locked
win 7 pro 0x8004fe21 saying not genuine RRS feed

  • Question

  • Yesterday we started getting a health check event id 3 and then 7 , but windows continues to say it is not a genuine copy.  No updates in recent history to cause.  I ran the MGADiag and here are the results:

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 0x8004FE21
    Cached Online Validation Code: 0x0
    Windows Product Key: *****-*****-M3DJT-4J3WC-733WD
    Windows Product Key Hash: xo+ajVSpae7/4VoZjS7m6JL0f3A=
    Windows Product ID: 00371-OEM-8992671-00524
    Windows Product ID Type: 2
    Windows License Type: OEM SLP
    Windows OS version: 6.1.7601.2.00010100.1.0.048
    ID: {99666031-B2FA-45A1-8A18-4AFECBA85DFF}(1)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows 7 Professional
    Architecture: 0x00000009
    Build lab: 7601.win7sp1_ldr_escrow.180422-1430
    TTS Error:
    Validation Diagnostic:
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 100 Genuine
    2007 Microsoft Office system - 100 Genuine
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005_E2AD56EA-765-b01a_E2AD56EA-766-0_E2AD56EA-148-80004005_16E0B333-89-80004005_B4D0AA8B-1029-80004005

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{99666031-B2FA-45A1-8A18-4AFECBA85DFF}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-733WD</PKey><PID>00371-OEM-8992671-00524</PID><PIDType>2</PIDType><SID>S-1-5-21-897614449-796617786-4095272778</SID><SYSTEM><Manufacturer>Dell Inc.</Manufacturer><Model>XPS 8900</Model></SYSTEM><BIOS><Manufacturer>Dell Inc.</Manufacturer><Version>2.1.3</Version><SMBIOSVersion major="2" minor="8"/><Date>20160120000000.000000+000</Date></BIOS><HWID>737A3407018400FE</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>1</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>DELL  </OEMID><OEMTableID>CBX3   </OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{91120000-0031-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>2007 Microsoft Office system</Name><Ver>12</Ver><Val>367512704EF1A5E</Val><Hash>ien2iiTEFoUrKxyIkZfBx/SKVVE=</Hash><Pid>89451-303-7607877-66637</Pid><PidType>1</PidType></Product></Products><Applications><App Id="15" Version="12" Result="100"/><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="19" Version="12" Result="100"/><App Id="1A" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/></Applications></Office></Software></GenuineResults> 

    Spsys.log Content: 0x80070002

    Licensing Data-->
    Software licensing service version: 6.1.7601.17514

    Name: Windows(R) 7, Professional edition
    Description: Windows Operating System - Windows(R) 7, OEM_SLP channel
    Activation ID: 50e329f7-a5fa-46b2-85fd-f224e5da7764
    Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
    Extended PID: 00371-00178-926-700524-02-1033-7601.0000-0972016
    Installation ID: 000915419461332891406966310235871356177140874326438110
    Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
    Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
    Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
    Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
    Partial Product Key: 733WD
    License Status: Licensed
    Remaining Windows rearm count: 1
    Trusted time: 5/17/2018 2:02:23 PM

    Windows Activation Technologies-->
    HrOffline: 0x8004FE21
    HrOnline: N/A
    HealthStatus: 0x0000000000000200
    Event Time Stamp: 5:16:2018 07:46
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Registered, Version: 7.1.7600.16395
    HealthStatus Bitmask Output:
    Tampered File: %systemroot%\system32\slcext.dll|slcext.dll.mui


    HWID Data-->
    HWID Hash Current: LgAAAAEAAAABAAEAAQACAAAAAgABAAEAHKLgArQU5IpuR/LwFjjqa2609nj0Ug==

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes
    Windows marker version: 0x20001
    OEMID and OEMTableID Consistent: yes
    BIOS Information:
      ACPI Table Name OEMID Value OEMTableID Value
      APIC   DELL    CBX3  
      FACP   DELL    CBX3  
      DBGP   INTEL   
      HPET   DELL    CBX3  
      BOOT   DELL    CBX3   
      MCFG   DELL    CBX3  
      FPDT   DELL    CBX3  
      FIDT   DELL    CBX3  
      SSDT   SataRe  SataTabl
      LPIT   INTEL   SKL
      SSDT   SataRe  SataTabl
      SSDT   SataRe  SataTabl
      SSDT   SataRe  SataTabl
      SSDT   SataRe  SataTabl
      SSDT   SataRe  SataTabl
      DBG2   INTEL   
      SSDT   SataRe  SataTabl
      SSDT   SataRe  SataTabl
      UEFI     
      SSDT   SataRe  SataTabl
      MSDM   DELL    CBX3  
      SLIC   DELL    CBX3  
      DMAR   INTEL   SKL
      ASF!   INTEL    HCG

    this is a genuine copy of windows and has been running fine until yesterday.

    thanks,

    Thursday, May 17, 2018 6:09 PM

Answers

  • I've uploaded a file - gb7aa.zip - to my OneDrive at http://1drv.ms/1Tts1dZ

    Please download and save it.

    Right-click on the saved file and select Extract all...

    Change the target to C:\ and click on Extract

    Close all windows (it would be a good idea to print these instructions!)

    Now reboot to the Repair Environment - as soon as the machine restarts, start tapping F8

    - this should bring up the Advanced Boot Menu, at the top of which should be the option 'Repair my Computer'

    Pick that

    You'll have to log in with your username and password.

    Pick the option to use a Command Prompt

    At the prompt type

    DIR C:\gb7aa

    hit the enter key - if you get a 'Not Found' error try

    DIR D:\gb7aa

    or

    DIR E:\gb7aa

    The drive letter in use when you find the folder will need to be substituted (for<drive>) into the following command...

    XCOPY <drive>:\gb7aa <drive>:\windows\winsxs /y /i /s /v /h

    (e.g. XCOPY P:\wfire P:\windows\winsxs /y /i /s /v /h )

    run the command (it should take almost no time) and when the prompt returns, type

    EXIT

    and hit the Enter key to exit Command Prompt - reboot to Normal Mode Windows.

    Now run SFC /SCANNOW in an Elevated Command Prompt

    then reboot and upload the new CBS.log file to your fileshare and post the link

    Reboot, and run MGADiag again, and post the new report.


    Noel Paton | Nil Carborundum Illegitemi
    CrashFixPC | The Three-toed Sloth
    No - I do not work for Microsoft, or any of its contractors.

    Tuesday, June 12, 2018 4:13 PM
    Moderator

All replies

  • Tampered File: %systemroot%\system32\slcext.dll|slcext.dll.mui

    ...looks like you have some corruption somewhere! :(

    Please run a full CHKDSK and SFC scan....

    Click on Start > All Programs > Accessories

    Right-click on the Command Prompt entry

    Select Run as Administrator and accept the UAC prompt - the Elevated Command Prompt window should pop up.

    At the Command prompt, type

     CHKDSK C: /R

    and hit the Enter key.

    You will be told that the drive is locked, and the CHKDSK will run at the next boot - hit the Y key, and then reboot.

    The CHKDSK will take a few hours depending on the size  of the drive, so be patient!

     After the CHKDSK has run, Windows should boot normally  (possibly after a second auto-reboot) - then run the SFC.

    SFC -System File Checker - Instructions

    Click on Start > All Programs > Accessories

    Right-click on the Command Prompt entry

    Select Run as Administrator and accept the UAC prompt - the Elevated Command Prompt window should pop up.

    At the Command prompt, type

    SFC /SCANNOW

    and hit the Enter key

    Wait for the scan to finish - make a note of any error messages - and then reboot.

    Upload the CBS.log file (compressed, please!) to your OneDrive or DropBox Public folder, and post a link - also post a new MGADiag report.


    Noel Paton | Nil Carborundum Illegitemi
    CrashFixPC | The Three-toed Sloth
    No - I do not work for Microsoft, or any of its contractors.

    Monday, May 28, 2018 10:23 AM
    Moderator
  • Sorry for the delay.  <o:p></o:p>

    After the SFC scan I got the same message as before, “Beginning system scan  -  then Beginning system verification phase of system scan.<o:p></o:p>

    Windows resource protection found corrupt files but was unable to fix some of them.   Here is the CBS.log and the MGADiag report.<o:p></o:p>

    https://pcsinfo1-my.sharepoint.com/:u:/g/personal/gbirk_pcsinfo_com/EfIoHe-HqoJIoVPE8upPlwwBWXHFrlYhXrkRLLiUPs0Rkw?e=yC5ZEl

    thanks for any help.  

    Friday, June 1, 2018 7:22 PM
  • Here's the cause of your problem....

    2018-06-01 13:53:37, Info                  CSI    0000037c [SR] Repairing 1 components
    2018-06-01 13:53:37, Info                  CSI    0000037d [SR] Beginning Verify and Repair transaction
    2018-06-01 13:53:37, Info                  CSI    0000037e Hashes for file member \SystemRoot\WinSxS\x86_microsoft-windows-security-spp-clientext_31bf3856ad364e35_6.1.7600.16385_none_cc9d4bf812728aae\slcext.dll do not match actual file [l:20{10}]"slcext.dll" :
      Found: {l:32 b:gO5QDvcFYWAUwpHqE44VMYlRUzN8MC0uZcZuddXjY5I=} Expected: {l:32 b:BWDQ8D/37fOZpP52bSPFo987YRZ35OaKCW94r5tttfY=}
    2018-06-01 13:53:37, Info                  CSI    0000037f [SR] Cannot repair member file [l:20{10}]"slcext.dll" of Microsoft-Windows-Security-SPP-ClientExt, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
    2018-06-01 13:53:37, Info                  CSI    00000380 Hashes for file member \SystemRoot\WinSxS\x86_microsoft-windows-security-spp-clientext_31bf3856ad364e35_6.1.7600.16385_none_cc9d4bf812728aae\slcext.dll do not match actual file [l:20{10}]"slcext.dll" :
      Found: {l:32 b:gO5QDvcFYWAUwpHqE44VMYlRUzN8MC0uZcZuddXjY5I=} Expected: {l:32 b:BWDQ8D/37fOZpP52bSPFo987YRZ35OaKCW94r5tttfY=}
    2018-06-01 13:53:37, Info                  CSI    00000381 [SR] Cannot repair member file [l:20{10}]"slcext.dll" of Microsoft-Windows-Security-SPP-ClientExt, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
    2018-06-01 13:53:37, Info                  CSI    00000382 [SR] This component was referenced by [l:202{101}]"Microsoft-Windows-Foundation-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.WindowsFoundationDelivery"
    2018-06-01 13:53:37, Info                  CSI    00000383 Hashes for file member \??\C:\Windows\SysWOW64\slcext.dll do not match actual file [l:20{10}]"slcext.dll" :
      Found: {l:32 b:gO5QDvcFYWAUwpHqE44VMYlRUzN8MC0uZcZuddXjY5I=} Expected: {l:32 b:BWDQ8D/37fOZpP52bSPFo987YRZ35OaKCW94r5tttfY=}
    2018-06-01 13:53:37, Info                  CSI    00000384 Hashes for file member \SystemRoot\WinSxS\x86_microsoft-windows-security-spp-clientext_31bf3856ad364e35_6.1.7600.16385_none_cc9d4bf812728aae\slcext.dll do not match actual file [l:20{10}]"slcext.dll" :
      Found: {l:32 b:gO5QDvcFYWAUwpHqE44VMYlRUzN8MC0uZcZuddXjY5I=} Expected: {l:32 b:BWDQ8D/37fOZpP52bSPFo987YRZ35OaKCW94r5tttfY=}
    2018-06-01 13:53:37, Info                  CSI    00000385 [SR] Could not reproject corrupted file [ml:48{24},l:46{23}]"\??\C:\Windows\SysWOW64"\[l:20{10}]"slcext.dll"; source file in store is also corrupted
    2018-06-01 13:53:37, Info                  CSI    00000386 Repair results created:
    
    (as you see from my post to your Community thread!)

    It's difficult to imagine where this type of corruption comes from, without trawling through the whole Windows file list to see if something got renamed :(

    Both the System32 and SYSWOW64 copies and the WinSXS backups have been replaced by a false copy.

    We need to get the proper copy back into the system somehow - which usually means either

    1) taking possession of the winsxs copy, changing permissions, replacing that with a good one, then changing permissions and ownership back, and then running SFC again - or...

    2) putting a copy of the file into an easily accessible place (for Command-line access), then booting to Command-Line Safe Mode, replacing the Winsxs copies, rebooting to normal mode and running SFC again.

    I'd prefer knowing what caused the problem in the first place, but if you let me know your preferred option from the ones above (mine is option 2), I'll post instructions and the file.


    Noel Paton | Nil Carborundum Illegitemi
    CrashFixPC | The Three-toed Sloth
    No - I do not work for Microsoft, or any of its contractors.

    Wednesday, June 6, 2018 4:37 PM
    Moderator
  • I'm not sure how it happened,  I was told 2 days later and did not see any new programs installed, just updates.   Thanks for looking at this,  I would like to see if i can get it fixed so option 2 will work for me,  I would appreciate instructions,   Thanks again for taking the time to look at this.
    Wednesday, June 6, 2018 4:57 PM
  • i would prefer option two,  if you could post instructions and the file i would appreciate it.  thanks
    Tuesday, June 12, 2018 1:04 PM
  • Sorry - I don't seem to be getting notifications! :(

    I'll get back to you asap with the instructions.


    Noel Paton | Nil Carborundum Illegitemi
    CrashFixPC | The Three-toed Sloth
    No - I do not work for Microsoft, or any of its contractors.

    Tuesday, June 12, 2018 3:13 PM
    Moderator
  • I've uploaded a file - gb7aa.zip - to my OneDrive at http://1drv.ms/1Tts1dZ

    Please download and save it.

    Right-click on the saved file and select Extract all...

    Change the target to C:\ and click on Extract

    Close all windows (it would be a good idea to print these instructions!)

    Now reboot to the Repair Environment - as soon as the machine restarts, start tapping F8

    - this should bring up the Advanced Boot Menu, at the top of which should be the option 'Repair my Computer'

    Pick that

    You'll have to log in with your username and password.

    Pick the option to use a Command Prompt

    At the prompt type

    DIR C:\gb7aa

    hit the enter key - if you get a 'Not Found' error try

    DIR D:\gb7aa

    or

    DIR E:\gb7aa

    The drive letter in use when you find the folder will need to be substituted (for<drive>) into the following command...

    XCOPY <drive>:\gb7aa <drive>:\windows\winsxs /y /i /s /v /h

    (e.g. XCOPY P:\wfire P:\windows\winsxs /y /i /s /v /h )

    run the command (it should take almost no time) and when the prompt returns, type

    EXIT

    and hit the Enter key to exit Command Prompt - reboot to Normal Mode Windows.

    Now run SFC /SCANNOW in an Elevated Command Prompt

    then reboot and upload the new CBS.log file to your fileshare and post the link

    Reboot, and run MGADiag again, and post the new report.


    Noel Paton | Nil Carborundum Illegitemi
    CrashFixPC | The Three-toed Sloth
    No - I do not work for Microsoft, or any of its contractors.

    Tuesday, June 12, 2018 4:13 PM
    Moderator