"an unauthorized change was made to windows" after windows update restart.

  • Question

  • After I restart my computer after Windows Update has run, it goes to the password page, which I do, it then hangs for ages, then comes up with the following message:
    "an unauthorized change was made to windows"
    If I then boot into safe mode and do a system restore to before the update it will work again, but only until Windows Update runs again. It first did it about a month ago, but I have had this laptop for almost a year, a Dell XPS M1530 that came with Windows Vista Home Premium installed, so it is definitely genuine.
    My Office 2007 is also genuine.
    Thanks for any help, I'm supposed to be revising right now!

    Diagnostic Report (1.9.0006.1):
    -----------------------------------------
    WGA Data-->
    Validation Status: Invalid License
    Validation Code: 50
    Online Validation Code: 0xc004d401
    Cached Validation Code: N/A, hr = 0xc004d401
    Windows Product Key: *****-*****-F4GJK-KG77H-B9HD2
    Windows Product Key Hash: iJAth4TbScMi8HdcPurlASXdEkw=
    Windows Product ID: 89578-OEM-7332157-00204
    Windows Product ID Type: 2
    Windows License Type: OEM SLP
    Windows OS version: 6.0.6001.2.00010300.1.0.003
    ID: {7C1D607B-0FC9-49AE-B06F-D7EB563D579C}(1)
    Is Admin: Yes
    TestCab: 0x0
    WGA Version: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows Vista (TM) Home Premium
    Architecture: 0x00000000
    Build lab: 6001.vistasp1_gdr.080917-1612
    TTS Error: M:20090506113546054-
    Validation Diagnostic:
    Resolution Status: N/A

    WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: 6.0.6002.16398

    WGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    WGATray.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 100 Genuine
    Microsoft Office Enterprise 2007 - 100 Genuine
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Win32)
    Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{7C1D607B-0FC9-49AE-B06F-D7EB563D579C}</UGUID><Version>1.9.0006.1</Version><OS>6.0.6001.2.00010300.1.0.003</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-B9HD2</PKey><PID>89578-OEM-7332157-00204</PID><PIDType>2</PIDType><SID>S-1-5-21-1325000197-581319121-2675626905</SID><SYSTEM><Manufacturer>Dell Inc.</Manufacturer><Model>XPS M1530                       </Model></SYSTEM><BIOS><Manufacturer>Dell Inc.</Manufacturer><Version>A12</Version><SMBIOSVersion major="2" minor="4"/><Date>20081119000000.000000+000</Date></BIOS><HWID>62313507018400F8</HWID><UserLCID>0809</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>GMT Standard Time(GMT+00:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>DELL  </OEMID><OEMTableID>M08    </OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{91120000-0030-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Enterprise 2007</Name><Ver>12</Ver><Val>627CA123F0C5ED0</Val><Hash>jVDXuYw2lHQjlTSy6J2IxdpOq+g=</Hash><Pid>81599-872-6386577-65166</Pid><PidType>1</PidType></Product></Products><Applications><App Id="15" Version="12" Result="100"/><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="19" Version="12" Result="100"/><App Id="1A" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/><App Id="44" Version="12" Result="100"/><App Id="A1" Version="12" Result="100"/><App Id="BA" Version="12" Result="100"/></Applications></Office></Software></GenuineResults> 

    Spsys.log Content:

    Licensing Data-->
    C:\Windows\system32\slmgr.vbs(1634, 5) (null): 0xC004D401

    HWID Data-->
    HWID Hash Current: PAAAAAEABwABAAEAAQABAAAAAwABAAEAJJRsXRaWEnlOapp6HrMyD0aDBgxgDr598vTuEdgZrFZyikbK

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes
    Windows marker version: 0x20000
    OEMID and OEMTableID Consistent: yes
    BIOS Information:
      ACPI Table Name    OEMID Value    OEMTableID Value
      APIC            DELL          M08   
      FACP            DELL          M08   
      HPET            DELL          M08   
      BOOT            DELL          M08   
      MCFG            DELL          M08   
      SLIC            DELL          M08   
      OSFR            DELL          M08   
      SSDT            PmRef        CpuPm


    Wednesday, May 6, 2009 10:47 AM

Answers

  • Hi barrboy89,

      The error code 0xc004d401 tells me the issue that your Vista is experiencing is a Mod-Auth Tamper. A Mod-Auth Tamper is when a Vista system file has been modified without Vista knowing why. A Mod-Auth Tamper can occur in two ways: a) On Disk or b) In Memory.

      a) An 'On Disk Mod-Auth Tamper' is when the physical system file (located on the hard drive) is modified or becomes corrupt. If you remove the source of the issue (such as a malware infection or a bad Update), the damage (and the non-genuine issue) will still remain.

      b) An 'In Memory Mod-Auth Tamper' is when a running program hooks or shims (i.e. modifies) a Vista system file that is running in system memory (i.e. RAM) (note: the physical file, on the hard drive, is unmodified). If you remove the source of the issue (incompatible programs or malware infections are the only cause), the damage (and the non-genuine issue) will disappear.

      A good way to think of the two types of Mod-Auth tampers is:
    An On Disk Tamper is like taking a glass of food coloring and pouring it on the ground (i.e. you modified the ground); even after you take the glass away, the food coloring is still there.
    An In Memory Tamper is like taking a glass of food coloring and pouring it into a stream (i.e. you modified the stream); once you take the glass away, the food coloring will disappear quite quickly.

     From the rest of your Diagnostic Report, I know that the type of Mod-Auth tamper you have is an 'In Memory Mod-Auth Tamper'. (Note: If the Mod-Auth had been an 'On Disk' type, there would have been a line under "File Scan Data-->" that showed which file had been modified or corrupt.)

     As you can see, for an In Memory Mod-Auth tamper to occur, there needs to be an incompatible program (or malware) that is running and actively modifying the system files in system memory. Windows Updates have been known to cause an On Disk Mod-Auth Tamper (if the update was interrupted during the install process) but it is very unusual for a Windows Update to cause an In Memory Mod-Auth Tamper. The reason it is unusual is that Windows Updates usually run once, they update a portion of Vista and that's it. The Update does not run again after that.

      I think the first thing we need to do is identify exactly what Update appears to be causing this issue. I suggest looking at the Windows Update interface and seeing what Updates are waiting to be installed. If there is more than one, install one at a time (with a reboot in between) until you see the issue. Once you see the issue, write down which update it was (full name including the KB number) and then restore to a point before you installed that specific update. Depending which update it is will dictate how we proceed from there.

    Thanks,
    Darin MS

     
    Attention All Forum Users: Please Do Not post your issue in someone else's Thread...Create your own. If any post fixes your issue, please vote the post as Helpful. This will help us showcase the threads that best help our customers.
    • Marked as answer by Stephen Holm Monday, May 11, 2009 6:18 PM
    Wednesday, May 6, 2009 9:34 PM
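
The triage rule described in the answer above (error code 0xc004d401, then an empty or non-empty "File Scan Data-->" section), as an added example that is not part of the original thread or of any Microsoft tool. The function names and both sample reports are constructed for illustration, and the code assumes any non-empty line under "File Scan Data-->" is a flagged-file entry, since the thread does not show that line's exact format.

```python
import re

MOD_AUTH_TAMPER = 0xC004D401  # error code named in the answer above

def parse_sections(report):
    """Split a diagnostic report into {section name: [non-empty lines]}."""
    sections, current = {"header": []}, "header"
    for raw in report.splitlines():
        line = raw.strip()
        m = re.match(r"^(.+?)-->$", line)   # e.g. "File Scan Data-->"
        if m:
            current = m.group(1).strip()
            sections[current] = []
        elif line:
            sections[current].append(line)
    return sections

def classify(report):
    """Return (verdict, flagged_lines) following the rule in the answer."""
    sections = parse_sections(report)
    codes = set()
    for line in sections.get("WGA Data", []) + sections.get("Licensing Data", []):
        for hexval in re.findall(r"0x[0-9a-fA-F]{8}", line):
            codes.add(int(hexval, 16))
    if MOD_AUTH_TAMPER not in codes:
        return ("no-mod-auth-tamper", [])
    flagged = sections.get("File Scan Data", [])
    # A file listed here means the on-disk copy was modified or corrupt;
    # an empty section points at something hooking the file in memory.
    return ("on-disk", flagged) if flagged else ("in-memory", [])

# Constructed sample, trimmed to the fields the rule reads.
SAMPLE_IN_MEMORY = r"""WGA Data-->
Validation Status: Invalid License
Online Validation Code: 0xc004d401

File Scan Data-->

Other data-->
Licensing Data-->
C:\Windows\system32\slmgr.vbs(1634, 5) (null): 0xC004D401
"""

# Same report with a constructed placeholder entry under File Scan Data.
SAMPLE_ON_DISK = SAMPLE_IN_MEMORY.replace(
    "File Scan Data-->\n",
    "File Scan Data-->\n<constructed entry: modified file>\n")

if __name__ == "__main__":
    print(classify(SAMPLE_IN_MEMORY))
    print(classify(SAMPLE_ON_DISK))
```

An "in-memory" verdict is a prompt to review what is loaded at runtime (security products, shell extensions, drivers) rather than to repair files on disk.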

All replies

  • Hi, thanks for your response. I don't really have time to try each update one by one as there are loads. So I'll probably just do a fresh install of Windows in a few weeks. It's very annoying though!! Thanks anyway.
    Tuesday, May 12, 2009 9:33 PM