Answered by:
Windows Genuine Advantage pop-up continues despite activation; sfc /scannow reveals hash mismatch on slwga.dll

Question
-
Hello all,
My volume, domain-based license for Windows 7 Professional is supposed to activate automatically upon connection to the network and it usually does. However, I have a user whose laptop recently began issuing the WGA nag seemingly out of nowhere, despite the system menu indicating that Windows is activated. I have tried reactivating it manually both on my own and with MS tech support on the phone, with no change. I ran the MGAdiag tool and initially found a validation code 0x800fe21 error with no file scan reports, but a report of 'tampered file... slcext.dll | slcext.dll.mui' later on. I tried sfc /scannow, but it only reported 'corrupt files...could not fix some of them'. I then replaced the slcext.dll with the same dll from an install DVD, but the problem persisted and the diagnostic report did not change. Finally, I replaced as much of the WAT file hierarchy as I could find in System32 (sppobjs.dll, sppc.dll, sppcext.dll, sppwinob.dll, slc.dll, slcext.dll, sppuinotify.dll, slui.exe, sppcomapi.dll, sppcommdlg.dll, sppsvc.exe) with files from an installation DVD. This finally changed the MGAdiag report so that it is as follows:
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Code: 0
Cached Online Validation Code: 0x0
Windows Product Key: *****-*****-J8D7P-XQJJ2-GPDD4
Windows Product Key Hash: xgsndMkYdJsYmUng0qIJ/thx+HI=
Windows Product ID: 00371-868-0000007-85279
Windows Product ID Type: 1
Windows License Type: KMS Client
Windows OS version: 6.1.7600.2.00010100.0.0.048
ID: {0055D73C-7B1C-4A30-973E-FF3E4F11ED7B}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Professional
Architecture: 0x00000009
Build lab: 7600.win7_gdr.100618-1621
TTS Error:
Validation Diagnostic:
Resolution Status: N/A
Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002
OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002
OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3
Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed
File Scan Data-->
Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{0055D73C-7B1C-4A30-973E-FF3E4F11ED7B}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7600.2.00010100.0.0.048</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-GPDD4</PKey><PID>00371-868-0000007-85279</PID><PIDType>1</PIDType><SID>S-1-5-21-4258130026-898627856-1927301690</SID><SYSTEM><Manufacturer>Hewlett-Packard</Manufacturer><Model>HP EliteBook 8540p</Model></SYSTEM><BIOS><Manufacturer>Hewlett-Packard</Manufacturer><Version>68CVD Ver. F.0A</Version><SMBIOSVersion major="2" minor="6"/><Date>20100622000000.000000+000</Date></BIOS><HWID>7CB83607018400FC</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>1</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>HPQOEM</OEMID><OEMTableID>SLIC-MPC</OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>
Spsys.log Content: 0x80070002
Licensing Data-->
Software licensing service version: 6.1.7600.16385
Name: Windows(R) 7, Professional edition
Description: Windows Operating System - Windows(R) 7, VOLUME_KMSCLIENT channel
Activation ID: b92e9980-b9d5-4821-9c94-140f632f6312
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 00371-00170-868-000000-03-1033-7600.0000-0892011
Installation ID: 016366928894357251275883924576040275932131858374162173
Partial Product Key: GPDD4
License Status: Licensed
Volume activation expiration: 259200 minute(s) (180 day(s))
Remaining Windows rearm count: 1
Trusted time: 3/30/2011 5:07:58 PM
Key Management Service client information
Client Machine ID (CMID): 02dc6a2f-b6dc-40a8-a843-d3cab84a06bc
KMS machine name from DNS: sauspatch.labs.att.com:1688
KMS machine extended PID: 55041-00168-313-224255-03-1033-7600.0000-3142009
Activation interval: 120 minutes
Renewal interval: 10080 minutes
KMS host caching is enabled
Windows Activation Technologies-->
HrOffline: 0x00000000
HrOnline: 0x00000000
HealthStatus: 0x0000000000000000
Event Time Stamp: 3:25:2011 08:31
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Not Registered - 0x80070005
HealthStatus Bitmask Output:
HWID Data-->
HWID Hash Current: NAAAAAEABAABAAEAAAACAAAAAgABAAEA6GFAcc4Pmr348CL8RG26Q7yGyizUAU7nwg1cXQ==
OEM Activation 1.0 Data-->
N/A
OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x20001
OEMID and OEMTableID Consistent: yes
BIOS Information:
ACPI Table Name OEMID Value OEMTableID Value
APIC HPQOEM 1521
FACP HPQOEM 1521
HPET HPQOEM 1521
MCFG HPQOEM 1521
TCPA HPQOEM 1521
SSDT HPQOEM SataAhci
SSDT HPQOEM SataAhci
SLIC HPQOEM SLIC-MPC
SSDT HPQOEM SataAhci
SSDT HPQOEM SataAhci
SSDT HPQOEM SataAhci
SSDT HPQOEM SataAhci
ASF! HPQOEM 1521
As you can see, it is still not quite genuine for some reason... I tried sfc /scannow again and found that a different file was upsetting Windows. From the CBS log:
2011-03-30 17:26:59, Info CSI 000002e1 [SR] Verify complete
2011-03-30 17:26:59, Info CSI 000002e2 [SR] Verifying 80 (0x0000000000000050) components
2011-03-30 17:26:59, Info CSI 000002e3 [SR] Beginning Verify and Repair transaction
2011-03-30 17:27:02, Info CSI 000002e4 Repair results created:
POQ 121 starts:
POQ 121 ends.
2011-03-30 17:27:02, Info CSI 000002e5 [SR] Verify complete
2011-03-30 17:27:02, Info CSI 000002e6 [SR] Repairing 1 components
2011-03-30 17:27:02, Info CSI 000002e7 [SR] Beginning Verify and Repair transaction
2011-03-30 17:27:02, Info CSI 000002e8 Hashes for file member \SystemRoot\WinSxS\amd64_microsoft-windows-security-spp-wga_31bf3856ad364e35_6.1.7600.16385_none_5b467ba9bd0679bb\slwga.dll do not match actual file [l:18{9}]"slwga.dll" :
Found: {l:32 b:TbvuElzomT1l9AmstyZ6sapEsyBVwLkK2djkv/jUxI0=} Expected: {l:32 b:tA0Qz/3NPjGqCgnuGHJFrqI37BjJCy4RlMd/Gm1roU0=}
2011-03-30 17:27:02, Info CSI 000002e9 [SR] Cannot repair member file [l:18{9}]"slwga.dll" of Microsoft-Windows-Security-SPP-WGA, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2011-03-30 17:27:02, Info CSI 000002ea Hashes for file member \SystemRoot\WinSxS\amd64_microsoft-windows-security-spp-wga_31bf3856ad364e35_6.1.7600.16385_none_5b467ba9bd0679bb\slwga.dll do not match actual file [l:18{9}]"slwga.dll" :
Found: {l:32 b:TbvuElzomT1l9AmstyZ6sapEsyBVwLkK2djkv/jUxI0=} Expected: {l:32 b:tA0Qz/3NPjGqCgnuGHJFrqI37BjJCy4RlMd/Gm1roU0=}
2011-03-30 17:27:02, Info CSI 000002eb [SR] Cannot repair member file [l:18{9}]"slwga.dll" of Microsoft-Windows-Security-SPP-WGA, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2011-03-30 17:27:02, Info CSI 000002ec [SR] This component was referenced by [l:202{101}]"Microsoft-Windows-Foundation-Package~31bf3856ad364e35~amd64~~6.1.7600.16385.WindowsFoundationDelivery"
2011-03-30 17:27:02, Info CSI 000002ed Repair results created:
POQ 122 starts:
POQ 122 ends.So there is a hash mismatch on slwga.dll which is angering Windows... I tried replacing slwga.dll again, but the diag report and cbs log results stayed exactly the same. What can be done about a hash mismatch? I'm afraid the WGA notification is going to continue vexing and eventually crippling my user, and (worse) lots of Windows Update downloads are failing with 'unknown error' code 8e5e03fb, which I expect is due to Windows believing it is not quite genuine. What can I do from here? I've heard that Service Pack 1 might help, but I am loath to install it blindly when the problem seems so close to resolution...
Thanks,
CCJ
Thursday, March 31, 2011 3:19 PM
Answers
-
Yes, I'd seen that thread before but I didn't have time to try much of what it suggested... user had backups of his files and needed the machine back ASAP, so I just re-imaged the laptop. Bit of a shame really; I would have liked to have figured out a reliable fix for this issue just in case it ever comes up again. Anyway, thanks for the advice.
- Marked as answer by Darin Smith MS Friday, April 1, 2011 7:38 PM
Friday, April 1, 2011 2:11 PM
All replies
-
"CresCoJeff" wrote in message news:58073842-2190-427f-bd94-fba311e2a683...
Hello all,
My volume, domain-based license for Windows 7 Professional is supposed to activate automatically upon connection to the network and it usually does. However, I have a user whose laptop recently began issuing the WGA nag seemingly out of nowhere, despite the system menu indicating that Windows is activated. I have tried reactivating it manually both on my own and with MS tech support on the phone, with no change. I ran the MGAdiag tool and initially found a validation code 0x800fe21 error with no file scan reports, but a report of 'tampered file... slcext.dll | slcext.dll.mui' later on. I tried sfc /scannow, but it only reported 'corrupt files...could not fix some of them'. I then replaced the slcext.dll with the same dll from an install DVD, but the problem persisted and the diagnostic report did not change. Finally, I replaced as much of the WAT file hierarchy as I could find in System32 (sppobjs.dll, sppc.dll, sppcext.dll, sppwinob.dll, slc.dll, slcext.dll, sppuinotify.dll, slui.exe, sppcomapi.dll, sppcommdlg.dll, sppsvc.exe) with files from an installation DVD. This finally changed the MGAdiag report so that it is as follows:
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Code: 0
Cached Online Validation Code: 0x0
Windows Product Key: *****-*****-J8D7P-XQJJ2-GPDD4
Windows Product Key Hash: xgsndMkYdJsYmUng0qIJ/thx+HI=
Windows Product ID: 00371-868-0000007-85279
Windows Product ID Type: 1
Windows License Type: KMS Client
Windows OS version: 6.1.7600.2.00010100.0.0.048
So there is a hash mismatch on slwga.dll which is angering Windows... I tried replacing slwga.dll again, but the diag report and cbs log results stayed exactly the same. What can be done about a hash mismatch? I'm afraid the WGA notification is going to continue vexing and eventually crippling my user, and (worse) lots of Windows Update downloads are failing with 'unknown error' code 8e5e03fb, which I expect is due to Windows believing it is not quite genuine. What can I do from here? I've heard that Service Pack 1 might help, but I am loath to install it blindly when the problem seems so close to resolution...
Thanks,
CCJ
Try uninstalling and reinstalling the WAT Update - KB971033With any luck that should repair the error
--
Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed SlothThursday, March 31, 2011 3:59 PMModerator -
Well I uninstalled KB971033 and grabbed the download version from http://support.microsoft.com/kb/971033, but the re-installation fails with error code 8e5e03fb...Thursday, March 31, 2011 5:22 PM
-
"CresCoJeff" wrote in message news:a36f5601-7101-4c1c-b7e8-75cf0d16215b...Well I uninstalled KB971033 and grabbed the download version from http://support.microsoft.com/kb/971033, but the re-installation fails with error code 8e5e03fb...
See the advice in this threadwhich may help.
--
Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed SlothFriday, April 1, 2011 2:59 AMModerator -
Yes, I'd seen that thread before but I didn't have time to try much of what it suggested... user had backups of his files and needed the machine back ASAP, so I just re-imaged the laptop. Bit of a shame really; I would have liked to have figured out a reliable fix for this issue just in case it ever comes up again. Anyway, thanks for the advice.
- Marked as answer by Darin Smith MS Friday, April 1, 2011 7:38 PM
Friday, April 1, 2011 2:11 PM -
"CresCoJeff" wrote in message news:9908d47c-64c6-448d-bafb-9b5c64fb3106...Yes, I'd seen that thread before but I didn't have time to try much of what it suggested... user had backups of his files and needed the machine back ASAP, so I just re-imaged the laptop. Bit of a shame really; I would have liked to have figured out a reliable fix for this issue just in case it ever comes up again. Anyway, thanks for the advice.
I know that problem all too well - you find an 'interesting' fault, and want to chase it down, but the client needs the machine back in hours rather than days, so you have to take the 'easy' route out.Frustrating, to say the least!
--
Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed SlothFriday, April 1, 2011 6:46 PMModerator