locked
"Windows is Not Genuine" Error (But it shows it is!) (0x8004fe21) (Windows 7) RRS feed

  • Question

  • Hey, all.

    So, I'm troubleshooting an issue I'm seeing at a small office.  They had some pretty nasty malware on three of their machines.  It seemed to center around a bundled malware version of normally-legitimate-program they downloaded.

    I cleaned out the bad stuff, and ran a few third-party programs to remove the malware.  In doing so, it may have deleted some registry keys or something else contributing to this error.

    The three computers are all getting a "Not Genuine" windows error message with an error code of 0x8004fe21.

    I saw some other resolutions, but according to the threads, it depends on what is found in the mgadiag log.

    Thoughts?

    Here's the mgadiag text:

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 0x8004FE21
    Cached Online Validation Code: N/A, hr = 0xc004f012
    Windows Product Key: *****-*****-788W3-H689G-6P6GT
    Windows Product Key Hash: yr8OHoeXhbT4dc6MxGYjdAStSPY=
    Windows Product ID: 00371-OEM-8992671-00008
    Windows Product ID Type: 2
    Windows License Type: OEM SLP
    Windows OS version: 6.1.7601.2.00010100.1.0.048
    ID: {82FD5538-1B39-4ADC-B5DE-5293A7AC9B37}(1)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows 7 Professional
    Architecture: 0x00000009
    Build lab: 7601.win7sp1_gdr.140303-2144
    TTS Error: 
    Validation Diagnostic: 
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 100 Genuine
    Microsoft Office Enterprise 2007 - 100 Genuine
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005_E2AD56EA-765-b01a_E2AD56EA-766-0_E2AD56EA-148-80004005_16E0B333-89-80004005_B4D0AA8B-1029-80004005

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->
    File Mismatch: C:\Windows\system32\wat\watadminsvc.exe[7.1.7600.16395], Hr = 0x80092003

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{82FD5538-1B39-4ADC-B5DE-5293A7AC9B37}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-6P6GT</PKey><PID>00371-OEM-8992671-00008</PID><PIDType>2</PIDType><SID>S-1-5-21-94572575-1731517301-3624133147</SID><SYSTEM><Manufacturer>Hewlett-Packard</Manufacturer><Model>HP Compaq Pro 4300 SFF PC</Model></SYSTEM><BIOS><Manufacturer>AMI</Manufacturer><Version>8.11</Version><SMBIOSVersion major="2" minor="7"/><Date>20130308000000.000000+000</Date></BIOS><HWID>702A3B07018400FE</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Central Standard Time(GMT-06:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>HPQOEM</OEMID><OEMTableID>SLIC-CPC</OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{90120000-0030-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Enterprise 2007</Name><Ver>12</Ver><Val>8CB0E85BE12758C</Val><Hash>wBRScGfIELWcr+41OMvtT05w2hQ=</Hash><Pid>89388-710-2363842-65799</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="12" Result="100"/><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="19" Version="12" Result="100"/><App Id="1A" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/><App Id="44" Version="12" Result="100"/><App Id="A1" Version="12" Result="100"/><App Id="BA" Version="12" Result="100"/></Applications></Office></Software></GenuineResults>  

    Spsys.log Content: 0x80070002

    Licensing Data-->
    Software licensing service version: 6.1.7601.17514

    Name: Windows(R) 7, Professional edition
    Description: Windows Operating System - Windows(R) 7, OEM_SLP channel
    Activation ID: 50e329f7-a5fa-46b2-85fd-f224e5da7764
    Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
    Extended PID: 00371-00178-926-700008-02-1033-7601.0000-1642014
    Installation ID: 020453113780815665138515462646562465743004083341227236
    Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
    Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
    Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
    Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
    Partial Product Key: 6P6GT
    License Status: Licensed
    Remaining Windows rearm count: 0
    Trusted time: 06/20/2014 9:42:40 AM

    Windows Activation Technologies-->
    HrOffline: 0x8004FE21
    HrOnline: N/A
    HealthStatus: 0x0000000000000001
    Event Time Stamp: 6:19:2014 12:23
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Registered, Version: 7.1.7600.16395
    HealthStatus Bitmask Output:
    Tampered File: %systemroot%\system32\wat\watadminsvc.exe


    HWID Data-->
    HWID Hash Current: KgAAAAEAAQABAAEAAAABAAAAAQABAAEA6GFW/tJ+Dt/4rSybkr8cG5Zj

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes
    Windows marker version: 0x20001
    OEMID and OEMTableID Consistent: yes
    BIOS Information: 
      ACPI Table Name OEMID Value OEMTableID Value
      APIC HPQOEM SLIC-CPC
      FACP HPQOEM SLIC-CPC
      DBGP HPQOEM SLIC-CPC
      HPET HPQOEM SLIC-CPC
      MCFG HPQOEM SLIC-CPC
      FPDT HPQOEM SLIC-CPC
      ASF! INTEL HCG
      SLIC HPQOEM SLIC-CPC
      SSDT SataRe SataTabl
      SSDT SataRe SataTabl
      SSDT SataRe SataTabl
      SSDT SataRe SataTabl


    • Edited by RogueJD Friday, June 20, 2014 2:59 PM
    Friday, June 20, 2014 2:59 PM

Answers

  • It looks to me as if this computer shipped with Windows 8.x installed, rather than Windows 7

    If that's the case, then your easiest solution is to use the Recovery media to return to an ex-factory state (either for Win7 or Win8.x)

    Having said that, the most obvious error is this one...

    Tampered File: %systemroot%\system32\wat\watadminsvc.exe

    This can be caused by a number of things - but let's go for the simplest one first...

    Close all open windows.

    Open an Elevated Command Prompt window, and type the following command

    wusa /uninstall /kb:971033

    and hit the Enter key

    Accept the warnings/confirmations, and wait for it to complete

    copy and paste the output (if any) from the command prompt window to a reply here,

    Reboot

    reinstall the update from http://support.microsoft.com/kb/971033

    Reboot

    run another MGADiag report, and post it.


    Noel Paton | Nil Carborundum Illegitemi
    CrashFixPC | The Three-toed Sloth
    No - I do not work for Microsoft, or any of its contractors.

    Friday, June 20, 2014 7:42 PM
    Moderator

All replies

  • I've seen (and completed) the following steps, but it did not work:

    1) Click Start button.

    2) Type: CMD.exe into the ‘Search programs and files’ field
    3) Right-Click on CMD.exe and select Run as Administrator
    4) Type: net stop sppsvc (It may ask you if you are sure, select yes)
    Note: the Software Protection service may not be running, this is ok.
    5) Type: cd %windir%\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform
    6) Type: rename tokens.dat tokens.bar
    7) Type: cd %windir%\system32
    8) Type: net start sppsvc
    9) Type: slui.exe
    10) After a couple of seconds Windows Activation dialog will appear. You may be asked to re-activate and/or re-enter your product key or Activation may occur automatically.

    Friday, June 20, 2014 3:05 PM
  • It looks to me as if this computer shipped with Windows 8.x installed, rather than Windows 7

    If that's the case, then your easiest solution is to use the Recovery media to return to an ex-factory state (either for Win7 or Win8.x)

    Having said that, the most obvious error is this one...

    Tampered File: %systemroot%\system32\wat\watadminsvc.exe

    This can be caused by a number of things - but let's go for the simplest one first...

    Close all open windows.

    Open an Elevated Command Prompt window, and type the following command

    wusa /uninstall /kb:971033

    and hit the Enter key

    Accept the warnings/confirmations, and wait for it to complete

    copy and paste the output (if any) from the command prompt window to a reply here,

    Reboot

    reinstall the update from http://support.microsoft.com/kb/971033

    Reboot

    run another MGADiag report, and post it.


    Noel Paton | Nil Carborundum Illegitemi
    CrashFixPC | The Three-toed Sloth
    No - I do not work for Microsoft, or any of its contractors.

    Friday, June 20, 2014 7:42 PM
    Moderator
  • Thanks for the walkthrough, Noel.

    We purchase the computers from a large distributor.  We specifically request Windows 7 Pro instead of Windows 8 / 8.1, and we receive them from the manufacturer with 7 Pro.   They likely reformat with an OEM copy of 7 Pro.

    The command prompt for uninstalling did not produce any output.

    I'll post on whether or not this was a fix.  I'll have them keep an eye on the computer today, and post the results tomorrow.

    Thanks, Noel!

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 0
    Cached Online Validation Code: N/A, hr = 0xc004f012
    Windows Product Key: *****-*****-788W3-H689G-6P6GT
    Windows Product Key Hash: yr8OHoeXhbT4dc6MxGYjdAStSPY=
    Windows Product ID: 00371-OEM-8992671-00008
    Windows Product ID Type: 2
    Windows License Type: OEM SLP
    Windows OS version: 6.1.7601.2.00010100.1.0.048
    ID: {82FD5538-1B39-4ADC-B5DE-5293A7AC9B37}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows 7 Professional
    Architecture: 0x00000009
    Build lab: 7601.win7sp1_gdr.140303-2144
    TTS Error: 
    Validation Diagnostic: 
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 100 Genuine
    Microsoft Office Enterprise 2007 - 100 Genuine
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005_E2AD56EA-765-b01a_E2AD56EA-766-0_E2AD56EA-148-80004005_16E0B333-89-80004005_B4D0AA8B-1029-80004005

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{82FD5538-1B39-4ADC-B5DE-5293A7AC9B37}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-6P6GT</PKey><PID>00371-OEM-8992671-00008</PID><PIDType>2</PIDType><SID>S-1-5-21-94572575-1731517301-3624133147</SID><SYSTEM><Manufacturer>Hewlett-Packard</Manufacturer><Model>HP Compaq Pro 4300 SFF PC</Model></SYSTEM><BIOS><Manufacturer>AMI</Manufacturer><Version>8.11</Version><SMBIOSVersion major="2" minor="7"/><Date>20130308000000.000000+000</Date></BIOS><HWID>70F63907018400FE</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Central Standard Time(GMT-06:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>HPQOEM</OEMID><OEMTableID>SLIC-CPC</OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{90120000-0030-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Enterprise 2007</Name><Ver>12</Ver><Val>8CB0E85BE12758C</Val><Hash>wBRScGfIELWcr+41OMvtT05w2hQ=</Hash><Pid>89388-710-2363842-65799</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="12" Result="100"/><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="19" Version="12" Result="100"/><App Id="1A" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/><App Id="44" Version="12" Result="100"/><App Id="A1" Version="12" Result="100"/><App Id="BA" Version="12" Result="100"/></Applications></Office></Software></GenuineResults>  

    Spsys.log Content: 0x80070002

    Licensing Data-->
    Software licensing service version: 6.1.7601.17514

    Name: Windows(R) 7, Professional edition
    Description: Windows Operating System - Windows(R) 7, OEM_SLP channel
    Activation ID: 50e329f7-a5fa-46b2-85fd-f224e5da7764
    Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
    Extended PID: 00371-00178-926-700008-02-1033-7601.0000-1642014
    Installation ID: 020453113780815665138515462646562465743004083341227236
    Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
    Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
    Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
    Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
    Partial Product Key: 6P6GT
    License Status: Licensed
    Remaining Windows rearm count: 0
    Trusted time: 06/23/2014 9:18:36 AM

    Windows Activation Technologies-->
    HrOffline: 0x00000000
    HrOnline: 0x00000000
    HealthStatus: 0x0000000000000000
    Event Time Stamp: 6:19:2014 12:23
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Registered, Version: 7.1.7600.16395
    HealthStatus Bitmask Output:


    HWID Data-->
    HWID Hash Current: KgAAAAEAAQABAAEAAAABAAAAAQABAAEA6GFW/tJ+Dt/4rSybkr8cG5Zj

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes
    Windows marker version: 0x20001
    OEMID and OEMTableID Consistent: yes
    BIOS Information: 
      ACPI Table Name OEMID Value OEMTableID Value
      APIC HPQOEM SLIC-CPC
      FACP HPQOEM SLIC-CPC
      DBGP HPQOEM SLIC-CPC
      HPET HPQOEM SLIC-CPC
      MCFG HPQOEM SLIC-CPC
      FPDT HPQOEM SLIC-CPC
      ASF! INTEL HCG
      SLIC HPQOEM SLIC-CPC
      SSDT SataRe SataTabl
      SSDT SataRe SataTabl
      SSDT SataRe SataTabl
      SSDT SataRe SataTabl

    Monday, June 23, 2014 2:20 PM
  • The report says it's fixed, at least :)

    You should check validation at www.microsoft.com/genuine/validate  and see what it has to say now.


    Noel Paton | Nil Carborundum Illegitemi
    CrashFixPC | The Three-toed Sloth
    No - I do not work for Microsoft, or any of its contractors.


    Monday, June 23, 2014 4:31 PM
    Moderator
  • Confirmed fix!  No issues.  Thanks!
    Tuesday, June 24, 2014 9:00 PM
  • You're welcome  - good luck with them!

    Noel Paton | Nil Carborundum Illegitemi
    CrashFixPC | The Three-toed Sloth
    No - I do not work for Microsoft, or any of its contractors.

    Wednesday, June 25, 2014 8:35 PM
    Moderator