
sc qsidtype sppsvc
sc sdshow sppsvc
copy and paste the results into your response.
This may show us what's wrong with at least one of the files.
Don't worry too much about McAfee yet - I take it that it's a corporate version rather than retail?
--
Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
Friday, June 17, 2011 7:09 PM Moderator -
I appreciate the quick responses. it's 1517 US EDT (1917 UTC), and I must leave work in about 30 minutes. Then I'm not sure if I'll be able to do things via remote desktop from home. so it may be next week before I can proceed.
You didn't mention "run as administrator", so I just did the normal run.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\nkittlit>sc qc sppsvc
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: sppsvc
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START (DELAYED)
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Windows\system32\sppsvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Software Protection
DEPENDENCIES : RpcSs
SERVICE_START_NAME : NT AUTHORITY\NetworkService
C:\Users\nkittlit>sc queryex sppsvc
SERVICE_NAME: sppsvc
TYPE : 10 WIN32_OWN_PROCESS
STATE : 1 STOPPED
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 0
FLAGS :
C:\Users\nkittlit>sc qprivs sppsvc
[SC] QueryServiceConfig2 SUCCESS
SERVICE_NAME: sppsvc
PRIVILEGES : SeAuditPrivilege
: SeChangeNotifyPrivilege
: SeCreateGlobalPrivilege
: SeImpersonatePrivilege
C:\Users\nkittlit>sc qsidtype sppsvc
[SC] QueryServiceConfig2 SUCCESS
SERVICE_NAME: sppsvc
SERVICE_SID_TYPE: UNRESTRICTED
C:\Users\nkittlit>sc sdshow sppsvc
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLOCRRC;;;IU)(A;;CCLCSWRPLOCRRC;;;SU)(A;;LCRP;;;AU)
C:\Users\nkittlit>
Friday, June 17, 2011 7:19 PM -
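Reading the `sc sdshow sppsvc` line in the post above, as an added example that is not part of the original thread: a small Python decoder that turns the service's DACL into a list of who may start, stop or reconfigure it. The function names are this example's own, the descriptor is the one posted above, and only the standard two-letter right codes are handled (hex access masks are rejected).

```python
import re

# Two-letter SDDL right codes as they apply to service objects.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG",
    "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS",
    "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START",
    "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE",
    "RC": "READ_CONTROL",
    "WD": "WRITE_DAC",
    "WO": "WRITE_OWNER",
}

# Well-known SID aliases that appear in the posted descriptor.
TRUSTEES = {
    "SY": "Local System",
    "BA": "Builtin Administrators",
    "IU": "Interactive logon users",
    "SU": "Service logon users",
    "AU": "Authenticated Users",
}

# Copied from the post above, including the console's 80-column wrap.
POSTED_SDDL = """D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLO
CRRC;;;IU)(A;;CCLCSWRPLOCRRC;;;SU)(A;;LCRP;;;AU)"""


def parse_service_dacl(sddl):
    """Return the DACL's ACEs as dicts, in descriptor order."""
    sddl = "".join(sddl.split())  # undo console line wrapping
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    if dacl is None:
        raise ValueError("no DACL found in descriptor")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", dacl.group(1)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: (%s)" % body)
        ace_type, _flags, rights, _obj, _inherit_obj, trustee = fields
        if len(rights) % 2 or not rights.isalpha():
            raise ValueError("only two-letter right codes are handled: %r" % rights)
        codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
        aces.append({
            "type": ace_type,      # "A" = allow, "D" = deny
            "trustee": trustee,
            "rights": [SERVICE_RIGHTS.get(c, "UNKNOWN(" + c + ")") for c in codes],
        })
    return aces


def who_can(aces, right):
    """Trustees with an allow ACE for `right` and no deny ACE naming them for it.

    Simplification: a real access check also weighs group membership and
    ACE order; this only reads what the descriptor states per trustee.
    """
    denied = {a["trustee"] for a in aces
              if a["type"] == "D" and right in a["rights"]}
    return [a["trustee"] for a in aces
            if a["type"] == "A" and right in a["rights"]
            and a["trustee"] not in denied]


def summarize(sddl):
    """Map the rights that matter for a service being stopped or altered."""
    aces = parse_service_dacl(sddl)
    wanted = ("SERVICE_START", "SERVICE_STOP", "SERVICE_CHANGE_CONFIG", "WRITE_DAC")
    return {r: [TRUSTEES.get(t, t) for t in who_can(aces, r)] for r in wanted}


if __name__ == "__main__":
    for right, names in summarize(POSTED_SDDL).items():
        print("%-22s %s" % (right, ", ".join(names)))
```

For the posted descriptor, SERVICE_STOP is granted only to Local System and Builtin Administrators, and SERVICE_CHANGE_CONFIG only to Builtin Administrators.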
"Ned Kittlitz" wrote in message news:a756207d-1790-41a4-8d80-44e48656268f...
I appreciate the quick responses. it's 1517 US EDT (1917 UTC), and I must leave work in about 30 minutes. Then I'm not sure if I'll be able to do things via remote desktop from home. so it may be next week before I can proceed.
You didn't mention "run as administrator", so I just did the normal run.
It's only when you need to make changes that you need the Admin privileges.
Very odd - everything looks pretty normal, except for the fact that the service is indeed switched off.
Open an Admin command window - use the following command
net start sppsvc
what happens?
--
Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
Friday, June 17, 2011 7:27 PM Moderator -
BTW - I **really** want to get to the bottom of this one - this set of files often comes up in this forum, although with a different error tag.
I reckon this could be a wonderful case to see what the commonality is.
--
Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
Friday, June 17, 2011 7:31 PM Moderator -
it started successfully. I'm not a windows expert, but I ran services.msc and now I see Software Protection, and it's started. I could swear it wasn't even there before.
Friday, June 17, 2011 7:32 PM
-
well, I can poke around and do other experiments if you want... or I could try running windows/microsoft update again.
Friday, June 17, 2011 7:34 PM
-
"Ned Kittlitz" wrote in message news:07fcee36-5bb4-427d-a65a-7ed00053c111...
well, I can poke around and do other experiments if you want... or I could try running windows/microsoft update again.
Not until after a reboot, you can't! :)
please run another MGADiag report before and after the reboot. - post both.
--
Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
Friday, June 17, 2011 7:50 PM Moderator -
here is the one before the reboot.
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Code: 0
Cached Online Validation Code: 0x0
Windows Product Key: *****-*****-788W3-H689G-6P6GT
Windows Product Key Hash: yr8OHoeXhbT4dc6MxGYjdAStSPY=
Windows Product ID: 00371-OEM-8992671-00008
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 6.1.7601.2.00010100.1.0.048
ID: {133F70CE-106D-478E-BE0B-A1F6328D0AEE}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Professional
Architecture: 0x00000009
Build lab: 7601.win7sp1_gdr.110408-1631
TTS Error:
Validation Diagnostic:
Resolution Status: N/A
Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002
OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002
OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: B4D0AA8B-604-645_B4D0AA8B-604-645_025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3
Browser Data-->
Proxy settings: proxy.proxy.lucent.com:8000
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files (x86)\Internet Explorer\IEXPLORE.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed
File Scan Data-->
File Mismatch: C:\Windows\system32\wat\watadminsvc.exe[7.1.7600.16395], Hr = 0x80070426
File Mismatch: C:\Windows\system32\wat\watux.exe[7.1.7600.16395], Hr = 0x80070426
File Mismatch: C:\Windows\system32\sppobjs.dll[6.1.7601.17514], Hr = 0x80070426
File Mismatch: C:\Windows\system32\sppc.dll[6.1.7601.17514], Hr = 0x80070426
File Mismatch: C:\Windows\system32\sppcext.dll[6.1.7600.16385], Hr = 0x80070426
File Mismatch: C:\Windows\system32\sppwinob.dll[6.1.7601.17514], Hr = 0x80070426
File Mismatch: C:\Windows\system32\slc.dll[6.1.7600.16385], Hr = 0x80070426
File Mismatch: C:\Windows\system32\slcext.dll[6.1.7600.16385], Hr = 0x80070426
File Mismatch: C:\Windows\system32\sppuinotify.dll[6.1.7600.16385], Hr = 0x80070426
File Mismatch: C:\Windows\system32\slui.exe[6.1.7601.17514], Hr = 0x80070426
File Mismatch: C:\Windows\system32\sppcomapi.dll[6.1.7601.17514], Hr = 0x80070426
File Mismatch: C:\Windows\system32\sppcommdlg.dll[6.1.7600.16385], Hr = 0x80070426
File Mismatch: C:\Windows\system32\sppsvc.exe[6.1.7601.17514], Hr = 0x80070426
File Mismatch: C:\Windows\system32\drivers\spsys.sys[6.1.7127.0], Hr = 0x80070426
File Mismatch: C:\Windows\system32\drivers\spldr.sys[6.1.7127.0], Hr = 0x80070426
File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7601.17514], Hr = 0x80070426
File Mismatch: C:\Windows\system32\user32.dll[6.1.7601.17514], Hr = 0x80070426
Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{133F70CE-106D-478E-BE0B-A1F6328D0AEE}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-6P6GT</PKey><PID>00371-OEM-8992671-00008</PID><PIDType>2</PIDType><SID>S-1-5-21-150820050-3310638546-1031788635</SID><SYSTEM><Manufacturer>Hewlett-Packard</Manufacturer><Model>HP Compaq 8100 Elite SFF PC</Model></SYSTEM><BIOS><Manufacturer>Hewlett-Packard</Manufacturer><Version>786H1 v01.05</Version><SMBIOSVersion major="2" minor="6"/><Date>20100609000000.000000+000</Date></BIOS><HWID>41113607018400FE</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>1</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>HPQOEM</OEMID><OEMTableID>SLIC-BPC</OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>
Spsys.log Content: 0x80070002
Licensing Data-->
Software licensing service version: 6.1.7601.17514
Name: Windows(R) 7, Professional edition
Description: Windows Operating System - Windows(R) 7, OEM_SLP channel
Activation ID: 50e329f7-a5fa-46b2-85fd-f224e5da7764
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 00371-00178-926-700008-02-1033-7600.0000-2052009
Installation ID: 012096535692831173840681899194722295701916732953652420
Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
Partial Product Key: 6P6GT
License Status: Licensed
Remaining Windows rearm count: 3
Trusted time: 6/17/2011 3:52:35 PM
Windows Activation Technologies-->
HrOffline: 0x00000000
HrOnline: 0x80072EE2
HealthStatus: 0x0000000000000000
Event Time Stamp: 6:9:2011 17:13
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Registered, Version: 7.1.7600.16395
HealthStatus Bitmask Output:
HWID Data-->
HWID Hash Current: LgAAAAEAAQABAAEAAAABAAAAAwABAAEAln32pXCcmJHIUJB6pmAiT3KKvkF2Vg==
OEM Activation 1.0 Data-->
N/A
OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x20001
OEMID and OEMTableID Consistent: yes
BIOS Information:
ACPI Table Name OEMID Value OEMTableID Value
APIC COMPAQ IBEXPEAK
FACP COMPAQ IBEXPEAK
HPET COMPAQ IBEXPEAK
MCFG COMPAQ IBEXPEAK
ASF! COMPAQ IBEXPEAK
TCPA COMPAQ IBEXPEAK
SLIC HPQOEM SLIC-BPC
DMAR COMPAQ IBEXPEAK
Friday, June 17, 2011 7:56 PM -
after the reboot. from my quick scans, things don't seem to change.
should I attempt the update now? I need to leave work in less than 15 minutes.
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Code: 0
Cached Online Validation Code: 0x0
Windows Product Key: *****-*****-788W3-H689G-6P6GT
Windows Product Key Hash: yr8OHoeXhbT4dc6MxGYjdAStSPY=
Windows Product ID: 00371-OEM-8992671-00008
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 6.1.7601.2.00010100.1.0.048
ID: {133F70CE-106D-478E-BE0B-A1F6328D0AEE}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Professional
Architecture: 0x00000009
Build lab: 7601.win7sp1_gdr.110408-1631
TTS Error:
Validation Diagnostic:
Resolution Status: N/A
Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002
OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002
OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: B4D0AA8B-604-645_B4D0AA8B-604-645_025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3
Browser Data-->
Proxy settings: proxy.proxy.lucent.com:8000
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files (x86)\Internet Explorer\IEXPLORE.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed
File Scan Data-->
File Mismatch: C:\Windows\system32\wat\watadminsvc.exe[7.1.7600.16395], Hr = 0x80070426
File Mismatch: C:\Windows\system32\wat\watux.exe[7.1.7600.16395], Hr = 0x80070426
File Mismatch: C:\Windows\system32\sppobjs.dll[6.1.7601.17514], Hr = 0x80070426
File Mismatch: C:\Windows\system32\sppc.dll[6.1.7601.17514], Hr = 0x80070426
File Mismatch: C:\Windows\system32\sppcext.dll[6.1.7600.16385], Hr = 0x80070426
File Mismatch: C:\Windows\system32\sppwinob.dll[6.1.7601.17514], Hr = 0x80070426
File Mismatch: C:\Windows\system32\slc.dll[6.1.7600.16385], Hr = 0x80070426
File Mismatch: C:\Windows\system32\slcext.dll[6.1.7600.16385], Hr = 0x80070426
File Mismatch: C:\Windows\system32\sppuinotify.dll[6.1.7600.16385], Hr = 0x80070426
File Mismatch: C:\Windows\system32\slui.exe[6.1.7601.17514], Hr = 0x80070426
File Mismatch: C:\Windows\system32\sppcomapi.dll[6.1.7601.17514], Hr = 0x80070426
File Mismatch: C:\Windows\system32\sppcommdlg.dll[6.1.7600.16385], Hr = 0x80070426
File Mismatch: C:\Windows\system32\sppsvc.exe[6.1.7601.17514], Hr = 0x80070426
File Mismatch: C:\Windows\system32\drivers\spsys.sys[6.1.7127.0], Hr = 0x80070426
File Mismatch: C:\Windows\system32\drivers\spldr.sys[6.1.7127.0], Hr = 0x80070426
File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7601.17514], Hr = 0x80070426
File Mismatch: C:\Windows\system32\user32.dll[6.1.7601.17514], Hr = 0x80070426
Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{133F70CE-106D-478E-BE0B-A1F6328D0AEE}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-6P6GT</PKey><PID>00371-OEM-8992671-00008</PID><PIDType>2</PIDType><SID>S-1-5-21-150820050-3310638546-1031788635</SID><SYSTEM><Manufacturer>Hewlett-Packard</Manufacturer><Model>HP Compaq 8100 Elite SFF PC</Model></SYSTEM><BIOS><Manufacturer>Hewlett-Packard</Manufacturer><Version>786H1 v01.05</Version><SMBIOSVersion major="2" minor="6"/><Date>20100609000000.000000+000</Date></BIOS><HWID>41113607018400FE</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>1</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>HPQOEM</OEMID><OEMTableID>SLIC-BPC</OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>
Spsys.log Content: 0x80070002
Licensing Data-->
Software licensing service version: 6.1.7601.17514
Name: Windows(R) 7, Professional edition
Description: Windows Operating System - Windows(R) 7, OEM_SLP channel
Activation ID: 50e329f7-a5fa-46b2-85fd-f224e5da7764
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 00371-00178-926-700008-02-1033-7600.0000-2052009
Installation ID: 012096535692831173840681899194722295701916732953652420
Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
Partial Product Key: 6P6GT
License Status: Licensed
Remaining Windows rearm count: 3
Trusted time: 6/17/2011 4:00:36 PM
Windows Activation Technologies-->
HrOffline: 0x00000000
HrOnline: 0x80072EE2
HealthStatus: 0x0000000000000000
Event Time Stamp: 6:9:2011 17:13
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Registered, Version: 7.1.7600.16395
HealthStatus Bitmask Output:
HWID Data-->
HWID Hash Current: LgAAAAEAAQABAAEAAAABAAAAAwABAAEAln32pXCcmJHIUJB6pmAiT3KKvkF2Vg==
OEM Activation 1.0 Data-->
N/A
OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x20001
OEMID and OEMTableID Consistent: yes
BIOS Information:
ACPI Table Name OEMID Value OEMTableID Value
APIC COMPAQ IBEXPEAK
FACP COMPAQ IBEXPEAK
HPET COMPAQ IBEXPEAK
MCFG COMPAQ IBEXPEAK
ASF! COMPAQ IBEXPEAK
TCPA COMPAQ IBEXPEAK
SLIC HPQOEM SLIC-BPC
DMAR COMPAQ IBEXPEAK
Friday, June 17, 2011 8:02 PM -
"Ned Kittlitz" wrote in message news:5ffa2e2c-c7a4-403a-bcae-a097ae307b0e...
here is the one before the reboot.
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Code: 0
Cached Online Validation Code: 0x0
Windows Product Key: *****-*****-788W3-H689G-6P6GT
Windows Product Key Hash: yr8OHoeXhbT4dc6MxGYjdAStSPY=
Windows Product ID: 00371-OEM-8992671-00008
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 6.1.7601.2.00010100.1.0.048
File Scan Data-->
<snip>File Mismatch: C:\Windows\system32\sppsvc.exe[6.1.7601.17514], Hr = 0x80070426
<snip>
I'll guess that after the reboot, it'll not be running again - if so, then please start it again, wait 10 minutes, and then use the SC QUERYEX SPPSVC command again - if it says that it's stopped, we can probably assume that it's the action of some form of malware.
--
Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
Friday, June 17, 2011 8:04 PM Moderator -
if I'm doing this right.... run services.msc. I see "Software Protection" status is started. startup type is Automatic (delayed start). Logon as network service.
(I can't see any way to copy/paste the actual line from the app)
Since I need to leave soon, I'll try to check on this later and see if it is still running. If so, I'll try the update.
Friday, June 17, 2011 8:08 PM -
by the way, I meant to say that it was already running. I didn't start it.
Friday, June 17, 2011 8:09 PM
-
I forgot to ask... is there any way to get a detailed report on the issues found with the files? or to do something like an md5 checksum and compare it with an expected value? since I'm not win-ignorant, maybe it's even looking at other stuff like registry values even though the message just says "file mismatch".
Friday, June 17, 2011 8:11 PM
-
sorry, now that I actually READ your instructions, I see that it was stopped. I started it and it seemed OK. So I'll try to check on it later from home.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>sc queryex sppsvc
SERVICE_NAME: sppsvc
TYPE : 10 WIN32_OWN_PROCESS
STATE : 1 STOPPED
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 0
FLAGS :
C:\Windows\system32>net start sppsvc
The Software Protection service is starting.
The Software Protection service was started successfully.
C:\Windows\system32>sc queryex sppsvc
SERVICE_NAME: sppsvc
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 2932
FLAGS :
C:\Windows\system32>
Friday, June 17, 2011 8:19 PM -
"Ned Kittlitz" wrote in message news:c1b37e86-072f-4c57-b301-6ee94f3d3c13...
I forgot to ask... is there any way to get a detailed report on the issues found with the files? or to do something like an md5 checksum and compare it with an expected value? since I'm not win-ignorant, maybe it's even looking at other stuff like registry values even though the message just says "file mismatch".
If only.......
the problem with those files is simply that they are not running - and Windows seems to think that they should be :)
I'm going to have some fun this weekend and see if I can come up with something to duplicate the errors and solve them.
at least I have more information than I did a couple of hours ago to base some work on.
Thanks for sticking with it!
--
Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
Friday, June 17, 2011 8:26 PM Moderator -
I just got to log in from home. It seems that the service is stopped.
Then I started it again, and just reran the sc queryex command about every minute. it stopped again. I had an initial timestamp, but it scrolled off the window. Still, I think it was less than 10 minutes.
is it likely this is malware? or could there be some other reason it might have stopped on its own?
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>sc queryex sppsvc
SERVICE_NAME: sppsvc
TYPE : 10 WIN32_OWN_PROCESS
STATE : 1 STOPPED
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 0
FLAGS :
C:\Windows\system32>
Friday, June 17, 2011 11:29 PM -
"Ned Kittlitz" wrote in message news:229d36de-ab83-4dad-87df-d62e711451ee...
I just got to log in from home. It seems that the service is stopped.
Then I started it again, and just reran the sc queryex command about every minute. it stopped again. I had an initial timestamp, but it scrolled off the window. Still, I think it was less than 10 minutes.
is it likely this is malware? or could there be some other reason it might have stopped on its own? :
C:\Windows\system32>
Certainly the most likely cause is malware -
Since this seems to be something that is time based, I wonder if there are any strange entries in the Task Scheduler?
Please see if you can find anything there.
Please also install, run, and update Malwarebytes Anti-Malware (free- www.malwarebytes.org) - do NOT activate the Real-time scanner, as it may interfere with a conventional Anti-Virus.
Run a full system scan in your usual account, and Quick scans in any other user accounts.
Delete everything it finds.
Then check the system out with a full McAfee scan as well - check that that is also fully updated first.
--
Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
Saturday, June 18, 2011 12:00 AM Moderator -
On Friday or Saturday, I thought I saw a web page claiming that sppsvc could automatically stop if it was not used for a while. http://www.blackviper.com/wiki/Software_Protection
Over the weekend, I tried doing a system restore using the backup done just before my June 15 update attempt. All of the "app" type updates are OK (.net, office 2010, silverlight, communicator 2005), but as soon as I try to do anything that is a "microsoft windows" update, I still get that error.
Today, I ran malwarebytes twice -- it didn't find anything. I also ran McAfee twice. first time the summary in the app sub-window reported some small number of items (less than 20). I tried looking at the log, but nothing was really obvious. I ran it again, and the number was down to 3. I forgot to make a note of the exact text that appears as a status line in the window. when I look at the log, the only obvious thing is 3 items that were not scanned because they are encrypted.
I looked at my installation/update history. Prior to June 15, several Windows items were installed June 1. They were:
http://support.microsoft.com/?kbid=2541014
http://support.microsoft.com/?kbid=2534366
http://support.microsoft.com/?kbid=2533552
2534366 and 2533552 seem to be related to problems installing SP1; since I've been running that for a long time, I assume they didn't really matter to me. 2541014 related to hibernation mode and crash dumps. Previous Windows changes were April 27.
I wonder if it might be worth trying to uninstall these 3 changes.
from McAfee log:
6/20/2011 12:59:17 PM Not scanned (The file is encrypted) nkittlit ODS(ned-daily-scan) c:\users\nkittlit\appdata\roaming\microsoft\windows\cookies\low\nkittlit@adbrite[2].txt\00000414.ie
6/20/2011 12:59:20 PM Not scanned (The file is encrypted) nkittlit ODS(ned-daily-scan) c:\users\nkittlit\application data\microsoft\windows\cookies\low\nkittlit@adbrite[2].txt\00000414.ie
6/20/2011 12:59:22 PM Not scanned (The file is encrypted) nkittlit ODS(ned-daily-scan) c:\users\nkittlit\cookies\low\nkittlit@adbrite[2].txt\00000414.ie
Monday, June 20, 2011 6:49 PM -
"Ned Kittlitz" wrote in message news:197f753b-2ad5-427f-9fb4-22f73a1e3cc2...
On Friday or Saturday, I thought I saw a web page claiming that sppsvc could automatically stop if it was not used for a while. http://www.blackviper.com/wiki/Software_Protection
Over the weekend, I tried doing a system restore using the backup done just before my June 15 update attempt. All of the "app" type updates are OK (.net, office 2010, silverlight, communicator 2005), but as soon as I try to do anything that is a "microsoft windows" update, I still get that error.
Today, I ran malwarebytes twice -- it didn't find anything. I also ran McAfee twice. first time the summary in the app sub-window reported some small number of items (less than 20). I tried looking at the log, but nothing was really obvious. I ran it again, and the number was down to 3. I forgot to make a note of the exact text that appears as a status line in the window. when I look at the log, the only obvious thing is 3 items that were not scanned because they are encrypted.
I looked at my installation/update history. Prior to June 15, several Windows items were installed June 1. They were:
http://support.microsoft.com/?kbid=2541014
http://support.microsoft.com/?kbid=2534366
http://support.microsoft.com/?kbid=2533552
2534366 and 2533552 seem to be related to problems installing SP1; since I've been running that for a long time, I assume they didn't really matter to me. 2541014 related to hibernation mode and crash dumps. Previous Windows changes were April 27.
I wonder if it might be worth trying to uninstall these 3 changes.
from McAfee log:
6/20/2011 12:59:17 PM Not scanned (The file is encrypted) nkittlit ODS(ned-daily-scan) c:\users\nkittlit\appdata\roaming\microsoft\windows\cookies\low\nkittlit@adbrite[2].txt\00000414.ie
6/20/2011 12:59:20 PM Not scanned (The file is encrypted) nkittlit ODS(ned-daily-scan) c:\users\nkittlit\application data\microsoft\windows\cookies\low\nkittlit@adbrite[2].txt\00000414.ie
6/20/2011 12:59:22 PM Not scanned (The file is encrypted) nkittlit ODS(ned-daily-scan) c:\users\nkittlit\cookies\low\nkittlit@adbrite[2].txt\00000414.ie
Cookies should not be encrypted - they are supposed to be plain-text files. I would suggest deleting them.
However, I don't believe that they are related to your problem with WGA.
(BlackViper is also my reference for services <g>) lemme take a look at your link....
Ah - I see your confusion.... yes the service will stop, but it switches into a standby state rather than being switched off, and should normally show as running. This is especially the case when an MGADiag report is being run, as it specifically calls on the service to do some of the diagnosis.
In your case, the fact that the service shows as being Stopped a couple of minutes after starting it means that something is actively switching it off, and we need to discover what this is.
It could well be worth giving the guys on Malware Support a try. - point them at this thread - start here....
--
Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
- Proposed as answer by Darin Smith MS Tuesday, June 21, 2011 8:39 PM
Tuesday, June 21, 2011 5:23 AM Moderator -
Hello. I think this is fixed, but it's weird. The short description of what I did is to change Cryptographic Services to log in using "Network Services"; it was set up using the upper radio button: Local System account.
Here's how I got there... take everything I say with a grain of salt, because I'm really just a kid using grownup words I don't understand.
following your suggestion, I went to http://supportservices.microsoft.com/support/services/virus_malware_removal and worked with one agent. after a while, she kicked me on to a higher level expert. Not sure if it's appropriate to drop his id, so I'll leave it out.
At some point, he started to focus on cryptographic services; it was not running. When he tried to start it from the services panel, it failed with error 1079. The error text is roughly "the account specified for this service is different from account specified for other services running in the same process". NOTE: in retrospect, there was a big indication of this issue... I was surprised that when we ran various items such as services.msc, windows warned me the publisher was unknown. Now, I assume it couldn't verify the signature.
After poking around a bit more, the second expert decided there was probably nothing else to do without getting my IT group involved, and we ended that chat session.
I tried to figure out what process it might be that handles crypto services. Then I searched around and came up with another blackviper page: http://www.blackviper.com/wiki/Cryptographic_Services. I noticed that it says the Log On As is "Network Service". (now that I look at this again, I see there are multiple sections for different windows versions, and at least some of those specify Local System Account. But I was lucky and focused on the Windows 7 section without realizing it.)
So I looked at the properties for other things that are started as network services. then I modified the properties of cryptographic services to log in as Network Services. I just cleared out the password fields. After this, I was able to start crypto.
Following this, I ran microsoft update and picked a single windows patch to install. it worked. I had to reboot. since then, I have done 2 more updates and have now installed everything.
** SO I don't know how this change happened. Maybe it was something pushed by our corporate IT group; I think this is done with "SMS", but again, it's not something I understand.
Finally, I ran MGADiag again. It's healed! I will ask the other guy here who has the same PC to check his crypto service setup. He told me he ran an update recently without problems, so I don't know why his worked.
Finally finally: it's still the case that "sc queryex sppsvc" will show state STOPPED after I've been up for a while. I wasn't running this repeatedly, so I don't know if it was up when I logged in and then went away.
Thanks again for all the suggestions and hand-holding. If there's anything else you want me to examine, or you have suggestions about things I should ask our IT people, please let me know.
Ned
MGADiag output:
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Code: 0
Cached Online Validation Code: 0x0
Windows Product Key: *****-*****-788W3-H689G-6P6GT
Windows Product Key Hash: yr8OHoeXhbT4dc6MxGYjdAStSPY=
Windows Product ID: 00371-OEM-8992671-00008
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 6.1.7601.2.00010100.1.0.048
ID: {CAFC6D9A-637C-43C2-AA86-D4FB2D2FE7B8}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Professional
Architecture: 0x00000009
Build lab: 7601.win7sp1_gdr.110408-1631
TTS Error:
Validation Diagnostic:
Resolution Status: N/A
Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002
OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002
OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: B4D0AA8B-604-645_B4D0AA8B-604-645_025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3
Browser Data-->
Proxy settings: proxy.proxy.lucent.com:8000
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files (x86)\Internet Explorer\IEXPLORE.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed
File Scan Data-->
Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{CAFC6D9A-637C-43C2-AA86-D4FB2D2FE7B8}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-6P6GT</PKey><PID>00371-OEM-8992671-00008</PID><PIDType>2</PIDType><SID>S-1-5-21-150820050-3310638546-1031788635</SID><SYSTEM><Manufacturer>Hewlett-Packard</Manufacturer><Model>HP Compaq 8100 Elite SFF PC</Model></SYSTEM><BIOS><Manufacturer>Hewlett-Packard</Manufacturer><Version>786H1 v01.05</Version><SMBIOSVersion major="2" minor="6"/><Date>20100609000000.000000+000</Date></BIOS><HWID>41113607018400FE</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>1</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>HPQOEM</OEMID><OEMTableID>SLIC-BPC</OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>
Spsys.log Content: 0x80070002
Licensing Data-->
Software licensing service version: 6.1.7601.17514
Name: Windows(R) 7, Professional edition
Description: Windows Operating System - Windows(R) 7, OEM_SLP channel
Activation ID: 50e329f7-a5fa-46b2-85fd-f224e5da7764
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 00371-00178-926-700008-02-1033-7600.0000-2052009
Installation ID: 012096535692831173840681899194722295701916732953652420
Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
Partial Product Key: 6P6GT
License Status: Licensed
Remaining Windows rearm count: 3
Trusted time: 6/21/2011 4:40:11 PM
Windows Activation Technologies-->
HrOffline: 0x00000000
HrOnline: 0x80072EE2
HealthStatus: 0x0000000000000000
Event Time Stamp: 6:9:2011 17:13
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Registered, Version: 7.1.7600.16395
HealthStatus Bitmask Output:
HWID Data-->
HWID Hash Current: LgAAAAEAAQABAAEAAAABAAAAAwABAAEAln32pXCcmJHIUJB6pmAiT3KKvkF2Vg==
OEM Activation 1.0 Data-->
N/A
OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x20001
OEMID and OEMTableID Consistent: yes
BIOS Information:
ACPI Table Name OEMID Value OEMTableID Value
APIC COMPAQ IBEXPEAK
FACP COMPAQ IBEXPEAK
HPET COMPAQ IBEXPEAK
MCFG COMPAQ IBEXPEAK
ASF! COMPAQ IBEXPEAK
TCPA COMPAQ IBEXPEAK
SLIC HPQOEM SLIC-BPC
DMAR COMPAQ IBEXPEAK
- Proposed as answer by Noel D Paton Moderator Tuesday, June 21, 2011 9:27 PM
- Marked as answer by Darin Smith MS Wednesday, June 22, 2011 6:26 PM
Tuesday, June 21, 2011 9:03 PM -
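The error 1079 condition described in the post above, as an added example that is not part of the original post: services hosted in one shared svchost.exe group must all be configured with the same logon account, so this Python code parses saved `sc qc` output and reports any group whose members disagree. The two captures are constructed for illustration; the second service (dnscache) and its membership of the same group are assumptions.

```python
import re
from collections import defaultdict

# Constructed `sc qc` captures (not from the thread): cryptsvc in the broken
# Local System state the post describes, plus an assumed second service that
# is hosted in the same svchost group.
SAMPLE = r"""
SERVICE_NAME: cryptsvc
        TYPE               : 20  WIN32_SHARE_PROCESS
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k NetworkService
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: dnscache
        TYPE               : 20  WIN32_SHARE_PROCESS
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k NetworkService
        SERVICE_START_NAME : NT AUTHORITY\NetworkService
"""

def parse_sc_qc(text):
    """Split concatenated `sc qc` output into {service: {field: value}}."""
    services, current = {}, None
    for line in text.splitlines():
        # Split on the first colon only, so "C:\..." stays inside the value.
        key, sep, value = line.partition(":")
        if not sep:
            continue  # banner lines such as "[SC] QueryServiceConfig SUCCESS"
        key, value = key.strip(), value.strip()
        if key == "SERVICE_NAME":
            current = services.setdefault(value.lower(), {})
        elif current is not None:
            current[key] = value
    return services

def account_mismatches(services):
    """Return svchost groups whose shared-process members are configured
    with more than one logon account (the cause of error 1079)."""
    groups = defaultdict(dict)
    for name, cfg in services.items():
        path = cfg.get("BINARY_PATH_NAME", "")
        m = re.search(r"svchost\.exe\s+-k\s+(\S+)", path, re.I)
        if m and "SHARE_PROCESS" in cfg.get("TYPE", ""):
            account = cfg.get("SERVICE_START_NAME", "").lower()
            groups[m.group(1).lower()][name] = account
    return {g: members for g, members in groups.items()
            if len(set(members.values())) > 1}

if __name__ == "__main__":
    for group, members in account_mismatches(parse_sc_qc(SAMPLE)).items():
        print(group, members)
```

Feeding it the combined `sc qc` output of every service in a group makes the odd one out visible before a start attempt fails.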
"Ned Kittlitz" wrote in message news:c68e6ec2-5818-4bef-afe4-fa76cc3b207c...
Hello. I think this is fixed, but it's werid. The short description of what I did is to change Cryptographic Services to log in using "Network Services"; it was set up using the upper radio button: Local System account.
Here's how I got there... take everything I say with a grain of salt, because I'm really just a kid using grownup words I don't understand.
following your suggestion, I went to http://supportservices.microsoft.com/support/services/virus_malware_removal and worked with one agent. after a while, she kicked me on to a higher level expert. Not sure if it's appropriate to drop his id, so I'll leave it out.
At some point, he started to focus on cryptographic services; it was not running. When he tried to start it form the services panel, it failed with error 1079. The error text is roughly "the account specified for this service is different from account specified for other services running in the same process". NOTE: in retrospect, there was a big indication of this issue... I was surprised that when we ran various items such as services.msc, windows warned me the publisher was unknown. Now, I assume it couldn't verify the signature.
After poking around a bit more, the second expert decided there was probably nothing else to do without getting my IT group involved, and we ended that chat session.
I tried to figure out what process it might be that handles crypto services. Then I searched around and came up with another blackviper page: http://www..blackviper.com/wiki/Cryptographic_Services. I noticed that it says the Log On As is is "Network Service". (now that I look at this again, I see there are multiple sections for different windows versions, and at least some of those specify Local System Account. But I was lucky and focused on the Windows 7 section without realizing it.)
So I looked at the properties for other things that are started as network services. then I modified the properties of cryptographic services to log in as Network Services. I just cleared out the password fields. After this, I was able to start crypto.
Following this, I ran microsoft update and picked a single windows patch to install. it worked. I had to reboot. since then, I have done 2 more updates and have now installed everything.
** SO I don't know how this change happened. Maybe it was something pushed by our corporate IT group; I think this is done with "SMS", but again, it's not something I understand.
Finally, I ran MGADiag again. It's healed! I will ask the other guy here who has the same PC to check his crypto service setup. He told me he ran an update recently without problems, so I don't know why his worked.
Finally finally: it's still the case that "sc queryex sppsvc" will show state STOPPED after I've been up for a while. I wasn't running this repeatedly, so I don't know if it was up when I logged in and then went away.
Thanks again for all the suggestions and hand-holding. If there's anything else you want me to examine, or you have suggestions about things I should ask our IT people, please let me know.
Ned
MGADiag output:
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->Validation Code: 0
Cached Online Validation Code: 0x0
Windows Product Key: *****-*****-788W3-H689G-6P6GT
Windows Product Key Hash: yr8OHoeXhbT4dc6MxGYjdAStSPY=
Windows Product ID: 00371-OEM-8992671-00008
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 6.1.7601.2.00010100.1.0.048
Give that man a banana!
Well done and thank you VERY much for coming back to us with this report!
This at least gives us somewhere to start with the process of troubleshooting the other threads in future.
Can you do me a favour and run the following commands for me?
sc qc cryptsvc
sc queryex cryptsvc
sc qprivs cryptsvc
sc qsidtype cryptsvc
sc sdshow cryptsvc
(I can then check it against my default system and see if there's any nasty gotchas that may catch up with either you or others at a later date.)
Well done again!
--
Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
- Marked as answer by Ned Kittlitz Friday, June 24, 2011 3:17 PM
Tuesday, June 21, 2011 9:26 PM Moderator -
Just a thought - but I doubt it's something pushed by your IT people, it's more likely that a minor piece of malware got in and did the trick - and was then eaten by the next update of the AV, which failed to properly repair the registry. - you might ask your IT guys to have a look at the logs and see if they can pull the rabbit out of the hat:)
Thanks again
Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
Tuesday, June 21, 2011 9:32 PM Moderator -
What is "AV"?
Since I'm new to the forums, I'm not sure of the conventions. I see two items were "proposed as answers". One of them was your suggestion to contact Microsoft malware assistance. The other was my previous update. I suppose in some sense, both of them might be answers, although ignorance prevents me from knowing that my posting really could have wider applicability. Let me know.
Here's the stuff you requested. Thanks again.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>sc qc cryptsvc
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: cryptsvc
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Windows\system32\svchost.exe -k NetworkService
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Cryptographic Services
DEPENDENCIES : RpcSs
SERVICE_START_NAME : NT AUTHORITY\NetworkService

C:\Windows\system32>sc queryex cryptsvc

SERVICE_NAME: cryptsvc
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 1412
FLAGS :

C:\Windows\system32>sc qprivs cryptsvc
[SC] QueryServiceConfig2 SUCCESS

SERVICE_NAME: cryptsvc
PRIVILEGES : SeChangeNotifyPrivilege
: SeCreateGlobalPrivilege
: SeImpersonatePrivilege

C:\Windows\system32>sc qsidtype cryptsvc
[SC] QueryServiceConfig2 SUCCESS

SERVICE_NAME: cryptsvc
SERVICE_SID_TYPE: UNRESTRICTED

C:\Windows\system32>sc sdshow cryptsvc

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\system32>
Wednesday, June 22, 2011 2:46 PM -
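To make the `sc sdshow cryptsvc` line in the post above comparable against a reference system, the following added example (not part of the original post) decodes its DACL into named service rights per trustee and lists who holds rights that can change the service's configuration, the kind of change this thread is about. The mapping tables cover only the codes that appear in this descriptor; the function names are illustrative.

```python
import re

# Service-specific meanings of the two-letter SDDL right codes printed by
# `sc sdshow` (only the codes present in this descriptor are listed).
RIGHTS = {"CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
          "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
          "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE",
          "CR": "USER_DEFINED_CONTROL", "SD": "DELETE",
          "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER"}
TRUSTEES = {"SY": "Local System", "BA": "Builtin Administrators",
            "AU": "Authenticated Users", "PU": "Power Users", "WD": "Everyone"}
# Rights that let a principal alter how the service is configured or secured.
WRITE = {"CHANGE_CONFIG", "WRITE_DAC", "WRITE_OWNER", "DELETE"}

# Descriptor as posted in the thread, with the console line wrap removed.
CRYPTSVC_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
    "(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

def parse_dacl(sddl):
    """Return [(ace_type, trustee, [right names])] for the D: section only."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl):
        # ACE layout: type;flags;rights;object_guid;inherit_guid;trustee
        ace_type, _flags, rights, _obj, _inherit, sid = body.split(";")
        names = [RIGHTS.get(code, code) for code in re.findall("..", rights)]
        aces.append((ace_type, TRUSTEES.get(sid, sid), names))
    return aces

def who_can_modify(sddl):
    """Trustees with an allow ACE carrying any configuration-changing right."""
    return {trustee: sorted(WRITE & set(names))
            for ace_type, trustee, names in parse_dacl(sddl)
            if ace_type == "A" and WRITE & set(names)}

if __name__ == "__main__":
    for ace in parse_dacl(CRYPTSVC_SDDL):
        print(ace)
    print("can modify:", who_can_modify(CRYPTSVC_SDDL))
```

The result reflects the DACL alone; it says nothing about privileges or other routes by which a highly privileged account can alter a service.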
AV = antivirus.
Colin Barnhorst Windows 7 Ultimate x64 on DIY with 6GB ram.
Wednesday, June 22, 2011 2:48 PM Answerer -
"Ned Kittlitz" wrote in message news:00907f9c-e83e-48b2-8126-2e80485726bb...
What is "AV"?
Since I'm new to the forums, I'm not sure of the conventions. I see two items were "proposed as answers". one of them was your suggestion to contact microsoft malware assistance. The other was my previous update. I suppose in some sense, both of them might be answers, although ignorance prevents me from knowing that my posting really could have wider applicability. Let me know.
Here's the stuff you requested. Thanks again.
Thanks for the update - I see Colin has already told you that AV = Anti-Virus :)
There's no need for you to make a choice if you're unsure - and as far as I know you could mark both as answers :)
Good luck.
--
Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
Friday, June 24, 2011 1:35 PM Moderator