Validation failure after modifying system32

  • Question

  • I recently removed two files under the system32 directory, in safe mode:

    7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0

    because I think they are quite suspicious.

    After that, Windows prompts that there are unauthorized changes and requires me to validate;
    the problem exists even if I restore the original files back to system32.

    The point is: my computer is an R61 Lenovo with pre-installed Vista, coming with 3 recovery disks and no Serial Number as far as I know. What should I do then?

    Thanks,
    Kelvin

     

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->
    Validation Status: Invalid License
    Validation Code: 50
    Cached Online Validation Code: 0xc004c4a8
    Windows Product Key: *****-*****-WWR7C-QF2M7-2TB37
    Windows Product Key Hash: YqRmTj4qWYwTYqB/WJzBj8/adyc=
    Windows Product ID: 89578-OEM-7332157-00056
    Windows Product ID Type: 2
    Windows License Type: OEM SLP
    Windows OS version: 6.0.6002.2.00010300.2.0.003
    ID: {102964D7-1545-46DB-B201-3532C59FB87F}(1)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: Registered, 1.9.42.0
    Signed By: Microsoft
    Product Name: Windows Vista (TM) Home Premium
    Architecture: 0x00000000
    Build lab: 6002.vistasp2_gdr.100218-0019
    TTS Error: T:20100728220351314-
    Validation Diagnostic:
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80004005
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: 100
    Version: 2.0.48.0
    OGAExec.exe Signed By: Microsoft
    OGAAddin.dll Signed By: Microsoft

    OGA Data-->
    Office Status: 100 Genuine
    Microsoft Office Professional Plus 2007 - 100 Genuine
    OGA Version: Registered, 2.0.48.0
    Signed By: Microsoft
    Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{102964D7-1545-46DB-B201-3532C59FB87F}</UGUID><Version>1.9.0027.0</Version><OS>6.0.6002.2.00010300.2.0.003</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-2TB37</PKey><PID>89578-OEM-7332157-00056</PID><PIDType>2</PIDType><SID>S-1-5-21-2565344019-3210064640-532782302</SID><SYSTEM><Manufacturer>LENOVO</Manufacturer><Model>7733A91</Model></SYSTEM><BIOS><Manufacturer>LENOVO</Manufacturer><Version>7LET44WW (1.14 )</Version><SMBIOSVersion major="2" minor="4"/><Date>20070627000000.000000+000</Date></BIOS><HWID>AF313507018400FA</HWID><UserLCID>0C04</UserLCID><SystemLCID>0C04</SystemLCID><TimeZone>中國標準時間(GMT+08:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>LENOVO</OEMID><OEMTableID>TP-7L </OEMTableID></OEM><GANotification><File Name="OGAAddin.dll" Version="2.0.48.0"/></GANotification></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{91120000-0011-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Professional Plus 2007</Name><Ver>12</Ver><Val>3699AF29B833F75</Val><Hash>1ybDTknKsu27gwv3hWS9VbUOF+4=</Hash><Pid>89446-954-0196937-65615</Pid><PidType>1</PidType></Product></Products><Applications><App Id="15" Version="12" Result="100"/><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="19" Version="12" Result="100"/><App Id="1A" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/><App Id="44" Version="12" Result="100"/></Applications></Office></Software></GenuineResults>

    Spsys.log Content:

    Licensing Data-->
    Software licensing service version: 6.0.6002.18005

    Windows Activation Technologies-->
    N/A

    HWID Data-->
    HWID Hash Current: RAAAAAIABgABAAIAAgABAAAABQABAAEAJJSKHDPQv+2AhbBULgganwAtRoOScBJt9nCN7/L0bLUQF+QYrFZyir5BKoU=

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes
    Windows marker version: 0x20000
    OEMID and OEMTableID Consistent: yes
    BIOS Information:
    ACPI Table Name   OEMID Value   OEMTableID Value
    APIC              LENOVO        TP-7L
    FACP              LENOVO        TP-7L
    HPET              LENOVO        TP-7L
    BOOT              LENOVO        TP-7L
    MCFG              LENOVO        TP-7L
    SSDT              LENOVO        TP-7L
    ECDT              LENOVO        TP-7L
    TCPA              LENOVO        TP-7L
    SLIC              LENOVO        TP-7L
    ASF!              LENOVO        TP-7L
    SSDT              LENOVO        TP-7L
    SSDT              LENOVO        TP-7L
    SSDT              LENOVO        TP-7L
    SSDT              LENOVO        TP-7L



    Wednesday, July 28, 2010 6:03 PM

Answers

  • Hello Kelvin201007,

    TTS Error: T:20100728220351314-

    Your Diagnostic Report is telling me that your Windows is suffering from a Trusted Store Tamper. In Windows, there are files that have, what is known as, a Digital Signature. A Digital Signature is an industry standard that ensures that a file is, in fact, from the specified source. If a file is modified, in any way, the Digital Signature is broken.

    Example: let's say you get a Printer Driver that is Digitally Signed from HP. Since the Digital Signature was created by a Trusted Source (HP) a Certificate is created within Windows's Trusted Store. The Digital Signature is dependent on the file's Hash (think fingerprint) so if the file is changed in any way, its Digital Signature is broken and becomes invalid. So let's say that the HP Driver got modified by some sort of Malware. The File's Hash would no longer match the hash listed in the Digital Signature (or the Signature may not even be readable at that point). The Digital Signature becomes invalid because Windows now doesn't know what has been done to that file, so the file can no longer be trusted. This in turn invalidates the corresponding Certificate within the Trusted Store.

    What I have described in the above example is basically what is happening with your Windows. Some Digitally Signed file has been modified in some way (in this case, most likely Removed) and the Certificate within Windows's Trusted Store has become invalid (i.e. no longer trusted) which invalidates the Certificate in the Trusted Store and that is what has triggered the Non-Genuine messaging. I am not completely sure, but it could be that when a certificate breaks, it stays that way even when you returned the digitally signed files.

    Unfortunately, none of my tools are able to pinpoint which file/signature/certificate is causing the problem (But I think we can guess). However there are a few things you can try that may correct the issue.


      1) First off not all Digitally Signed files are Drivers, but from experience we have found that this issue seems to occur the most with Drivers. So my first suggestion is to confirm that all your hardware drivers are up to date. Note: Figuring out if a Driver is up to date and/or replacing a driver with a more current one can sometimes take semi-advanced computer knowledge and me explaining the process is outside the scope of this forum. If you do not know how to work with Drivers seek assistance or skip down to #2 or #3 below.

      2) Restore Windows back to a past System Restore Point.

    1) Boot into Windows
    2) Click the ‘Start’ button
    3) In the Start Search field, type: System Restore and hit “Enter” keyboard key
    4) Select "Choose Different Restore Point", Put a check in the box that says "Show restore points older than 5 days", select the restore point that corresponds to a date Before you first noticed the issue.
    5) Click the "Next" button.
    6) Reboot

      3) Repair Windows using the 'sfc /scannow' command

    The Scan Now will look for any bad Windows files and attempt to repair them, if possible (it isn't always able to)

    1) Login to Windows
    2) Click the Start button
    3) Type: cmd.exe in the search field
    4) Right-click the cmd.exe file and select Run as Administrator
    5) In the CMD window, type: sfc /scannow
    6) Reboot and see if that resolves the issue.

    If none of my suggestions resolves the issue, then the only other thing I can suggest is to either create a (no cost) support request at http://support.microsoft.com/gp/contactwga or reinstall Windows.

    Thank you,


    Darin MS
    Wednesday, July 28, 2010 9:19 PM
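
The reading of the report in the answer above, as an added example that is not part of the original thread and is not a Microsoft tool: a small parser that splits a diagnostic report into its `Name-->` sections and lists the fields the answer keyed on. The function names, the `T:YYYYMMDDhhmmssmmm` timestamp layout, and the idea that a healthy report says `Genuine` with an empty `TTS Error` are assumptions; the sample report is constructed from lines of the one posted in the question.

```python
import re
from datetime import datetime

# Constructed sample: an abridged report in the layout of the one posted above.
SAMPLE_REPORT = """\
Diagnostic Report (1.9.0027.0):
Windows Validation Data-->
Validation Status: Invalid License
Validation Code: 50
Windows License Type: OEM SLP
TTS Error: T:20100728220351314-
OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
OEMID and OEMTableID Consistent: yes
"""

def parse_report(text):
    """Return {section: {field: value}}, splitting on the 'Name-->' headers."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("-->"):
            current = sections.setdefault(line[:-3].strip(), {})
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return sections

def tts_time(value):
    """Timestamp inside a TTS Error value (assumed layout: X:YYYYMMDDhhmmssmmm)."""
    m = re.match(r"[A-Z]:(\d{14})\d{3}", value)
    return datetime.strptime(m.group(1), "%Y%m%d%H%M%S") if m else None

def triage(text):
    """List the fields a reviewer would check first; hypothetical helper."""
    data = parse_report(text)
    win = data.get("Windows Validation Data", {})
    oa2 = data.get("OEM Activation 2.0 Data", {})
    findings = []
    status = win.get("Validation Status", "missing")
    if status != "Genuine":  # assumption: healthy reports say "Genuine"
        findings.append(f"Validation Status: {status}")
    tts = win.get("TTS Error", "")
    if tts:  # the answer above reads this value as a Trusted Store tamper
        findings.append(f"TTS Error {tts} (logged {tts_time(tts)})")
    if win.get("Windows License Type") == "OEM SLP" and oa2.get("BIOS valid for OA 2.0") != "yes":
        findings.append("OEM SLP license but BIOS not valid for OA 2.0")
    return findings
```

Calling `triage(SAMPLE_REPORT)` returns the invalid status and the `TTS Error` entry; the OEM check stays quiet because the report shows the BIOS is valid for OA 2.0.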