An unauthorized change was made to Windows

All replies

• 

  

  0

  Sign in to vote

  Hello Kate,
  
  

  In order to receive the best support, we request all users to initially run the Microsoft Genuine Advantage Diagnostic Tool.  This will try and identify the individual issue you may be experiencing.  Please provide a brief synopsis describing your customer scenario, including any dialogue, error messages, or codes. These can be found in the lower left hand corner of most Genuine Advantage Web pages when an error is encountered.

  By clicking the link below, you will download the Microsoft Genuine Advantage Diagnostic Tool.  Then click the Run button. Then click the Run button again. Then click the Continue button to perform the diagnostic. The Windows tab should show, click the Copy button to paste your report to the clipboard.  Then paste the report into a New Post on this Forum by adding a post in it and pressing Ctrl V (to paste the text). Clicking the OK button will clear the Diagnostic window. Here is the download link:

  http://go.microsoft.com/fwlink/?linkid=52012

  Step 2: Tell us about the Certificate of Authenticity (COA) for your copy of Windows.

  1. What edition/version of Windows Vista is titled?

  ·         Home Basic

  ·         Home Premium 

  ·         Business

  ·         Ultimate

  2. Does it read "OEM Software" or "OEM Product" in black lettering?

  3. Or, does it have the computer manufacturer's name in black lettering?

  4. Please provide the customer scenario you are experiencing.

  5. DO NOT post the Product Key.

  Not sure what to look for, see this page to reference your COA:

  http://www.microsoft.com/resources/howtotell/en/coa.mspx

  NOTE: The data collected with the Microsoft Genuine Advantage Diagnostic Tool does NOT contain any information that can personally identify you. The information can be fully reviewed, by you, before being posted.

  Thank you for your participation here on the Windows Genuine Advantage (WGA) program forums. We look forward to working with you.
  
  
  
  Thank you,
  
  Stephen Holm, MS
  WGA Forum Manager

  ---

  Stephen Holm

  Tuesday, September 30, 2008 5:46 PM
• 

  

  0

  Sign in to vote

  Hi Stephen,
  
  Thanks for the new download link, it worked, I presume the tool I'd previously been using was an old one.
  
  I'm on a Toshiba Satellite Laptop which I bought just over a year ago, and which came with Windows Vista (Home Premuim) installed. A couple of hours ago I got an error message saying:
  
  
  An unauthorized change was made to windows. You will no longer receive notifications... [etc.]
  
  Error code was: 0xC004D401. The security processor reported a system file mistatch error.
  
  
  
  If it helps, a few weeks ago I was installing some updates and got a message saying one of them had failes, and since then whenever I start windows I get a message saying that Windiws Update is looking for a file which doesn't exist (in my temp folder). I've completed all the update installs recommended since, but the problem is stil there. Having had a look at some of your other replies, I'm worried this may suggest an on disk error.
  
  
  
  Anyway, here's the MGA output:
  
  

  Diagnostic Report (1.7.0095.0):
  -----------------------------------------
  WGA Data-->
  Validation Status: Invalid License
  Validation Code: 50
  Online Validation Code: 0xc004d401
  Cached Validation Code: N/A, hr = 0xc004d401
  Windows Product Key: *****-*****-JQMWD-2QJRJ-RJ34F
  Windows Product Key Hash: R8gPTEFMoOygFewoq/uOoWMpz68=
  Windows Product ID: 89578-OEM-7332157-00237
  Windows Product ID Type: 2
  Windows License Type: OEM SLP
  Windows OS version: 6.0.6001.2.00010300.1.0.003
  CSVLK Server: N/A
  CSVLK PID: N/A
  ID: {A4A56552-EA49-465D-8DBF-11CD91D6F1BA}(3)
  Is Admin: Yes
  TestCab: 0x0
  WGA Version: Registered, 1.7.69.2
  Signed By: Microsoft
  Product Name: Windows Vista (TM) Home Premium
  Architecture: 0x00000000
  Build lab: 6001.vistasp1_gdr.080425-1930
  TTS Error: M:20080930181355512-
  Validation Diagnostic:
  Resolution Status: N/A

  WgaER Data-->
  ThreatID(s): N/A, hr = 0x80070002
  Version: 6.0.6002.16398

  WGA Notifications Data-->
  Cached Result: N/A, hr = 0x80070002
  File Exists: No
  Version: N/A, hr = 0x80070002
  WgaTray.exe Signed By: N/A, hr = 0x80070002
  WgaLogon.dll Signed By: N/A, hr = 0x80070002

  OGA Notifications Data-->
  Cached Result: N/A, hr = 0x80070002
  Version: N/A, hr = 0x80070002
  WGATray.exe Signed By: N/A, hr = 0x80070002
  OGAAddin.dll Signed By: N/A, hr = 0x80070002

  OGA Data-->
  Office Status: 108 Invalid VLK
  Microsoft Office Enterprise 2007 - 108 Invalid VLK
  OGA Version: N/A, 0x80070002
  Signed By: N/A, hr = 0x80070002
  Office Diagnostics: 025D1FF3-282-80041010_025D1FF3-170-80041010_025D1FF3-171-1_025D1FF3-434-80040154_025D1FF3-178-80040154_025D1FF3-179-2_025D1FF3-185-80070002_025D1FF3-199-3

  Browser Data-->
  Proxy settings: N/A
  User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Win32)
  Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
  Download signed ActiveX controls: Prompt
  Download unsigned ActiveX controls: Disabled
  Run ActiveX controls and plug-ins: Allowed
  Initialize and script ActiveX controls not marked as safe: Disabled
  Allow scripting of Internet Explorer Webbrowser control: Disabled
  Active scripting: Allowed
  Script ActiveX controls marked as safe for scripting: Allowed

  File Scan Data-->

  Other data-->
  Office Details: <GenuineResults><MachineData><UGUID>{A4A56552-EA49-465D-8DBF-11CD91D6F1BA}</UGUID><Version>1.7.0095.0</Version><OS>6.0.6001.2.00010300.1.0.003</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-RJ34F</PKey><PID>89578-OEM-7332157-00237</PID><PIDType>2</PIDType><SID>S-1-5-21-3109895235-2961211582-1546064704</SID><SYSTEM><Manufacturer>TOSHIBA</Manufacturer><Model>Satellite P200</Model></SYSTEM><BIOS><Manufacturer>TOSHIBA</Manufacturer><Version>V1.30</Version><SMBIOSVersion major="2" minor="4"/><Date>20070326000000.000000+000</Date></BIOS><HWID>BF313507018400FA</HWID><UserLCID>0809</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>GMT Standard Time(GMT+00:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>TOSCPL</OEMID><OEMTableID>TOSCPL00</OEMTableID></OEM><BRT/></MachineData><Software><Office><Result>108</Result><Products><Product GUID="{90120000-0030-0000-0000-0000000FF1CE}"><LegitResult>108</LegitResult><Name>Microsoft Office Enterprise 2007</Name><Ver>12</Ver><Val>64BC76978749586</Val><Hash>GW6PzcEVEDTVKeO5Ym5UUm41dBk=</Hash><Pid>89388-707-0441865-65887</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="12" Result="108"/><App Id="16" Version="12" Result="108"/><App Id="18" Version="12" Result="108"/><App Id="19" Version="12" Result="108"/><App Id="1A" Version="12" Result="108"/><App Id="1B" Version="12" Result="108"/><App Id="44" Version="12" Result="108"/><App Id="A1" Version="12" Result="108"/><App Id="BA" Version="12" Result="108"/></Applications></Office></Software></GenuineResults> 

  Spsys.log Content: U1BMRwEAAAAAAQAABAAAAJIdDgAAAAAAYWECAATwfJBZeQdGGCPJAW4aG1/FHasdtBRBPRnxqCKmiVv43V1KwvhmEo5bHBXY3jOgNcFVrDdRvgAFfOUuz6L2Phiey+bkYkBrsgnDMQn2WsBZYbIZJJLJezdT4XiJM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAxuGhtfxR2rHbQUQT0Z8agilTb9QcByEv4O5xo5oNuBFjO3T+6hvkMMJDQC7Uu9LqB4XhvK77fVDePCOlXUoQqX9lrAWWGyGSSSyXs3U+F4iTOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgM

  
  
  Thanks again for your help.,
  
  Kate

  Tuesday, September 30, 2008 6:06 PM
• 

  

  0

  Sign in to vote

   Hey Kate,
  
  
  Thank you for providing us with your diagnostic results :-).  Vista is in, what we call a 'Mod-Auth' Tamper state.  There are 2 types of Mod-Auth tampers.

   

  1) A critical system file was modified On Disk - What this means is that the file, located on the hard drive, and was modified in some way. This can be caused by a malicious program (spyware, malware, and virus) or by manual file modification (by a user of the system). There is also a very small chance that an Update may fail in mid-update and cause this type of issue. As a safety mechanism, Updates are made so that if they fail, they roll back any updating that was done before the failure, but there is an off-chance that the roll back did not occur.

   

  2) A critical system file was modified In Memory - What this means is the file itself (on the hard drive) is un-modified, but the code, from that file, running in the system, was modified in some way. and is usually caused by a running program that is incompatible with Vista.

   

  Because there is No Mismatched files listed under the "File Scan Data-->" line of your Diagnostic Report, your issue is an In Memory Mod-Auth and therefore caused by an incompatible program. This means there is a program install and running that is trying to access parts of the OS that Vista does not allow which by definition means it is incompatible with Vista.

   

  In addition to why a Tamper occurs, it's also important to understand how Vista detects the Tamper event. There is a Service that runs in Vista that detects a Tamper to a Critical System file. But this Service runs randomly, so if you were to install an incompatible program and run it, Vista (most likely) would not immediately enter a Tamper State and it could take some time for the Tamper to be detected. The important point to note is that the moment Vista detects the Tamper, you know that the program that caused the tamper, is currently running.

  Below I have provided a number of steps to help you identify the program that is causing the tamper:
   
    First, go to http://support.microsoft.com/kb/931699/ and confirm that you do not have any of the programs known to cause this type of issue.
   
    Second, in your Diagnostic report above, you can see the line that starts with 'TTS Error:' followed by a bunch numbers: M:xxxxxxxxxxxxxxxxx- This is the Tamper Time Stamp and it breaks down like this:

   

  (Year)       (Month)       (Day)       (Time in 24format)      (Millisecond)
  

  M:2008           09            30               1813                             55512-
  

  Now that you know the time of the tamper, you can now try to connect that time with a program.

  1) Login to Vista and select the option that launches an Internet Browser

  2) Type into the browser address bar: %windir%\system32\perfmon.msc and hit Enter

  3) When asked if you want to Open or Save this file, select Open

  4) In the left hand panel, click Reliability Monitor

  5) Click on the “System Stability Chart” above the date 09/30    

  6) Below the chart, in the “System Stability Report” section look at the report titled "Software (Un) Installs for 09/30/2008    
  
  7) Look for any program that shows "Application Install" in the 'Activity' column.

  8) Since the process that detects tampers runs randomly, it can take up to 3 days for the process to detect the tamper and set Vista to a Tamper State. Because of this, please repeat
       steps 5) thru 7) for the dates 09/29/2008, 09/28/2008 and 09/27/2008.    

    This could tell you what programs were installed on or around the Tamper date and should help you narrow down the possible programs that could be causing the issue . Unfortunately, if you installed the program (say) on 09/01/2007, but you didn't run (and, hence, prompted the tamper state)  till 09/30/2008, this process may not be helpful.  The removal of any application you may have installed recently could go a long way to troubleshooting these issues as well since it may fall outside of the 3 day time frame described above.

   Note: Since everyone has different programs installed on their computer, it is extremely hard for support to figure out what program is causing the problem, but if you still need assistance in identifying the Incompatible Program, please create a no cost support request at http://go.microsoft.com/fwlink/?linkid=52029. 
  
  
  
  Thank you,
  
  
  Stephen Holm, MS
  WGA Forum Manager

  ---

  Stephen Holm

  • Marked as answer by Stephen Holm Tuesday, September 30, 2008 8:19 PM

  Tuesday, September 30, 2008 8:19 PM