Good afternoon,
Today I was working on my kids' PC and get a popup "Windows software protection" -- "An unauthorized change was made to Windows", with error 0xC004D401, "The security processor reported a system file mismatch error."
I tried to run the windows validation and it says my system has had an unauthorized change made.
This is a relatively new PC (xmas gift -- new HP from Circuit CIty), and has the original vista installed on it, plus whatever updates automatic updates has down.
I started the event viewer (eventvwr.msc) and found some Warning messages in the Application logm from "Security-Licensing-SLC", event ID 1022:
The system has been tampered. hr=0xC004D401
details:
|
|
|
|
|
[ Name] |
Microsoft-Windows-Security-Licensing-SLC |
|
|
|
[ Guid] |
{1FD7C1D2-D037-4620-8D29-B2C7E5FCC13A} |
|
|
|
[ EventSourceName] |
Software Licensing Service | |
|
|
|
Keywords |
0x80000000000000 | |
|
|
|
|
|
[ SystemTime] |
2008-02-23T18:59:17.000Z | |
I then did a filter on the log and looked back to see the first time the message appeared -- February 16th.
Thinking back, I've installed the following programs in the past few weeks:
1- A free trial of "User Time Manager" from www.vistafolder.com, version 4.2.1.1. This is a 15 day free trial, and today it tells me there are 2 days left. That means it was installed around the 10th, so that doesn't really fit with the start of the messages.
2- A free trial of Virtual CD v9.0.0.0 ("Demo" version -- works for 30 days). This one tells me I have 18 days left (12 days done). Today's the 23rd, so that should also be around the 10th.
Is there a place I can check when other programs may have been installed?
Lastly, I searched around and found a view people who said to use the MGA Diagnostic Tool and paste the details here. So, here it is:
Diagnostic Report (1.7.0069.0):
-----------------------------------------
WGA Data-->
Validation Status: Invalid License
Validation Code: 50
Online Validation Code: 0xc004d401
Cached Validation Code: N/A, hr = 0xc004d401
Windows Product Key: *****-*****-27HYQ-XTKW2-WQD8Q
Windows Product Key Hash: U8YEZzymoD4DMyaMb32rPrNIS90=
Windows Product ID: 89578-OEM-7332157-00061
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 6.0.6000.2.00010300.0.0.003
CSVLK Server: N/A
CSVLK PID: N/A
ID: {9F019943-0D30-4766-AA1D-0EF6B3AC2090}(1)
Is Admin: Yes
TestCab: 0x0
WGA Version: Registered, 1.7.59.1
Signed By: Microsoft
Product Name: Windows Vista (TM) Home Premium
Architecture: 0x00000000
Build lab: 6000.vista_ldr.071023-1545
TTS Error: K:20080223104940032-M:20080223125026895-
Validation Diagnostic:
Resolution Status: N/A
WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
Notifications Data-->
Cached Result: N/A
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002
OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: FCEE394C-2920-80070002_025D1FF3-282-80041010_025D1FF3-170-80041010_025D1FF3-171-1_025D1FF3-434-80040154_025D1FF3-178-80040154_025D1FF3-179-2_025D1FF3-185-80070002_025D1FF3-199-3
Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\iexplore.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed
File Scan Data-->
Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{9F019943-0D30-4766-AA1D-0EF6B3AC2090}</UGUID><Version>1.7.0069.0</Version><OS>6.0.6000.2.00010300.0.0.003</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-WQD8Q</PKey><PID>89578-OEM-7332157-00061</PID><PIDType>2</PIDType><SID>S-1-5-21-2731909838-2984045968-3276640474</SID><SYSTEM><Manufacturer>HP-Pavilion</Manufacturer><Model>GN703AA-ABA a6228x</Model></SYSTEM><BIOS><Manufacturer>Phoenix Technologies, LTD</Manufacturer><Version> 5.11</Version><SMBIOSVersion major="2" minor="4"/><Date>20070716000000.000000+000</Date></BIOS><HWID>72333507018400F6</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Central Standard Time(GMT-06:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>HPQOEM</OEMID><OEMTableID>SLIC-CPC</OEMTableID></OEM><BRT/></MachineData><Software><Office><Result>109</Result><Products/></Office></Software></GenuineResults>
Spsys.log Content: U1BMRwEAAAAAAQAABAAAAOP3DQAAAAAAYWECADAgAADc+mtGA3HIARhDs/4hWdo7Xkl9D+HKpnhOb2b0MDaNfp3siIM+QArpWKAl1VA+VrarojPk9D3wBFF0H9Oh+hJEw7XKSAShRbchBVZ9nLlQM4S6/uTYnzpU1mjkjzXhcq94m48ceJqGOPu1UvB7bxiIfUEtgIRGphkOSa+EGUYcOX5/UvkAHnVxZcgJE7vAy9kku8TlF45JWpsbJiscvAYWgzyFZ0z79y0OKm53Bw867hHNE43WvZqUI0Rf1MqA3D5sWfEw7WeNfzOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwYQ7P+IVnaO15JfQ/hyqZ4yk63AcbiQ9/Uk5Y1SkBYADi72ZBAszPDDYk9ZI9djCgUI3Tw8A4p035EFwEhEbHhLGtqAuc/lS9NZDddkfFvJvwp88yC4J8pHueit06rqSv7tVLwe28YiH1BLYCERqYZDkmvhBlGHDl+f1L5AB51cWXICRO7wMvZJLvE5ReOSVqbGyYrHLwGFoM8hWdM+/ctgV+5kNkO9/d8+V0OdFV7/ZoayoauFCIvj8LRkH4zhiIzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMGEOz/iFZ2jteSX0P4cqmeHFTfhxDeuJiVc7IS5+DMhEbrihL0+0z7TQqjGT213RjFCN08PAOKdN+RBcBIRGx4encS5/wkpITVTRD9Edob9P8KfPMguCfKR7nordOq6kr+7VS8HtvGIh9QS2AhEamGQ5Jr4QZRhw5fn9S+QAedXFlyAkTu8DL2SS7xOUXjklamxsmKxy8BhaDPIVnTPv3LYFfuZDZDvf3fPldDnRVe/2aGsqGrhQiL4/C0ZB+M4YiM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDBhDs/4hWdo7Xkl9D+HKpnjTZ4WJRvvVZa6gLLFCMwRsGoC8kd0Ip7uyHUSKOPNJRlF0H9Oh+hJEw7XKSAShRbe4xXlBoOS5gLg84onm+K421mjkjzXhcq94m48ceJqGOPu1UvB7bxiIfUEtgIRGphkOSa+EGUYcOX5/UvkAHnVxZcgJE7vAy9kku8TlF45JWpsbJiscvAYWgzyFZ0z79y0OKm53Bw867hHNE43WvZqUI0Rf1MqA3D5sWfEw7WeNfzOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwYQ7P+IVnaO15JfQ/hyqZ4Arg+JEpOn7bGkTeDYhOz69+CXkt5ifxDxDeOB5RDpWRRdB/TofoSRMO1ykgEoUW3iMAcf+WVjoYfc8T7WOEnD9Zo5I814XKveJuPHHiahjj7tVLwe28YiH1BLYCERqYZDkmvhBlGHDl+f1L5AB51cWXICRO7wMvZJLvE5ReOSVqbGyYrHLwGFoM8hWdM+/ctDipudwcPOu4RzRON1r2alCNEX9TKgNw+bFnxMO1njX8zkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMGEOz/iFZ2jteSX0P4cqmeMIcU5mb/4MO9WyRaGlhWZSAJmXpULPyRxdNnWuhvkf0UXQf06H6EkTDtcpIBKFFt2ys6Hp1kS725OE3nDVsPY/WaOSPNeFyr3ibjxx4moY4+7VS8HtvGIh9QS2AhEamGQ5Jr4QZRhw5fn9S+QAedXFlyAkTu8DL2SS7xOUXjklamxsmKxy8BhaDPIVnTPv3LQ4qbncHDzruEc0Tjda9mpQjRF/UyoDcPmxZ8TDtZ41/M5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDA==
Thanks for any help you can provide!
Andrew
