Hello, this morning I got the popup message above. I see this is a common class of problems, and I'm posting my diagnostic log in the hope you can give me some specific advice based on its contents.
Diagnostic Report (1.9.0006.1):
-----------------------------------------
WGA Data-->
Validation Status: Invalid License
Validation Code: 50
Online Validation Code: 0xc004d401
Cached Validation Code: N/A, hr = 0xc004d401
Windows Product Key: *****-*****-QHJ4Y-RGRR4-P26FG
Windows Product Key Hash: AyfIbFTGS5Slevi1mVBQHAbHems=
Windows Product ID: 89578-OEM-7359792-15345
Windows Product ID Type: 3
Windows License Type: OEM System Builder
Windows OS version: 6.0.6001.2.00010300.1.0.003
ID: {10966FD6-83CA-438A-81C3-7DB7276AE7F8}(1)
Is Admin: Yes
TestCab: 0x0
WGA Version: Registered, 1.7.69.2
Signed By: Microsoft
Product Name: Windows Vista (TM) Home Premium
Architecture: 0x00000000
Build lab: 6001.vistasp1_gdr.080917-1612
TTS Error: M:20090416070404232-
Validation Diagnostic:
Resolution Status: N/A

OGA Data-->
Office Status: 100 Genuine
Microsoft Office Professional 2007 - 100 Genuine
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Win32)
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes, but no SLIC table
Windows marker version: N/A
OEMID and OEMTableID Consistent: N/A
BIOS Information:
ACPI Table Name   OEMID Value   OEMTableID Value
APIC              A_M_I_        OEMAPIC
FACP              A_M_I_        OEMFACP
HPET              A_M_I_        OEMHPET
MCFG              A_M_I_        OEMMCFG
OEMB              A_M_I_        AMI_OEM
OSFR              A_M_I_        OEMOSFR
I had a similar problem 3 weeks ago after a Windows Update reboot, but that time I was locked inside a black Windows prison, with only my web browser to cry for help. ("Windows has discovered a change that will result in limited Windows functionality. Use the link below to find out how to fix Windows"). On that occasion a reboot saved me. As I have a currently working computer at present (apart from the error message) I haven't yet tried rebooting today. (I have tried revalidating, but that fails).
I don't have any of the sort of software mentioned here:
http://support.microsoft.com/kb/931276/en-us
(as far as I know, but I am just about to uninstall Avira AntiVir Personal, in case that is the culprit. I'm also running the OneCare safety scanner beta in case that helps, but it's still running its checks as I write this).
From your first and third Diagnostic Report, I can tell that the issue is an 'In Memory' Mod-Auth Tamper.
A Mod-Auth is when a protected system file is modified in some way. In reality, there are actually two types of Mod-Auth...'In Memory' and 'On Disk'
~An On Disk Mod-Auth is when a protected system file, itself, is modified on the hard drive. It can be caused by anything that can normally change/modify/corrupt a file (i.e. Malware, random corruption, bad hard disk sectors, complete or partial hard drive failure, human manipulation...so on) I can identify an On Disk Mod-Auth by there being a file (that had been modified) listed under the "File Scan Data" line in the Diagnostic Report. (None of your reports show any file)
~An In Memory Mod-Auth is when a file, that is running in system memory, is actively being modified. The only thing that can actively modify a file in System Memory is a running program. The program that is doing the modifying can only be either Incompatible with Vista or some sort of Malware. I can identify an In Memory Mod-Auth by the error code 0xc004d401, as shown on the 3rd line of your first Diagnostic Report and the fact that there are no files listed under the "File Scan Data" line.
For an Incompatible Program (or malware) to cause the Tamper Event, they have to be running. The fact that your second Diagnostic Report shows Genuine without any error codes tells me that the specific Incompatible Program (or malware) that is causing your problem is not a "Run At Startup" type program (such as Anti-Virus programs, Firewall programs and most Malware). Most likely the program is a User Launched program and when you ran the second Diagnostic Report, you hadn't launched (or had just shut down) the bad program.
Unfortunately, we (support) have no way (or tools) that can tell us what program is causing the problem. But knowing the above information should help you in identifying the offending program.
If you are unable to identify any program, you will then need to look at a possible Malware infection.
Thank you, Darin MS
Attention All Forum Users: Please Do Not post your issue in someone else's Thread...Create your own.
If any post fixes your issue, please vote the post as Helpful. This will help us showcase the threads that best help our customers.
Marked as answer by Darin Smith MS, Thursday, April 16, 2009 9:35 PM
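The triage rule described in the answer above, written out as an added example that is not part of the original thread or any Microsoft tool. The function names, the `File Scan Data-->` header layout and the placeholder file line are assumptions; the sample reports are constructed and abbreviated.

```python
import re

TAMPER_CODE = 0xC004D401  # code the answer ties to an In Memory Mod-Auth

# Constructed, abbreviated reports. The "File Scan Data-->" header layout and
# the placeholder file line are assumptions; the codes come from the thread.
IN_MEMORY = """WGA Data-->
Validation Status: Invalid License
Online Validation Code: 0xc004d401
File Scan Data-->
"""
ON_DISK = r"""WGA Data-->
Validation Status: Invalid License
File Scan Data-->
File Mismatch: C:\Windows\system32\placeholder-example.dll
"""
GENUINE = """WGA Data-->
Validation Status: Genuine
Online Validation Code: 0x0
File Scan Data-->
"""

def parse_report(text):
    """Return ('Key: value' fields, lines listed under File Scan Data)."""
    fields, scanned, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:      # blank line or dashed rule
            continue
        if line.endswith("-->"):                # section header
            section = line[:-3].strip()
        elif section == "File Scan Data":
            if line.upper() != "N/A":
                scanned.append(line)
        else:
            key, sep, value = line.partition(":")
            if sep:
                fields.setdefault(key.strip(), value.strip())
    return fields, scanned

def classify(text):
    """Apply the answer's rule: listed files mean On Disk; 0xc004d401 with none means In Memory."""
    fields, scanned = parse_report(text)
    m = re.match(r"0x[0-9a-fA-F]+", fields.get("Online Validation Code", ""))
    code = int(m.group(), 16) if m else None
    if scanned:
        return "on-disk mod-auth"
    if code == TAMPER_CODE:
        return "in-memory mod-auth"
    return "genuine" if fields.get("Validation Status") == "Genuine" and code == 0 else "other"
```

Running `classify` over reports taken at different times (before and after launching a given program) is how the intermittent pattern described in the answer would show up.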
Hmm. Some odd behaviour. I've done a System Restore, and disabled all non-Microsoft services, start up programs, and scheduled Tasks. I haven't noticed anything suspicious in the Task Manager. I run the diagnostic tool, it reports as Genuine, and then immediately I get the Unauthorised Change dialog box. If I then run the diagnostic tool again, I get a failure, including two more appearances from the popup. Here are my logs:
Diagnostic Report (1.9.0006.1):
-----------------------------------------
WGA Data-->
Validation Status: Genuine
Validation Code: 0
Online Validation Code: 0x0
Cached Validation Code: 0x0
Windows Product Key: *****-*****-QHJ4Y-RGRR4-P26FG
Windows Product Key Hash: AyfIbFTGS5Slevi1mVBQHAbHems=
Windows Product ID: 89578-OEM-7359792-15345
Windows Product ID Type: 3
Windows License Type: OEM System Builder
Windows OS version: 6.0.6001.2.00010300.1.0.003
ID: {10966FD6-83CA-438A-81C3-7DB7276AE7F8}(3)
Is Admin: Yes
TestCab: 0x0
WGA Version: Registered, 1.7.69.2
Signed By: Microsoft
Product Name: Windows Vista (TM) Home Premium
Architecture: 0x00000000
Build lab: 6001.vistasp1_gdr.080917-1612
TTS Error: M:20090416153152969-
Validation Diagnostic:
Resolution Status: N/A

OGA Data-->
Office Status: 100 Genuine
Microsoft Office Professional 2007 - 100 Genuine
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Win32)
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

OGA Data-->
Office Status: 100 Genuine
Microsoft Office Professional 2007 - 100 Genuine
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Win32)
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed
I booted into Safe Mode, ran the diagnostic tool: Genuine
Then booting back into normal mode, it seemed to be OK, and I re-ran Validation just to be sure, and it is still OK.
Whether it continues working, we'll see...
I'd still welcome any advice Darin can give based on my diagnostic log, in case the problem re-occurs once I'm back up and running with my regular programs. I should note that Validation was failing with, as far as I could tell, only Microsoft programs running.
Thanks Darin, Much appreciated. This forum has been an invaluable source of information. I called MS directly, and somebody from MS phone support spent several hours remotely fiddling with my computer to little effect (and unfortunately without much of a willingness to consult these pages himself, even when prompted), but after a good read of your advice on here, and some experimentation, I seem to have been able to have brought things to a successful conclusion myself. Without the relatively comprehensive information you've supplied here that would have been impossible, so thanks again.
It's odd, because I seemed to have got it into a state where the Tamper Event seemed to be triggered by the diagnostic tool itself, right after it finished reporting the state as Genuine. I wasn't running any additional programs. Why booting into Safe Mode, validating successfully there, and then running exactly the same programs in exactly the same way in normal mode then failed to generate a Tamper Event, I think may have to stay a mystery for now.
Thank you, I'm glad we could be a resource for you. I hope you don't mind, but I forwarded your Feedback, about the forums, up my chain of command.
If there is anything you think I can help you with, please don't hesitate to contact me. I can't guarantee I'll have the answer, but I will try.
Be well Graham, Darin