Problems with Windows not genuine messages - solved - thanks to Noel

All replies

• 

  

  0

  Sign in to vote

  Further update. I had already run SFC /SCANNOW as suggested elsewhere in these forums and didn't realise that this had detected errors and replaced various files.

  Although slui.exe is still not allowing access I was able to run slmgr /ato which validated windows ( at least in so far as the non -genuine message is gone from the desktop and a section for activation is now back on the system properties screen with a genuine windows logo).

  However I still cannot get the web verification  to give me a genuine windows result - the answer is always Windows could not be validated both on IE and also Firefox using legit.hta.Maybe related to the tampered file message ? I also attach an updated MGADiag output although I cant see any change

  Diagnostic Report (1.9.0027.0):
  -----------------------------------------
  Windows Validation Data-->
  
  Validation Code: 0x8004FE22
  Cached Online Validation Code: N/A, hr = 0xc004f012
  Windows Product Key: *****-*****-7H8D7-KWVYB-MYMTD
  Windows Product Key Hash: wx5ndMFQm0AcZ8nMxSw8aUrnxQM=
  Windows Product ID: 00371-OEM-9309167-93223
  Windows Product ID Type: 8
  Windows License Type: COA SLP
  Windows OS version: 6.1.7601.2.00010100.1.0.048
  ID: {30CC2299-FCF3-4C23-B8CA-77390FD52CF5}(3)
  Is Admin: Yes
  TestCab: 0x0
  LegitcheckControl ActiveX: N/A, hr = 0x80070002
  Signed By: N/A, hr = 0x80070002
  Product Name: Windows 7 Professional
  Architecture: 0x00000000
  Build lab: 7601.win7sp1_ldr.160408-2045
  TTS Error: 
  Validation Diagnostic: 
  Resolution Status: N/A
  
  Vista WgaER Data-->
  ThreatID(s): N/A, hr = 0x80070002
  Version: N/A, hr = 0x80070002
  
  Windows XP Notifications Data-->
  Cached Result: N/A, hr = 0x80070002
  File Exists: No
  Version: N/A, hr = 0x80070002
  WgaTray.exe Signed By: N/A, hr = 0x80070002
  WgaLogon.dll Signed By: N/A, hr = 0x80070002
  
  OGA Notifications Data-->
  Cached Result: N/A, hr = 0x80070002
  Version: N/A, hr = 0x80070002
  OGAExec.exe Signed By: N/A, hr = 0x80070002
  OGAAddin.dll Signed By: N/A, hr = 0x80070002
  
  OGA Data-->
  Office Status: 100 Genuine
  Microsoft Office Access Runtime (English) 2007 - 121
  Microsoft Office Enterprise 2007 - 100 Genuine
  OGA Version: N/A, 0x80070002
  Signed By: N/A, hr = 0x80070002
  Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005_E2AD56EA-765-b01a_E2AD56EA-766-0_E2AD56EA-148-80004005_16E0B333-89-80004005_B4D0AA8B-1029-80004005
  
  Browser Data-->
  Proxy settings: N/A
  User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
  Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
  Download signed ActiveX controls: Prompt
  Download unsigned ActiveX controls: Disabled
  Run ActiveX controls and plug-ins: Allowed
  Initialize and script ActiveX controls not marked as safe: Disabled
  Allow scripting of Internet Explorer Webbrowser control: Disabled
  Active scripting: Allowed
  Script ActiveX controls marked as safe for scripting: Allowed
  
  File Scan Data-->
  
  Other data-->
  Office Details: <GenuineResults><MachineData><UGUID>{30CC2299-FCF3-4C23-B8CA-77390FD52CF5}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-MYMTD</PKey><PID>00371-OEM-9309167-93223</PID><PIDType>8</PIDType><SID>S-1-5-21-4111501717-913575102-347679128</SID><SYSTEM><Manufacturer>LENOVO</Manufacturer><Model>7303WHR</Model></SYSTEM><BIOS><Manufacturer>LENOVO</Manufacturer><Version>5HKT43AUS</Version><SMBIOSVersion major="2" minor="5"/><Date>20090907000000.000000+000</Date></BIOS><HWID>55E73F07018400F8</HWID><UserLCID>1809</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>GMT Standard Time(GMT+00:00)</TimeZone><iJoin>1</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>LENOVO</OEMID><OEMTableID>TC-5H   </OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{90120000-001C-0409-0000-0000000FF1CE}"><LegitResult>121</LegitResult><Name>Microsoft Office Access Runtime (English) 2007</Name><Ver>12</Ver><Val>A6DF1BF2503CD6C</Val><Hash>dTTDvXHN4cR0t+IYAOhhFudJX58=</Hash><Pid>00000-694-0010114-62972</Pid><PidType>2</PidType></Product><Product GUID="{90120000-0030-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Enterprise 2007</Name><Ver>12</Ver><Val>1765CA03E677D8A</Val><Hash>oP+DZrDE1T6e5vY3TRMZLHw3dBw=</Hash><Pid>89388-709-7325542-65158</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="12" Result="100"/><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="19" Version="12" Result="100"/><App Id="1A" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/><App Id="44" Version="12" Result="100"/><App Id="A1" Version="12" Result="100"/><App Id="BA" Version="12" Result="100"/></Applications></Office></Software></GenuineResults>  
  
  Spsys.log Content: 0x80070002
  
  Licensing Data-->
  Software licensing service version: 6.1.7601.17514
  
  Name: Windows(R) 7, Professional edition
  Description: Windows Operating System - Windows(R) 7, OEM_COA_SLP channel
  Activation ID: da22eadd-46dc-4056-a287-f5041c852470
  Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
  Extended PID: 00371-00186-091-693223-02-6153-7600.0000-1782013
  Installation ID: 004395621015640686693182471614756334889122783983946414
  Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
  Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
  Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
  Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
  Partial Product Key: MYMTD
  License Status: Licensed
  Remaining Windows rearm count: 4
  Trusted time: 29/05/2016 21:42:11
  
  Windows Activation Technologies-->
  HrOffline: 0x8004FE22
  HrOnline: N/A
  HealthStatus: 0x0000000000000800
  Event Time Stamp: 5:29:2016 20:40
  ActiveX: Registered, Version: 7.1.7600.16395
  Admin Service: Registered, Version: 7.1.7600.16395
  HealthStatus Bitmask Output:
  Tampered File: %systemroot%\system32\slui.exe|slui.exe.mui|COM Registration
  
  
  HWID Data-->
  HWID Hash Current: MAAAAAEABAABAAEAAAABAAAAAQABAAEAJJSsBQS9SOSqdspgmkUwZAKaYi/YHkbK
  
  OEM Activation 1.0 Data-->
  N/A
  
  OEM Activation 2.0 Data-->
  BIOS valid for OA 2.0: yes
  Windows marker version: 0x20001
  OEMID and OEMTableID Consistent: yes
  BIOS Information: 
    ACPI Table Name	OEMID Value	OEMTableID Value
    APIC			LENOVO		TC-5H   
    FACP			LENOVO		TC-5H   
    HPET			LENOVO		TC-5H   
    MCFG			LENOVO		TC-5H   
    SLIC			LENOVO		TC-5H   
    OEMB			LENOVO		TC-5H   
    SSDT			LENOVO		TC-5H   
  
  
  

  
  

  
  

  Sunday, May 29, 2016 9:47 PM
• 

  

  0

  Sign in to vote

  To confirm that the problem is what I think it is, please run the following commands in an Elevated Command Prompt window and post the results.

   

  REG QUERY HKLM\SOFTWARE\Classes\Wow6432Node\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5AA} /S

  REG QUERY HKLM\SOFTWARE\Classes\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5AA} /S              

  REG QUERY HKLM\SOFTWARE\Wow6432Node\Classes\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5AA} /S

   

    Here are some instructions to make life easier :)

  1) To open an Elevated Command Prompt Window (the ECP window), click on Start, All Programs, Accessories – then right-click on Command Prompt, and select Run as Administrator. Accept the UAC prompt. 

  2) To run the commands easier, highlight the block of commands, and right-click on the highlight – select Copy. In the CP Window, click on the black/white icon at top left – select Paste. The commands will run but may not complete the last command, so hit the Enter Key once. 

  3) To copy the results... click on the Black/White icon in the top left, and select Edit... 'Select All', and hit the Enter key - then use Ctrl+V or r-click+Paste to paste it into your response.     

  ---

  Noel Paton | Nil Carborundum Illegitemi

  CrashFixPC | The Three-toed Sloth

  No - I do not work for Microsoft, or any of its contractors.

  Tuesday, May 31, 2016 7:28 AM

  Moderator
• 

  

  0

  Sign in to vote

  Hi Noel and thanks for the reply

  Output of commands:

  Microsoft Windows [Version 6.1.7601]
  Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
  
  C:\Windows\system32>REG QUERY HKLM\SOFTWARE\Classes\Wow6432Node\TypeLib\{EE57495
  7-4077-4AD6-8658-327C2C86C5AA} /S
  ERROR: The system was unable to find the specified registry key or value.
  
  C:\Windows\system32>
  C:\Windows\system32>REG QUERY HKLM\SOFTWARE\Classes\TypeLib\{EE574957-4077-4AD6-
  8658-327C2C86C5AA} /S
  
  HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5A
  A}\1.0
      (Default)    REG_SZ    SPPUI 1.0 Type Library
  
  HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5A
  A}\1.0\0
  
  HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5A
  A}\1.0\0\win32
      (Default)    REG_EXPAND_SZ    %SystemRoot%\System32\slui.exe
  
  HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5A
  A}\1.0\FLAGS
      (Default)    REG_SZ    0
  
  
  C:\Windows\system32>
  C:\Windows\system32>REG QUERY HKLM\SOFTWARE\Wow6432Node\Classes\TypeLib\{EE57495
  7-4077-4AD6-8658-327C2C86C5AA} /S

  Also if it helps to diagnose the "not genuine - resolve online" windows has re-appeared although

  the message at the bottom right hand corner of the desktop  is still not there and the windows activation detail

  at the bottom of the system properties screen is still showing activated and the genuine logo

  Tuesday, May 31, 2016 8:36 AM
• 

  

  0

  Sign in to vote

  Thanks for that - the above output seems OK, so the problem may be a little deeper into the registry (or somewhere else altogether!)

  Please post the output from these commands...

  REG QUERY HKLM\SOFTWARE\Classes\CLSID\{A6C13C9D-54E1-44FC-82F0-DBE2C843E51A}\TypeLib /S

  REG QUERY HKLM\SOFTWARE\Classes\CLSID\{F87B28F1-DA9A-4F35-8EC0-800EFCF26B83}\TypeLib /S

  REG QUERY HKLM\SOFTWARE\Classes\Interface\{76D90824-E735-4844-B26F-AA1235B6E76B}\TypeLib /S

  ---

  Noel Paton | Nil Carborundum Illegitemi

  CrashFixPC | The Three-toed Sloth

  No - I do not work for Microsoft, or any of its contractors.

  Tuesday, May 31, 2016 9:45 AM

  Moderator
• 

  

  0

  Sign in to vote

  Output follows:

  Microsoft Windows [Version 6.1.7601]
  Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
  
  C:\Windows\system32>REG QUERY HKLM\SOFTWARE\Classes\CLSID\{A6C13C9D-54E1-44FC-82
  F0-DBE2C843E51A}\TypeLib /S
  
  HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A6C13C9D-54E1-44FC-82F0-DBE2C843E51A}
  \TypeLib
      (Default)    REG_SZ    {EE574957-4077-4AD6-8658-327C2C86C5AA}
  
  
  C:\Windows\system32>REG QUERY HKLM\SOFTWARE\Classes\CLSID\{F87B28F1-DA9A-4F35-8E
  C0-800EFCF26B83}\TypeLib /S
  
  HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F87B28F1-DA9A-4F35-8EC0-800EFCF26B83}
  \TypeLib
      (Default)    REG_SZ    {EE574957-4077-4AD6-8658-327C2C86C5AA}
  
  
  C:\Windows\system32>REG QUERY HKLM\SOFTWARE\Classes\Interface\{76D90824-E735-484
  4-B26F-AA1235B6E76B}\TypeLib /S
  
  HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{76D90824-E735-4844-B26F-AA1235B6E
  76B}\TypeLib
      (Default)    REG_SZ    {EE574957-4077-4AD6-8658-327C2C86C5AA}
      Version    REG_SZ    1.0
  
  
  C:\Windows\system32>

  Also I notice the last reply I made for some reason did not have output for the third command on you last

  post. Follows now:

  Microsoft Windows [Version 6.1.7601]
  Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
  
  C:\Windows\system32>REG QUERY HKLM\SOFTWARE\Wow6432Node\Classes\TypeLib\{EE57495
  7-4077-4AD6-8658-327C2C86C5AA} /S
  ERROR: The system was unable to find the specified registry key or value.
  
  C:\Windows\system32>

  Thanks for taking the time to help with this - hopefully we can track it down ?

  Tuesday, May 31, 2016 1:23 PM
• 

  

  0

  Sign in to vote

  We have a pretty good record of fixing this problem in 64-bit Windows - but this is the first case that I can recall where the problem has occurred in 32-bit Windows

  The above steps almost always demonstrate the problem sufficiently to define the required fix, but such is obviously not he case here.

  Have you been using any kind of Registry Cleaner software? (DON'T!!) Any software from the WISE or IOBits stable?

  How long ago did the problem start? Have you tried a System Restore back to before the problem arose?

  Let's have a look at the data that the SFC generated - it may help....

  Please copy the C:\Windows\Logs\CBS\CBS.log file to the desktop - then compress it, and upload it to your favourite fileshare site and post a link.

  Also upload the other CBSPersistxxxxxxxxx.CAB files - post links.

  They may give  me a clue to what's happening.

  ---

  Noel Paton | Nil Carborundum Illegitemi

  CrashFixPC | The Three-toed Sloth

  No - I do not work for Microsoft, or any of its contractors.

  Tuesday, May 31, 2016 5:01 PM

  Moderator
• 

  

  0

  Sign in to vote

  Hi Noel

  It is possible that CCleaner might at some stage have been used but i cannot say with certainty.

  The problem has been there for some considerable time but when the dealer was asked about it he simply said that the windows was definitely genuine.

  As noted before there was no reason to doubt him as other PCs purchased through him have had no such issues and he has otherwise been reputable.

  It is only now when trying to upgrade to W10 that the problem has become an issue

  I had saved the [SR] output of the SFC scan (as per Microsoft advice on the SFC explanatory page) and luckily kept it :

  https://onedrive.live.com/redir?resid=788AE715C469108A!268&authkey=!AIU2lIIoGGkq_es&ithint=file%2ctxt ( I cant post a physical link as the forum wont let me)
  

  I am a little reluctant to post a public link to the other files as I am in fact helping a family member to try to sort this problem and the PC's concerned are at her workplace ( she deals with IT procurement although she is not an IT person herself)
  

  I am afraid that identifiable information might be in the CBS logs and data protection issues / regs might be breached?

  
  

  • Edited by Padr78 Tuesday, May 31, 2016 9:59 PM

  Tuesday, May 31, 2016 9:36 PM
• 

  

  0

  Sign in to vote

  CCleaner is usually  OK - but it's still a good idea to avoid the Registry Cleaner part of it!

  There are no file replacements shown in the SFC scan - which means that I really need to see the CBSPersist files. There is no Personally Identifiable  Information in these logs, they are simply a record of any files which are causing recordable events. Sometimes these event can give us vital information on what's happening to cause these problems. It's possible that if the SFC was run more than once, then the file uploaded is the later one, while the first one had possibly a number of file recorded - this log should still be visible in the Persist files.

  ---

  Noel Paton | Nil Carborundum Illegitemi

  CrashFixPC | The Three-toed Sloth

  No - I do not work for Microsoft, or any of its contractors.

  Wednesday, June 1, 2016 8:19 AM

  Moderator
• 

  

  0

  Sign in to vote

  Morning Noel,

  I double checked the uploaded file sfcdetails file - I can see some entries between lines 246 and 347 which seem to be about repaired files ?

  I'll need to get the OK to upload the other files - later today.

  Thanks

  Wednesday, June 1, 2016 9:22 AM
• 

  

  0

  Sign in to vote

  Noel,

  CBS and CBS Persist logs ( all in one zipped file ) are at:

  https://onedrive.live.com/redir?resid=788AE715C469108A!269&authkey=!AM4YTtyNID0cpBE&ithint=file%2czip

  Hope this helps.

  Wednesday, June 1, 2016 12:08 PM
• 

  

  0

  Sign in to vote

  Noel,

  CBS and CBS Persist logs ( all in one zipped file ) are at:

  https://onedrive.live.com/redir?resid=788AE715C469108A!269&authkey=!AM4YTtyNID0cpBE&ithint=file%2czip

  Hope this helps.

  The Persist files make interesting reading!

  There is at least one update that's stuck somewhere in the middle of installing - and that's blocking others.

  It's a while since I dealt with anything similar so I'll have to research it - but here are some of the error messages being thrown up at every shutdown/boot...  (just so I don't lose it!)

  	Line 840624: 2016-05-31 08:02:23, Error                 CBS    Failed to process single phase execution. [HRESULT = 0x800f0816 - CBS_E_DPX_JOB_STATE_SAVED]
  	Line 840754: 2016-05-31 08:05:00, Error                 CBS    Failed to process single phase execution. [HRESULT = 0x800f0816 - CBS_E_DPX_JOB_STATE_SAVED]
  	Line 840852: 2016-05-31 08:05:04, Error                 CBS    Failed to process single phase execution. [HRESULT = 0x800f0816 - CBS_E_DPX_JOB_STATE_SAVED]
  	Line 840950: 2016-05-31 08:05:08, Error                 CBS    Failed to process single phase execution. [HRESULT = 0x800f0816 - CBS_E_DPX_JOB_STATE_SAVED]
  	Line 841572: 2016-05-31 09:17:02, Error                 CBS    Failed to process single phase execution. [HRESULT = 0x800f0816 - CBS_E_DPX_JOB_STATE_SAVED]
  	Line 843608: 2016-05-31 09:17:56, Error                 CSI    0000025f (F) A previous transaction requested a reboot, so you cannot commit any transactions until you reboot.
  	Line 843610: 2016-05-31 09:17:56, Error                 CSI    00000260 (F) STATUS_REQUEST_OUT_OF_SEQUENCE #1651274# from Windows::COM::CComponentStore::ApplyTransactionNow(...)[gle=0xd000042a]
  	Line 843611: 2016-05-31 09:17:56, Error                 CSI    00000261@2016/5/31:09:17:56.941 (F) d:\win7sp1_gdr\base\wcp\componentstore\com\store_transaction.cpp(1841): Error STATUS_REQUEST_OUT_OF_SEQUENCE originated in function Windows::COM::CComponentStore::ApplyTransactionNow expression: (null)
  	Line 843613: 2016-05-31 09:18:27, Error                 CSI    00000262 (F) HRESULT_FROM_WIN32(ERROR_REQUEST_OUT_OF_SEQUENCE) #1651135# from Windows::COM::CPendingTransaction::IStorePendingTransaction_Apply(...)[gle=0x80070308]
  	Line 843614: 2016-05-31 09:18:27, Error                 CSI    00000263 (F) HRESULT_FROM_WIN32(ERROR_REQUEST_OUT_OF_SEQUENCE) #1648279# from Windows::ServicingAPI::CCSITransaction::ICSITransaction2_AddFiles(Flags = 1, a = @0x64ba008, fn = @0x64ba408, fp = @0x64ba808, disp = 0, op = 0)[gle=0x80070308]
  	Line 843616: 2016-05-31 09:18:27, Error                 CBS    Failed to stage execution package: Package_58_for_KB2923545~31bf3856ad364e35~x86~~6.1.1.1 [HRESULT = 0x80070308 - ERROR_REQUEST_OUT_OF_SEQUENCE]
  	Line 843620: 2016-05-31 09:18:27, Error                 CBS    Failed to process single phase execution. [HRESULT = 0x80070308 - ERROR_REQUEST_OUT_OF_SEQUENCE]
  	Line 843758: 2016-05-31 09:18:43, Error                 CSI    0000026d (F) A previous transaction requested a reboot, so you cannot commit any transactions until you reboot.
  	Line 843760: 2016-05-31 09:18:43, Error                 CSI    0000026e (F) STATUS_REQUEST_OUT_OF_SEQUENCE #1662919# from Windows::COM::CComponentStore::ApplyTransactionNow(...)[gle=0xd000042a]
  	Line 843761: 2016-05-31 09:18:43, Error                 CSI    0000026f@2016/5/31:09:18:43.132 (F) d:\win7sp1_gdr\base\wcp\componentstore\com\store_transaction.cpp(1841): Error STATUS_REQUEST_OUT_OF_SEQUENCE originated in function Windows::COM::CComponentStore::ApplyTransactionNow expression: (null)
  	Line 843763: 2016-05-31 09:18:46, Error                 CSI    00000270 (F) HRESULT_FROM_WIN32(ERROR_REQUEST_OUT_OF_SEQUENCE) #1662780# from Windows::COM::CPendingTransaction::IStorePendingTransaction_Apply(...)[gle=0x80070308]
  	Line 843764: 2016-05-31 09:18:47, Error                 CSI    00000271 (F) HRESULT_FROM_WIN32(ERROR_REQUEST_OUT_OF_SEQUENCE) #1658933# from Windows::ServicingAPI::CCSITransaction::ICSITransaction2_AddFiles(Flags = 1, a = @0x64ba008, fn = @0x64ba408, fp = @0x64ba808, disp = 0, op = 0)[gle=0x80070308]
  	Line 843766: 2016-05-31 09:18:47, Error                 CBS    Failed to stage execution package: Package_2_for_KB3075226~31bf3856ad364e35~x86~~6.1.1.1 [HRESULT = 0x80070308 - ERROR_REQUEST_OUT_OF_SEQUENCE]
  	Line 843770: 2016-05-31 09:18:47, Error                 CBS    Failed to process single phase execution. [HRESULT = 0x80070308 - ERROR_REQUEST_OUT_OF_SEQUENCE]
  	Line 843869: 2016-05-31 09:18:54, Error                 CSI    0000027b (F) A previous transaction requested a reboot, so you cannot commit any transactions until you reboot.
  	Line 843871: 2016-05-31 09:18:54, Error                 CSI    0000027c (F) STATUS_REQUEST_OUT_OF_SEQUENCE #1668246# from Windows::COM::CComponentStore::ApplyTransactionNow(...)[gle=0xd000042a]
  	Line 843872: 2016-05-31 09:18:54, Error                 CSI    0000027d@2016/5/31:09:18:54.06 (F) d:\win7sp1_gdr\base\wcp\componentstore\com\store_transaction.cpp(1841): Error STATUS_REQUEST_OUT_OF_SEQUENCE originated in function Windows::COM::CComponentStore::ApplyTransactionNow expression: (null)
  	Line 843874: 2016-05-31 09:19:00, Error                 CSI    0000027e (F) HRESULT_FROM_WIN32(ERROR_REQUEST_OUT_OF_SEQUENCE) #1668107# from Windows::COM::CPendingTransaction::IStorePendingTransaction_Apply(...)[gle=0x80070308]
  	Line 843875: 2016-05-31 09:19:00, Error                 CSI    0000027f (F) HRESULT_FROM_WIN32(ERROR_REQUEST_OUT_OF_SEQUENCE) #1666990# from Windows::ServicingAPI::CCSITransaction::ICSITransaction2_AddFiles(Flags = 1, a = @0x64ba008, fn = @0x64ba408, fp = @0x64ba808, disp = 0, op = 0)[gle=0x80070308]
  	Line 843877: 2016-05-31 09:19:00, Error                 CBS    Failed to stage execution package: Package_2_for_KB3020388~31bf3856ad364e35~x86~~6.1.1.1 [HRESULT = 0x80070308 - ERROR_REQUEST_OUT_OF_SEQUENCE]
  	Line 843881: 2016-05-31 09:19:00, Error                 CBS    Failed to process single phase execution. [HRESULT = 0x80070308 - ERROR_REQUEST_OUT_OF_SEQUENCE]
  	Line 843985: 2016-05-31 09:19:09, Error                 CSI    00000289 (F) A previous transaction requested a reboot, so you cannot commit any transactions until you reboot.
  	Line 843987: 2016-05-31 09:19:09, Error                 CSI    0000028a (F) STATUS_REQUEST_OUT_OF_SEQUENCE #1675514# from Windows::COM::CComponentStore::ApplyTransactionNow(...)[gle=0xd000042a]
  	Line 843988: 2016-05-31 09:19:09, Error                 CSI    0000028b@2016/5/31:09:19:09.434 (F) d:\win7sp1_gdr\base\wcp\componentstore\com\store_transaction.cpp(1841): Error STATUS_REQUEST_OUT_OF_SEQUENCE originated in function Windows::COM::CComponentStore::ApplyTransactionNow expression: (null)
  	Line 843990: 2016-05-31 09:19:17, Error                 CSI    0000028c (F) HRESULT_FROM_WIN32(ERROR_REQUEST_OUT_OF_SEQUENCE) #1675375# from Windows::COM::CPendingTransaction::IStorePendingTransaction_Apply(...)[gle=0x80070308]
  	Line 843991: 2016-05-31 09:19:17, Error                 CSI    0000028d (F) HRESULT_FROM_WIN32(ERROR_REQUEST_OUT_OF_SEQUENCE) #1673182# from Windows::ServicingAPI::CCSITransaction::ICSITransaction2_AddFiles(Flags = 1, a = @0x64ba008, fn = @0x64ba408, fp = @0x64ba808, disp = 0, op = 0)[gle=0x80070308]
  	Line 843993: 2016-05-31 09:19:17, Error                 CBS    Failed to stage execution package: Package_2_for_KB3126446~31bf3856ad364e35~x86~~6.1.1.0 [HRESULT = 0x80070308 - ERROR_REQUEST_OUT_OF_SEQUENCE]
  	Line 843997: 2016-05-31 09:19:17, Error                 CBS    Failed to process single phase execution. [HRESULT = 0x80070308 - ERROR_REQUEST_OUT_OF_SEQUENCE]
  

  
  

  ---

  Noel Paton | Nil Carborundum Illegitemi

  CrashFixPC | The Three-toed Sloth

  No - I do not work for Microsoft, or any of its contractors.

  Wednesday, June 1, 2016 3:51 PM

  Moderator
• 

  

  0

  Sign in to vote

  ...I found on old resolution of mine that worked - but I need to check it first...

  Please do a Search in your Windows folder (and subfolders) for any files 'pending.xml', and compress and upload all found - post a link

  ---

  Noel Paton | Nil Carborundum Illegitemi

  CrashFixPC | The Three-toed Sloth

  No - I do not work for Microsoft, or any of its contractors.

  Wednesday, June 1, 2016 3:54 PM

  Moderator
• 

  

  0

  Sign in to vote

   only one pending file - https://onedrive.live.com/redir?resid=788AE715C469108A!270&authkey=!AKNRmDUCgKLlR2E&ithint=file%2cxml

  The email notifications and the reply/post listing here seem a little out of sync so i hope i am replying to the correct post

  Wednesday, June 1, 2016 7:35 PM
• 

  

  0

  Sign in to vote

  try this...
  Open an Elevated Command Prompt, and run the following commands
  
  
  REG LOAD HKLM\COMPONENTS C:\Windows\System32\config\COMPONENTS
  REG DELETE HKLM\COMPONENTS /V PendingRequired
  
  then reboot, and try Windows Update - do a Check for updates and see what happens (it may take a few hours!)

  Also run a new MGADiag report and post it.

  ---

  Noel Paton | Nil Carborundum Illegitemi

  CrashFixPC | The Three-toed Sloth

  No - I do not work for Microsoft, or any of its contractors.

  Thursday, June 2, 2016 7:13 AM

  Moderator
• 

  

  0

  Sign in to vote

  Ran those commands but second one threw an error:

  Microsoft Windows [Version 6.1.7601]
  Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
  
  C:\Windows\system32>REG LOAD HKLM\COMPONENTS C:\Windows\System32\config\COMPONEN
  TS
  The operation completed successfully.
  
  C:\Windows\system32>REG DELETE HKLM\COMPONENTS /V PendingRequired
  Delete the registry value PendingRequired (Yes/No)? y
  ERROR: The system was unable to find the specified registry key or value.
  
  C:\Windows\system32>REG DELETE HKLM\COMPONENTS /V PendingRequired
  Delete the registry value PendingRequired (Yes/No)? Y
  ERROR: The system was unable to find the specified registry key or value.
  
  C:\Windows\system32>

  Also did a windows update - for the record it had not been misbehaving. There were a few failed updates a couple of daays ago but they subsequently

  went through OK. The update history looks fully populated.

  As requested up-to-date MGADiag report but I don't think anything is changed

  Diagnostic Report (1.9.0027.0):
  -----------------------------------------
  Windows Validation Data-->
  
  Validation Code: 0x8004FE22
  Cached Online Validation Code: 0x0
  Windows Product Key: *****-*****-7H8D7-KWVYB-MYMTD
  Windows Product Key Hash: wx5ndMFQm0AcZ8nMxSw8aUrnxQM=
  Windows Product ID: 00371-OEM-9309167-93223
  Windows Product ID Type: 8
  Windows License Type: COA SLP
  Windows OS version: 6.1.7601.2.00010100.1.0.048
  ID: {30CC2299-FCF3-4C23-B8CA-77390FD52CF5}(3)
  Is Admin: Yes
  TestCab: 0x0
  LegitcheckControl ActiveX: N/A, hr = 0x80070002
  Signed By: N/A, hr = 0x80070002
  Product Name: Windows 7 Professional
  Architecture: 0x00000000
  Build lab: 7601.win7sp1_ldr.160408-2045
  TTS Error:
  Validation Diagnostic:
  Resolution Status: N/A
  
  Vista WgaER Data-->
  ThreatID(s): N/A, hr = 0x80070002
  Version: N/A, hr = 0x80070002
  
  Windows XP Notifications Data-->
  Cached Result: N/A, hr = 0x80070002
  File Exists: No
  Version: N/A, hr = 0x80070002
  WgaTray.exe Signed By: N/A, hr = 0x80070002
  WgaLogon.dll Signed By: N/A, hr = 0x80070002
  
  OGA Notifications Data-->
  Cached Result: N/A, hr = 0x80070002
  Version: N/A, hr = 0x80070002
  OGAExec.exe Signed By: N/A, hr = 0x80070002
  OGAAddin.dll Signed By: N/A, hr = 0x80070002
  
  OGA Data-->
  Office Status: 100 Genuine
  Microsoft Office Access Runtime (English) 2007 - 121
  Microsoft Office Enterprise 2007 - 100 Genuine
  OGA Version: N/A, 0x80070002
  Signed By: N/A, hr = 0x80070002
  Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005_E2AD56EA-765-b01a_E2AD56EA-766-0_E2AD56EA-148-80004005_16E0B333-89-80004005_B4D0AA8B-1029-80004005
  
  Browser Data-->
  Proxy settings: N/A
  User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
  Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
  Download signed ActiveX controls: Prompt
  Download unsigned ActiveX controls: Disabled
  Run ActiveX controls and plug-ins: Allowed
  Initialize and script ActiveX controls not marked as safe: Disabled
  Allow scripting of Internet Explorer Webbrowser control: Disabled
  Active scripting: Allowed
  Script ActiveX controls marked as safe for scripting: Allowed
  
  File Scan Data-->
  
  Other data-->
  Office Details: <GenuineResults><MachineData><UGUID>{30CC2299-FCF3-4C23-B8CA-77390FD52CF5}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-MYMTD</PKey><PID>00371-OEM-9309167-93223</PID><PIDType>8</PIDType><SID>S-1-5-21-4111501717-913575102-347679128</SID><SYSTEM><Manufacturer>LENOVO</Manufacturer><Model>7303WHR</Model></SYSTEM><BIOS><Manufacturer>LENOVO</Manufacturer><Version>5HKT43AUS</Version><SMBIOSVersion major="2" minor="5"/><Date>20090907000000.000000+000</Date></BIOS><HWID>559B3E07018400F8</HWID><UserLCID>1809</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>GMT Standard Time(GMT+00:00)</TimeZone><iJoin>1</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>LENOVO</OEMID><OEMTableID>TC-5H   </OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{90120000-001C-0409-0000-0000000FF1CE}"><LegitResult>121</LegitResult><Name>Microsoft Office Access Runtime (English) 2007</Name><Ver>12</Ver><Val>A6DF1BF2503CD6C</Val><Hash>dTTDvXHN4cR0t+IYAOhhFudJX58=</Hash><Pid>00000-694-0010114-62972</Pid><PidType>2</PidType></Product><Product GUID="{90120000-0030-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Enterprise 2007</Name><Ver>12</Ver><Val>1765CA03E677D8A</Val><Hash>oP+DZrDE1T6e5vY3TRMZLHw3dBw=</Hash><Pid>89388-709-7325542-65158</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="12" Result="100"/><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="19" Version="12" Result="100"/><App Id="1A" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/><App Id="44" Version="12" Result="100"/><App Id="A1" Version="12" Result="100"/><App Id="BA" Version="12" Result="100"/></Applications></Office></Software></GenuineResults>  
  
  Spsys.log Content: 0x80070002
  
  Licensing Data-->
  Software licensing service version: 6.1.7601.17514
  
  Name: Windows(R) 7, Professional edition
  Description: Windows Operating System - Windows(R) 7, OEM_COA_SLP channel
  Activation ID: da22eadd-46dc-4056-a287-f5041c852470
  Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
  Extended PID: 00371-00186-091-693223-02-6153-7600.0000-1782013
  Installation ID: 004395621015640686693182471614756334889122783983946414
  Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
  Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
  Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
  Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
  Partial Product Key: MYMTD
  License Status: Licensed
  Remaining Windows rearm count: 4
  Trusted time: 02/06/2016 10:27:11
  
  Windows Activation Technologies-->
  HrOffline: 0x8004FE22
  HrOnline: N/A
  HealthStatus: 0x0000000000000800
  Event Time Stamp: 6:2:2016 09:44
  ActiveX: Registered, Version: 7.1.7600.16395
  Admin Service: Registered, Version: 7.1.7600.16395
  HealthStatus Bitmask Output:
  Tampered File: %systemroot%\system32\slui.exe|slui.exe.mui|COM Registration
  
  
  HWID Data-->
  HWID Hash Current: MAAAAAEABAABAAEAAAABAAAAAQABAAEAJJSsBQS9SOSqdspgmkUwZAKaYi/YHkbK
  
  OEM Activation 1.0 Data-->
  N/A
  
  OEM Activation 2.0 Data-->
  BIOS valid for OA 2.0: yes
  Windows marker version: 0x20001
  OEMID and OEMTableID Consistent: yes
  BIOS Information:
    ACPI Table Name    OEMID Value    OEMTableID Value
    APIC            LENOVO        TC-5H   
    FACP            LENOVO        TC-5H   
    HPET            LENOVO        TC-5H   
    MCFG            LENOVO        TC-5H   
    SLIC            LENOVO        TC-5H   
    OEMB            LENOVO        TC-5H   
    SSDT            LENOVO        TC-5H   
  
  

  Thursday, June 2, 2016 9:35 AM
• 

  

  0

  Sign in to vote

  Hmmm - the error message you got would tend to back up the fact that updates are installing OK.

  Let's go back a step to the SFC scan results...

  Those corrupted files are interesting, as they are often ones corrupted when using a particular hacker's Activation Exploit.

  It does open up the possibility of using the 'cure' for that hack as a possible repair for this problem...

  Download WATFix - make sure that you UNTICK the box for the 'download manager, AND UNCHECK the 'use
  download manager' option greyed out on the left under the Download button.

  Click on the Download button on the left of the page, not the big shiny button on the right
  (which is an ad for the download manager!!) - and use that - extract the .exe file, and run it, then reboot.  

   

  The downloaded file should be named 'Wat Fix.zip' rather than anything else - the extracted file is 'Wat Fix.exe'

  
  

   Post back with another MGADiag report, and we'll then see what we can do.

  ---

  Noel Paton | Nil Carborundum Illegitemi

  CrashFixPC | The Three-toed Sloth

  No - I do not work for Microsoft, or any of its contractors.

  • Proposed as answer by Noel D PatonModerator Tuesday, June 7, 2016 1:52 PM

  Thursday, June 2, 2016 3:43 PM

  Moderator
• 

  

  0

  Sign in to vote

  Hi Noel,

  I have been doing a bit of reading around about watfix etc. I can see two files in Windows/system32 which look "fishy".

  There is a file slmgr.vbs.removewat as well as slmgr.vbs -the latter being the file the SFC scan replaced back to good ?

  There is also slwga.dll.bak and a slwga.dll -the slwga.dll again being the fixed by SFC ?

  There is only one slui.exe which is not allowing access - maybe changed in some way by removewat ?

  I nor the family member I am helping certainly did not use removewat but it looks as if somebody ( at some point) did  ?

  I have also tried to research Wat Fix and I am very uncertain about using it. I have not yet downloaded it but apparently nearly a half of the Virustotal scanners are flagging

  it as malware ? I can also see some comments over in sevenforums.com by I presume yourself (didn't realise you posted in both forums - busy man !!) about avoiding the download button and the tickbox

  possibly being dangerous. Does this not ,by association at least , not call into question the integrity of watfix ? who is the author of watfix and can we really know everything it is doing ? Who placed it on datafilehost.com ?

  Is there no other tool available to counteract/cleanout the effects of removewat - even a list of manual instructions ?

  Please do not take any of this to in any way be questioning your integrity. Based on your forum posts and also on the lengths you have gone to help many people including myself

  it is clear that your  bona-fides is not for discussion . I am just being super-careful/paranoid about security - I don't want to get "out of the frying pan into the fire"

  Thursday, June 2, 2016 7:23 PM
• 

  

  0

  Sign in to vote

  Understand absolutely where you're  coming from - but I have been recommending that download for over 5 years now, and no-one who has avoided using the download manager has had any problems with it ;)

  I check the site whenever I haven't recommended it for a while to see what new wrinkles they've added in an attempt to foist whatever their flavour-of-the-month wrapper for the base upload is - and modify my script accordingly.

  I also check the download itself to make sure that it hasn't changed (this one has been run in a VM for the past 24 hours without causing any problems - and has been scanned with Malwarebytes and MSE - neither of which complained)

  I'm not enough of a programmer to be able to say with any certainty exactly what either RemoveWAT or WatFix do - except that WatFix DOES undo everything that RemoveWat did, and also runs SFC to do the file replacements necessary, rather than attempting to do it itself.

  WatFix is NOT a virus. For some reason, the AV's which do detect it appear to have classified it as a Trojan (which it also isn't) because they claim it attempts to send data out - I just checked it (again) and could find no evidence of any attempt to reach any network.

  What it does do is modify some registry entries, and permissions, and replace (via SFC) files which were deleted/modified by RemoveWat.

  The author of WatFix is actually one of the more notorious hackers - who also authored the most successful of the Windows Vista and 7 hacks for bypassing activation requirements, and who released WatFix in order to reset systems corrupted by RemoveWat, so that they could then install his own hack!

  I don't much like his ethics, but in this case at least, he has produce what historically has been a very useful and beneficial repair tool (and I certainly don't have the chops to create a similar tool!)

  Let's have a look at your slui.exe file and see what we can see about it...

  Open an Elevated Command Prompt, and run the following commands.

  DIR C:\Windows\system32\slui.exe /AL /S
  ATTRIB C:\Windows\system32\slui.exe /S
  ICACLS C:\Windows\system32\slui.exe /T
  DIR C:\Windows\winsxs\slui.exe /AL /S
  ATTRIB C:\Windows\winsxs\slui.exe /S
  ICACLS C:\Windows\winsxs\slui.exe /T
  

  post the results - they may make interesting reading.
  

  ---

  Noel Paton | Nil Carborundum Illegitemi

  CrashFixPC | The Three-toed Sloth

  No - I do not work for Microsoft, or any of its contractors.

  
  

  • Edited by Noel D PatonModerator Friday, June 3, 2016 9:49 AM complete code box

  Friday, June 3, 2016 9:41 AM

  Moderator
• 

  

  0

  Sign in to vote

  Hi Noel - thanks. Output requested:

  Microsoft Windows [Version 6.1.7601]
  Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
  
  C:\Windows\system32>DIR C:\Windows\system32\slui.exe /AL /S
   Volume in drive C is Preload
   Volume Serial Number is xxxx-xxxx
  File Not Found
  
  C:\Windows\system32>ATTRIB C:\Windows\system32\slui.exe /S
  A            C:\Windows\system32\slui.exe
  
  C:\Windows\system32>ICACLS C:\Windows\system32\slui.exe /T
  C:\Windows\system32\slui.exe Everyone:(DENY)(S,X)
                               NT AUTHORITY\SYSTEM:(I)(F)
                               BUILTIN\Administrators:(I)(F)
                               BUILTIN\Users:(I)(RX)
                               xxxxxxx\xxxxxxx:(I)(F)
  
  C:\Windows\system32\LogFiles\WMI\RtBackup\*: Access is denied.
  Successfully processed 1 files; Failed processing 1 files
  
  C:\Windows\system32>DIR C:\Windows\winsxs\slui.exe /AL /S
   Volume in drive C is Preload
   Volume Serial Number is xxxx-xxxx
  File Not Found
  
  C:\Windows\system32>ATTRIB C:\Windows\winsxs\slui.exe /S
  A            C:\Windows\winsxs\x86_microsoft-windows-security-spp-ux_31bf3856ad3
  64e35_6.1.7600.16385_none_5b97f4df0025c6e9\slui.exe
  A            C:\Windows\winsxs\x86_microsoft-windows-security-spp-ux_31bf3856ad3
  64e35_6.1.7601.17514_none_5dc908a6fd144a83\slui.exe
  
  C:\Windows\system32>ICACLS C:\Windows\winsxs\slui.exe /T
  C:\Windows\winsxs\x86_microsoft-windows-security-spp-ux_31bf3856ad364e35_6.1.760
  0.16385_none_5b97f4df0025c6e9\slui.exe Everyone:(DENY)(S,X)
  
                                         NT AUTHORITY\SYSTEM:(I)(F)
  
                                         BUILTIN\Administrators:(I)(F)
  
                                         BUILTIN\Users:(I)(RX)
  
                                         xxxxxxx\xxxxxxx:(I)(F)
  
  C:\Windows\winsxs\x86_microsoft-windows-security-spp-ux_31bf3856ad364e35_6.1.760
  1.17514_none_5dc908a6fd144a83\slui.exe Everyone:(DENY)(S,X)
  
                                         NT AUTHORITY\SYSTEM:(I)(F)
  
                                         BUILTIN\Administrators:(I)(F)
  
                                         BUILTIN\Users:(I)(RX)
  
                                         xxxxxxx\xxxxxxx:(I)(F)
  
  Successfully processed 2 files; Failed processing 0 files
  
  C:\Windows\system32>

  The xxxx items are where I have redacted , for privacy reasons, the volume serial number and the user account I am logged on as (it is a valid account)

  The DENY permission is very strange and clearly part of the "tamper"

  Also the file not found is odd - when I can see the file on screen in explorer.

  The bit in the middle about WMI logs may be coincidental - the machine was only switched on

  but could be related to the not genuine as a not genuine screen popped up around the same time

  Friday, June 3, 2016 3:09 PM
• 

  

  0

  Sign in to vote

  The DENY permissions should certainly not bepresent.

  Neither should the Allow permissions for individual user accounts!They open up the system rather a lot to the possibility of a hack.

  The File not found is normal - I was looing for a reparse point which may have been created by RemoveWat. There doesn'tappear to have been one.

  Is there any particular reason why there are user-specific permissions are present on all versions of the file?

  ---

  Noel Paton | Nil Carborundum Illegitemi

  CrashFixPC | The Three-toed Sloth

  No - I do not work for Microsoft, or any of its contractors.

  • Proposed as answer by Noel D PatonModerator Tuesday, June 7, 2016 1:52 PM

  Saturday, June 4, 2016 6:25 AM

  Moderator
• 

  

  0

  Sign in to vote

  Should I remove the DENY permissions ?

  I notice that the other files within system32 seem to have permissions only for System/Administrator/Users/TrustedInstaller.

  The slui and slmgr.* files have TrustedInstaller removed and Everyone + the individual user account added. I am thinking to replace these permissions with the "correct"

  permissions based on other W7 PC's not exhibiting problems ? Maybe when SFC replaced the files the permissions were not also changed ?

  As to the reason for the individual account - I don't know. It shows its permissions as inherited for Windows/System32 although it is not specifically included in that folders permissions

  setup ? Must be the inheritance is through the Administrators group. I should mention also - the user account concerned is a domain account rather than a local account - a domain is in use.

  Saturday, June 4, 2016 11:12 AM
• 

  

  0

  Sign in to vote

  Update:

  I went ahead and removed the Everyone DENY ( I actually removed Everyone altogether) on slui.exe. Tried running slui 3 - yes asks for product key rather than previous no access)

  Didn't enter the key as I took it that my previous slmgr /ato success had already done so

  Tried an online genuine verification - come back as verified ( or at least offers MS Security Essentials because Windows is Genuine)

  Hopefully won't get any genuine popups but don't want to count my chickens .... just yet

  Here is latest WGADiag output:

  Diagnostic Report (1.9.0027.0):
  -----------------------------------------
  Windows Validation Data-->
  
  Validation Code: 0
  Cached Online Validation Code: 0x0
  Windows Product Key: *****-*****-7H8D7-KWVYB-MYMTD
  Windows Product Key Hash: wx5ndMFQm0AcZ8nMxSw8aUrnxQM=
  Windows Product ID: 00371-OEM-9309167-93223
  Windows Product ID Type: 8
  Windows License Type: COA SLP
  Windows OS version: 6.1.7601.2.00010100.1.0.048
  ID: {30CC2299-FCF3-4C23-B8CA-77390FD52CF5}(3)
  Is Admin: Yes
  TestCab: 0x0
  LegitcheckControl ActiveX: N/A, hr = 0x80070002
  Signed By: N/A, hr = 0x80070002
  Product Name: Windows 7 Professional
  Architecture: 0x00000000
  Build lab: 7601.win7sp1_ldr.160408-2045
  TTS Error:
  Validation Diagnostic:
  Resolution Status: N/A
  
  Vista WgaER Data-->
  ThreatID(s): N/A, hr = 0x80070002
  Version: N/A, hr = 0x80070002
  
  Windows XP Notifications Data-->
  Cached Result: N/A, hr = 0x80070002
  File Exists: No
  Version: N/A, hr = 0x80070002
  WgaTray.exe Signed By: N/A, hr = 0x80070002
  WgaLogon.dll Signed By: N/A, hr = 0x80070002
  
  OGA Notifications Data-->
  Cached Result: N/A, hr = 0x80070002
  Version: N/A, hr = 0x80070002
  OGAExec.exe Signed By: N/A, hr = 0x80070002
  OGAAddin.dll Signed By: N/A, hr = 0x80070002
  
  OGA Data-->
  Office Status: 100 Genuine
  Microsoft Office Access Runtime (English) 2007 - 121
  Microsoft Office Enterprise 2007 - 100 Genuine
  OGA Version: N/A, 0x80070002
  Signed By: N/A, hr = 0x80070002
  Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005_E2AD56EA-765-b01a_E2AD56EA-766-0_E2AD56EA-148-80004005_16E0B333-89-80004005_B4D0AA8B-1029-80004005
  
  Browser Data-->
  Proxy settings: N/A
  User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
  Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
  Download signed ActiveX controls: Prompt
  Download unsigned ActiveX controls: Disabled
  Run ActiveX controls and plug-ins: Allowed
  Initialize and script ActiveX controls not marked as safe: Disabled
  Allow scripting of Internet Explorer Webbrowser control: Disabled
  Active scripting: Allowed
  Script ActiveX controls marked as safe for scripting: Allowed
  
  File Scan Data-->
  
  Other data-->
  Office Details: <GenuineResults><MachineData><UGUID>{30CC2299-FCF3-4C23-B8CA-77390FD52CF5}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-MYMTD</PKey><PID>00371-OEM-9309167-93223</PID><PIDType>8</PIDType><SID>S-1-5-21-4111501717-913575102-347679128</SID><SYSTEM><Manufacturer>LENOVO</Manufacturer><Model>7303WHR</Model></SYSTEM><BIOS><Manufacturer>LENOVO</Manufacturer><Version>5HKT43AUS</Version><SMBIOSVersion major="2" minor="5"/><Date>20090907000000.000000+000</Date></BIOS><HWID>55133207018400F8</HWID><UserLCID>1809</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>GMT Standard Time(GMT+00:00)</TimeZone><iJoin>1</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>LENOVO</OEMID><OEMTableID>TC-5H   </OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{90120000-001C-0409-0000-0000000FF1CE}"><LegitResult>121</LegitResult><Name>Microsoft Office Access Runtime (English) 2007</Name><Ver>12</Ver><Val>A6DF1BF2503CD6C</Val><Hash>dTTDvXHN4cR0t+IYAOhhFudJX58=</Hash><Pid>00000-694-0010114-62972</Pid><PidType>2</PidType></Product><Product GUID="{90120000-0030-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Enterprise 2007</Name><Ver>12</Ver><Val>1765CA03E677D8A</Val><Hash>oP+DZrDE1T6e5vY3TRMZLHw3dBw=</Hash><Pid>89388-709-7325542-65158</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="12" Result="100"/><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="19" Version="12" Result="100"/><App Id="1A" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/><App Id="44" Version="12" Result="100"/><App Id="A1" Version="12" Result="100"/><App Id="BA" Version="12" Result="100"/></Applications></Office></Software></GenuineResults>  
  
  Spsys.log Content: 0x80070002
  
  Licensing Data-->
  Software licensing service version: 6.1.7601.17514
  
  Name: Windows(R) 7, Professional edition
  Description: Windows Operating System - Windows(R) 7, OEM_COA_SLP channel
  Activation ID: da22eadd-46dc-4056-a287-f5041c852470
  Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
  Extended PID: 00371-00186-091-693223-02-6153-7600.0000-1782013
  Installation ID: 004395621015640686693182471614756334889122783983946414
  Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
  Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
  Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
  Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
  Partial Product Key: MYMTD
  License Status: Licensed
  Remaining Windows rearm count: 4
  Trusted time: 04/06/2016 22:05:19
  
  Windows Activation Technologies-->
  HrOffline: 0x00000000
  HrOnline: 0x00000000
  HealthStatus: 0x0000000000000000
  Event Time Stamp: 6:4:2016 22:04
  ActiveX: Registered, Version: 7.1.7600.16395
  Admin Service: Registered, Version: 7.1.7600.16395
  HealthStatus Bitmask Output:
  
  
  HWID Data-->
  HWID Hash Current: MAAAAAEABAABAAEAAAABAAAAAQABAAEAJJSsBQS9SOSqdspgmkUwZAKaYi/YHkbK
  
  OEM Activation 1.0 Data-->
  N/A
  
  OEM Activation 2.0 Data-->
  BIOS valid for OA 2.0: yes
  Windows marker version: 0x20001
  OEMID and OEMTableID Consistent: yes
  BIOS Information:
    ACPI Table Name    OEMID Value    OEMTableID Value
    APIC            LENOVO        TC-5H   
    FACP            LENOVO        TC-5H   
    HPET            LENOVO        TC-5H   
    MCFG            LENOVO        TC-5H   
    SLIC            LENOVO        TC-5H   
    OEMB            LENOVO        TC-5H   
    SSDT            LENOVO        TC-5H   
  

  Tamper is gone . Does this report look Ok to you - licence type etc ?

  Not sure if I should change the other permissions ? incl the specific user permissions ?

  • Proposed as answer by Noel D PatonModerator Tuesday, June 7, 2016 1:53 PM
  • Marked as answer by Noel D PatonModerator Sunday, June 19, 2016 11:36 AM

  Saturday, June 4, 2016 9:29 PM
• 

  

  1

  Sign in to vote

  That looks fine now - you should also remove the user-specific permissions to reduce the potential attack-surface.

  FYI, here's what the permissions are on my system...

  C:\Windows\system32>ICACLS C:\Windows\system32\slui.exe /T
  C:\Windows\system32\slui.exe NT SERVICE\TrustedInstaller:(F)
                               BUILTIN\Administrators:(RX)
                               NT AUTHORITY\SYSTEM:(RX)
                               BUILTIN\Users:(RX)

  C:\Windows\system32>ICACLS C:\Windows\winsxs\slui.exe  /T
  C:\Windows\winsxs\amd64_microsoft-windows-security-spp-ux_31bf3856ad364e35_6.1.7600.16385_none_b7b69062b883381f\slui.exe NT SERVICE\TrustedInstaller:(F)
                                           BUILTIN\Administrators:(RX)
                                           NT AUTHORITY\SYSTEM:(RX)
                                           BUILTIN\Users:(RX)

  C:\Windows\winsxs\amd64_microsoft-windows-security-spp-ux_31bf3856ad364e35_6.1.7601.17514_none_b9e7a42ab571bbb9\slui.exe NT SERVICE\TrustedInstaller:(F)
                                           BUILTIN\Administrators:(RX)
                                           NT AUTHORITY\SYSTEM:(RX)
                                           BUILTIN\Users:(RX)

  (this is an old system - and I don't so the possible file cleanup - which is why I have both versions available in the winsxs folder)

  Good luck!

  ---

  Noel Paton | Nil Carborundum Illegitemi

  CrashFixPC | The Three-toed Sloth

  No - I do not work for Microsoft, or any of its contractors.

  Monday, June 6, 2016 7:46 AM

  Moderator
• 

  

  0

  Sign in to vote

  Thanks Noel - I'll tidy up the permissions. I/we very much appreciate your help on this.
  

  Monday, June 6, 2016 11:33 AM
• 

  

  0

  Sign in to vote

  No problem ;)

  ---

  Noel Paton | Nil Carborundum Illegitemi

  CrashFixPC | The Three-toed Sloth

  No - I do not work for Microsoft, or any of its contractors.

  Monday, June 6, 2016 11:39 AM

  Moderator