Answered by:
Confirming a non-genuine copy of Win7

Question
-
Hello,
Recently I bought a used ThinkPad T400, and the seller claimed to have installed a "clean copy of Windows 7 Pro". There was no COA sticker affixed to the chassis for Win7, and no media. Immediately, that set off red flags.
Windows Update refuses to run at all, and the online Windows Validation reports that system files were tampered with and that this copy of Windows is not genuine.
Before I begin communication with the seller, I would like to confirm that this copy is not genuine like I suspect. Below is the MGADiag report:
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Code: 0x8004FE21
Cached Online Validation Code: N/A, hr = 0xc004f012
Windows Product Key: *****-*****-GK4PY-FDWYH-7TP9F
Windows Product Key Hash: u3xU6PnmumgYLgUpnmbqEw9Q2OA=
Windows Product ID: 00371-OEM-8992671-00004
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 6.1.7600.2.00010100.0.0.048
ID: {2DFCF798-20ED-4E01-827A-992CFBDA9027}(1)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Professional
Architecture: 0x00000009
Build lab: 7600.win7_gdr.120401-1505
TTS Error:
Validation Diagnostic:
Resolution Status: N/A
Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002
OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002
OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: B4D0AA8B-604-645_025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3
Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed
File Scan Data-->
File Mismatch: C:\Windows\system32\wat\watadminsvc.exe[7.1.7600.16395], Hr = 0x80092003
File Mismatch: C:\Windows\system32\wat\watux.exe[7.1.7600.16395], Hr = 0x80092003
File Mismatch: C:\Windows\system32\sppobjs.dll[6.1.7600.16385], Hr = 0x80092003
File Mismatch: C:\Windows\system32\sppc.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppcext.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppwinob.dll[6.1.7600.16385], Hr = 0x80092003
File Mismatch: C:\Windows\system32\slc.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\slcext.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppuinotify.dll[6.1.7600.16385], Hr = 0x80092003
File Mismatch: C:\Windows\system32\slui.exe[6.1.7600.16385], Hr = 0x80092003
File Mismatch: C:\Windows\system32\sppcomapi.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppcommdlg.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppsvc.exe[6.1.7600.16385], Hr = 0x80092003
File Mismatch: C:\Windows\system32\drivers\spsys.sys[6.1.7127.0], Hr = 0x80092003
File Mismatch: C:\Windows\system32\drivers\spldr.sys[6.1.7127.0], Hr = 0x80092003
File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\user32.dll[6.1.7600.16385], Hr = 0x800b0100
Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{2DFCF798-20ED-4E01-827A-992CFBDA9027}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7600.2.00010100.0.0.048</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-7TP9F</PKey><PID>00371-OEM-8992671-00004</PID><PIDType>2</PIDType><SID>S-1-5-21-2331717625-649261489-2957277406</SID><SYSTEM><Manufacturer>LENOVO</Manufacturer><Model>6474C53</Model></SYSTEM><BIOS><Manufacturer>LENOVO</Manufacturer><Version>7UET48WW (1.18 )</Version><SMBIOSVersion major="2" minor="4"/><Date>20081009000000.000000+000</Date></BIOS><HWID>26B83607018400F8</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>LENOVO</OEMID><OEMTableID>TP-7X </OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>
Spsys.log Content: 0x80070002
Licensing Data-->
Software licensing service version: 6.1.7600.16385
Name: Windows(R) 7, Professional edition
Description: Windows Operating System - Windows(R) 7, OEM_SLP channel
Activation ID: 50e329f7-a5fa-46b2-85fd-f224e5da7764
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 00371-00178-926-700004-02-1033-7600.0000-0702013
Installation ID: 006342234716047344222610898492467221351296741276116976
Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
Partial Product Key: 7TP9F
License Status: Licensed
Remaining Windows rearm count: 3
Trusted time: 3/24/2013 12:54:14 PM
Windows Activation Technologies-->
HrOffline: 0x8004FE21
HrOnline: N/A
HealthStatus: 0x000000000001EFF0
Event Time Stamp: 3:24:2013 12:40
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Registered, Version: 7.1.7600.16395
HealthStatus Bitmask Output:
Tampered File: %systemroot%\system32\sppobjs.dll
Tampered File: %systemroot%\system32\sppc.dll|sppc.dll.mui
Tampered File: %systemroot%\system32\sppcext.dll|sppcext.dll.mui
Tampered File: %systemroot%\system32\sppwinob.dll
Tampered File: %systemroot%\system32\slc.dll|slc.dll.mui
Tampered File: %systemroot%\system32\slcext.dll|slcext.dll.mui
Tampered File: %systemroot%\system32\sppuinotify.dll|sppuinotify.dll.mui
Tampered File: %systemroot%\system32\slui.exe|slui.exe.mui|COM Registration
Tampered File: %systemroot%\system32\sppcomapi.dll|sppcomapi.dll.mui
Tampered File: %systemroot%\system32\sppcommdlg.dll|sppcommdlg.dll.mui
Tampered File: %systemroot%\system32\sppsvc.exe|sppsvc.exe.mui
Tampered File: %systemroot%\system32\drivers\spsys.sys
HWID Data-->
HWID Hash Current: OgAAAAEABgABAAIAAQABAAAAAgABAAEAln1KYuE5sFQuCBDTgIXkLMSlemPA9mQ/AntwtlA1tPlGyg==
OEM Activation 1.0 Data-->
N/A
OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x20001
OEMID and OEMTableID Consistent: yes
BIOS Information:
ACPI Table Name OEMID Value OEMTableID Value
APIC LENOVO TP-7U
FACP LENOVO TP-7U
HPET LENOVO TP-7U
BOOT LENOVO TP-7U
MCFG LENOVO TP-7U
SSDT LENOVO TP-7U
ECDT LENOVO TP-7U
SLIC LENOVO TP-7X
ASF! LENOVO TP-7U
SSDT LENOVO TP-7U
TCPA
DMAR
SSDT LENOVO TP-7U
SSDT LENOVO TP-7U
SSDT LENOVO TP-7U
Sunday, March 24, 2013 5:10 PM
Answers
-
The installation is counterfeit, as you suspected.
The machine was manufactured in 2008 - almost a year before Windows 7 was released - but apparently has a Windows 7 SLIC table and is 'activated'. This can only happen if a hacker's Activation Exploit is present.
There are also driver problems - which is why Windows Update is not working.
You should take issue with the vendor and with whatever channel you bought it through, and claim a refund.
Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
No - I do not work for Microsoft, or any of its contractors.- Proposed as answer by Noel D PatonModerator Tuesday, March 26, 2013 9:58 AM
- Marked as answer by george1009Editor Tuesday, April 2, 2013 2:17 PM
Sunday, March 24, 2013 5:53 PMModerator