Is there a recent bug with the WGA detection for Windows XP?

  • Question

  • Hi. 
    So my friend (she's not very computer savvy) just asked for my help with regards to a 'windows genuine warning' she received recently from MSE.  She is quite confused as she purchased her copy of Windows XP a number of years ago and has never had any problems, and even installed MSE when it became available with no issues.

    So I did a google search and I notice that this related MS kb article http://support.microsoft.com/kb/905474 (Article ID: 905474 - Last Review: May 25, 2012 - Revision: 12.0) has just been updated 3 days ago. 

    So is there some connection? 
    Has WGA checking been "updated" software wise, and has a bug been introduced? 
    I've been at my friend's place and she does indeed have a Genuine version of Windows XP Pro OEM, with the CD and its hologram cover, and the booklet, and the Cert of Authenticity, sitting right in front of her PC while we talked about what's going on.  She told me she received the xp disk with her pc.

    So I can only assume that something weird is going on with WGA checking, as the timing is too coincidental.  Also, I can find no evidence that anything is wrong on her PC.  No warnings popped up when I rebooted her pc.  Windows Update and MSE Update seem to work fine too.  She said something about MSE saying it would deactivate in 30 days due to windows not being genuine, though I can't find any evidence of that either.

    The only thing I could see on her side is that she installed some privacy add-ons into Firefox (NoScript, BetterPrivacy, Adblock Plus) and it looks like BetterPrivacy deletes something called flash cookies (*.LSO files).  Would that affect WGA?

    I may run the diag program if I get a chance later, but I prefer not to have to get too involved in this or install any cruft on someone else's pc if I don't have to. 

    So based on the info provided is there a chance that this WGA warning is a false positive (or a way to advertise upgrading to windows 7 or something) and that nothing needs to be done?
    If not a false positive, what options does she have (other than buying a retail copy of windows xp pro) as she does have what looks to be a perfectly legal copy of Windows XP Pro, with all the licence decals / product key and everything (it is an OEM copy, and she says she got it with the PC). 

    Thanks in advance,

    AL.



    • Edited by TonyL1l1 Tuesday, May 29, 2012 2:07 AM clarification again
    Tuesday, May 29, 2012 2:02 AM

Answers

  • No further reply from the original Poster.

    Issue is assumed to be resolved.


    Darin MS

    Tuesday, June 12, 2012 12:53 AM

All replies

  • To help us analyze and troubleshoot the issue you are experiencing, please download and run the Microsoft Genuine Advantage Diagnostics Tool.
    Once you run the tool, click on the Continue button, then click on the Copy button and paste the report into your post.


    Carey Frisch

    Tuesday, May 29, 2012 2:13 AM
    Moderator
  • Thanks Carey, I will see when I can get to her pc again.  But the preliminary info I am looking for does not need a Diags tool dump to answer. 

    The preliminary info I am looking for is:

    1) whether any changes to WGA have occurred in the past few days or if there is a known bug that may have been introduced, before I run a piece of software on someone else's pc that I do not know what exactly it will do to that pc.

    2) if deleting all *.LSO files (flash cookies) will affect WGA.

    And lastly,
    3) I am wanting to know what options are available to her if for some reason the 'not genuine' warning is not a false positive, as it looks like she purchased a legal copy of Windows XP Pro in the proper manner and she has the documentation to prove it.

    *Like I mentioned, none of these questions need a Diags Tool dump to answer, so please (if you know the answers) could you answer these questions for me.  I will, like I said, try and run the diags on her pc when next I see her.

    Thank you.


    • Edited by TonyL1l1 Tuesday, May 29, 2012 6:51 AM
    Tuesday, May 29, 2012 6:51 AM
  • 1) No, there have been no recent changes to WGA and no known bugs.

    2) Deleting Flash Cookies (or any cookies) would not be the cause of a Non-Genuine error.

    3) Her options would partly depend on if the PC originally came with some form of Windows, pre-installed.  If it did, she could revert to that original version of Windows. Or she could buy a copy of Windows from a trusted retailer. We would have a better idea of her full range of options once we see a Diag.

    Thank you,


    Darin MS


    Tuesday, May 29, 2012 5:11 PM
  • Darin, thanks for the info.

    I'll see if I can get to her pc again this weekend to run the diag tool.  But is there some sort of user/victim replacement program she would qualify for if it turns out she does have a genuine windows xp pro CD/CoA 'hardware' and has just fallen victim of product key abuse? 
    Oh, and she told me Windows XP Pro was the only os she has had on her pc (and that matches the Windows XP Pro CD I saw).

    One more thing... are there any manual checks that I could do as well (I found this thread, http://social.microsoft.com/Forums/eu/genuinewindowsxp/thread/e4e80ba8-32ba-41aa-9110-8c9c746811d3 , which has a few manual checks near the bottom of the thread that can be performed - I can do those too)?

    Thanks.
    Back in a few.

    Wednesday, May 30, 2012 3:00 AM
  • First check the OS installed against any COA sticker present - that's the prime verifier. If there is one, it will state the Windows version and edition for which the machine was licensed when it left the manufacturer.
    If there is no COA sticker - then does your friend have the fancy case in which the CD came? That should have the Proof of License sticker on it - and the Key should be the one in the MGADiag report.
     
    Until we see the MGADiag report, we can't make any comments on the notification.
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Wednesday, May 30, 2012 10:03 AM
    Moderator
  • Okay I got to her pc and did the checking and the report.

    1) OS installed on her pc is WinXP Pro.  This matches the CD she gave me and the CoA sticker ("Windows XP Prof. OEM Software")

    2) I looked at the CD contents and her windows XP Pro install disk's setupp.ini file has:
    Pid=76487OEM

    3) The Windows XP Pro CD does have an embedded hologram within the disk (no label on top)

    4) The CoA label:
    - has 2 holes that are rough (feathered I guess you could say),
    - the metallic strip is indeed interwoven within the label, and
    - I can see text on the metallic strip that looks like it says "Our Passion" (I don't have a magnifying glass, but I am near sighted :D).

    5) The WGADiag report has Windows Product Key of *****-*****-GM23Q-9X4HW-W2FMM.  The CoA matches the values shown.

    6) AND,

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->
    Validation Status: Genuine
    Validation Code: 0
    Cached Validation Code: N/A
    Windows Product Key: *****-*****-GM23Q-9X4HW-W2FMM
    Windows Product Key Hash: YFkqXSmDSXLtxvZabtPbPapOXYY=
    Windows Product ID: 76487-OEM-2227697-38436
    Windows Product ID Type: 3
    Windows License Type: OEM System Builder
    Windows OS version: 5.1.2600.2.00010100.3.0.pro
    ID: {B89F7FEC-DA91-4CD8-96F1-1771EEBFB98A}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: Registered, 1.9.40.0
    Signed By: Microsoft
    Product Name: N/A
    Architecture: N/A
    Build lab: N/A
    TTS Error: N/A
    Validation Diagnostic: 025D1FF3-230-1
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A
    Version: N/A

    Windows XP Notifications Data-->
    Cached Result: 0
    File Exists: Yes
    Version: 1.9.40.0
    WgaTray.exe Signed By: Microsoft
    WgaLogon.dll Signed By: Microsoft

     

    So is everything fine? 

    If so, why did she get a not genuine notification?

    OH, I did notice these things:

    7) The Clock in XP was off by about 20 minutes.
    8) Windows Update install history (using I.E.) shows that KB2833880 FAILED to install once ("Windows XP Security Update for Microsoft .NET Framework 2.0 SP2 on Windows Server 2003 and Windows XP x86 (KB2633880)  Tuesday, May 22, 2012 Automatic Updates"), but later that day it installed correctly.

    So any ideas what is going on?  Has MSE been updated recently, and maybe a WGA bug was introduced?  This is her current MSE version info, but not sure what version she had last weekend:

    MSE Version Info:
    Security Essentials Version: 4.0.1526.0
    Antimalware Client Version: 4.0.1526.0
    Engine Version: 1.1.8403.0
    Antivirus definition: 1.127.1284.0
    Antispyware definition: 1.127.1284.0

    Sunday, June 3, 2012 11:14 PM
  • I have never seen so little information in an MGADiag report.

    There are whole sections of data missing - is that the entire report as collected via a Notepad dump?

    If so, then there are serious problems with the machine.

    The report from my VM looks like this....

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->
    Validation Status: Genuine
    Validation Code: 0
    Cached Validation Code: N/A
    Windows Product Key: *****-*****-RW2C7-47JRT-9V9K8
    Windows Product Key Hash: wFfbXJSZeXS7QRxI6Cc6o7IKMiM=
    Windows Product ID: 76487-341-4879356-22705
    Windows Product ID Type: 5
    Windows License Type: Retail
    Windows OS version: 5.1.2600.2.00010100.3.0.pro
    ID: {7CCBDE25-A966-483C-931F-70F81931F8A6}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: Registered, 1.9.40.0
    Signed By: Microsoft
    Product Name: N/A
    Architecture: N/A
    Build lab: N/A
    TTS Error: N/A
    Validation Diagnostic: 025D1FF3-230-1
    Resolution Status: N/A
    
    Vista WgaER Data-->
    ThreatID(s): N/A
    Version: N/A
    
    Windows XP Notifications Data-->
    Cached Result: 0
    File Exists: Yes
    Version: 1.9.40.0
    WgaTray.exe Signed By: Microsoft
    WgaLogon.dll Signed By: Microsoft
    
    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002
    
    OGA Data-->
    Office Status: 109 N/A
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: B4D0AA8B-543-80070002_025D1FF3-230-1
    
    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files\Internet Explorer\IEXPLORE.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed
    
    File Scan Data-->
    
    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{7CCBDE25-A966-483C-931F-70F81931F8A6}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010100.3.0.pro</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-9V9K8</PKey><PID>76487-341-4879356-22705</PID><PIDType>5</PIDType><SID>S-1-5-21-117609710-839522115-1957994488</SID><SYSTEM><Manufacturer>innotek GmbH</Manufacturer><Model>VirtualBox</Model></SYSTEM><BIOS><Manufacturer>innotek GmbH</Manufacturer><Version>VirtualBox</Version><SMBIOSVersion major="2" minor="5"/><Date>20061201000000.000000+000</Date></BIOS><HWID>251D3A170184006D</HWID><UserLCID>0809</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>GMT Standard Time(GMT+00:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification><File Name="WgaTray.exe" Version="1.9.40.0"/><File Name="WgaLogon.dll" Version="1.9.40.0"/></GANotification></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>  
    
    Licensing Data-->
    N/A
    
    Windows Activation Technologies-->
    N/A
    
    HWID Data-->
    N/A
    
    OEM Activation 1.0 Data-->
    BIOS string matches: yes
    Marker string from BIOS: 1071:Microsoft Corporation
    Marker string from OEMBIOS.DAT: N/A, hr = 0x80004005
    
    OEM Activation 2.0 Data-->
    N/A
    
    


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth


    Sunday, June 3, 2012 11:33 PM
    Moderator
  • Seems to me like a lot of info was provided Noel (but I ~am~ biased :D ). 

    Unfortunately I only copied the data that was shown on the 'Windows' tabs of the MGADiag tool, as the rest of the data seemed irrelevant (the additional data you show from your VM machine shows: Office info, Browser info, and a lot of N/As - same as her report did, so I did not copy it as it didn't refer to windows XP Pro).  But I know she uses OpenOffice instead of Word, if that matters.

    But is the info above sufficient, especially since the tool says her xp install is Genuine? 
    I am just trying to figure out why [hopefully] a false positive was reported to her, and if something needs to be done about it.  I am guessing here, but looks like something may have gone wrong with windows update / MSE sometime between May 22 and May 29, 2012 if this truly was a false positive warning (based on windows update failure and when she told me about this issue).




    • Edited by TonyL1l1 Monday, June 4, 2012 3:37 AM edited for readability
    Monday, June 4, 2012 12:27 AM
  • There was an awful lot missing as well - even the N/A's in the report, and the 'File not found' error codes can be critical in diagnosing a problem - which is why we ask for the full report as produced from the Copy/paste function, not just copied from the screen.
     
     
    It's distinctly possible that the problem was caused by a temporary 'block' either from mild corruption or from internal activity, which updating fixed.
     
    Assuming that the installation now shows as genuine (i.e. no notification), and the report seems to agree, then it should be OK.
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Monday, June 4, 2012 7:51 AM
    Moderator
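
The request above for the full Copy/paste output, including the N/A lines and 'File not found' codes, can be checked mechanically before a report is posted. Added example (not part of the thread and not a Microsoft tool): a Python script that splits an MGADiag text report into sections, lists the sections missing relative to the full report shown earlier in this thread, and extracts the hr codes. The sample report is constructed, and the function names `parse_report` and `triage` are assumptions.

```python
import re

# Section headers of a complete report, taken from the full report in this thread.
EXPECTED_SECTIONS = [
    "Windows Validation Data", "Vista WgaER Data",
    "Windows XP Notifications Data", "OGA Notifications Data", "OGA Data",
    "Browser Data", "File Scan Data", "Other data", "Licensing Data",
    "Windows Activation Technologies", "HWID Data",
    "OEM Activation 1.0 Data", "OEM Activation 2.0 Data",
]

# Standard Windows HRESULT values that show up in these reports.
HRESULTS = {0x80070002: "file not found", 0x80004005: "unspecified failure"}
HR_RE = re.compile(r"\b0x[0-9A-Fa-f]{8}\b")

# Constructed sample: a partial paste in the report's own layout.
SAMPLE = """\
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Status: Genuine
Validation Code: 0
Windows License Type: OEM System Builder

Windows XP Notifications Data-->
Cached Result: 0
WgaTray.exe Signed By: Microsoft

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002

OEM Activation 1.0 Data-->
Marker string from OEMBIOS.DAT: N/A, hr = 0x80004005
"""


def parse_report(text):
    """Split report text into {section name: {field: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue                      # blank line or the dashed rule
        if line.endswith("-->"):
            current = sections.setdefault(line[:-3].strip(), {})
        elif current is not None:
            key, sep, value = line.partition(":")
            # A bare line such as "N/A" is the section's whole content.
            current[key.strip()] = value.strip() if sep else ""
    return sections


def triage(text):
    """Summarise validation status, missing sections and hr error codes."""
    sections = parse_report(text)
    missing = [s for s in EXPECTED_SECTIONS if s not in sections]
    hr_errors = [
        (name, key, code, HRESULTS.get(int(code, 16), "unknown"))
        for name, fields in sections.items()
        for key, value in fields.items()
        for code in HR_RE.findall(value)
    ]
    status = sections.get("Windows Validation Data", {}).get("Validation Status")
    return {"status": status, "complete": not missing,
            "missing_sections": missing, "hr_errors": hr_errors}


if __name__ == "__main__":
    result = triage(SAMPLE)
    print("Validation Status:", result["status"])
    print("Missing sections:", ", ".join(result["missing_sections"]) or "none")
    for name, key, code, meaning in result["hr_errors"]:
        print(f"{name} / {key}: {code} ({meaning})")
```

A report that shows "Genuine" but has a non-empty `missing_sections` list is the situation discussed in this thread: the status is readable, but the sections a helper would use to explain a past notification are absent.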
  • We need to review the entire MGA Report.  Please run the MGA Tool again and post the entire output, thank you!

    Carey Frisch

    Thursday, June 7, 2012 9:21 PM
    Moderator
  • 167w ago - Microsoft Corp., tacitly acknowledging the continued popularity of Windows XP, said recently that it was updating the operating system's antipiracy technology to detect illegal copies installed with newly stolen or faked product keys, or with new activation cracks. In an entry to a company blog, Alex Kochis, director of Microsoft's Genuine Windows group, spelled out the update to WGA Notifications. That's the antipiracy component that provides the messages and other on-screen prompts when the other half of WGA, dubbed Validations, detects an illegal copy of the operating system.

    "This update includes the latest validation information, including recently stolen or misused product keys and other information," said Kochis, who elsewhere in the blog noted that the "other" category included "attempts to circumvent product activation." Such circumvention methods, called "cracks," are popular downloads on file-sharing sites that also feature pirated software. The update applies only to Windows XP Professional, added Kochis.

    Although Microsoft tried to put a stop to Windows XP sales last year -- and will be shifting it into a more limited support plan next month -- it has relaxed its rules several times since then as customers have continued to demand new PCs with XP rather than Vista. Windows XP Professional is the only version that Microsoft allows users and computer sellers to "downgrade" from Vista. The company has also acknowledged that Windows XP Professional is preferred by pirates over Vista by wide margins, and last year, Microsoft promised that it would roll out a campaign during 2009 to warn people that XP is widely counterfeited.

    Kochis touted installation changes to WGA Notifications, although he wasn't clear on what those changes were. "Once the update has been downloaded by Automatic Updates, completely in line with your existing AU settings, after the next log-in or reboot the install wizard will be presented to the user and they will be able to choose whether to install the update in the same way as in past releases," Kochis said. That description, however, is essentially the same as the one he offered in August 2008, when Microsoft last updated WGA Notification for Windows XP Professional. At that time, Kochis said that users who installed the August update would receive future updates automatically once they had approved WGA's installation.

    In a reply to questions about what, if anything, has changed in WGA, a Microsoft spokeswoman confirmed that there have been no alterations in how WGA Notifications installs and updates. "The Notifications experience will be the same as the previous release of WGA Notifications Update for Windows XP that began deployment in August of 2008," she said via instant message.

    Last August was also when Microsoft brought Windows XP's counterfeit nagging into line with Vista's. Counterfeit copies of XP Professional display an initial black desktop, which reverts back to black after an hour if the user changes the background. Pirated copies also show a permanent notice in the bottom-right corner of the screen, and additional notices appear regularly in the system tray. Those characteristics of WGA Notifications haven't changed, said Kochis.
    Monday, June 18, 2012 8:05 AM
  • ...and your point is?

    That was written over three years ago.


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

    Monday, June 18, 2012 9:05 AM
    Moderator