What I had to do to fix a 'Mod-Auth' Tamper state

  • Question

  • I have an HP laptop that came with an OEM installation of Vista Home Premium, and have been using it for the past year without incident.

    However, some trouble started yesterday after trying to remove some malware, when I got a message from ‘lass.exe’ that the system needed to be restarted immediately. After logging in after reboot, I was greeted with a WGA message telling me to enter my product key. The product key printed on the bottom of my laptop didn’t work, and I clicked to validate my Vista copy as genuine.

    To my surprise, the WGA site responded that my copy was not genuine. The WGA validation site’s error code, the popup messages from WGA and the results from ‘MGADiag.exe’ all indicated the product was no longer activated because it had been tampered with.

    I rebooted into Safe-Mode and checked the ‘Applications and Services Logs/Microsoft/Windows/CodeIntegrity’ log in the event viewer and found a few errors.

    “Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.”

    I tried to restore to the last good restore point.

    After that failed, I located all the other copies of ‘tcpip.sys’ that were on my system.

    1. C:\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.18000_none_b31e1252666640f6\tcpip.sys

    2. C:\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.18063_none_b2e033a8669434a1\tcpip.sys

    3. C:\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22167_none_b36dd19b7fae39c7\tcpip.sys

    4. C:\Windows\winsxs\x86_microsoft-windows-tcpip_31bf3856ad364e35_6.0.6000.16386_none_5f4ed3e0926e99e4\tcpip.sys

    5. C:\Windows\winsxs\x86_microsoft-windows-tcpip_31bf3856ad364e35_6.0.6000.16567_none_5f6577ce925d75a7\tcpip.sys

    6. C:\Windows\winsxs\x86_microsoft-windows-tcpip_31bf3856ad364e35_6.0.6000.16627_none_5f90b964923d030a\tcpip.sys

    7. C:\Windows\winsxs\x86_microsoft-windows-tcpip_31bf3856ad364e35_6.0.6000.20689_none_5fdb7555ab898001\tcpip.sys

    8. C:\Windows\winsxs\x86_microsoft-windows-tcpip_31bf3856ad364e35_6.0.6000.20752_none_5ff4e4f9ab7777f4\tcpip.sys

    I used ‘fc.exe’ to compare all of these against the version in ‘\Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys’ and found that version 6.0.6001.18063 was in use instead of 6.0.6001.22167. However, since ‘tcpip.sys’ is loaded at boot, I could not simply overwrite it with the newer version.

    Luckily, I have my system dual-booting with a functional Linux installation that has NTFS support, and was able to do this there.

    My Vista installation still wasn’t activated, but all of the 'Mod-Auth' Tamper state error messages and status codes were gone.

    I tried the product key from the bottom of my computer again; it still didn’t work. Observing that the last half of the key printed on the bottom of my computer did not match what ‘MGADiag.exe’ said it was, I searched for the sub-string that ‘MGADiag.exe’ reported as the product key and found the full HP OEM key from which that came. That worked.

    In future, instead of simply telling the user that the installation has been tampered with, WGA should tell what has been changed and should offer to download the correct file from Microsoft. Also, WGA should accept the key that is provided by the OEM to the user.

    Thanks.

    Thursday, July 17, 2008 6:22 PM
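The on-disk check the poster did by hand (finding every ‘tcpip.sys’ under WinSxS, comparing it with the live driver, reading the CodeIntegrity log) is easy to script for the next time a 'Mod-Auth' Tamper shows up. The following is an added example, not code from the thread, from Microsoft or from HP. It assumes PowerShell 4 or later for Get-FileHash (on a Vista-era shell, ‘certutil -hashfile <file> SHA256’ gives the same digest), and it assumes the Event Viewer log the poster looked at is the ‘Microsoft-Windows-CodeIntegrity/Operational’ channel. It only reports; it does not replace anything.

```powershell
# Added example (not from the thread): inventory every on-disk copy of a
# protected driver, record version / SHA-256 / Authenticode status, say which
# WinSxS copy the live driver actually matches, and list recent CodeIntegrity
# errors. Run from an elevated prompt so winsxs and the log are readable.
#Requires -Version 4

function Get-DriverCopyInventory {
    param([string]$DriverName = 'tcpip.sys')

    $live   = Join-Path $env:windir "System32\drivers\$DriverName"
    $sxs    = Join-Path $env:windir 'winsxs'
    # Every staged copy of the driver under the component store.
    $copies = Get-ChildItem -Path $sxs -Recurse -Filter $DriverName -File -ErrorAction SilentlyContinue |
              Select-Object -ExpandProperty FullName

    foreach ($path in @($live) + @($copies)) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = ''
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        [pscustomobject]@{
            Path      = $path
            Version   = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
            SHA256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            # OS binaries are catalog-signed; the catalog check needs PS 5+, so on
            # older shells NotSigned here means "cross-check with sfc /verifyonly".
            SigStatus = $sig.Status
            Signer    = $signer
            IsLive    = ($path -eq $live)
        }
    }
}

function Find-LiveDriverMatch {
    param([string]$DriverName = 'tcpip.sys')

    $inv  = @(Get-DriverCopyInventory -DriverName $DriverName)
    $live = $inv | Where-Object { $_.IsLive }
    if (-not $live) { return $null }

    # MatchingSxs: the staged copy the running driver is byte-identical to
    # (what fc.exe told the poster). Untrusted: any copy whose signature does
    # not verify, which is where a modified or corrupted file would show up.
    [pscustomobject]@{
        Live        = $live.Path
        LiveVersion = $live.Version
        MatchingSxs = @($inv | Where-Object { -not $_.IsLive -and $_.SHA256 -eq $live.SHA256 } |
                        Select-Object -ExpandProperty Path)
        Untrusted   = @($inv | Where-Object { $_.SigStatus -ne 'Valid' } |
                        Select-Object -ExpandProperty Path)
    }
}

function Get-CodeIntegrityErrors {
    param([int]$MaxEvents = 25)

    # Assumed channel name for the CodeIntegrity log seen in Event Viewer.
    Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Level -le 2 } |          # 1 = Critical, 2 = Error
        Select-Object TimeCreated, Id, Message
}

# Usage:
Get-DriverCopyInventory | Format-Table Version, SigStatus, IsLive, Path -AutoSize
Find-LiveDriverMatch    | Format-List
Get-CodeIntegrityErrors | Format-List
```

If the live driver matches none of the WinSxS copies, or its signature does not verify while the staged copies do, that is the on-disk tamper the poster describes; the CodeIntegrity events then tell you which file failed the per-page hash check, and ‘sfc /scannow’ (or the servicing stack) is the supported way to put the correct copy back.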

Answers


    Hello DramaCoder,


      I completely agree, the error messaging could be a lot better for Mod-Auth Tampers. Unfortunately, there are actually 2 kinds of Mod-Auths.


      The first kind of Mod-Auth is the 'On Disk' type that is caused by a protected Vista system file being modified, on the hard drive, for whatever reason (corruption, manual editing, virus... and so on), which is the type of Mod-Auth you had, it sounds like.

      The other kind of Mod-Auth is the 'In Memory' type that is caused by an Incompatible Program attempting to hook/shim (i.e. modify) a protected Vista system file, in system memory.

      So as you can see, your suggestion, while very good, wouldn't help the other types of Mod-Auth. But you can be sure that I am pushing for better error messaging (and/or even how Vista handles) for all Tamper scenarios. It will better help users understand the nature of the issue and maybe resolve it themselves. And if the user does need support, better messaging would also help me (and other support people) in diagnosing the issue.

    As for Vista not accepting the Product key from the sticker on your computer, it should have been accepted. But if not, I have provided the alternate steps for changing a Product Key.

    ---------------------------------------------------------------------

    (If you have access to the Start button)


    1) Click the Start button

    2) Type: slui.exe 3 and hit the Enter key

    3) Type in the Product key from the sticker on your computer

    4) Click the Next button.

    5) You will be asked if you want to Activate, click OK

    6) It will attempt to Activate by the internet and will return an Invalid Key error (this is ok, continue to step 7)

    7) Click the Start button

    8) Type: slui.exe 4 and hit the Enter key

    9) Select your location in the drop down menu and click the Next button

    10) The next screen provides the number to call to Activate by Phone

    NOTE: when you call that number, you will first hear an Automated Voice that will try to Activate Vista for you. If the Automated Voice gives you an option to talk to a Live Activation Rep, select that option. If not, do not enter any numbers. This should force the Automated Voice to transfer you to a Live Activation Rep. Trying to Activate through the Automated Voice will not work, in your case; only through the Live Activation Rep will your Activation be successful.

    Once completed, you may need to reboot twice.

    -------------------------------------------------------------------------

    (If you do not have access to the Start button)

    1) Click the option that opens an Internet Browser.

    2) An Internet Browser should come up, type: %windir%\system32\cmd.exe in the browser address bar

    3) A window with a black background will come up

    4) Type: slui.exe 3 and hit the Enter key

    5) Type in the Product key from the sticker on your computer

    6) Click the Next button.

    7) You will be asked if you want to Activate, click OK

    8) It will attempt to Activate by the internet and will return an Invalid Key error (this is ok, continue to step 9)

    9) Return to the window with the black background

    10) Type: slui.exe 4 and hit the Enter key

    11) Select your location in the drop down menu and click the Next button

    12) The next screen provides the number to call to Activate by Phone

    NOTE: when you call that number, you will first hear an Automated Voice that will try to Activate Vista for you. If the Automated Voice gives you an option to talk to a Live Activation Rep, select that option. If not, do not enter any numbers. This should force the Automated Voice to transfer you to a Live Activation Rep. Trying to Activate through the Automated Voice will not work, in your case; only through the Live Activation Rep will your Activation be successful.

    Once completed, you may need to reboot twice.


    Thank you,

    Darin Smith

    WGA Forum Manager


    p.s. Great job fixing the issue on your own!

    Friday, July 18, 2008 11:45 PM