Doubts about signed files in Diag report

  • Question

  • Hi,

    First of all, thank you for creating this forum, I bet it is really tiresome to have us asking about the same issue over and over, especially when there is only a handful of you doing all the work!

    This is the issue I am facing (I will post the Full report in a reply so the explanation doesn't get too cluttered):

    In doing an audit on our systems I found two of them had a wrong Licence key in use. I contacted the repair guy and he said that these systems had to be rebuilt a while ago because they were damaged in an accident, and in the hurry he probably used the wrong disc image to restore.
    As we do have our legitimate VL keys and we are within our purchased amount he pointed me to an official Microsoft tool to change the keys, which I did.


    Everything seems to be OK, the MGA Diagnostic utility is fine and even the online validation doesn't give any errors. But there are two details that caught my eye:

    1) The code for WgaTray and WgaLogon is different than for the other items.

    2) On some XP computers there is a "genuine" logo in the System Properties window and sometimes a manufacturer's logo... Should I have this on these custom built systems?

    Our Director is considering an external audit (something including the computers but beyond that, don't know what really) and we'd like to have a perfect score.

    Thanks in advance.

    Friday, June 15, 2012 4:01 PM

All replies

  • Edit:

    FWIW, we're running XP SP3 and the licences were bought through MS as "Vista Licences downgradable to XP" (excuse me if the wording is inaccurate).

    -

    Here is the full report:

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->
    Validation Status: Genuine
    Validation Code: 0
    Cached Validation Code: N/A
    Windows Product Key: *****-*****-T3Q2G-CPGJF-XQ87D
    Windows Product Key Hash: B0zgP1MeWZTNoJgDt3O5TQ9MQBU=
    Windows Product ID: 55274-642-3428452-23277
    Windows Product ID Type: 1
    Windows License Type: Volume
    Windows OS version: 5.1.2600.2.00010100.3.0.pro
    ID: {184283B2-918B-46E1-BD18-02B7E57821E6}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: Registered, 1.9.9.1
    Signed By: Microsoft
    Product Name: N/A
    Architecture: N/A
    Build lab: N/A
    TTS Error: N/A
    Validation Diagnostic: 025D1FF3-230-1_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005_E2AD56EA-765-8009_E2AD56EA-766-2efd_E2AD56EA-148-80004005_16E0B333-89-80004005
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A
    Version: N/A

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: Yes
    Version: 1.7.36.0
    WgaTray.exe Signed By: N/A, hr = 0x800b0100
    WgaLogon.dll Signed By: N/A, hr = 0x800b0100

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 109 N/A
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: B4D0AA8B-543-80070002_025D1FF3-230-1

    Browser Data-->
    Proxy settings: 192.168.0.1:8181
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Archivos de programa\Mozilla Firefox\firefox.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{184283B2-918B-46E1-BD18-02B7E57821E6}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010100.3.0.pro</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-XQ87D</PKey><PID>55274-642-3428452-23277</PID><PIDType>1</PIDType><SID>S-1-5-21-327269391-808351840-1539869618</SID><SYSTEM><Manufacturer>Unknow</Manufacturer><Model>Unknow</Model></SYSTEM><BIOS><Manufacturer>Phoenix Technologies, LTD</Manufacturer><Version>6.00 PG</Version><SMBIOSVersion major="2" minor="4"/><Date>20071023000000.000000+000</Date></BIOS><HWID>076939BF01848076</HWID><UserLCID>0C0A</UserLCID><SystemLCID>0C0A</SystemLCID><TimeZone>Hora estándar de Argentina(GMT-03:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification><File Name="WgaTray.exe" Version="1.7.36.0"/><File Name="WgaLogon.dll" Version="1.7.36.0"/></GANotification></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>  

    Licensing Data-->
    N/A

    Windows Activation Technologies-->
    N/A

    HWID Data-->
    N/A

    OEM Activation 1.0 Data-->
    BIOS string matches: yes
    Marker string from BIOS: 1AEB7:Elitegroup Computer Systems Co Ltd
    Marker string from OEMBIOS.DAT: N/A, hr = 0x80004005

    OEM Activation 2.0 Data-->
    N/A


    • Edited by Madd-Ops Friday, June 15, 2012 4:10 PM
    Friday, June 15, 2012 4:03 PM
  • "Madd-Ops" wrote in message news:5a8baf1c-ced4-4ad6-a978-ca8c2415bdfe...

    Edit:

    FWIW, we're running XP SP3 and the licences were bought through MS as "Vista Licences downgradable to XP" (excuse me if the wording is inaccurate).

    -

    Here is the full report:

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->
    Validation Status: Genuine
    Validation Code: 0
    Cached Validation Code: N/A
    Windows Product Key: *****-*****-T3Q2G-CPGJF-XQ87D
    Windows Product Key Hash: B0zgP1MeWZTNoJgDt3O5TQ9MQBU=
    Windows Product ID: 55274-642-3428452-23277
    Windows Product ID Type: 1
    Windows License Type: Volume
    Windows OS version: 5.1.2600.2.00010100.3.0.pro

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: Yes
    Version: 1.7.36.0
    WgaTray.exe Signed By: N/A, hr = 0x800b0100
    WgaLogon.dll Signed By: N/A, hr = 0x800b0100


    Other data-->
    SYSTEM><Manufacturer>Unknow</Manufacturer><Model>Unknow</Model></SYSTEM><BIOS><Manufacturer>Phoenix Technologies, LTD</Manufacturer><Version>6.00 PG</Version><SMBIOSVersion major="2" minor="4"/><Date>20071023000000.000000+000</Date></BIOS

     

    OEM Activation 1.0 Data-->
    BIOS string matches: yes
    Marker string from BIOS: 1AEB7:Elitegroup Computer Systems Co Ltd
    Marker string from OEMBIOS.DAT: N/A, hr = 0x80004005


     
     
    As you say, the install here seems genuine.
    The discrepancies between systems may be for a number of reasons
    1) - when last validated (if at all) - the report shown would seem to be from a system validated some time ago.
    2) - source of image used for install - one done using a Volume disk will have other bits in it besides those required for Volume activation, and may have manufacturer-specific data which shows up in the system.
    The current XP version is 1.9.40.0, cf. your displayed version of 1.7.36.0.
    To an extent, that could explain the 0x800b0100 errors - this may be indicating that the certificate on those files has expired.
     
    Please attempt validation *on this machine* at www.microsoft.com/genuine/validate and see what happens - then run another MGADiag report and post the results.

     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Friday, June 15, 2012 5:03 PM
    Moderator
  • Hi,

    thank you for the reply.

    The Validation link redirects me to a page where I can download additional software such as IE 9 or MSE.

    I also visited http://www.microsoft.com/genuine/diag/ where some checks take place and everything is marked as Correct:

    Sitio de diagnóstico del software original de Microsoft

    Correcto Active scripting permitido
    Correcto Mostrar imágenes habilitado
    Correcto Hora y fecha del equipo correctas
    Correcto Cookies habilitadas
    Correcto Control ActiveX habilitado
    Correcto Control ActiveX de validación de Windows cargado
    Correcto Control ActiveX de validación de Office cargado
    Correcto Control ActiveX de autoayuda de validación cargado
    Correcto Autoayuda de validación: Comprobación de corrupción de Data.dat
    Correcto Autoayuda de validación: Comprobación de criptografía
    Correcto Autoayuda de validación: Comprobación de activación de productos


    After that there are two blue buttons to validate Windows or Office (which was never installed in this system). Proceeding to the Windows button redirects me to the URL you provided and from there I am redirected again to the 'Download software' page.

    During the Diagnostics process some ActiveX was updated and that reflects in the new MGADiagnostics report below.

    Would you say, as far as you can tell, that this system doesn't need to be reinstalled? I would really like to avoid unnecessary downtime on this one.

    Regards.

    New report:

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->
    Validation Status: Genuine
    Validation Code: 0
    Cached Validation Code: N/A
    Windows Product Key: *****-*****-T3Q2G-CPGJF-XQ87D
    Windows Product Key Hash: B0zgP1MeWZTNoJgDt3O5TQ9MQBU=
    Windows Product ID: 55274-642-3428452-23277
    Windows Product ID Type: 1
    Windows License Type: Volume
    Windows OS version: 5.1.2600.2.00010100.3.0.pro
    ID: {184283B2-918B-46E1-BD18-02B7E57821E6}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: Registered, 1.9.42.0
    Signed By: Microsoft
    Product Name: N/A
    Architecture: N/A
    Build lab: N/A
    TTS Error: N/A
    Validation Diagnostic: 025D1FF3-230-1
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A
    Version: N/A

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: Yes
    Version: 1.7.36.0
    WgaTray.exe Signed By: N/A, hr = 0x800b0100
    WgaLogon.dll Signed By: N/A, hr = 0x800b0100

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 109 N/A
    OGA Version: Registered, 2.0.48.0
    Signed By: Microsoft
    Office Diagnostics: B4D0AA8B-543-80070002_025D1FF3-230-1

    Browser Data-->
    Proxy settings: 192.168.0.1:8181
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Archivos de programa\Mozilla Firefox\firefox.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{184283B2-918B-46E1-BD18-02B7E57821E6}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010100.3.0.pro</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-XQ87D</PKey><PID>55274-642-3428452-23277</PID><PIDType>1</PIDType><SID>S-1-5-21-327269391-808351840-1539869618</SID><SYSTEM><Manufacturer>Unknow</Manufacturer><Model>Unknow</Model></SYSTEM><BIOS><Manufacturer>Phoenix Technologies, LTD</Manufacturer><Version>6.00 PG</Version><SMBIOSVersion major="2" minor="4"/><Date>20071023000000.000000+000</Date></BIOS><HWID>076939BF01848076</HWID><UserLCID>0C0A</UserLCID><SystemLCID>0C0A</SystemLCID><TimeZone>Hora estándar de Argentina(GMT-03:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification><File Name="WgaTray.exe" Version="1.7.36.0"/><File Name="WgaLogon.dll" Version="1.7.36.0"/></GANotification></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>  

    Licensing Data-->
    N/A

    Windows Activation Technologies-->
    N/A

    HWID Data-->
    N/A

    OEM Activation 1.0 Data-->
    BIOS string matches: yes
    Marker string from BIOS: 1AEB7:Elitegroup Computer Systems Co Ltd
    Marker string from OEMBIOS.DAT: N/A, hr = 0x80004005

    OEM Activation 2.0 Data-->
    N/A

    Sunday, June 17, 2012 11:59 PM
  • "Madd-Ops" wrote in message news:75ec2b09-ab02-404c-b2fd-5267bceb4b44...

    Hi,

    thank you for the reply.

    The Validation link redirects me to a page where I can download additional software such as IE 9 or MSE.

    I also visited http://www.microsoft.com/genuine/diag/ where some checks take place and everything is marked as Correct:

    Sitio de diagnóstico del software original de Microsoft

    Correcto Active scripting permitido
    Correcto Mostrar imágenes habilitado
    Correcto Hora y fecha del equipo correctas
    Correcto Cookies habilitadas
    Correcto Control ActiveX habilitado
    Correcto Control ActiveX de validación de Windows cargado
    Correcto Control ActiveX de validación de Office cargado
    Correcto Control ActiveX de autoayuda de validación cargado
    Correcto Autoayuda de validación: Comprobación de corrupción de Data.dat
    Correcto Autoayuda de validación: Comprobación de criptografía
    Correcto Autoayuda de validación: Comprobación de activación de productos


    After that there are two blue buttons to validate Windows or Office (which was never installed in this system). Proceeding to the Windows button redirects me to the URL you provided and from there I am redirected again to the 'Download software' page.

    During the Diagnostics process some ActiveX was updated and that reflects in the new MGADiagnostics report below.

    Would you say, as far as you can tell, that this system doesn't need to be reinstalled? I would really like to avoid unnecessary downtime on this one.

    Regards.

    New report:

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->
    Validation Status: Genuine
    Validation Code: 0
    Cached Validation Code: N/A
    Windows Product Key: *****-*****-T3Q2G-CPGJF-XQ87D
    Windows Product Key Hash: B0zgP1MeWZTNoJgDt3O5TQ9MQBU=
    Windows Product ID: 55274-642-3428452-23277
    Windows Product ID Type: 1
    Windows License Type: Volume
    Windows OS version: 5.1.2600.2.00010100.3.0.pro

    LegitcheckControl ActiveX: Registered, 1.9.42.0


     

     
    That means that you passed validation :)
    I see the 0x800b0100 errors are still present....
    Please check the version and exact filesize of the following files
    C:\Windows\System32\WgaTray.exe
    C:\Windows\System32\WgaLogon.dll
    The error would tend to indicate that there is a problem with the digital signature expected.
    This could mean that you still have an earlier version, or it could mean that at some stage, the machine has had a hack installed to bypass activation, or had a virus which attacked these files.
     
    You could try replacing both files with copies from another machine (you'd be best doing that in Safe Mode/Command Prompt)
    Or you could run SFC /SCANNOW - you'd need to have the source/CD handy

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Monday, June 18, 2012 9:41 AM
    Moderator
  • Hello Madd-Ops,

    One other thing that may be affecting the situation is that this computer has a proxy set.

    Normally, computers that show up here with a proxy set fall into two categories: (a) the computer is part of a larger organization's network and the network is architected with proxy use as a deliberate step; or (b) the computer had or has a malware infection and the malware established the proxy for its own purposes.

    I would expect (a) in your case rather than (b).

    In the early days of WGA we used to recommend that for troubleshooting purposes, one thing to try would be to access the internet and thusly MS's servers for activation/validation runs without the proxy in place.

    Try without the proxy and see what happens.

    Thursday, June 21, 2012 10:23 AM
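
A small triage script for the two checks raised in the replies above (the 0x800b0100 result on WgaTray.exe and WgaLogon.dll, and the configured proxy), added here as an example and not part of the original thread or of any Microsoft tool. The names `parse_report` and `triage` are hypothetical, the sample is an excerpt of the report posted in this thread, and treating "N/A" as "no proxy set" is an assumption.

```python
import re

# Standard Windows meanings of the HRESULT values seen in the report.
HRESULTS = {
    0x800B0100: "TRUST_E_NOSIGNATURE: no signature was present in the file",
    0x80070002: "ERROR_FILE_NOT_FOUND: file or cached value is missing",
    0x80004005: "E_FAIL: unspecified failure",
}

# Excerpt of the report posted in this thread, trimmed for the example.
SAMPLE_REPORT = """\
Windows Validation Data-->
Validation Status: Genuine
LegitcheckControl ActiveX: Registered, 1.9.42.0
Signed By: Microsoft

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: 1.7.36.0
WgaTray.exe Signed By: N/A, hr = 0x800b0100
WgaLogon.dll Signed By: N/A, hr = 0x800b0100

OGA Notifications Data-->
OGAExec.exe Signed By: N/A, hr = 0x80070002

Browser Data-->
Proxy settings: 192.168.0.1:8181
"""

SECTION = re.compile(r"^(.+?)-->\s*$")
FIELD = re.compile(r"^([^:]+):\s*(.*)$")
HR = re.compile(r"hr\s*=\s*0x([0-9a-fA-F]{1,8})")

def parse_report(text):
    """Return {section name: {field: value}} for an MGADiag text report."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION.match(line)
        if header:
            current = sections.setdefault(header.group(1), {})
            continue
        field = FIELD.match(line)
        if field and current is not None:
            current[field.group(1).strip()] = field.group(2).strip()
    return sections

def triage(text):
    """Return (section, field, note) tuples worth following up in an audit."""
    findings = []
    for section, fields in parse_report(text).items():
        for key, value in fields.items():
            hr = HR.search(value)
            if key.endswith("Signed By") and hr:
                code = int(hr.group(1), 16)
                if code == 0x80070002:
                    continue  # component not installed, nothing to verify
                note = HRESULTS.get(code, "unrecognised HRESULT 0x%08X" % code)
                findings.append((section, key, note))
            elif key == "Proxy settings" and value not in ("", "N/A"):
                # Assumption: an unset proxy is reported as "N/A" or blank.
                findings.append((section, key, "proxy in use: " + value))
    return findings
```

Run over reports collected from several machines, `triage` separates files that exist but fail the signature check from components that are simply absent, such as the Office add-ins on a system without Office.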
  • Well spotted, Dan - I missed that one! (I so rarely see proxies any more that I forget to check, I suspect)

    Thanks for the assist


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

    Thursday, June 21, 2012 10:51 AM
    Moderator
  • No further reply from the Original Poster.

    It is assumed that the issue is resolved and was resolved by one of the Answer posts above.


    Darin MS


    Monday, June 25, 2012 6:39 PM