An unauthorized change was made to Windows -- 0xC004D401

  • Question

  •  

    Good afternoon,

     

    Today I was working on my kids' PC and got a popup "Windows software protection" -- "An unauthorized change was made to Windows", with error 0xC004D401, "The security processor reported a system file mismatch error."

     

    I tried to run the windows validation and it says my system has had an unauthorized change made.

     

    This is a relatively new PC (xmas gift -- new HP from Circuit City), and has the original Vista installed on it, plus whatever updates automatic updates has done.

     

    I started the event viewer (eventvwr.msc) and found some Warning messages in the Application log from "Security-Licensing-SLC", event ID 1022:

    The system has been tampered. hr=0xC004D401

     

       details:

    - System

    - Provider
    [ Name] Microsoft-Windows-Security-Licensing-SLC
    [ Guid] {1FD7C1D2-D037-4620-8D29-B2C7E5FCC13A}
    [ EventSourceName] Software Licensing Service
    - EventID 1022
    [ Qualifiers] 32768
    Version 0
    Level 3
    Task 0
    Opcode 0
    Keywords 0x80000000000000
    - TimeCreated
    [ SystemTime] 2008-02-23T18:59:17.000Z
    EventRecordID 7935
    Correlation
    - Execution
    [ ProcessID] 0
    [ ThreadID] 0
    Channel Application
    Computer SUPERCOOL
    Security

    - EventData

    hr=0xC004D401

     

     

     

     

    I then did a filter on the log and looked back to see the first time the message appeared -- February 16th.

     

    Thinking back, I've installed the following programs in the past few weeks:

     

    1- A free trial of "User Time Manager" from www.vistafolder.com, version 4.2.1.1.  This is a 15 day free trial, and today it tells me there are 2 days left.  That means it was installed around the 10th, so that doesn't really fit with the start of the messages.

     

    2- A free trial of Virtual CD v9.0.0.0 ("Demo" version -- works for 30 days).  This one tells me I have 18 days left (12 days done).  Today's the 23rd, so that should also be around the 10th.

     

    Is there a place I can check when other programs may have been installed?

     

    Lastly, I searched around and found a few people who said to use the MGA Diagnostic Tool and paste the details here.  So, here it is:

     

    Diagnostic Report (1.7.0069.0):
    -----------------------------------------
    WGA Data-->
    Validation Status: Invalid License
    Validation Code: 50
    Online Validation Code: 0xc004d401
    Cached Validation Code: N/A, hr = 0xc004d401
    Windows Product Key: *****-*****-27HYQ-XTKW2-WQD8Q
    Windows Product Key Hash: U8YEZzymoD4DMyaMb32rPrNIS90=
    Windows Product ID: 89578-OEM-7332157-00061
    Windows Product ID Type: 2
    Windows License Type: OEM SLP
    Windows OS version: 6.0.6000.2.00010300.0.0.003
    CSVLK Server: N/A
    CSVLK PID: N/A
    ID: {9F019943-0D30-4766-AA1D-0EF6B3AC2090}(1)
    Is Admin: Yes
    TestCab: 0x0
    WGA Version: Registered, 1.7.59.1
    Signed By: Microsoft
    Product Name: Windows Vista (TM) Home Premium
    Architecture: 0x00000000
    Build lab: 6000.vista_ldr.071023-1545
    TTS Error: K:20080223104940032-M:20080223125026895-
    Validation Diagnostic:
    Resolution Status: N/A

    WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002

    Notifications Data-->
    Cached Result: N/A
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 109 N/A
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: FCEE394C-2920-80070002_025D1FF3-282-80041010_025D1FF3-170-80041010_025D1FF3-171-1_025D1FF3-434-80040154_025D1FF3-178-80040154_025D1FF3-179-2_025D1FF3-185-80070002_025D1FF3-199-3

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Win32)
    Default Browser: C:\Program Files\Internet Explorer\iexplore.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{9F019943-0D30-4766-AA1D-0EF6B3AC2090}</UGUID><Version>1.7.0069.0</Version><OS>6.0.6000.2.00010300.0.0.003</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-WQD8Q</PKey><PID>89578-OEM-7332157-00061</PID><PIDType>2</PIDType><SID>S-1-5-21-2731909838-2984045968-3276640474</SID><SYSTEM><Manufacturer>HP-Pavilion</Manufacturer><Model>GN703AA-ABA a6228x</Model></SYSTEM><BIOS><Manufacturer>Phoenix Technologies, LTD</Manufacturer><Version> 5.11</Version><SMBIOSVersion major="2" minor="4"/><Date>20070716000000.000000+000</Date></BIOS><HWID>72333507018400F6</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Central Standard Time(GMT-06:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>HPQOEM</OEMID><OEMTableID>SLIC-CPC</OEMTableID></OEM><BRT/></MachineData><Software><Office><Result>109</Result><Products/></Office></Software></GenuineResults> 

    Spsys.log Content:

     

     

    Thanks for any help you can provide!

     

    Andrew

     

    Saturday, February 23, 2008 7:56 PM

Answers

  • Hi Andrew,

     

      You are correct, your Vista is suffering from an "In Memory" Mod-Auth tamper. The In Memory type of Mod-Auth is caused by an incompatible program running in Vista.

     

      Since this issue is only caused by programs that are actively running at the time of the tamper and since Updates generally only run once, you can exclude the Updates (and/or anything else that only runs once) as possible causes.

     

      The TTS (Tamper Time Stamp) is showing "M" and "K" type tampers. "M" = Mod-Auth tamper and "K" = Kernel Mode tamper (which will probably go away when the Mod-Auth is fixed).  Generally, if you had a bad Driver, the TTS would show a "T" (for Trusted Store) type of tamper, so (most likely) you can exclude the drivers as possible causes.

     

     Lastly, since the process that detects tampers runs randomly, and since a tamper would only be detected when the incompatible program was actually running, the incompatible program may have been installed some time ago and either Vista just hadn't detected it sooner or the program was run for the first time around the time you first saw the issue.

     

    Thank you,

    Darin Smith

    WGA Forum Manager

    Thursday, February 28, 2008 11:15 PM
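
The reading of the TTS field described in the answer above can be scripted when triaging many MGADiag reports. The following is an added example, not part of the original thread and not Microsoft code; the function names are hypothetical, the letter meanings are the ones given in the answer, and the 17-digit stamp layout (YYYYMMDDhhmmss plus milliseconds, time zone unknown) is an assumption inferred from the report in the question.

```python
import re
from datetime import datetime

# Letter meanings as given in the answer; any other letter is reported as unknown.
TAMPER_TYPES = {"M": "Mod-Auth", "K": "Kernel Mode", "T": "Trusted Store"}

# Constructed sample: three lines copied from the report in the question.
SAMPLE_REPORT = """\
Build lab: 6000.vista_ldr.071023-1545
TTS Error: K:20080223104940032-M:20080223125026895-
Validation Diagnostic:
"""

def parse_tts(report):
    """Return [(letter, type name, datetime)] decoded from the 'TTS Error:' line."""
    m = re.search(r"^\s*TTS Error:[ \t]*(\S*)[ \t]*$", report, re.MULTILINE)
    if not m or not m.group(1):
        return []  # line missing or empty: nothing recorded
    entries = []
    for part in filter(None, m.group(1).split("-")):
        letter, sep, stamp = part.partition(":")
        if not sep or not re.fullmatch(r"\d{17}", stamp):
            raise ValueError(f"unrecognised TTS entry: {part!r}")
        # Assumption: 14 digits of date and time followed by 3 digits of milliseconds.
        when = datetime.strptime(stamp[:14], "%Y%m%d%H%M%S").replace(
            microsecond=int(stamp[14:]) * 1000)
        entries.append((letter, TAMPER_TYPES.get(letter, "unknown"), when))
    return entries

def triage(entries):
    """Simplified form of the answer's rule of thumb (T points at drivers)."""
    letters = {e[0] for e in entries}
    if not letters:
        return "no tamper recorded"
    if "T" in letters:
        return "Trusted Store tamper: look at drivers"
    if "M" in letters:
        return "Mod-Auth tamper: look at programs running at the recorded times"
    return "review manually"

if __name__ == "__main__":
    for letter, name, when in parse_tts(SAMPLE_REPORT):
        print(letter, name, when.isoformat(timespec="milliseconds"))
    print(triage(parse_tts(SAMPLE_REPORT)))
```

The decoded times can then be compared with what was running on the machine at those moments, which is the check the answer recommends over looking at install dates.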

All replies

  •  

    One bit of follow-up.  I saw another post on something similar, and so I checked the Reliability Monitor.  Since my first error occurred on Feb 16th (730pm), I checked for software installs for Feb16th, and the few days prior.  Here's what I've got:

     

     

    Cumulative Update for Media Center for Windows Vista (KB947172) -- Version 100 -- Success -- 2/16/2008

     

    Definition Update for Windows Defender - KB915597 (Definition 1 -- Version 100 -- Success -- 2/15/2008

     

    Update for Windows Vista (KB937287) -- Version 105 -- Success -- 2/14/2008

     

    Cumulative Security Update for Internet Explorer 7 in Windows V -- Version 101 -- Success -- 2/13/2008

    Enhanced Multimedia PS/2 keyboard -- Version 1.0.7.3 -- Success -- 2/13/2008

    HID Keyboard Device -- Version 6.0.6000.16609 -- Success -- 2/13/2008

    HID-compliant mouse -- Version 6.0.6000.16609 -- Success -- 2/13/2008

    IDE Channel -- Version 6.0.6000.16632 -- Success -- 2/13/2008

    IDE Channel -- Version 6.0.6000.16632 -- Success -- 2/13/2008

    Microsoft USB Wheel Mouse Optical -- Version 6.0.6000.16609 -- Success -- 2/13/2008

    Microsoft USB Wheel Mouse Optical -- Version 6.0.6000.16609 -- Success -- 2/13/2008

    PS/2 Compatible Mouse -- Version 6.0.6000.16609 -- Success -- 2/13/2008

    Security Update for Windows Vista (KB943055) -- Version 103 -- Success -- 2/13/2008

    Security Update for Windows Vista (KB946026) -- Version 102 -- Success -- 2/13/2008

    Security Update for Windows Vista (KB946456) -- Version 102 -- Success -- 2/13/2008

    Standard Dual Channel PCI IDE Controller -- Version 6.0.6000.16632 -- Success -- 2/13/2008

    Terminal Server Keyboard Driver -- Version 6.0.6000.16386 -- Success -- 2/13/2008

    Terminal Server Mouse Driver -- Version 6.0.6000.16386 -- Success -- 2/13/2008

    Update for Windows Mail Junk E-mail Filter [February 2008] (KB9 -- Version 100 -- Success -- 2/13/2008

    Update for Windows Vista (KB938371) -- Version 108 -- Success -- 2/13/2008

    Update for WIndows Vista (KB943302) -- Version 100 -- Success -- 2/13/2008

    Update for Windows Vista (KB943899) -- Version 100 -- Success -- 2/13/2008

    Windows Malicious Software Removal Tool - February 2008 (KB8908 -- Version 101 -- Success -- 2/13/2008

     

     

    Thanks again for your help, and I hope this information is helpful.

     

    Andrew

     

     

     

    Saturday, February 23, 2008 8:46 PM
  • 0xc004d401 caused by Glary Utilities not compatible with Windows Vista Home Premium, system 32, in my case
    Monday, December 28, 2009 8:38 AM
  • So, Darin:  How do I fix this?  I'm having the same error?  HP DV7, Vista.  Can't update my MS Essentials.  AND...Left click locked.  Limited use of right click.   Thanks!
    Tuesday, December 21, 2010 3:36 PM
  • "marla_b" wrote in message news:395376e2-f5a6-4e8e-8317-339439963104...
    So, Darin:  How do I fix this?  I'm having the same error?  HP DV7, Vista.  Can't update my MS Essentials.  AND...Left click locked.  Limited use of right click.   Thanks!

    Please post your problem to a NEW thread of your own - this avoids confusion.
    To properly analyse and solve problems with Activation and Validation, we need to see a full copy of the report produced by the MGADiag tool (download and save to desktop - http://go.microsoft.com/fwlink/?linkid=52012 )
    Once saved, run the tool.
    Click on the Continue button, which will produce the report.
    To copy the report to your response, click on the Copy button in the tool (ignore any error messages at this point), and then paste (using either r-click/Paste, or Ctrl+V ) into your response.
     

    --


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Tuesday, December 21, 2010 7:53 PM
    Moderator