An unauthorized change was made to Windows

  • Question

  • Hello, this morning I got the popup message above. I see this is a common class of problems, and I'm posting my diagnostic log in the hope you can give me some specific advice based on its contents.

    Diagnostic Report (1.9.0006.1):
    -----------------------------------------
    WGA Data-->
    Validation Status: Invalid License
    Validation Code: 50
    Online Validation Code: 0xc004d401
    Cached Validation Code: N/A, hr = 0xc004d401
    Windows Product Key: *****-*****-QHJ4Y-RGRR4-P26FG
    Windows Product Key Hash: AyfIbFTGS5Slevi1mVBQHAbHems=
    Windows Product ID: 89578-OEM-7359792-15345
    Windows Product ID Type: 3
    Windows License Type: OEM System Builder
    Windows OS version: 6.0.6001.2.00010300.1.0.003
    ID: {10966FD6-83CA-438A-81C3-7DB7276AE7F8}(1)
    Is Admin: Yes
    TestCab: 0x0
    WGA Version: Registered, 1.7.69.2
    Signed By: Microsoft
    Product Name: Windows Vista (TM) Home Premium
    Architecture: 0x00000000
    Build lab: 6001.vistasp1_gdr.080917-1612
    TTS Error: M:20090416070404232-
    Validation Diagnostic:
    Resolution Status: N/A

    WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: 6.0.6002.16398

    WGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    WGATray.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 100 Genuine
    Microsoft Office Professional 2007 - 100 Genuine
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Win32)
    Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{10966FD6-83CA-438A-81C3-7DB7276AE7F8}</UGUID><Version>1.9.0006.1</Version><OS>6.0.6001.2.00010300.1.0.003</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-P26FG</PKey><PID>89578-OEM-7359792-15345</PID><PIDType>3</PIDType><SID>S-1-5-21-3730839758-1625785226-1738333337</SID><SYSTEM><Manufacturer>System manufacturer</Manufacturer><Model>P5K Premium</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>0612   </Version><SMBIOSVersion major="2" minor="4"/><Date>20080319000000.000000+000</Date></BIOS><HWID>FA333507018400F8</HWID><UserLCID>0809</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>GMT Standard Time(GMT+00:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{90120000-0014-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Professional 2007</Name><Ver>12</Ver><Val>43396B22F1CCEBC</Val><Hash>+GBaJs3nHNWs9YDPb2XtlyGO4bc=</Hash><Pid>89392-862-4229486-65538</Pid><PidType>8</PidType></Product></Products><Applications><App Id="15" Version="12" Result="100"/><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="19" Version="12" Result="100"/><App Id="1A" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/></Applications></Office></Software></GenuineResults> 

    Spsys.log Content:

    Licensing Data-->
    C:\Windows\system32\slmgr.vbs(1634, 5) (null): 0xC004D401

    HWID Data-->
    HWID Hash Current: PgAAAAEABgABAAEAAQACAAAABAABAAEA6GFKFmSyCoAA+AKliP1k/giFPBhwFvL0GuyioSabBtqsViH/Rso=

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes, but no SLIC table
    Windows marker version: N/A
    OEMID and OEMTableID Consistent: N/A
    BIOS Information:
      ACPI Table Name    OEMID Value    OEMTableID Value
      APIC            A_M_I_        OEMAPIC
      FACP            A_M_I_        OEMFACP
      HPET            A_M_I_        OEMHPET
      MCFG            A_M_I_        OEMMCFG
      OEMB            A_M_I_        AMI_OEM
      OSFR            A_M_I_        OEMOSFR


    I had a similar problem 3 weeks ago after a Windows Update reboot, but that time I was locked inside a black Windows prison, with only my web browser to cry for help. ("Windows has discovered a change that will result in limited Windows functionality. Use the link below to find out how to fix Windows"). On that occasion a reboot saved me. As I have a currently working computer at present (apart from the error message) I haven't yet tried rebooting today. (I have tried revalidating, but that fails).

    I don't have any of the sort of software mentioned here:

    http://support.microsoft.com/kb/931276/en-us

    (as far as I know, but I am just about to uninstall Avira AntiVir Personal, in case that is the culprit. I'm also running the OneCare safety scanner beta in case that helps, but it's still running its checks as I write this).

    Thanks in advance for any help.

    Regards,
    Graham


    Thursday, April 16, 2009 10:35 AM

Answers

  • Hi Graham_S,

    From your first and third Diagnostic Report, I can tell that the issue is an 'In Memory' Mod-Auth Tamper.

    A Mod-Auth is when a protected system file is modified in some way. In reality, there are actually two types of Mod-Auth: 'In Memory' and 'On Disk'.

    ~An On Disk Mod-Auth is when a protected system file, itself, is modified on the hard drive.
    It can be caused by anything that can normally change/modify/corrupt a file (i.e. Malware, random corruption, bad hard disk sectors, complete or partial hard drive failure, human manipulation, and so on).
    I can identify an On Disk Mod-Auth by there being a file (that had been modified) listed under the "File Scan Data" line in the Diagnostic Report. (None of your reports show any file.)

    ~An In Memory Mod-Auth is when a file, that is running in system memory, is actively being modified.
    The only thing that can actively modify a file in System Memory is a running program. The program that is doing the modifying can only be either Incompatible with Vista or some sort of Malware.
    I can identify an In Memory Mod-Auth by the error code 0xc004d401, as shown on the 3rd line of your first Diagnostic Report, and the fact that there are no files listed under the "File Scan Data" line.

    For an Incompatible Program (or malware) to cause the Tamper Event, they have to be running. The fact that your second Diagnostic Report shows Genuine without any error codes tells me that the specific Incompatible Program (or malware) that is causing your problem is not a "Run At Startup" type program (such as Anti-Virus programs, Firewall programs and most Malware). Most likely the program is a User Launched program, and when you ran the second Diagnostic Report you hadn't launched (or had just shut down) the bad program.

    Unfortunately, we (support) have no way (or tools) that can tell us what program is causing the problem. But knowing the above information should help you in identifying the offending program.

    If you are unable to identify any program, you will then need to look at a possible Malware infection.

    Thank you,
    Darin MS
    Attention All Forum Users: Please Do Not post your issue in someone else's Thread...Create your own. If any post fixes your issue, please vote the post as Helpful. This will help us showcase the threads that best help our customers.
    Thursday, April 16, 2009 9:34 PM
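A small triage script that encodes the rule Darin gives above (an added example, not Microsoft's tool or anything posted in this thread): it parses the Key: Value sections of a Diagnostic Report, reads the validation HRESULT, and sorts the report into genuine, in-memory Mod-Auth or on-disk Mod-Auth. The abridged sample reports reuse values posted in this thread; the on-disk sample and its "File Mismatch" line are constructed for illustration.

```python
"""Triage helper for MGADiag-style Diagnostic Reports (added example, not Microsoft's tool).
Rule of thumb from the answer: a file under "File Scan Data-->" = on-disk Mod-Auth; 0xc004d401
with nothing listed there = in-memory Mod-Auth; Validation Status Genuine with code 0x0 = clean."""
import re

IN_MEMORY_TAMPER = 0xC004D401  # the code the answer ties to an in-memory Mod-Auth


def parse_report(text):
    # {section: {key: value}}; "File Scan Data" is kept as a list of raw lines, since any line there matters
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("---", "Diagnostic Report")):
            continue
        if line.endswith("-->"):  # section header such as "WGA Data-->"
            current = line[:-3].strip()
            sections[current] = [] if current == "File Scan Data" else {}
        elif isinstance(sections.get(current), list):
            sections[current].append(line)
        elif current and ":" in line:
            key, _, value = line.partition(":")  # split on the first colon only; values may contain ':'
            sections[current][key.strip()] = value.strip()
    return sections


def validation_code(sections):
    # Numeric validation HRESULT from WGA Data; also reads the "N/A, hr = 0x..." form
    wga = sections.get("WGA Data", {})
    for field in ("Online Validation Code", "Cached Validation Code"):
        m = re.search(r"0x[0-9A-Fa-f]+", wga.get(field, ""))
        if m:
            return int(m.group(0), 16)
    return None


def classify(text):
    # Returns (label, reason); the on-disk check runs first because a listed file is the stronger signal
    sections = parse_report(text)
    status = sections.get("WGA Data", {}).get("Validation Status", "")
    scanned = sections.get("File Scan Data", [])
    code = validation_code(sections)
    if scanned:
        return "on-disk", "modified file(s) under File Scan Data: " + "; ".join(scanned)
    if code == IN_MEMORY_TAMPER:
        return "in-memory", "0xc004d401 and nothing under File Scan Data"
    if status.startswith("Genuine") and code == 0:
        return "genuine", "Validation Status Genuine, code 0x0"
    return "unclassified", "status %r, code %s" % (status, hex(code) if code is not None else "none")


# Abridged from the first (failing) report in the thread; the Genuine variant mirrors the values of
# the second report. The on-disk report is constructed, since none of Graham's reports show one.
REPORT_INVALID = """Diagnostic Report (1.9.0006.1):
WGA Data-->
Validation Status: Invalid License
Validation Code: 50
Online Validation Code: 0xc004d401
Cached Validation Code: N/A, hr = 0xc004d401
File Scan Data-->

Licensing Data-->
C:\\Windows\\system32\\slmgr.vbs(1634, 5) (null): 0xC004D401
"""
REPORT_GENUINE = REPORT_INVALID  # becomes: Genuine, Validation Code 0, online and cached 0x0
for old, new in (("Invalid License", "Genuine"), ("Code: 50", "Code: 0"),
                 ("0xc004d401", "0x0"), ("N/A, hr = ", "")):
    REPORT_GENUINE = REPORT_GENUINE.replace(old, new)
REPORT_ON_DISK = REPORT_INVALID.replace("File Scan Data-->\n",  # constructed line, not from the page
                                        "File Scan Data-->\nFile Mismatch: C:\\Windows\\system32\\example.dll\n")
```

Paste a whole report into classify(); sections the triage does not need (Browser Data, OEM Activation, Other data) are parsed but ignored.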

All replies

  • Hmm. Some odd behaviour. I've done a System Restore, and disabled all non-Microsoft services, start up programs, and scheduled Tasks. I haven't noticed anything suspicious in the Task Manager. I run the diagnostic tool, it reports as Genuine, and then immediately I get the Unauthorised Change dialog box. If I then run the diagnostic tool again, I get a failure, including two more appearances from the popup. Here are my logs:

    Diagnostic Report (1.9.0006.1):
    -----------------------------------------
    WGA Data-->
    Validation Status: Genuine
    Validation Code: 0
    Online Validation Code: 0x0
    Cached Validation Code: 0x0
    Windows Product Key: *****-*****-QHJ4Y-RGRR4-P26FG
    Windows Product Key Hash: AyfIbFTGS5Slevi1mVBQHAbHems=
    Windows Product ID: 89578-OEM-7359792-15345
    Windows Product ID Type: 3
    Windows License Type: OEM System Builder
    Windows OS version: 6.0.6001.2.00010300.1.0.003
    ID: {10966FD6-83CA-438A-81C3-7DB7276AE7F8}(3)
    Is Admin: Yes
    TestCab: 0x0
    WGA Version: Registered, 1.7.69.2
    Signed By: Microsoft
    Product Name: Windows Vista (TM) Home Premium
    Architecture: 0x00000000
    Build lab: 6001.vistasp1_gdr.080917-1612
    TTS Error: M:20090416153152969-
    Validation Diagnostic:
    Resolution Status: N/A

    WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: 6.0.6002.16398

    WGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    WGATray.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 100 Genuine
    Microsoft Office Professional 2007 - 100 Genuine
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Win32)
    Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{10966FD6-83CA-438A-81C3-7DB7276AE7F8}</UGUID><Version>1.9.0006.1</Version><OS>6.0.6001.2.00010300.1.0.003</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-P26FG</PKey><PID>89578-OEM-7359792-15345</PID><PIDType>3</PIDType><SID>S-1-5-21-3730839758-1625785226-1738333337</SID><SYSTEM><Manufacturer>System manufacturer</Manufacturer><Model>P5K Premium</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>0612   </Version><SMBIOSVersion major="2" minor="4"/><Date>20080319000000.000000+000</Date></BIOS><HWID>FA333507018400F8</HWID><UserLCID>0809</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>GMT Standard Time(GMT+00:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{90120000-0014-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Professional 2007</Name><Ver>12</Ver><Val>43396B22F1CCEBC</Val><Hash>+GBaJs3nHNWs9YDPb2XtlyGO4bc=</Hash><Pid>89392-862-4229486-65538</Pid><PidType>8</PidType></Product></Products><Applications><App Id="15" Version="12" Result="100"/><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="19" Version="12" Result="100"/><App Id="1A" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/></Applications></Office></Software></GenuineResults> 

    Spsys.log Content:

    Licensing Data-->
    C:\Windows\system32\slmgr.vbs(1648, 9) (null): 0xC004D401

    HWID Data-->
    HWID Hash Current: PgAAAAEABgABAAEAAQACAAAABAABAAEA6GFKFmSyCoAA+AKliP1k/giFPBhwFvL0GuyioSabBtqsViH/Rso=

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes, but no SLIC table
    Windows marker version: N/A
    OEMID and OEMTableID Consistent: N/A
    BIOS Information:
      ACPI Table Name    OEMID Value    OEMTableID Value
      APIC            A_M_I_        OEMAPIC
      FACP            A_M_I_        OEMFACP
      HPET            A_M_I_        OEMHPET
      MCFG            A_M_I_        OEMMCFG
      OEMB            A_M_I_        AMI_OEM
      OSFR            A_M_I_        OEMOSFR
    Diagnostic Report (1.9.0006.1):
    -----------------------------------------
    WGA Data-->
    Validation Status: Invalid License
    Validation Code: 50
    Online Validation Code: 0xc004d401
    Cached Validation Code: N/A, hr = 0xc004d401
    Windows Product Key: *****-*****-QHJ4Y-RGRR4-P26FG
    Windows Product Key Hash: AyfIbFTGS5Slevi1mVBQHAbHems=
    Windows Product ID: 89578-OEM-7359792-15345
    Windows Product ID Type: 3
    Windows License Type: OEM System Builder
    Windows OS version: 6.0.6001.2.00010300.1.0.003
    ID: {10966FD6-83CA-438A-81C3-7DB7276AE7F8}(3)
    Is Admin: Yes
    TestCab: 0x0
    WGA Version: Registered, 1.7.69.2
    Signed By: Microsoft
    Product Name: Windows Vista (TM) Home Premium
    Architecture: 0x00000000
    Build lab: 6001.vistasp1_gdr.080917-1612
    TTS Error: M:20090416154747115-
    Validation Diagnostic:
    Resolution Status: N/A

    WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: 6.0.6002.16398

    WGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    WGATray.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 100 Genuine
    Microsoft Office Professional 2007 - 100 Genuine
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Win32)
    Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{10966FD6-83CA-438A-81C3-7DB7276AE7F8}</UGUID><Version>1.9.0006.1</Version><OS>6.0.6001.2.00010300.1.0.003</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-P26FG</PKey><PID>89578-OEM-7359792-15345</PID><PIDType>3</PIDType><SID>S-1-5-21-3730839758-1625785226-1738333337</SID><SYSTEM><Manufacturer>System manufacturer</Manufacturer><Model>P5K Premium</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>0612   </Version><SMBIOSVersion major="2" minor="4"/><Date>20080319000000.000000+000</Date></BIOS><HWID>FA333507018400F8</HWID><UserLCID>0809</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>GMT Standard Time(GMT+00:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{90120000-0014-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Professional 2007</Name><Ver>12</Ver><Val>43396B22F1CCEBC</Val><Hash>+GBaJs3nHNWs9YDPb2XtlyGO4bc=</Hash><Pid>89392-862-4229486-65538</Pid><PidType>8</PidType></Product></Products><Applications><App Id="15" Version="12" Result="100"/><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="19" Version="12" Result="100"/><App Id="1A" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/></Applications></Office></Software></GenuineResults> 

    Spsys.log Content:

    Licensing Data-->
    C:\Windows\system32\slmgr.vbs(1634, 5) (null): 0xC004D401

    HWID Data-->
    HWID Hash Current: PgAAAAEABgABAAEAAQACAAAABAABAAEA6GFKFmSyCoAA+AKliP1k/giFPBhwFvL0GuyioSabBtqsViH/Rso=

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes, but no SLIC table
    Windows marker version: N/A
    OEMID and OEMTableID Consistent: N/A
    BIOS Information:
      ACPI Table Name    OEMID Value    OEMTableID Value
      APIC            A_M_I_        OEMAPIC
      FACP            A_M_I_        OEMFACP
      HPET            A_M_I_        OEMHPET
      MCFG            A_M_I_        OEMMCFG
      OEMB            A_M_I_        AMI_OEM
      OSFR            A_M_I_        OEMOSFR


    Thursday, April 16, 2009 2:53 PM
  • The issue seems fixed, possibly temporarily.

    I booted into Safe Mode, ran the diagnostic tool: Genuine

    Then booting back into normal mode, it seemed to be OK, and I re-ran Validation just to be sure, and it is still OK.

    Whether it continues working, we'll see...

    I'd still welcome any advice Darin can give based on my diagnostic log, in case the problem re-occurs once I'm back up and running with my regular programs. I should note that Validation was failing with what were, as far as I could tell, only Microsoft programs running.
    Thursday, April 16, 2009 4:07 PM
  • Thanks Darin,
    Much appreciated. This forum has been an invaluable source of information. I called MS directly, and somebody from MS phone support spent several hours remotely fiddling with my computer to little effect (and unfortunately without much of a willingness to consult these pages himself, even when prompted), but after a good read of your advice on here, and some experimentation, I seem to have been able to bring things to a successful conclusion myself. Without the relatively comprehensive information you've supplied here that would have been impossible, so thanks again.

    It's odd, because I seemed to have got it into a state where the Tamper Event seemed to be triggered by the diagnostic tool itself, right after it finished reporting the state as Genuine. I wasn't running any additional programs. Why booting into Safe Mode, validating successfully there, and then running exactly the same programs in exactly the same way in normal mode then failed to generate a Tamper Event, I think may have to stay a mystery for now.

    Regards,
    Graham
    Thursday, April 16, 2009 10:26 PM
  • Hi Graham,

    Thank you, I'm glad we could be a resource for you. I hope you don't mind, but I forwarded your Feedback, about the forums, up my chain of command.

    If there is anything you think I can help you with, please don't hesitate to contact me. I can't guarantee I'll have the answer, but I will try.

    Be well Graham,
    Darin
    Friday, April 17, 2009 8:11 PM