Windows Genuine Advantage pop-up continues despite activation; sfc /scannow reveals hash mismatch on slwga.dll

  • Question

  • Hello all,

    My volume, domain-based license for Windows 7 Professional is supposed to activate automatically upon connection to the network and it usually does.  However, I have a user whose laptop recently began issuing the WGA nag seemingly out of nowhere, despite the system menu indicating that Windows is activated.  I have tried reactivating it manually both on my own and with MS tech support on the phone, with no change.  I ran the MGAdiag tool and initially found a validation code 0x800fe21 error with no file scan reports, but a report of 'tampered file... slcext.dll | slcext.dll.mui' later on.  I tried sfc /scannow, but it only reported 'corrupt files...could not fix some of them'.  I then replaced the slcext.dll with the same dll from an install DVD, but the problem persisted and the diagnostic report did not change.  Finally, I replaced as much of the WAT file hierarchy as I could find in System32 (sppobjs.dll, sppc.dll, sppcext.dll, sppwinob.dll, slc.dll, slcext.dll, sppuinotify.dll, slui.exe, sppcomapi.dll, sppcommdlg.dll, sppsvc.exe)   with files from an installation DVD.  This finally changed the MGAdiag report so that it is as follows:

     

    Diagnostic Report (1.9.0027.0):

    -----------------------------------------

    Windows Validation Data-->

     

    Validation Code: 0

    Cached Online Validation Code: 0x0

    Windows Product Key: *****-*****-J8D7P-XQJJ2-GPDD4

    Windows Product Key Hash: xgsndMkYdJsYmUng0qIJ/thx+HI=

    Windows Product ID: 00371-868-0000007-85279

    Windows Product ID Type: 1

    Windows License Type: KMS Client

    Windows OS version: 6.1.7600.2.00010100.0.0.048

    ID: {0055D73C-7B1C-4A30-973E-FF3E4F11ED7B}(3)

    Is Admin: Yes

    TestCab: 0x0

    LegitcheckControl ActiveX: N/A, hr = 0x80070002

    Signed By: N/A, hr = 0x80070002

    Product Name: Windows 7 Professional

    Architecture: 0x00000009

    Build lab: 7600.win7_gdr.100618-1621

    TTS Error:

    Validation Diagnostic:

    Resolution Status: N/A

     

    Vista WgaER Data-->

    ThreatID(s): N/A, hr = 0x80070002

    Version: N/A, hr = 0x80070002

     

    Windows XP Notifications Data-->

    Cached Result: N/A, hr = 0x80070002

    File Exists: No

    Version: N/A, hr = 0x80070002

    WgaTray.exe Signed By: N/A, hr = 0x80070002

    WgaLogon.dll Signed By: N/A, hr = 0x80070002

     

    OGA Notifications Data-->

    Cached Result: N/A, hr = 0x80070002

    Version: N/A, hr = 0x80070002

    OGAExec.exe Signed By: N/A, hr = 0x80070002

    OGAAddin.dll Signed By: N/A, hr = 0x80070002

     

    OGA Data-->

    Office Status: 109 N/A

    OGA Version: N/A, 0x80070002

    Signed By: N/A, hr = 0x80070002

    Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

     

    Browser Data-->

    Proxy settings: N/A

    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)

    Default Browser: C:\Program Files (x86)\Internet Explorer\iexplore.exe

    Download signed ActiveX controls: Prompt

    Download unsigned ActiveX controls: Disabled

    Run ActiveX controls and plug-ins: Allowed

    Initialize and script ActiveX controls not marked as safe: Disabled

    Allow scripting of Internet Explorer Webbrowser control: Disabled

    Active scripting: Allowed

    Script ActiveX controls marked as safe for scripting: Allowed

     

    File Scan Data-->

     

    Other data-->

    Office Details: <GenuineResults><MachineData><UGUID>{0055D73C-7B1C-4A30-973E-FF3E4F11ED7B}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7600.2.00010100.0.0.048</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-GPDD4</PKey><PID>00371-868-0000007-85279</PID><PIDType>1</PIDType><SID>S-1-5-21-4258130026-898627856-1927301690</SID><SYSTEM><Manufacturer>Hewlett-Packard</Manufacturer><Model>HP EliteBook 8540p</Model></SYSTEM><BIOS><Manufacturer>Hewlett-Packard</Manufacturer><Version>68CVD Ver. F.0A</Version><SMBIOSVersion major="2" minor="6"/><Date>20100622000000.000000+000</Date></BIOS><HWID>7CB83607018400FC</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>1</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>HPQOEM</OEMID><OEMTableID>SLIC-MPC</OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults> 

     

    Spsys.log Content: 0x80070002

     

    Licensing Data-->

    Software licensing service version: 6.1.7600.16385

     

    Name: Windows(R) 7, Professional edition

    Description: Windows Operating System - Windows(R) 7, VOLUME_KMSCLIENT channel

    Activation ID: b92e9980-b9d5-4821-9c94-140f632f6312

    Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f

    Extended PID: 00371-00170-868-000000-03-1033-7600.0000-0892011

    Installation ID: 016366928894357251275883924576040275932131858374162173

    Partial Product Key: GPDD4

    License Status: Licensed

    Volume activation expiration: 259200 minute(s) (180 day(s))

    Remaining Windows rearm count: 1

    Trusted time: 3/30/2011 5:07:58 PM

     

    Key Management Service client information

        Client Machine ID (CMID): 02dc6a2f-b6dc-40a8-a843-d3cab84a06bc

        KMS machine name from DNS: sauspatch.labs.att.com:1688

        KMS machine extended PID: 55041-00168-313-224255-03-1033-7600.0000-3142009

        Activation interval: 120 minutes

        Renewal interval: 10080 minutes

        KMS host caching is enabled

     

    Windows Activation Technologies-->

    HrOffline: 0x00000000

    HrOnline: 0x00000000

    HealthStatus: 0x0000000000000000

    Event Time Stamp: 3:25:2011 08:31

    ActiveX: Registered, Version: 7.1.7600.16395

    Admin Service: Not Registered - 0x80070005

    HealthStatus Bitmask Output:

     

     

    HWID Data-->

    HWID Hash Current: NAAAAAEABAABAAEAAAACAAAAAgABAAEA6GFAcc4Pmr348CL8RG26Q7yGyizUAU7nwg1cXQ==

     

    OEM Activation 1.0 Data-->

    N/A

     

    OEM Activation 2.0 Data-->

    BIOS valid for OA 2.0: yes

    Windows marker version: 0x20001

    OEMID and OEMTableID Consistent: yes

    BIOS Information:

      ACPI Table Name   OEMID Value   OEMTableID Value
      APIC              HPQOEM        1521
      FACP              HPQOEM        1521
      HPET              HPQOEM        1521
      MCFG              HPQOEM        1521
      TCPA              HPQOEM        1521
      SSDT              HPQOEM        SataAhci
      SSDT              HPQOEM        SataAhci
      SLIC              HPQOEM        SLIC-MPC
      SSDT              HPQOEM        SataAhci
      SSDT              HPQOEM        SataAhci
      SSDT              HPQOEM        SataAhci
      SSDT              HPQOEM        SataAhci
      ASF!              HPQOEM        1521

     

    As you can see, it is still not quite genuine for some reason... I tried sfc /scannow again and found that a different file was upsetting Windows.  From the CBS log:

    2011-03-30 17:26:59, Info                  CSI    000002e1 [SR] Verify complete
    2011-03-30 17:26:59, Info                  CSI    000002e2 [SR] Verifying 80 (0x0000000000000050) components
    2011-03-30 17:26:59, Info                  CSI    000002e3 [SR] Beginning Verify and Repair transaction
    2011-03-30 17:27:02, Info                  CSI    000002e4 Repair results created:
    POQ 121 starts:
     
    POQ 121 ends.
    2011-03-30 17:27:02, Info                  CSI    000002e5 [SR] Verify complete
    2011-03-30 17:27:02, Info                  CSI    000002e6 [SR] Repairing 1 components
    2011-03-30 17:27:02, Info                  CSI    000002e7 [SR] Beginning Verify and Repair transaction
    2011-03-30 17:27:02, Info                  CSI    000002e8 Hashes for file member \SystemRoot\WinSxS\amd64_microsoft-windows-security-spp-wga_31bf3856ad364e35_6.1.7600.16385_none_5b467ba9bd0679bb\slwga.dll do not match actual file [l:18{9}]"slwga.dll" :
      Found: {l:32 b:TbvuElzomT1l9AmstyZ6sapEsyBVwLkK2djkv/jUxI0=} Expected: {l:32 b:tA0Qz/3NPjGqCgnuGHJFrqI37BjJCy4RlMd/Gm1roU0=}
    2011-03-30 17:27:02, Info                  CSI    000002e9 [SR] Cannot repair member file [l:18{9}]"slwga.dll" of Microsoft-Windows-Security-SPP-WGA, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
    2011-03-30 17:27:02, Info                  CSI    000002ea Hashes for file member \SystemRoot\WinSxS\amd64_microsoft-windows-security-spp-wga_31bf3856ad364e35_6.1.7600.16385_none_5b467ba9bd0679bb\slwga.dll do not match actual file [l:18{9}]"slwga.dll" :
      Found: {l:32 b:TbvuElzomT1l9AmstyZ6sapEsyBVwLkK2djkv/jUxI0=} Expected: {l:32 b:tA0Qz/3NPjGqCgnuGHJFrqI37BjJCy4RlMd/Gm1roU0=}
    2011-03-30 17:27:02, Info                  CSI    000002eb [SR] Cannot repair member file [l:18{9}]"slwga.dll" of Microsoft-Windows-Security-SPP-WGA, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
    2011-03-30 17:27:02, Info                  CSI    000002ec [SR] This component was referenced by [l:202{101}]"Microsoft-Windows-Foundation-Package~31bf3856ad364e35~amd64~~6.1.7600.16385.WindowsFoundationDelivery"
    2011-03-30 17:27:02, Info                  CSI    000002ed Repair results created:
    POQ 122 starts:
     
    POQ 122 ends.

     

    So there is a hash mismatch on slwga.dll which is angering Windows... I tried replacing slwga.dll again, but the diag report and cbs log results stayed exactly the same.  What can be done about a hash mismatch?  I'm afraid the WGA notification is going to continue vexing and eventually crippling my user, and (worse) lots of Windows Update downloads are failing with 'unknown error' code 8e5e03fb, which I expect is due to Windows believing it is not quite genuine.  What can I do from here?  I've heard that Service Pack 1 might help, but I am loath to install it blindly when the problem seems so close to resolution...

     

    Thanks,

    CCJ

    Thursday, March 31, 2011 3:19 PM
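
An added example, not part of the original post: Python that pulls the hash-mismatch entries out of CBS.log text and checks whether a candidate replacement file's digest equals the logged Expected value before it is copied in. It assumes the `l:32` values are base64-encoded SHA-256 digests; the function names are hypothetical and the sample is constructed from the log lines quoted in the post.

```python
import base64
import hashlib
import re

# Constructed sample: the two mismatch entries from the CBS.log excerpt in the post.
# Assumption: "l:32 b:<base64>" is a 32-byte SHA-256 digest of the file.
SAMPLE_CBS = r'''2011-03-30 17:27:02, Info                  CSI    000002e8 Hashes for file member \SystemRoot\WinSxS\amd64_microsoft-windows-security-spp-wga_31bf3856ad364e35_6.1.7600.16385_none_5b467ba9bd0679bb\slwga.dll do not match actual file [l:18{9}]"slwga.dll" :
  Found: {l:32 b:TbvuElzomT1l9AmstyZ6sapEsyBVwLkK2djkv/jUxI0=} Expected: {l:32 b:tA0Qz/3NPjGqCgnuGHJFrqI37BjJCy4RlMd/Gm1roU0=}
2011-03-30 17:27:02, Info                  CSI    000002ea Hashes for file member \SystemRoot\WinSxS\amd64_microsoft-windows-security-spp-wga_31bf3856ad364e35_6.1.7600.16385_none_5b467ba9bd0679bb\slwga.dll do not match actual file [l:18{9}]"slwga.dll" :
  Found: {l:32 b:TbvuElzomT1l9AmstyZ6sapEsyBVwLkK2djkv/jUxI0=} Expected: {l:32 b:tA0Qz/3NPjGqCgnuGHJFrqI37BjJCy4RlMd/Gm1roU0=}
'''

MEMBER_RE = re.compile(r"Hashes for file member (.+?) do not match actual file")
HASH_RE = re.compile(r"Found: \{l:(\d+) b:([A-Za-z0-9+/=]+)\} "
                     r"Expected: \{l:(\d+) b:([A-Za-z0-9+/=]+)\}")

def parse_mismatches(log_text):
    """Return one record per distinct (path, found, expected) mismatch."""
    seen, records, pending = set(), [], None
    for line in log_text.splitlines():
        m = MEMBER_RE.search(line)
        if m:
            pending = m.group(1)  # the Found/Expected pair is on the next line
            continue
        h = HASH_RE.search(line)
        if h and pending:
            # The l:NN prefix is the digest length in bytes; skip entries
            # whose base64 payload does not decode to that length.
            sizes_ok = all(len(base64.b64decode(b)) == int(n)
                           for n, b in ((h[1], h[2]), (h[3], h[4])))
            key = (pending, h[2], h[4])
            if sizes_ok and key not in seen:  # SFC logs each failure more than once
                seen.add(key)
                records.append(dict(zip(("path", "found", "expected"), key)))
            pending = None
    return records

def classify_candidate(record, data):
    """Compare a replacement file's SHA-256 with the digests CBS logged."""
    digest = base64.b64encode(hashlib.sha256(data).digest()).decode()
    for label in ("expected", "found"):
        if digest == record[label]:
            return "matches-" + label
    return "matches-neither"

if __name__ == "__main__":
    for rec in parse_mismatches(SAMPLE_CBS):
        print(rec["path"], base64.b64decode(rec["expected"]).hex())
```

The logged path is the component store copy under `\SystemRoot\WinSxS`, so a candidate that comes back as `matches-found` or `matches-neither` would not be expected to clear the mismatch.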

Answers

  • Yes, I'd seen that thread before but I didn't have time to try much of what it suggested... user had backups of his files and needed the machine back ASAP, so I just re-imaged the laptop.  Bit of a shame really; I would have liked to have figured out a reliable fix for this issue just in case it ever comes up again.  Anyway, thanks for the advice.
    Friday, April 1, 2011 2:11 PM

All replies

  • Try uninstalling and reinstalling the WAT Update - KB971033
    With any luck that should repair the error

    --


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Thursday, March 31, 2011 3:59 PM
    Moderator
  • Well I uninstalled KB971033 and grabbed the download version from http://support.microsoft.com/kb/971033, but the re-installation fails with error code 8e5e03fb...
    Thursday, March 31, 2011 5:22 PM
  • "CresCoJeff" wrote in message news:a36f5601-7101-4c1c-b7e8-75cf0d16215b...
    Well I uninstalled KB971033 and grabbed the download version from http://support.microsoft.com/kb/971033, but the re-installation fails with error code 8e5e03fb...

    See the advice in this thread
    which may help.
     

    --


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Friday, April 1, 2011 2:59 AM
    Moderator
  • Yes, I'd seen that thread before but I didn't have time to try much of what it suggested... user had backups of his files and needed the machine back ASAP, so I just re-imaged the laptop.  Bit of a shame really; I would have liked to have figured out a reliable fix for this issue just in case it ever comes up again.  Anyway, thanks for the advice.
    Friday, April 1, 2011 2:11 PM
  • "CresCoJeff" wrote in message news:9908d47c-64c6-448d-bafb-9b5c64fb3106...
    Yes, I'd seen that thread before but I didn't have time to try much of what it suggested... user had backups of his files and needed the machine back ASAP, so I just re-imaged the laptop.  Bit of a shame really; I would have liked to have figured out a reliable fix for this issue just in case it ever comes up again.  Anyway, thanks for the advice.

    I know that problem all too well - you find an 'interesting' fault,  and want to chase it down, but the client needs the machine back in hours rather than days, so you have to take the 'easy' route out.
    Frustrating, to say the least!

    --


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Friday, April 1, 2011 6:46 PM
    Moderator