An unauthorized change was made to Windows -- 0xC004D401

Question
-
Good afternoon,
Today I was working on my kids' PC and got a popup "Windows software protection" -- "An unauthorized change was made to Windows", with error 0xC004D401, "The security processor reported a system file mismatch error."
I tried to run the Windows validation and it says my system has had an unauthorized change made.
This is a relatively new PC (Xmas gift -- new HP from Circuit City), and has the original Vista installed on it, plus whatever updates automatic updates has done.
I started the event viewer (eventvwr.msc) and found some Warning messages in the Application log from "Security-Licensing-SLC", event ID 1022:
The system has been tampered. hr=0xC004D401
details:
- System
  - Provider [ Name] Microsoft-Windows-Security-Licensing-SLC [ Guid] {1FD7C1D2-D037-4620-8D29-B2C7E5FCC13A} [ EventSourceName] Software Licensing Service
  - EventID 1022 [ Qualifiers] 32768
  Version 0
  Level 3
  Task 0
  Opcode 0
  Keywords 0x80000000000000
  - TimeCreated [ SystemTime] 2008-02-23T18:59:17.000Z
  EventRecordID 7935
  Correlation
  - Execution [ ProcessID] 0 [ ThreadID] 0
  Channel Application
  Computer SUPERCOOL
  Security
- EventData
  hr=0xC004D401
I then did a filter on the log and looked back to see the first time the message appeared -- February 16th.
Thinking back, I've installed the following programs in the past few weeks:
1- A free trial of "User Time Manager" from www.vistafolder.com, version 4.2.1.1. This is a 15 day free trial, and today it tells me there are 2 days left. That means it was installed around the 10th, so that doesn't really fit with the start of the messages.
2- A free trial of Virtual CD v9.0.0.0 ("Demo" version -- works for 30 days). This one tells me I have 18 days left (12 days done). Today's the 23rd, so that should also be around the 10th.
Is there a place I can check when other programs may have been installed?
Lastly, I searched around and found a few people who said to use the MGA Diagnostic Tool and paste the details here. So, here it is:
Diagnostic Report (1.7.0069.0):
-----------------------------------------
WGA Data-->
Validation Status: Invalid License
Validation Code: 50
Online Validation Code: 0xc004d401
Cached Validation Code: N/A, hr = 0xc004d401
Windows Product Key: *****-*****-27HYQ-XTKW2-WQD8Q
Windows Product Key Hash: U8YEZzymoD4DMyaMb32rPrNIS90=
Windows Product ID: 89578-OEM-7332157-00061
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 6.0.6000.2.00010300.0.0.003
CSVLK Server: N/A
CSVLK PID: N/A
ID: {9F019943-0D30-4766-AA1D-0EF6B3AC2090}(1)
Is Admin: Yes
TestCab: 0x0
WGA Version: Registered, 1.7.59.1
Signed By: Microsoft
Product Name: Windows Vista (TM) Home Premium
Architecture: 0x00000000
Build lab: 6000.vista_ldr.071023-1545
TTS Error: K:20080223104940032-M:20080223125026895-
Validation Diagnostic:
Resolution Status: N/A
WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
Notifications Data-->
Cached Result: N/A
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002
OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: FCEE394C-2920-80070002_025D1FF3-282-80041010_025D1FF3-170-80041010_025D1FF3-171-1_025D1FF3-434-80040154_025D1FF3-178-80040154_025D1FF3-179-2_025D1FF3-185-80070002_025D1FF3-199-3
Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\iexplore.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed
File Scan Data-->
Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{9F019943-0D30-4766-AA1D-0EF6B3AC2090}</UGUID><Version>1.7.0069.0</Version><OS>6.0.6000.2.00010300.0.0.003</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-WQD8Q</PKey><PID>89578-OEM-7332157-00061</PID><PIDType>2</PIDType><SID>S-1-5-21-2731909838-2984045968-3276640474</SID><SYSTEM><Manufacturer>HP-Pavilion</Manufacturer><Model>GN703AA-ABA a6228x</Model></SYSTEM><BIOS><Manufacturer>Phoenix Technologies, LTD</Manufacturer><Version> 5.11</Version><SMBIOSVersion major="2" minor="4"/><Date>20070716000000.000000+000</Date></BIOS><HWID>72333507018400F6</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Central Standard Time(GMT-06:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>HPQOEM</OEMID><OEMTableID>SLIC-CPC</OEMTableID></OEM><BRT/></MachineData><Software><Office><Result>109</Result><Products/></Office></Software></GenuineResults>
Spsys.log Content:
Thanks for any help you can provide!
Andrew
Saturday, February 23, 2008 7:56 PM
Answers
-
Hi Andrew,
You are correct, your Vista is suffering from an "In Memory" Mod-Auth tamper. The In Memory type of Mod-Auth is caused by an incompatible program running in Vista.
Since this issue is only caused by programs that are actively running at the time of the tamper and since Updates generally only run once, you can exclude the Updates (and/or anything else that only runs once) as possible causes.
The TTS (Tamper Time Stamp) is showing "M" and "K" type tampers. "M" = Mod-Auth tamper and "K" = Kernel Mode tamper (which will probably go away when the Mod-Auth is fixed). Generally, if you had a bad driver, the TTS would show a "T" (for Trusted Store) type of tamper, so (most likely) you can exclude the drivers as possible causes.
Lastly, since the process that detects tampers runs randomly, and since a tamper would only be detected when the incompatible program was actually running, the incompatible program may have been installed some time ago and either Vista just hadn't detected it sooner or the program was run for the first time around the time you first saw the issue.
Thank you,
Darin Smith
WGA Forum Manager
Thursday, February 28, 2008 11:15 PM
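The TTS reading described in the answer above can be automated when triaging pasted MGADiag reports. This is an added example, not part of the forum posts or of the MGADiag tool; the function names are hypothetical, and the timestamp layout (YYYYMMDDhhmmss plus three millisecond digits) is an assumption inferred from the values in the report.

```python
import re
from datetime import datetime

# Tamper-type letters as given in the answer above.
TAMPER_TYPES = {"M": "Mod-Auth", "K": "Kernel Mode", "T": "Trusted Store"}

# One TTS entry: type letter, colon, 17 digits, trailing dash.
# Assumption: the digits read YYYYMMDDhhmmss plus three millisecond digits.
_ENTRY = re.compile(r"([A-Z]):(\d{17})-")

# Constructed sample: two fields copied from the report in the question.
SAMPLE_REPORT = """\
Validation Status: Invalid License
TTS Error: K:20080223104940032-M:20080223125026895-
Validation Diagnostic:
"""

def parse_tts(report_text):
    """Return [(letter, tamper type, datetime)] sorted oldest first."""
    field = re.search(r"^TTS Error:[ \t]*(.*)$", report_text, re.MULTILINE)
    if field is None:
        return []
    entries = []
    for letter, stamp in _ENTRY.findall(field.group(1)):
        when = datetime.strptime(stamp[:14], "%Y%m%d%H%M%S")
        when = when.replace(microsecond=int(stamp[14:]) * 1000)
        entries.append((letter, TAMPER_TYPES.get(letter, "unknown"), when))
    return sorted(entries, key=lambda e: e[2])

def triage(entries):
    """Turn the answer's reasoning about M, K and T into checklist notes."""
    letters = {letter for letter, _, _ in entries}
    notes = []
    if "M" in letters:
        notes.append("M: look for an incompatible program running at that time")
    if "K" in letters and "M" in letters:
        notes.append("K: will probably go away when the Mod-Auth is fixed")
    if "T" in letters:
        notes.append("T: a bad driver is a possible cause")
    elif letters:
        notes.append("no T: drivers are most likely not the cause")
    return notes

if __name__ == "__main__":
    for letter, kind, when in parse_tts(SAMPLE_REPORT):
        print(f"{letter} ({kind}) at {when.isoformat(timespec='milliseconds')}")
    for note in triage(parse_tts(SAMPLE_REPORT)):
        print("-", note)
```

The parsed times carry no time zone, since the page does not say whether TTS values are local or UTC; compare them against the event log with that in mind.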
All replies
-
One bit of follow-up. I saw another post on something similar, and so I checked the Reliability Monitor. Since my first error occurred on Feb 16th (730pm), I checked for software installs for Feb16th, and the few days prior. Here's what I've got:
Cumulative Update for Media Center for Windows Vista (KB947172) -- Version 100 -- Success -- 2/16/2008
Definition Update for Windows Defender - KB915597 (Definition 1 -- Version 100 -- Success -- 2/15/2008
Update for Windows Vista (KB937287) -- Version 105 -- Success -- 2/14/2008
Cumulative Security Update for Internet Explorer 7 in Windows V -- Version 101 -- Success -- 2/13/2008
Enhanced Multimedia PS/2 keyboard -- Version 1.0.7.3 -- Success -- 2/13/2008
HID Keyboard Device -- Version 6.0.6000.16609 -- Success -- 2/13/2008
HID-compliant mouse -- Version 6.0.6000.16609 -- Success -- 2/13/2008
IDE Channel -- Version 6.0.6000.16632 -- Success -- 2/13/2008
IDE Channel -- Version 6.0.6000.16632 -- Success -- 2/13/2008
Microsoft USB Wheel Mouse Optical -- Version 6.0.6000.16609 -- Success -- 2/13/2008
Microsoft USB Wheel Mouse Optical -- Version 6.0.6000.16609 -- Success -- 2/13/2008
PS/2 Compatible Mouse -- Version 6.0.6000.16609 -- Success -- 2/13/2008
Security Update for Windows Vista (KB943055) -- Version 103 -- Success -- 2/13/2008
Security Update for Windows Vista (KB946026) -- Version 102 -- Success -- 2/13/2008
Security Update for Windows Vista (KB946456) -- Version 102 -- Success -- 2/13/2008
Standard Dual Channel PCI IDE Controller -- Version 6.0.6000.16632 -- Success -- 2/13/2008
Terminal Server Keyboard Driver -- Version 6.0.6000.16386 -- Success -- 2/13/2008
Terminal Server Mouse Driver -- Version 6.0.6000.16386 -- Success -- 2/13/2008
Update for Windows Mail Junk E-mail Filter [February 2008] (KB9 -- Version 100 -- Success -- 2/13/2008
Update for Windows Vista (KB938371) -- Version 108 -- Success -- 2/13/2008
Update for WIndows Vista (KB943302) -- Version 100 -- Success -- 2/13/2008
Update for Windows Vista (KB943899) -- Version 100 -- Success -- 2/13/2008
Windows Malicious Software Removal Tool - February 2008 (KB8908 -- Version 101 -- Success -- 2/13/2008
Thanks again for your help, and I hope this information is helpful.
Andrew
Saturday, February 23, 2008 8:46 PM
-
0xc004d401 caused by Glary Utilities not compatible with Windows Vista Home Premium, system 32, in my case
Monday, December 28, 2009 8:38 AM
-
So, Darin: How do I fix this? I'm having the same error? HP DV7, Vista. Can't update my MS Essentials. AND...Left click locked. Limited use of right click. Thanks!
Tuesday, December 21, 2010 3:36 PM
-
"marla_b" wrote in message news:395376e2-f5a6-4e8e-8317-339439963104...
So, Darin: How do I fix this? I'm having the same error? HP DV7, Vista. Can't update my MS Essentials. AND...Left click locked. Limited use of right click. Thanks!

Please post your problem to a NEW thread of your own - this avoids confusion.
To properly analyse and solve problems with Activation and Validation, we need to see a full copy of the report produced by the MGADiag tool (download and save to desktop - http://go.microsoft.com/fwlink/?linkid=52012 )
Once saved, run the tool.
Click on the Continue button, which will produce the report.
To copy the report to your response, click on the Copy button in the tool (ignore any error messages at this point), and then paste (using either r-click/Paste, or Ctrl+V ) into your response.
--
Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
Tuesday, December 21, 2010 7:53 PM
Moderator