An unauthorized change was made to Windows Vista.

  • Question

  • Hi, 

    For a few days now, I've been getting the "An unauthorized change was made to Windows Vista" error. It pops up in two different ways:

    When I start Windows and log in, the message comes up. I can't do anything but click OK, after which it logs me back out again.

    I have to run a last known good configuration to get back to a working OS.

    The other time it happens is when I run MGADiag.exe; the same message pops up: "An unauthorized change was made to Windows Vista. The security processor reported a system file mismatch error." The error code is 0xC004D401.

    Is there any way of finding out which system file it's talking about?

    Event log since yesterday is full of entries like these:

    Genuine state set to genuine for application Id 55c92734-d682-4d71-983e-d6ec3f16059f

    Successfully acquired genuine ticket for template Id 55c92734-d682-4d71-983e-d6ec3f16059f

    Proxy Execution Key has failed to load. hr=0xC004D401
    Proxy Execution Policy=Shell-InBoxGames-Solitaire-EnableGame

    The system has been tampered. hr=0xC004D401

    The Security log shows entries like these:

    "Code integrity determined that the image hash of a file is not valid.  The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

    File Name:    \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.18000_none_b31e1252666640f6\tcpip.sys"

    Can it be that my tcpip.sys has gone corrupt in some way? It's strange, though, because if that file were not working as intended, I doubt I'd be able to make this post right now...

    I've looked in perfmon at all programs installed since last week and uninstalled every single one, to no avail.

    I've checked the list of incompatible software as well, no matches there.

    Here's the output from the WGA tool. A fun fact is that the TTS date changes every time I do the restore-last-known-good-config thing, so I'm not sure how reliable it is. Also, sometimes it shows up like right now, as Genuine, but just as often it comes up with an invalid license.


    Diagnostic Report (1.7.0110.1):
    -----------------------------------------
    WGA Data-->
    Validation Status: Genuine
    Validation Code: 0
    Online Validation Code: 0x0
    Cached Validation Code: 0x0
    Windows Product Key: *****-*****-9DKYC-FDG3K-3FTT3
    Windows Product Key Hash: XeT0Hs4RDHnT4Fcw8fLQa4H0LQU=
    Windows Product ID: 89578-OEM-7332157-00166
    Windows Product ID Type: 2
    Windows License Type: OEM SLP
    Windows OS version: 6.0.6001.2.00010300.1.0.003
    ID: {85CAB06A-2D39-43BF-B271-B65874AB5817}(3)
    Is Admin: Yes
    TestCab: 0x0
    WGA Version: Registered, 1.9.9.0
    Signed By: Microsoft
    Product Name: Windows Vista (TM) Home Premium
    Architecture: 0x00000000
    Build lab: 6001.vistasp1_gdr.080917-1612
    TTS Error: M:20090124165728139-
    Validation Diagnostic:
    Resolution Status: N/A

    WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: 6.0.6002.16398

    WGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    WGATray.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 109 N/A
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: B4D0AA8B-709-645_B4D0AA8B-709-645_025D1FF3-282-80041010_025D1FF3-170-80041010_025D1FF3-171-1_025D1FF3-434-80040154_025D1FF3-178-80040154_025D1FF3-179-2_025D1FF3-185-80070002_025D1FF3-199-3_FA827CE6-153-8007007e_FA827CE6-180-8007007e

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Win32)
    Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{85CAB06A-2D39-43BF-B271-B65874AB5817}</UGUID><Version>1.7.0110.1</Version><OS>6.0.6001.2.00010300.1.0.003</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-3FTT3</PKey><PID>89578-OEM-7332157-00166</PID><PIDType>2</PIDType><SID>S-1-5-21-3207594275-1031403138-55569583</SID><SYSTEM><Manufacturer>LG Electronics</Manufacturer><Model>P300-T.APE4V</Model></SYSTEM><BIOS><Manufacturer>Phoenix Technologies LTD</Manufacturer><Version>ELGNSF18</Version><SMBIOSVersion major="2" minor="4"/><Date>20080630000000.000000+000</Date></BIOS><HWID>6C333507018400F8</HWID><UserLCID>041D</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Romance Standard Time(GMT+01:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>LGE   </OEMID><OEMTableID>LGPC    </OEMTableID></OEM><BRT/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>  

    Spsys.log Content: U1BMRwEAAAAAAQAABAAAAFcGAAAAAAAAYWECAARAn5oIbs3ER33JARhy9171jCizkdIEkQaJZ66N9dlHoBKWqskjyAkXIQaEUnUjCE5zBBomcjKb2lHWzhQjdPDwDinTfkQXASERseEr99ePCX5pbu+XyZg1y2cmk/oA/SfEX6ot/bnNmgLA1vu1UvB7bxiIfUEtgIRGphkOSa+EGUYcOX5/UvkAHnVxZcgJE7vAy9kku8TlF45JWpsbJiscvAYWgzyFZ0z79y2BX7mQ2Q7393z5XQ50VXv9mhrKhq4UIi+PwtGQfjOGIjOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwYcvde9Ywos5HSBJEGiWeumPwEwvUkJJecJtGldWc8SFejOX9O3Jt6ZFRvW+MuYocUI3Tw8A4p035EFwEhEbHh/2FguIt/sJgd1asEGYs6d5P6AP0nxF+qLf25zZoCwNb7tVLwe28YiH1BLYCERqYZDkmvhBlGHDl+f1L5AB51cWXICRO7wMvZJLvE5ReOSVqbGyYrHLwGFoM8hWdM+/ctgV+5kNkO9/d8+V0OdFV7/ZoayoauFCIvj8LRkH4zhiIzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMGHL3XvWMKLOR0gSRBolnrpjCy6hXW44uXdSUApXBJXj//m6nn8HJRZ7c5xEuxmpjUXQf06H6EkTDtcpIBKFFt3qbBTfA9ikeAoDV2eCPKmjWaOSPNeFyr3ibjxx4moY4+7VS8HtvGIh9QS2AhEamGQ5Jr4QZRhw5fn9S+QAedXFlyAkTu8DL2SS7xOUXjklamxsmKxy8BhaDPIVnTPv3LQ4qbncHDzruEc0Tjda9mpQjRF/UyoDcPmxZ8TDtZ41/M5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDBhy9171jCizkdIEkQaJZ67Nrgkg2np0mUBOKMoRGas8YvD7MZ46sA5WN2z22Su6yxQjdPDwDinTfkQXASERseFkeS/XzrJ+PL6UVz6Mnf44k/oA/SfEX6ot/bnNmgLA1vu1UvB7bxiIfUEtgIRGphkOSa+EGUYcOX5/UvkAHnVxZcgJE7vAy9kku8TlF45JWpsbJiscvAYWgzyFZ0z79y2BX7mQ2Q7393z5XQ50VXv9mhrKhq4UIi+PwtGQfjOGIjOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwYcvde9Ywos5HSBJEGiWeuAzuz9WUmWYiVlPtsviGaznXrg4VxbBelvJ3PRVxLX2A8ZiIZ8SUultqIbAs2na9CX1vjLGXWD9RCaGS1cCMgSQbVOs8s97/WdjKyB2vcd1t3DT+mCSUc2d7Bj2THWrgqVoAPcagik9qcs1OIpJlV3FB8YXH9/GpCVo60xZnYqNxuDG7GXSRQZeiA/Gej4MzhN6aSh4VagsJL2g8wUu0UX/NNfofjLExZEZSdmQI0QIgzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMGHL3XvWMKLOR0gSRBolnrmFzC1CQsZgWACsLQ+0qec3OSxdVP2iLq/CqATuf8nB+FCN08PAOKdN+RBcBIRGx4WwYI0uGjdjUpwBLMsA50jaT+gD9J8Rfqi39uc2aAsDW+7VS8HtvGIh9QS2AhEamGQ5Jr4QZRhw5fn9S+QAedXFlyAkTu8DL2SS7xOUXjklamxsmKxy8BhaDPIVnTPv3LYFfu
ZDZDvf3fPldDnRVe/2aGsqGrhQiL4/C0ZB+M4YiM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDBhy9171jCizkdIEkQaJZ64B3pvaWLRLyXCY+Hvjq900YH4sY62HngLMrjBX9sul5zxmIhnxJS6W2ohsCzadr0J1GoFgCicUbwnFrmSOJsV1BtU6zyz3v9Z2MrIHa9x3W3cNP6YJJRzZ3sGPZMdauCpWgA9xqCKT2pyzU4ikmVXcUHxhcf38akJWjrTFmdio3G4MbsZdJFBl6ID8Z6PgzOE3ppKHhVqCwkvaDzBS7RRf801+h+MsTFkRlJ2ZAjRAiDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwYcvde9Ywos5HSBJEGiWeuuKN3d4thltt4jQ7dMJHYVZ1DW3/V2s9t9pReZrEf1B0UI3Tw8A4p035EFwEhEbHhLrKFaCr18ad6LcOzOgznBpP6AP0nxF+qLf25zZoCwNb7tVLwe28YiH1BLYCERqYZDkmvhBlGHDl+f1L5AB51cWXICRO7wMvZJLvE5ReOSVqbGyYrHLwGFoM8hWdM+/ctgV+5kNkO9/d8+V0OdFV7/ZoayoauFCIvj8LRkH4zhiIzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMGHL3XvWMKLOR0gSRBolnrutkjDxB4lu2kH0vOoAK2dv3mvzYIXq2NTSpOIqoh80FUXQf06H6EkTDtcpIBKFFt3qcYZAadSTqRTBnLL462XjWaOSPNeFyr3ibjxx4moY4+7VS8HtvGIh9QS2AhEamGQ5Jr4QZRhw5fn9S+QAedXFlyAkTu8DL2SS7xOUXjklamxsmKxy8BhaDPIVnTPv3LQ4qbncHDzruEc0Tjda9mpQjRF/UyoDcPmxZ8TDtZ41/M5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDBhy9171jCizkdIEkQaJZ67FLFS/pYy5Ksm5F4KcqLmOO6bUJ4LxPyf7ovjKHWQ78TxmIhnxJS6W2ohsCzadr0I25crpzM9o3Fms1hAC0DZoBtU6zyz3v9Z2MrIHa9x3W3cNP6YJJRzZ3sGPZMdauCpWgA9xqCKT2pyzU4ikmVXcUHxhcf38akJWjrTFmdio3G4MbsZdJFBl6ID8Z6PgzOE3ppKHhVqCwkvaDzBS7RRf801+h+MsTFkRlJ2ZAjRAiDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAw=

    Licensing Data-->
    C:\Windows\system32\slmgr.vbs(1634, 5) (null): 0xC004D401

    HWID Data-->
    HWID Hash Current: NAAAAAEAAQABAAEAAgABAAAABAABAAEAeqjkN7d0Xu0i34KJw5ry9Np40yl4Tei1rFZGyg==

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes
    Windows marker version: 0x20000
    OEMID and OEMTableID Consistent: yes
    BIOS Information:
      ACPI Table Name    OEMID Value    OEMTableID Value
      APIC            PTLTD              APIC  
      FACP            LGE           LGPC    
      HPET            LGE           LGPC    
      BOOT            PTLTD         $SBFTBL$
      MCFG            LGE           LGPC    
      TCPA            LGE           LGPC    
      TMOR            PTLTD                 
      SLIC            LGE           LGPC    
      SSDT            SataRe        SataAhci
      SSDT            SataRe        SataAhci
      SSDT            SataRe        SataAhci
      SSDT            SataRe        SataAhci
      SSDT            SataRe        SataAhci

    Best regards,

    Iiro

    • Changed type Darin Smith MS Monday, January 26, 2009 10:59 PM The post is a question
    Saturday, January 24, 2009 4:27 PM
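A way to triage the log entries quoted in the question, added here as an example that is not part of the original post: a Python script that pulls the hr error codes and the Code Integrity file path out of constructed sample log lines (modelled on the ones in the question, not an actual export from the poster's machine) and decodes the winsxs component directory name into component, version and architecture, which tells you which update package the flagged file came from.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log lines modelled on the entries quoted in the question
# (not an actual export from the poster's machine).
SAMPLE_LOG = r"""
Genuine state set to genuine for application Id 55c92734-d682-4d71-983e-d6ec3f16059f
Successfully acquired genuine ticket for template Id 55c92734-d682-4d71-983e-d6ec3f16059f
Proxy Execution Key has failed to load. hr=0xC004D401
Proxy Execution Policy=Shell-InBoxGames-Solitaire-EnableGame
The system has been tampered. hr=0xC004D401
Code integrity determined that the image hash of a file is not valid.  The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
File Name:    \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.18000_none_b31e1252666640f6\tcpip.sys
""".strip("\n")

HR_RE = re.compile(r"hr\s*=\s*(0x[0-9A-Fa-f]{8})")
FILE_NAME_RE = re.compile(r"^File Name:\s*(\S+)$")
CI_MSG = "Code integrity determined that the image hash of a file is not valid"
TAMPER_MSG = "The system has been tampered"

# A winsxs component directory is named
# <arch>_<component>_<publicKeyToken>_<version>_<language>_<hash>
WINSXS_RE = re.compile(
    r"^(?P<arch>[^_]+)_(?P<name>.+?)_(?P<token>[0-9a-f]{16})_"
    r"(?P<version>\d+(?:\.\d+)+)_(?P<lang>[^_]+)_(?P<hash>[0-9a-f]{16})$"
)


@dataclass(frozen=True)
class MismatchedImage:
    path: str
    file_name: str
    component: Optional[str]
    version: Optional[str]
    arch: Optional[str]


def parse_image_path(path: str) -> MismatchedImage:
    """Split an NT device path and, when the file sits in the component store,
    decode which component, version and architecture it belongs to."""
    parts = path.split("\\")
    component = version = arch = None
    if len(parts) >= 2 and any(p.lower() == "winsxs" for p in parts):
        m = WINSXS_RE.match(parts[-2])
        if m:
            component, version, arch = m["name"], m["version"], m["arch"]
    return MismatchedImage(path, parts[-1], component, version, arch)


def summarize(log_text: str) -> dict:
    """Collect the licensing error codes, count tamper events and pair each
    Code Integrity hash-mismatch message with the File Name line that follows it."""
    lines = [ln.strip() for ln in log_text.splitlines()]
    hr_codes = sorted({m.group(1) for ln in lines for m in HR_RE.finditer(ln)})
    tamper_events = sum(1 for ln in lines if ln.startswith(TAMPER_MSG))

    mismatched: List[MismatchedImage] = []
    awaiting_file_name = False
    for ln in lines:
        if CI_MSG in ln:
            awaiting_file_name = True
            continue
        if awaiting_file_name:
            m = FILE_NAME_RE.match(ln)
            if m:
                mismatched.append(parse_image_path(m.group(1)))
                awaiting_file_name = False
    return {
        "hr_codes": hr_codes,
        "tamper_events": tamper_events,
        "mismatched_images": mismatched,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("error codes:", ", ".join(report["hr_codes"]))
    print("tamper events:", report["tamper_events"])
    for img in report["mismatched_images"]:
        print(f"hash mismatch: {img.file_name} ({img.component} {img.version}, {img.arch})")
```

Run against the constructed sample, the script reports the single code 0xC004D401, one tamper event, and tcpip.sys from the x86 microsoft-windows-tcpip-binaries component at version 6.0.6001.18000 as the file whose hash Code Integrity rejected. The version tells you which servicing package the good copy should come from, which is the first thing to check when deciding between an on-disk repair and an in-memory cause.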

Answers

  • Hello Iiro,

    I see you did some research before posting, but it looks like you got the two types of this issue confused.

    Your issue is what we call a Mod-Auth Tamper. The textbook definition of a Mod-Auth is "The security processor reported a system file mismatch error.", meaning a system file's signature hash (think fingerprint) doesn't match the signature hash for that system file listed in the System Catalog. (Any change/modification to a system file, even a very small change that may not stop the file from working correctly, will change the signature hash.)


    A Mod-Auth Tamper can occur in two variations: In Memory and On Disk.

    ~In Memory: When an OS is running, a number of the system files are loaded into system memory. The cause of an In Memory Mod-Auth tamper is a running program (either a user-installed program or some sort of malware) that is incompatible with Vista and is actively modifying (i.e. tampering with) that system file while it resides in system memory (meaning the physical file, located on the hard drive, has not been modified).

    The fix for this variation of Mod-Auth is to remove (or update to a compatible version) the program that is causing the problem. Once this is done, the program will no longer attempt to modify the system file, and thus there is no Mod-Auth error. Usually a system restore will not resolve the issue.

    ~On Disk: Something (possibly an incompatible program, a virus, or even random corruption) at some point in the past modified the physical system file located on the hard drive.

    The fix for this variation of Mod-Auth is to repair or replace the modified system file. (Note: even if the modification was caused by an incompatible program or virus and the bad program was removed, the system file would still be modified and would still cause the Mod-Auth tamper state.) Sometimes a system restore will restore back to before the file was modified and resolve the issue.

    Note: Vista sees both of these types of Mod-Auth as the same thing (so it usually gives a similar error for both), but as you can see, the fix is very different for each.

    I believe the variation that you have is of the In Memory type. There is a program, which is incompatible with Vista, that is basically trying to do something which was OK in older versions of Windows but which, due to security, Vista doesn't allow. Also know that malware (such as viruses and Trojans) are also programs and can also be incompatible with Vista.

    Now that you know the types of Mod-Auths that can occur, I will tell you how Vista detects a Mod-Auth tamper event (this will answer some of the other questions you have raised in your post). A security service in Vista runs randomly and checks for tampering of protected system files (both the ones loaded into system memory and the ones on the hard drive). Since that service runs randomly, Vista may not detect a modification right as a system file becomes modified. So the user may not get an error for 0-4 hours (maybe more) after a tamper has occurred. When a tamper is detected, the TTS (Tamper Time Stamp) will change to reflect the most recent time/date that a tamper was detected (doing a system restore may make the TTS change back to an earlier time/date, since you have gone "back in time" to a past known good configuration), but once the next tamper is detected, it will change again to reflect that most recent time/date.

    "So, this is all interesting information, but how do I fix the issue?" you ask. Well, it sounds like you have already read how to do it from my past forum posts. If you have already looked for and removed recently installed programs, then you have done much of what I would have suggested. If that did not resolve the issue, I can give you some additional things you can try.

    First, when you see the error, you know that the program that is causing the Mod-Auth is running. Look to see what programs are running right then (including the programs running in the background) and confirm they are all compatible with Vista (the best way is to go to the program's website and see if it says that the program is specifically compatible with Vista) or just uninstall them. Once you are sure that all the programs that you (or someone else that has access to the computer) installed are good, you may want to think about the possibility that the Mod-Auth may be caused by a virus or Trojan that is incompatible with Vista. I know that sounds strange, but I have recently seen a number of people that have had an In Memory Mod-Auth, ran a scan and found a virus or Trojan...removed it...and the Mod-Auth errors stopped. If it is a Trojan that is causing the issue, it does kind of make sense, to me, that it is the tcpip.sys file that is being tampered with.

    Lastly, since everyone has different programs installed on their computer, it is extremely hard for support to figure out which program is causing the problem, but if you still need assistance in identifying the incompatible program, please create a no-cost support request at http://go.microsoft.com/fwlink/?linkid=52029.

    Thank you,

    Darin MS


    Attention Forum All Users: Please Do Not post your issue in someone else's Thread...Create your own.
    Tuesday, January 27, 2009 12:46 AM
  • I forgot to mention that Microsoft has a group that provides free help with malware-related infections, called PC Safety.

    PC Safety: Call 1-866-PCSafety (1-866-727-2338)

    Darin


    Attention Forum All Users: Please Do Not post your issue in someone else's Thread...Create your own.
    • Marked as answer by Darin Smith MS Tuesday, January 27, 2009 1:27 AM
    Tuesday, January 27, 2009 1:27 AM
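To make the In Memory versus On Disk distinction in the answer above concrete, here is an added Python example (not from the forum, and not Microsoft's code) that stands in for the catalog check: it records known-good SHA-256 hashes of constructed stand-in files, then compares both the on-disk copy and a "loaded" in-memory copy against that catalog. Windows keeps its catalogs in its own signed format and hashes the mapped image rather than a byte string, so the file names, the dict-as-catalog and the patching of one byte are all assumptions made for the demonstration; the three-way comparison and the two verdicts are what the example shows.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterable


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_catalog(root: Path, names: Iterable[str]) -> Dict[str, str]:
    """Record the known-good hash of each protected file. This dict stands in
    for the signed system catalog; Windows' real catalogs are not this format."""
    return {name: sha256_of((root / name).read_bytes()) for name in names}


def classify(catalog: Dict[str, str], root: Path, name: str, loaded_image: bytes) -> str:
    """Compare both the on-disk file and its loaded copy with the catalog hash.
    Returns "clean", "on-disk" (the file itself was altered) or "in-memory"
    (file intact on disk, only the loaded copy altered)."""
    expected = catalog[name]
    if sha256_of((root / name).read_bytes()) != expected:
        return "on-disk"
    if sha256_of(loaded_image) != expected:
        return "in-memory"
    return "clean"


def demo() -> Dict[str, str]:
    """Walk through the situations from the answer on constructed stand-in files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed stand-ins for protected system files (not real drivers).
        (root / "tcpip.sys").write_bytes(b"MZ" + bytes(range(256)) * 4)
        (root / "ntfs.sys").write_bytes(b"MZ" + bytes(reversed(range(256))) * 4)
        catalog = build_catalog(root, ["tcpip.sys", "ntfs.sys"])
        results: Dict[str, str] = {}

        # 1. Nothing touched: disk and loaded copies both match the catalog.
        loaded = (root / "tcpip.sys").read_bytes()
        results["untouched"] = classify(catalog, root, "tcpip.sys", loaded)

        # 2. In-memory tamper: only the loaded copy is patched; the file is intact.
        patched = bytearray(loaded)
        patched[0x40] ^= 0xFF
        results["memory_patch"] = classify(catalog, root, "tcpip.sys", bytes(patched))

        # Reloading from the untouched file (what removing the offending program
        # and restarting achieves) clears the in-memory variant without any repair.
        results["memory_after_reload"] = classify(
            catalog, root, "tcpip.sys", (root / "tcpip.sys").read_bytes())

        # 3. On-disk tamper: the file itself is modified, so every later load of
        # it mismatches too; only repairing or replacing the file resolves it.
        data = bytearray((root / "ntfs.sys").read_bytes())
        data[0x40] ^= 0xFF
        (root / "ntfs.sys").write_bytes(bytes(data))
        results["disk_patch"] = classify(
            catalog, root, "ntfs.sys", (root / "ntfs.sys").read_bytes())
        return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:>20}: {verdict}")
```

The order of the two checks in classify is the point: an on-disk mismatch is tested first because a modified file also produces a mismatching loaded image, so "in-memory" is only reported when the file on disk still matches the catalog. That is exactly why a system restore (which rewrites files) can fix the On Disk case but does nothing for the In Memory case, where the file was never wrong.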
