Problems with Windows not genuine messages - solved - thanks to Noel

Question
-
Hi All,
We are having problems with 3 PCs we believed to be correctly activated by our dealer and which are showing Windows not genuine messages (Windows 7 Build 7601). The COA stickers are for Vista but were originally to have been supplied with W7Pro. Our dealer upgraded these to W7 and we have no reason to doubt his bona fides.
Attached is the WGADiag output for one of the PCs. We are anxious to sort the matter out - hopefully you can advise?
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Code: 0x8004FE22
Cached Online Validation Code: N/A, hr = 0xc004f012
Windows Product Key: *****-*****-7H8D7-KWVYB-MYMTD
Windows Product Key Hash: wx5ndMFQm0AcZ8nMxSw8aUrnxQM=
Windows Product ID: 00371-OEM-9309167-93223
Windows Product ID Type: 8
Windows License Type: COA SLP
Windows OS version: 6.1.7601.2.00010100.1.0.048
ID: {30CC2299-FCF3-4C23-B8CA-77390FD52CF5}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Professional
Architecture: 0x00000000
Build lab: 7601.win7sp1_ldr.160408-2045
TTS Error:
Validation Diagnostic:
Resolution Status: N/A
Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002
OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002
OGA Data-->
Office Status: 100 Genuine
Microsoft Office Access Runtime (English) 2007 - 121
Microsoft Office Enterprise 2007 - 100 Genuine
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005_E2AD56EA-765-b01a_E2AD56EA-766-0_E2AD56EA-148-80004005_16E0B333-89-80004005_B4D0AA8B-1029-80004005
Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed
File Scan Data-->
Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{30CC2299-FCF3-4C23-B8CA-77390FD52CF5}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-MYMTD</PKey><PID>00371-OEM-9309167-93223</PID><PIDType>8</PIDType><SID>S-1-5-21-4111501717-913575102-347679128</SID><SYSTEM><Manufacturer>LENOVO</Manufacturer><Model>7303WHR</Model></SYSTEM><BIOS><Manufacturer>LENOVO</Manufacturer><Version>5HKT43AUS</Version><SMBIOSVersion major="2" minor="5"/><Date>20090907000000.000000+000</Date></BIOS><HWID>55BB3C07018400F8</HWID><UserLCID>1809</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>GMT Standard Time(GMT+00:00)</TimeZone><iJoin>1</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>LENOVO</OEMID><OEMTableID>TC-5H </OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{90120000-001C-0409-0000-0000000FF1CE}"><LegitResult>121</LegitResult><Name>Microsoft Office Access Runtime (English) 2007</Name><Ver>12</Ver><Val>A6DF1BF2503CD6C</Val><Hash>dTTDvXHN4cR0t+IYAOhhFudJX58=</Hash><Pid>00000-694-0010114-62972</Pid><PidType>2</PidType></Product><Product GUID="{90120000-0030-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Enterprise 2007</Name><Ver>12</Ver><Val>1765CA03E677D8A</Val><Hash>oP+DZrDE1T6e5vY3TRMZLHw3dBw=</Hash><Pid>89388-709-7325542-65158</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="12" Result="100"/><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="19" Version="12" Result="100"/><App Id="1A" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/><App Id="44" Version="12" Result="100"/><App Id="A1" Version="12" Result="100"/><App Id="BA" Version="12" Result="100"/></Applications></Office></Software></GenuineResults>
Spsys.log Content: 0x80070002
Licensing Data-->
Software licensing service version: 6.1.7601.17514
Name: Windows(R) 7, Professional edition
Description: Windows Operating System - Windows(R) 7, OEM_COA_SLP channel
Activation ID: da22eadd-46dc-4056-a287-f5041c852470
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 00371-00186-091-693223-02-6153-7600.0000-1782013
Installation ID: 004395621015640686693182471614756334889122783983946414
Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
Partial Product Key: MYMTD
License Status: Notification
Notification Reason: 0xC004F009 (grace time expired).
Remaining Windows rearm count: 4
Trusted time: 27/05/2016 20:44:37
Windows Activation Technologies-->
HrOffline: 0x8004FE22
HrOnline: N/A
HealthStatus: 0x0000000000000800
Event Time Stamp: 5:25:2016 20:02
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Registered, Version: 7.1.7600.16395
HealthStatus Bitmask Output:
Tampered File: %systemroot%\system32\slui.exe|slui.exe.mui|COM Registration
HWID Data-->
HWID Hash Current: MAAAAAEABAABAAEAAAABAAAAAQABAAEAJJSsBQS9SOSqdspgmkUwZAKaYi/YHkbK
OEM Activation 1.0 Data-->
N/A
OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x20001
OEMID and OEMTableID Consistent: yes
BIOS Information:
ACPI Table Name OEMID Value OEMTableID Value
APIC LENOVO TC-5H
FACP LENOVO TC-5H
HPET LENOVO TC-5H
MCFG LENOVO TC-5H
SLIC LENOVO TC-5H
OEMB LENOVO TC-5H
SSDT LENOVO TC-5H
Thanks in advance
- Edited by Padr78 Monday, June 6, 2016 11:34 AM
Friday, May 27, 2016 8:53 PM
Answers
-
Update:
I went ahead and removed the Everyone DENY (I actually removed Everyone altogether) on slui.exe. Tried running slui 3 - yes, asks for product key (rather than previous no access).
Didn't enter the key as I took it that my previous slmgr /ato success had already done so.
Tried an online genuine verification - comes back as verified (or at least offers MS Security Essentials because Windows is Genuine).
Hopefully won't get any genuine popups but don't want to count my chickens... just yet.
Here is latest WGADiag output:
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Code: 0
Cached Online Validation Code: 0x0
Windows Product Key: *****-*****-7H8D7-KWVYB-MYMTD
Windows Product Key Hash: wx5ndMFQm0AcZ8nMxSw8aUrnxQM=
Windows Product ID: 00371-OEM-9309167-93223
Windows Product ID Type: 8
Windows License Type: COA SLP
Windows OS version: 6.1.7601.2.00010100.1.0.048
ID: {30CC2299-FCF3-4C23-B8CA-77390FD52CF5}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Professional
Architecture: 0x00000000
Build lab: 7601.win7sp1_ldr.160408-2045
TTS Error:
Validation Diagnostic:
Resolution Status: N/A
Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002
OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002
OGA Data-->
Office Status: 100 Genuine
Microsoft Office Access Runtime (English) 2007 - 121
Microsoft Office Enterprise 2007 - 100 Genuine
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005_E2AD56EA-765-b01a_E2AD56EA-766-0_E2AD56EA-148-80004005_16E0B333-89-80004005_B4D0AA8B-1029-80004005
Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed
File Scan Data-->
Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{30CC2299-FCF3-4C23-B8CA-77390FD52CF5}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-MYMTD</PKey><PID>00371-OEM-9309167-93223</PID><PIDType>8</PIDType><SID>S-1-5-21-4111501717-913575102-347679128</SID><SYSTEM><Manufacturer>LENOVO</Manufacturer><Model>7303WHR</Model></SYSTEM><BIOS><Manufacturer>LENOVO</Manufacturer><Version>5HKT43AUS</Version><SMBIOSVersion major="2" minor="5"/><Date>20090907000000.000000+000</Date></BIOS><HWID>55133207018400F8</HWID><UserLCID>1809</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>GMT Standard Time(GMT+00:00)</TimeZone><iJoin>1</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>LENOVO</OEMID><OEMTableID>TC-5H </OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{90120000-001C-0409-0000-0000000FF1CE}"><LegitResult>121</LegitResult><Name>Microsoft Office Access Runtime (English) 2007</Name><Ver>12</Ver><Val>A6DF1BF2503CD6C</Val><Hash>dTTDvXHN4cR0t+IYAOhhFudJX58=</Hash><Pid>00000-694-0010114-62972</Pid><PidType>2</PidType></Product><Product GUID="{90120000-0030-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Enterprise 2007</Name><Ver>12</Ver><Val>1765CA03E677D8A</Val><Hash>oP+DZrDE1T6e5vY3TRMZLHw3dBw=</Hash><Pid>89388-709-7325542-65158</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="12" Result="100"/><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="19" Version="12" Result="100"/><App Id="1A" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/><App Id="44" Version="12" Result="100"/><App Id="A1" Version="12" Result="100"/><App Id="BA" Version="12" Result="100"/></Applications></Office></Software></GenuineResults>
Spsys.log Content: 0x80070002
Licensing Data-->
Software licensing service version: 6.1.7601.17514
Name: Windows(R) 7, Professional edition
Description: Windows Operating System - Windows(R) 7, OEM_COA_SLP channel
Activation ID: da22eadd-46dc-4056-a287-f5041c852470
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 00371-00186-091-693223-02-6153-7600.0000-1782013
Installation ID: 004395621015640686693182471614756334889122783983946414
Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
Partial Product Key: MYMTD
License Status: Licensed
Remaining Windows rearm count: 4
Trusted time: 04/06/2016 22:05:19
Windows Activation Technologies-->
HrOffline: 0x00000000
HrOnline: 0x00000000
HealthStatus: 0x0000000000000000
Event Time Stamp: 6:4:2016 22:04
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Registered, Version: 7.1.7600.16395
HealthStatus Bitmask Output:
HWID Data-->
HWID Hash Current: MAAAAAEABAABAAEAAAABAAAAAQABAAEAJJSsBQS9SOSqdspgmkUwZAKaYi/YHkbK
OEM Activation 1.0 Data-->
N/A
OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x20001
OEMID and OEMTableID Consistent: yes
BIOS Information:
ACPI Table Name OEMID Value OEMTableID Value
APIC LENOVO TC-5H
FACP LENOVO TC-5H
HPET LENOVO TC-5H
MCFG LENOVO TC-5H
SLIC LENOVO TC-5H
OEMB LENOVO TC-5H
SSDT LENOVO TC-5H
Tamper is gone. Does this report look OK to you - licence type etc.?
Not sure if I should change the other permissions, incl. the specific user permissions?
- Proposed as answer by Noel D Paton (Moderator) Tuesday, June 7, 2016 1:53 PM
- Marked as answer by Noel D Paton (Moderator) Sunday, June 19, 2016 11:36 AM
Saturday, June 4, 2016 9:29 PM
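Added example (not part of the original thread and not a Microsoft tool): a small Python triage script that parses the text form of these diagnostic reports, lists the fields indicating a validation or integrity problem, and diffs two reports field by field. The function names are hypothetical, and `BEFORE` and `AFTER` are constructed excerpts holding only a few fields copied from the first report in the question and the report in the post above.

```python
# Added illustration: triage and compare two MGADiag-style text reports.

# Constructed samples: a handful of fields copied from the reports in this
# thread (first report in the question, final report in the accepted answer).
BEFORE = r"""
Windows Validation Data-->
Validation Code: 0x8004FE22
Licensing Data-->
License Status: Notification
Notification Reason: 0xC004F009 (grace time expired).
Windows Activation Technologies-->
HrOffline: 0x8004FE22
HrOnline: N/A
HealthStatus: 0x0000000000000800
HealthStatus Bitmask Output:
Tampered File: %systemroot%\system32\slui.exe|slui.exe.mui|COM Registration
HWID Data-->
"""
AFTER = r"""
Windows Validation Data-->
Validation Code: 0
Licensing Data-->
License Status: Licensed
Windows Activation Technologies-->
HrOffline: 0x00000000
HrOnline: 0x00000000
HealthStatus: 0x0000000000000000
HealthStatus Bitmask Output:
HWID Data-->
"""

# Fields that should read as zero on a healthy machine (as in the final report).
NUMERIC_CHECKS = (
    ("Windows Validation Data", "Validation Code"),
    ("Windows Activation Technologies", "HrOffline"),
    ("Windows Activation Technologies", "HealthStatus"),
)


def parse_report(text):
    """Return {section: {field: value}}; lines ending in '-->' open a section."""
    report, section = {}, "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue  # blank line or the dashed rule under the title
        if line.endswith("-->"):
            section = line[:-3].strip()
            report.setdefault(section, {})
            continue
        key, sep, value = line.partition(":")  # split on the first colon only
        if sep:
            report.setdefault(section, {})[key.strip()] = value.strip()
    return report


def as_int(value):
    """Numeric value of a hex or bare-digit field; None for 'N/A' or missing."""
    try:
        return int(value, 16)
    except (TypeError, ValueError):
        return None


def findings(report):
    """List human-readable problems found in one parsed report."""
    out = []
    for section, key in NUMERIC_CHECKS:
        value = report.get(section, {}).get(key)
        if as_int(value):
            out.append(f"{key} is non-zero: {value}")
    wat = report.get("Windows Activation Technologies", {})
    for name in filter(None, wat.get("Tampered File", "").split("|")):
        out.append(f"flagged as tampered: {name}")
    status = report.get("Licensing Data", {}).get("License Status")
    if status and status != "Licensed":
        out.append(f"License Status is {status}")
    return out


def changed(before, after):
    """Return (section, field, old, new) for every field that differs."""
    rows = []
    for section in sorted(set(before) | set(after)):
        old, new = before.get(section, {}), after.get(section, {})
        for key in sorted(set(old) | set(new)):
            if old.get(key) != new.get(key):
                rows.append((section, key, old.get(key), new.get(key)))
    return rows


if __name__ == "__main__":
    first, last = parse_report(BEFORE), parse_report(AFTER)
    for problem in findings(first):
        print("BEFORE:", problem)
    print("AFTER problems:", findings(last))
    for row in changed(first, last):
        print("changed:", row)
```
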
All replies
-
Further update. I had already run SFC /SCANNOW as suggested elsewhere in these forums and didn't realise that this had detected errors and replaced various files.
Although slui.exe is still not allowing access I was able to run slmgr /ato which validated windows (at least in so far as the non-genuine message is gone from the desktop and a section for activation is now back on the system properties screen with a genuine windows logo).
However I still cannot get the web verification to give me a genuine windows result - the answer is always Windows could not be validated both on IE and also Firefox using legit.hta. Maybe related to the tampered file message? I also attach an updated MGADiag output although I can't see any change.
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Code: 0x8004FE22
Cached Online Validation Code: N/A, hr = 0xc004f012
Windows Product Key: *****-*****-7H8D7-KWVYB-MYMTD
Windows Product Key Hash: wx5ndMFQm0AcZ8nMxSw8aUrnxQM=
Windows Product ID: 00371-OEM-9309167-93223
Windows Product ID Type: 8
Windows License Type: COA SLP
Windows OS version: 6.1.7601.2.00010100.1.0.048
ID: {30CC2299-FCF3-4C23-B8CA-77390FD52CF5}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Professional
Architecture: 0x00000000
Build lab: 7601.win7sp1_ldr.160408-2045
TTS Error:
Validation Diagnostic:
Resolution Status: N/A
Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002
OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002
OGA Data-->
Office Status: 100 Genuine
Microsoft Office Access Runtime (English) 2007 - 121
Microsoft Office Enterprise 2007 - 100 Genuine
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005_E2AD56EA-765-b01a_E2AD56EA-766-0_E2AD56EA-148-80004005_16E0B333-89-80004005_B4D0AA8B-1029-80004005
Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed
File Scan Data-->
Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{30CC2299-FCF3-4C23-B8CA-77390FD52CF5}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-MYMTD</PKey><PID>00371-OEM-9309167-93223</PID><PIDType>8</PIDType><SID>S-1-5-21-4111501717-913575102-347679128</SID><SYSTEM><Manufacturer>LENOVO</Manufacturer><Model>7303WHR</Model></SYSTEM><BIOS><Manufacturer>LENOVO</Manufacturer><Version>5HKT43AUS</Version><SMBIOSVersion major="2" minor="5"/><Date>20090907000000.000000+000</Date></BIOS><HWID>55E73F07018400F8</HWID><UserLCID>1809</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>GMT Standard Time(GMT+00:00)</TimeZone><iJoin>1</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>LENOVO</OEMID><OEMTableID>TC-5H </OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{90120000-001C-0409-0000-0000000FF1CE}"><LegitResult>121</LegitResult><Name>Microsoft Office Access Runtime (English) 2007</Name><Ver>12</Ver><Val>A6DF1BF2503CD6C</Val><Hash>dTTDvXHN4cR0t+IYAOhhFudJX58=</Hash><Pid>00000-694-0010114-62972</Pid><PidType>2</PidType></Product><Product GUID="{90120000-0030-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Enterprise 2007</Name><Ver>12</Ver><Val>1765CA03E677D8A</Val><Hash>oP+DZrDE1T6e5vY3TRMZLHw3dBw=</Hash><Pid>89388-709-7325542-65158</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="12" Result="100"/><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="19" Version="12" Result="100"/><App Id="1A" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/><App Id="44" Version="12" Result="100"/><App Id="A1" Version="12" Result="100"/><App Id="BA" Version="12" Result="100"/></Applications></Office></Software></GenuineResults>
Spsys.log Content: 0x80070002
Licensing Data-->
Software licensing service version: 6.1.7601.17514
Name: Windows(R) 7, Professional edition
Description: Windows Operating System - Windows(R) 7, OEM_COA_SLP channel
Activation ID: da22eadd-46dc-4056-a287-f5041c852470
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 00371-00186-091-693223-02-6153-7600.0000-1782013
Installation ID: 004395621015640686693182471614756334889122783983946414
Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
Partial Product Key: MYMTD
License Status: Licensed
Remaining Windows rearm count: 4
Trusted time: 29/05/2016 21:42:11
Windows Activation Technologies-->
HrOffline: 0x8004FE22
HrOnline: N/A
HealthStatus: 0x0000000000000800
Event Time Stamp: 5:29:2016 20:40
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Registered, Version: 7.1.7600.16395
HealthStatus Bitmask Output:
Tampered File: %systemroot%\system32\slui.exe|slui.exe.mui|COM Registration
HWID Data-->
HWID Hash Current: MAAAAAEABAABAAEAAAABAAAAAQABAAEAJJSsBQS9SOSqdspgmkUwZAKaYi/YHkbK
OEM Activation 1.0 Data-->
N/A
OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x20001
OEMID and OEMTableID Consistent: yes
BIOS Information:
ACPI Table Name OEMID Value OEMTableID Value
APIC LENOVO TC-5H
FACP LENOVO TC-5H
HPET LENOVO TC-5H
MCFG LENOVO TC-5H
SLIC LENOVO TC-5H
OEMB LENOVO TC-5H
SSDT LENOVO TC-5H
Sunday, May 29, 2016 9:47 PM -
To confirm that the problem is what I think it is, please run the following commands in an Elevated Command Prompt window and post the results.
REG QUERY HKLM\SOFTWARE\Classes\Wow6432Node\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5AA} /S
REG QUERY HKLM\SOFTWARE\Classes\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5AA} /S
REG QUERY HKLM\SOFTWARE\Wow6432Node\Classes\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5AA} /S
Here are some instructions to make life easier :)
1) To open an Elevated Command Prompt Window (the ECP window), click on Start, All Programs, Accessories – then right-click on Command Prompt, and select Run as Administrator. Accept the UAC prompt.
2) To run the commands easier, highlight the block of commands, and right-click on the highlight – select Copy. In the CP Window, click on the black/white icon at top left – select Paste. The commands will run but may not complete the last command, so hit the Enter Key once.
3) To copy the results... click on the Black/White icon in the top left, and select Edit... 'Select All', and hit the Enter key - then use Ctrl+V or r-click+Paste to paste it into your response.
Noel Paton | Nil Carborundum Illegitemi
CrashFixPC | The Three-toed Sloth
No - I do not work for Microsoft, or any of its contractors.
Tuesday, May 31, 2016 7:28 AM Moderator -
Hi Noel and thanks for the reply
Output of commands:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>REG QUERY HKLM\SOFTWARE\Classes\Wow6432Node\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5AA} /S
ERROR: The system was unable to find the specified registry key or value.
C:\Windows\system32>
C:\Windows\system32>REG QUERY HKLM\SOFTWARE\Classes\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5AA} /S
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5AA}\1.0
(Default) REG_SZ SPPUI 1.0 Type Library
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5AA}\1.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5AA}\1.0\0\win32
(Default) REG_EXPAND_SZ %SystemRoot%\System32\slui.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5AA}\1.0\FLAGS
(Default) REG_SZ 0
C:\Windows\system32>
C:\Windows\system32>REG QUERY HKLM\SOFTWARE\Wow6432Node\Classes\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5AA} /S
Also if it helps to diagnose the "not genuine - resolve online" windows has re-appeared although the message at the bottom right hand corner of the desktop is still not there and the windows activation detail at the bottom of the system properties screen is still showing activated and the genuine logo
Tuesday, May 31, 2016 8:36 AM -
Thanks for that - the above output seems OK, so the problem may be a little deeper into the registry (or somewhere else altogether!)
Please post the output from these commands...
REG QUERY HKLM\SOFTWARE\Classes\CLSID\{A6C13C9D-54E1-44FC-82F0-DBE2C843E51A}\TypeLib /S
REG QUERY HKLM\SOFTWARE\Classes\CLSID\{F87B28F1-DA9A-4F35-8EC0-800EFCF26B83}\TypeLib /S
REG QUERY HKLM\SOFTWARE\Classes\Interface\{76D90824-E735-4844-B26F-AA1235B6E76B}\TypeLib /S
Noel Paton | Nil Carborundum Illegitemi
CrashFixPC | The Three-toed Sloth
No - I do not work for Microsoft, or any of its contractors.
Tuesday, May 31, 2016 9:45 AM Moderator -
Output follows:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>REG QUERY HKLM\SOFTWARE\Classes\CLSID\{A6C13C9D-54E1-44FC-82F0-DBE2C843E51A}\TypeLib /S
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A6C13C9D-54E1-44FC-82F0-DBE2C843E51A}\TypeLib
(Default) REG_SZ {EE574957-4077-4AD6-8658-327C2C86C5AA}
C:\Windows\system32>REG QUERY HKLM\SOFTWARE\Classes\CLSID\{F87B28F1-DA9A-4F35-8EC0-800EFCF26B83}\TypeLib /S
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F87B28F1-DA9A-4F35-8EC0-800EFCF26B83}\TypeLib
(Default) REG_SZ {EE574957-4077-4AD6-8658-327C2C86C5AA}
C:\Windows\system32>REG QUERY HKLM\SOFTWARE\Classes\Interface\{76D90824-E735-4844-B26F-AA1235B6E76B}\TypeLib /S
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{76D90824-E735-4844-B26F-AA1235B6E76B}\TypeLib
(Default) REG_SZ {EE574957-4077-4AD6-8658-327C2C86C5AA}
Version REG_SZ 1.0
C:\Windows\system32>
Also I notice the last reply I made for some reason did not have output for the third command on your last post. Follows now:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>REG QUERY HKLM\SOFTWARE\Wow6432Node\Classes\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5AA} /S
ERROR: The system was unable to find the specified registry key or value.
C:\Windows\system32>
Thanks for taking the time to help with this - hopefully we can track it down?
Tuesday, May 31, 2016 1:23 PM -
We have a pretty good record of fixing this problem in 64-bit Windows - but this is the first case that I can recall where the problem has occurred in 32-bit Windows.
The above steps almost always demonstrate the problem sufficiently to define the required fix, but such is obviously not the case here.
Have you been using any kind of Registry Cleaner software? (DON'T!!) Any software from the WISE or IOBits stable?
How long ago did the problem start? Have you tried a System Restore back to before the problem arose?
Let's have a look at the data that the SFC generated - it may help....
Please copy the C:\Windows\Logs\CBS\CBS.log file to the desktop - then compress it, and upload it to your favourite fileshare site and post a link.
Also upload the other CBSPersistxxxxxxxxx.CAB files - post links.
They may give me a clue to what's happening.
Noel Paton | Nil Carborundum Illegitemi
CrashFixPC | The Three-toed Sloth
No - I do not work for Microsoft, or any of its contractors.
Tuesday, May 31, 2016 5:01 PM Moderator -
Hi Noel
It is possible that CCleaner might at some stage have been used but I cannot say with certainty.
The problem has been there for some considerable time but when the dealer was asked about it he simply said that the windows was definitely genuine.
As noted before there was no reason to doubt him as other PCs purchased through him have had no such issues and he has otherwise been reputable.
It is only now when trying to upgrade to W10 that the problem has become an issue.
I had saved the [SR] output of the SFC scan (as per Microsoft advice on the SFC explanatory page) and luckily kept it:
https://onedrive.live.com/redir?resid=788AE715C469108A!268&authkey=!AIU2lIIoGGkq_es&ithint=file%2ctxt (I can't post a physical link as the forum won't let me)
I am a little reluctant to post a public link to the other files as I am in fact helping a family member to try to sort this problem and the PCs concerned are at her workplace (she deals with IT procurement although she is not an IT person herself).
I am afraid that identifiable information might be in the CBS logs and data protection issues / regs might be breached?
- Edited by Padr78 Tuesday, May 31, 2016 9:59 PM
Tuesday, May 31, 2016 9:36 PM -
CCleaner is usually OK - but it's still a good idea to avoid the Registry Cleaner part of it!
There are no file replacements shown in the SFC scan - which means that I really need to see the CBSPersist files. There is no Personally Identifiable Information in these logs, they are simply a record of any files which are causing recordable events. Sometimes these events can give us vital information on what's happening to cause these problems. It's possible that if the SFC was run more than once, then the file uploaded is the later one, while the first one had possibly a number of files recorded - this log should still be visible in the Persist files.
Noel Paton | Nil Carborundum Illegitemi
CrashFixPC | The Three-toed Sloth
No - I do not work for Microsoft, or any of its contractors.
Wednesday, June 1, 2016 8:19 AM Moderator -
Morning Noel,
I double checked the uploaded sfcdetails file - I can see some entries between lines 246 and 347 which seem to be about repaired files?
I'll need to get the OK to upload the other files - later today.
Thanks
Wednesday, June 1, 2016 9:22 AM -
Noel,
CBS and CBS Persist logs (all in one zipped file) are at:
https://onedrive.live.com/redir?resid=788AE715C469108A!269&authkey=!AM4YTtyNID0cpBE&ithint=file%2czip
Hope this helps.
Wednesday, June 1, 2016 12:08 PM -
The Persist files make interesting reading!
There is at least one update that's stuck somewhere in the middle of installing - and that's blocking others.
It's a while since I dealt with anything similar so I'll have to research it - but here are some of the error messages being thrown up at every shutdown/boot... (just so I don't lose it!)
Line 840624: 2016-05-31 08:02:23, Error CBS Failed to process single phase execution. [HRESULT = 0x800f0816 - CBS_E_DPX_JOB_STATE_SAVED]
Line 840754: 2016-05-31 08:05:00, Error CBS Failed to process single phase execution. [HRESULT = 0x800f0816 - CBS_E_DPX_JOB_STATE_SAVED]
Line 840852: 2016-05-31 08:05:04, Error CBS Failed to process single phase execution. [HRESULT = 0x800f0816 - CBS_E_DPX_JOB_STATE_SAVED]
Line 840950: 2016-05-31 08:05:08, Error CBS Failed to process single phase execution. [HRESULT = 0x800f0816 - CBS_E_DPX_JOB_STATE_SAVED]
Line 841572: 2016-05-31 09:17:02, Error CBS Failed to process single phase execution. [HRESULT = 0x800f0816 - CBS_E_DPX_JOB_STATE_SAVED]
Line 843608: 2016-05-31 09:17:56, Error CSI 0000025f (F) A previous transaction requested a reboot, so you cannot commit any transactions until you reboot.
Line 843610: 2016-05-31 09:17:56, Error CSI 00000260 (F) STATUS_REQUEST_OUT_OF_SEQUENCE #1651274# from Windows::COM::CComponentStore::ApplyTransactionNow(...)[gle=0xd000042a]
Line 843611: 2016-05-31 09:17:56, Error CSI 00000261@2016/5/31:09:17:56.941 (F) d:\win7sp1_gdr\base\wcp\componentstore\com\store_transaction.cpp(1841): Error STATUS_REQUEST_OUT_OF_SEQUENCE originated in function Windows::COM::CComponentStore::ApplyTransactionNow expression: (null)
Line 843613: 2016-05-31 09:18:27, Error CSI 00000262 (F) HRESULT_FROM_WIN32(ERROR_REQUEST_OUT_OF_SEQUENCE) #1651135# from Windows::COM::CPendingTransaction::IStorePendingTransaction_Apply(...)[gle=0x80070308]
Line 843614: 2016-05-31 09:18:27, Error CSI 00000263 (F) HRESULT_FROM_WIN32(ERROR_REQUEST_OUT_OF_SEQUENCE) #1648279# from Windows::ServicingAPI::CCSITransaction::ICSITransaction2_AddFiles(Flags = 1, a = @0x64ba008, fn = @0x64ba408, fp = @0x64ba808, disp = 0, op = 0)[gle=0x80070308]
Line 843616: 2016-05-31 09:18:27, Error CBS Failed to stage execution package: Package_58_for_KB2923545~31bf3856ad364e35~x86~~6.1.1.1 [HRESULT = 0x80070308 - ERROR_REQUEST_OUT_OF_SEQUENCE]
Line 843620: 2016-05-31 09:18:27, Error CBS Failed to process single phase execution. [HRESULT = 0x80070308 - ERROR_REQUEST_OUT_OF_SEQUENCE]
Line 843758: 2016-05-31 09:18:43, Error CSI 0000026d (F) A previous transaction requested a reboot, so you cannot commit any transactions until you reboot.
Line 843760: 2016-05-31 09:18:43, Error CSI 0000026e (F) STATUS_REQUEST_OUT_OF_SEQUENCE #1662919# from Windows::COM::CComponentStore::ApplyTransactionNow(...)[gle=0xd000042a]
Line 843761: 2016-05-31 09:18:43, Error CSI 0000026f@2016/5/31:09:18:43.132 (F) d:\win7sp1_gdr\base\wcp\componentstore\com\store_transaction.cpp(1841): Error STATUS_REQUEST_OUT_OF_SEQUENCE originated in function Windows::COM::CComponentStore::ApplyTransactionNow expression: (null)
Line 843763: 2016-05-31 09:18:46, Error CSI 00000270 (F) HRESULT_FROM_WIN32(ERROR_REQUEST_OUT_OF_SEQUENCE) #1662780# from Windows::COM::CPendingTransaction::IStorePendingTransaction_Apply(...)[gle=0x80070308]
Line 843764: 2016-05-31 09:18:47, Error CSI 00000271 (F) HRESULT_FROM_WIN32(ERROR_REQUEST_OUT_OF_SEQUENCE) #1658933# from Windows::ServicingAPI::CCSITransaction::ICSITransaction2_AddFiles(Flags = 1, a = @0x64ba008, fn = @0x64ba408, fp = @0x64ba808, disp = 0, op = 0)[gle=0x80070308]
Line 843766: 2016-05-31 09:18:47, Error CBS Failed to stage execution package: Package_2_for_KB3075226~31bf3856ad364e35~x86~~6.1.1.1 [HRESULT = 0x80070308 - ERROR_REQUEST_OUT_OF_SEQUENCE]
Line 843770: 2016-05-31 09:18:47, Error CBS Failed to process single phase execution. [HRESULT = 0x80070308 - ERROR_REQUEST_OUT_OF_SEQUENCE]
Line 843869: 2016-05-31 09:18:54, Error CSI 0000027b (F) A previous transaction requested a reboot, so you cannot commit any transactions until you reboot.
Line 843871: 2016-05-31 09:18:54, Error CSI 0000027c (F) STATUS_REQUEST_OUT_OF_SEQUENCE #1668246# from Windows::COM::CComponentStore::ApplyTransactionNow(...)[gle=0xd000042a]
Line 843872: 2016-05-31 09:18:54, Error CSI 0000027d@2016/5/31:09:18:54.06 (F) d:\win7sp1_gdr\base\wcp\componentstore\com\store_transaction.cpp(1841): Error STATUS_REQUEST_OUT_OF_SEQUENCE originated in function Windows::COM::CComponentStore::ApplyTransactionNow expression: (null)
Line 843874: 2016-05-31 09:19:00, Error CSI 0000027e (F) HRESULT_FROM_WIN32(ERROR_REQUEST_OUT_OF_SEQUENCE) #1668107# from Windows::COM::CPendingTransaction::IStorePendingTransaction_Apply(...)[gle=0x80070308]
Line 843875: 2016-05-31 09:19:00, Error CSI 0000027f (F) HRESULT_FROM_WIN32(ERROR_REQUEST_OUT_OF_SEQUENCE) #1666990# from Windows::ServicingAPI::CCSITransaction::ICSITransaction2_AddFiles(Flags = 1, a = @0x64ba008, fn = @0x64ba408, fp = @0x64ba808, disp = 0, op = 0)[gle=0x80070308]
Line 843877: 2016-05-31 09:19:00, Error CBS Failed to stage execution package: Package_2_for_KB3020388~31bf3856ad364e35~x86~~6.1.1.1 [HRESULT = 0x80070308 - ERROR_REQUEST_OUT_OF_SEQUENCE]
Line 843881: 2016-05-31 09:19:00, Error CBS Failed to process single phase execution. [HRESULT = 0x80070308 - ERROR_REQUEST_OUT_OF_SEQUENCE]
Line 843985: 2016-05-31 09:19:09, Error CSI 00000289 (F) A previous transaction requested a reboot, so you cannot commit any transactions until you reboot.
Line 843987: 2016-05-31 09:19:09, Error CSI 0000028a (F) STATUS_REQUEST_OUT_OF_SEQUENCE #1675514# from Windows::COM::CComponentStore::ApplyTransactionNow(...)[gle=0xd000042a]
Line 843988: 2016-05-31 09:19:09, Error CSI 0000028b@2016/5/31:09:19:09.434 (F) d:\win7sp1_gdr\base\wcp\componentstore\com\store_transaction.cpp(1841): Error STATUS_REQUEST_OUT_OF_SEQUENCE originated in function Windows::COM::CComponentStore::ApplyTransactionNow expression: (null)
Line 843990: 2016-05-31 09:19:17, Error CSI 0000028c (F) HRESULT_FROM_WIN32(ERROR_REQUEST_OUT_OF_SEQUENCE) #1675375# from Windows::COM::CPendingTransaction::IStorePendingTransaction_Apply(...)[gle=0x80070308]
Line 843991: 2016-05-31 09:19:17, Error CSI 0000028d (F) HRESULT_FROM_WIN32(ERROR_REQUEST_OUT_OF_SEQUENCE) #1673182# from Windows::ServicingAPI::CCSITransaction::ICSITransaction2_AddFiles(Flags = 1, a = @0x64ba008, fn = @0x64ba408, fp = @0x64ba808, disp = 0, op = 0)[gle=0x80070308]
Line 843993: 2016-05-31 09:19:17, Error CBS Failed to stage execution package: Package_2_for_KB3126446~31bf3856ad364e35~x86~~6.1.1.0 [HRESULT = 0x80070308 - ERROR_REQUEST_OUT_OF_SEQUENCE]
Line 843997: 2016-05-31 09:19:17, Error CBS Failed to process single phase execution. [HRESULT = 0x80070308 - ERROR_REQUEST_OUT_OF_SEQUENCE]
Noel Paton | Nil Carborundum Illegitemi CrashFixPC | The Three-toed Sloth No - I do not work for Microsoft, or any of its contractors. Wednesday, June 1, 2016 3:51 PMModerator -
...I found an old resolution of mine that worked - but I need to check it first...
Please do a Search in your Windows folder (and subfolders) for any files 'pending.xml', and compress and upload all found - post a link
Noel Paton | Nil Carborundum Illegitemi CrashFixPC | The Three-toed Sloth No - I do not work for Microsoft, or any of its contractors. Wednesday, June 1, 2016 3:54 PMModerator -
only one pending file - https://onedrive.live.com/redir?resid=788AE715C469108A!270&authkey=!AKNRmDUCgKLlR2E&ithint=file%2cxml
The email notifications and the reply/post listing here seem a little out of sync so I hope I am replying to the correct post
Wednesday, June 1, 2016 7:35 PM -
try this...
Open an Elevated Command Prompt, and run the following commands
REG LOAD HKLM\COMPONENTS C:\Windows\System32\config\COMPONENTS
REG DELETE HKLM\COMPONENTS /V PendingRequired
then reboot, and try Windows Update - do a Check for updates and see what happens (it may take a few hours!)
Also run a new MGADiag report and post it.
Noel Paton | Nil Carborundum Illegitemi CrashFixPC | The Three-toed Sloth No - I do not work for Microsoft, or any of its contractors. Thursday, June 2, 2016 7:13 AMModerator -
Ran those commands but second one threw an error:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>REG LOAD HKLM\COMPONENTS C:\Windows\System32\config\COMPONEN
TS
The operation completed successfully.
C:\Windows\system32>REG DELETE HKLM\COMPONENTS /V PendingRequired
Delete the registry value PendingRequired (Yes/No)? y
ERROR: The system was unable to find the specified registry key or value.
C:\Windows\system32>REG DELETE HKLM\COMPONENTS /V PendingRequired
Delete the registry value PendingRequired (Yes/No)? Y
ERROR: The system was unable to find the specified registry key or value.
C:\Windows\system32>
Also did a windows update - for the record it had not been misbehaving. There were a few failed updates a couple of days ago but they subsequently went through OK. The update history looks fully populated.
As requested up-to-date MGADiag report but I don't think anything is changed
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Code: 0x8004FE22
Cached Online Validation Code: 0x0
Windows Product Key: *****-*****-7H8D7-KWVYB-MYMTD
Windows Product Key Hash: wx5ndMFQm0AcZ8nMxSw8aUrnxQM=
Windows Product ID: 00371-OEM-9309167-93223
Windows Product ID Type: 8
Windows License Type: COA SLP
Windows OS version: 6.1.7601.2.00010100.1.0.048
ID: {30CC2299-FCF3-4C23-B8CA-77390FD52CF5}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Professional
Architecture: 0x00000000
Build lab: 7601.win7sp1_ldr.160408-2045
TTS Error:
Validation Diagnostic:
Resolution Status: N/A
Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002
OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002
OGA Data-->
Office Status: 100 Genuine
Microsoft Office Access Runtime (English) 2007 - 121
Microsoft Office Enterprise 2007 - 100 Genuine
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005_E2AD56EA-765-b01a_E2AD56EA-766-0_E2AD56EA-148-80004005_16E0B333-89-80004005_B4D0AA8B-1029-80004005
Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed
File Scan Data-->
Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{30CC2299-FCF3-4C23-B8CA-77390FD52CF5}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-MYMTD</PKey><PID>00371-OEM-9309167-93223</PID><PIDType>8</PIDType><SID>S-1-5-21-4111501717-913575102-347679128</SID><SYSTEM><Manufacturer>LENOVO</Manufacturer><Model>7303WHR</Model></SYSTEM><BIOS><Manufacturer>LENOVO</Manufacturer><Version>5HKT43AUS</Version><SMBIOSVersion major="2" minor="5"/><Date>20090907000000.000000+000</Date></BIOS><HWID>559B3E07018400F8</HWID><UserLCID>1809</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>GMT Standard Time(GMT+00:00)</TimeZone><iJoin>1</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>LENOVO</OEMID><OEMTableID>TC-5H </OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{90120000-001C-0409-0000-0000000FF1CE}"><LegitResult>121</LegitResult><Name>Microsoft Office Access Runtime (English) 2007</Name><Ver>12</Ver><Val>A6DF1BF2503CD6C</Val><Hash>dTTDvXHN4cR0t+IYAOhhFudJX58=</Hash><Pid>00000-694-0010114-62972</Pid><PidType>2</PidType></Product><Product GUID="{90120000-0030-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Enterprise 2007</Name><Ver>12</Ver><Val>1765CA03E677D8A</Val><Hash>oP+DZrDE1T6e5vY3TRMZLHw3dBw=</Hash><Pid>89388-709-7325542-65158</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="12" Result="100"/><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="19" Version="12" Result="100"/><App Id="1A" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/><App Id="44" Version="12" Result="100"/><App Id="A1" Version="12" Result="100"/><App Id="BA" Version="12" Result="100"/></Applications></Office></Software></GenuineResults>
Spsys.log Content: 0x80070002
Licensing Data-->
Software licensing service version: 6.1.7601.17514
Name: Windows(R) 7, Professional edition
Description: Windows Operating System - Windows(R) 7, OEM_COA_SLP channel
Activation ID: da22eadd-46dc-4056-a287-f5041c852470
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 00371-00186-091-693223-02-6153-7600.0000-1782013
Installation ID: 004395621015640686693182471614756334889122783983946414
Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
Partial Product Key: MYMTD
License Status: Licensed
Remaining Windows rearm count: 4
Trusted time: 02/06/2016 10:27:11
Windows Activation Technologies-->
HrOffline: 0x8004FE22
HrOnline: N/A
HealthStatus: 0x0000000000000800
Event Time Stamp: 6:2:2016 09:44
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Registered, Version: 7.1.7600.16395
HealthStatus Bitmask Output:
Tampered File: %systemroot%\system32\slui.exe|slui.exe.mui|COM Registration
HWID Data-->
HWID Hash Current: MAAAAAEABAABAAEAAAABAAAAAQABAAEAJJSsBQS9SOSqdspgmkUwZAKaYi/YHkbK
OEM Activation 1.0 Data-->
N/A
OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x20001
OEMID and OEMTableID Consistent: yes
BIOS Information:
ACPI Table Name OEMID Value OEMTableID Value
APIC LENOVO TC-5H
FACP LENOVO TC-5H
HPET LENOVO TC-5H
MCFG LENOVO TC-5H
SLIC LENOVO TC-5H
OEMB LENOVO TC-5H
SSDT LENOVO TC-5H
Thursday, June 2, 2016 9:35 AM -
Hmmm - the error message you got would tend to back up the fact that updates are installing OK.
Let's go back a step to the SFC scan results...
Those corrupted files are interesting, as they are often ones corrupted when using a particular hacker's Activation Exploit.
It does open up the possibility of using the 'cure' for that hack as a possible repair for this problem...
Download WATFix - make sure that you UNTICK the box for the 'download manager', AND UNCHECK the 'use download manager' option greyed out on the left under the Download button.
Click on the Download button on the left of the page, not the big shiny button on the right (which is an ad for the download manager!!) - and use that - extract the .exe file, and run it, then reboot.
The downloaded file should be named 'Wat Fix.zip' rather than anything else - the extracted file is 'Wat Fix.exe'
Post back with another MGADiag report, and we'll then see what we can do.
Noel Paton | Nil Carborundum Illegitemi CrashFixPC | The Three-toed Sloth No - I do not work for Microsoft, or any of its contractors. - Proposed as answer by Noel D PatonModerator Tuesday, June 7, 2016 1:52 PM
Thursday, June 2, 2016 3:43 PMModerator -
Hi Noel,
I have been doing a bit of reading around about watfix etc. I can see two files in Windows/system32 which look "fishy".
There is a file slmgr.vbs.removewat as well as slmgr.vbs -the latter being the file the SFC scan replaced back to good ?
There is also slwga.dll.bak and a slwga.dll -the slwga.dll again being the fixed by SFC ?
There is only one slui.exe which is not allowing access - maybe changed in some way by removewat ?
I nor the family member I am helping certainly did not use removewat but it looks as if somebody ( at some point) did ?
I have also tried to research Wat Fix and I am very uncertain about using it. I have not yet downloaded it but apparently nearly a half of the Virustotal scanners are flagging it as malware? I can also see some comments over in sevenforums.com by I presume yourself (didn't realise you posted in both forums - busy man !!) about avoiding the download button and the tickbox possibly being dangerous. Does this not, by association at least, call into question the integrity of watfix? Who is the author of watfix and can we really know everything it is doing? Who placed it on datafilehost.com?
Is there no other tool available to counteract/cleanout the effects of removewat - even a list of manual instructions ?
Please do not take any of this to in any way be questioning your integrity. Based on your forum posts and also on the lengths you have gone to help many people including myself
it is clear that your bona-fides is not for discussion . I am just being super-careful/paranoid about security - I don't want to get "out of the frying pan into the fire"
Thursday, June 2, 2016 7:23 PM -
Understand absolutely where you're coming from - but I have been recommending that download for over 5 years now, and no-one who has avoided using the download manager has had any problems with it ;)
I check the site whenever I haven't recommended it for a while to see what new wrinkles they've added in an attempt to foist whatever their flavour-of-the-month wrapper for the base upload is - and modify my script accordingly.
I also check the download itself to make sure that it hasn't changed (this one has been run in a VM for the past 24 hours without causing any problems - and has been scanned with Malwarebytes and MSE - neither of which complained)
I'm not enough of a programmer to be able to say with any certainty exactly what either RemoveWAT or WatFix do - except that WatFix DOES undo everything that RemoveWat did, and also runs SFC to do the file replacements necessary, rather than attempting to do it itself.
WatFix is NOT a virus. For some reason, the AV's which do detect it appear to have classified it as a Trojan (which it also isn't) because they claim it attempts to send data out - I just checked it (again) and could find no evidence of any attempt to reach any network.
What it does do is modify some registry entries, and permissions, and replace (via SFC) files which were deleted/modified by RemoveWat.
The author of WatFix is actually one of the more notorious hackers - who also authored the most successful of the Windows Vista and 7 hacks for bypassing activation requirements, and who released WatFix in order to reset systems corrupted by RemoveWat, so that they could then install his own hack!
I don't much like his ethics, but in this case at least, he has produced what historically has been a very useful and beneficial repair tool (and I certainly don't have the chops to create a similar tool!)
Let's have a look at your slui.exe file and see what we can see about it...
Open an Elevated Command Prompt, and run the following commands.
post the results - they may make interesting reading.
DIR C:\Windows\system32\slui.exe /AL /S
ATTRIB C:\Windows\system32\slui.exe /S
ICACLS C:\Windows\system32\slui.exe /T
DIR C:\Windows\winsxs\slui.exe /AL /S
ATTRIB C:\Windows\winsxs\slui.exe /S
ICACLS C:\Windows\winsxs\slui.exe /T
Noel Paton | Nil Carborundum Illegitemi CrashFixPC | The Three-toed Sloth No - I do not work for Microsoft, or any of its contractors. - Edited by Noel D PatonModerator Friday, June 3, 2016 9:49 AM complete code box
Friday, June 3, 2016 9:41 AMModerator -
Hi Noel - thanks. Output requested:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>DIR C:\Windows\system32\slui.exe /AL /S
Volume in drive C is Preload
Volume Serial Number is xxxx-xxxx
File Not Found
C:\Windows\system32>ATTRIB C:\Windows\system32\slui.exe /S
A C:\Windows\system32\slui.exe
C:\Windows\system32>ICACLS C:\Windows\system32\slui.exe /T
C:\Windows\system32\slui.exe Everyone:(DENY)(S,X)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)
xxxxxxx\xxxxxxx:(I)(F)
C:\Windows\system32\LogFiles\WMI\RtBackup\*: Access is denied.
Successfully processed 1 files; Failed processing 1 files
C:\Windows\system32>DIR C:\Windows\winsxs\slui.exe /AL /S
Volume in drive C is Preload
Volume Serial Number is xxxx-xxxx
File Not Found
C:\Windows\system32>ATTRIB C:\Windows\winsxs\slui.exe /S
A C:\Windows\winsxs\x86_microsoft-windows-security-spp-ux_31bf3856ad3
64e35_6.1.7600.16385_none_5b97f4df0025c6e9\slui.exe
A C:\Windows\winsxs\x86_microsoft-windows-security-spp-ux_31bf3856ad3
64e35_6.1.7601.17514_none_5dc908a6fd144a83\slui.exe
C:\Windows\system32>ICACLS C:\Windows\winsxs\slui.exe /T
C:\Windows\winsxs\x86_microsoft-windows-security-spp-ux_31bf3856ad364e35_6.1.760
0.16385_none_5b97f4df0025c6e9\slui.exe Everyone:(DENY)(S,X)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)
xxxxxxx\xxxxxxx:(I)(F)
C:\Windows\winsxs\x86_microsoft-windows-security-spp-ux_31bf3856ad364e35_6.1.760
1.17514_none_5dc908a6fd144a83\slui.exe Everyone:(DENY)(S,X)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)
xxxxxxx\xxxxxxx:(I)(F)
Successfully processed 2 files; Failed processing 0 files
C:\Windows\system32>
The xxxx items are where I have redacted, for privacy reasons, the volume serial number and the user account I am logged on as (it is a valid account)
The DENY permission is very strange and clearly part of the "tamper"
Also the file not found is odd - when I can see the file on screen in explorer.
The bit in the middle about WMI logs may be coincidental - the machine was only switched on
but could be related to the not genuine as a not genuine screen popped up around the same time
Friday, June 3, 2016 3:09 PM -
The DENY permissions should certainly not be present.
Neither should the Allow permissions for individual user accounts! They open up the system rather a lot to the possibility of a hack.
The File not found is normal - I was looking for a reparse point which may have been created by RemoveWat. There doesn't appear to have been one.
Is there any particular reason why user-specific permissions are present on all versions of the file?
Noel Paton | Nil Carborundum Illegitemi CrashFixPC | The Three-toed Sloth No - I do not work for Microsoft, or any of its contractors. - Proposed as answer by Noel D PatonModerator Tuesday, June 7, 2016 1:52 PM
Saturday, June 4, 2016 6:25 AMModerator -
Should I remove the DENY permissions ?
I notice that the other files within system32 seem to have permissions only for System/Administrator/Users/TrustedInstaller.
The slui and slmgr.* files have TrustedInstaller removed and Everyone + the individual user account added. I am thinking to replace these permissions with the "correct"
permissions based on other W7 PC's not exhibiting problems ? Maybe when SFC replaced the files the permissions were not also changed ?
As to the reason for the individual account - I don't know. It shows its permissions as inherited for Windows/System32 although it is not specifically included in that folder's permissions setup? Must be the inheritance is through the Administrators group. I should mention also - the user account concerned is a domain account rather than a local account - a domain is in use.
Saturday, June 4, 2016 11:12 AM -
Update:
I went ahead and removed the Everyone DENY (I actually removed Everyone altogether) on slui.exe. Tried running slui 3 - yes, asks for product key (rather than previous no access)
Didn't enter the key as I took it that my previous slmgr /ato success had already done so
Tried an online genuine verification - come back as verified ( or at least offers MS Security Essentials because Windows is Genuine)
Hopefully won't get any genuine popups but don't want to count my chickens .... just yet
Here is latest WGADiag output:
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Code: 0
Cached Online Validation Code: 0x0
Windows Product Key: *****-*****-7H8D7-KWVYB-MYMTD
Windows Product Key Hash: wx5ndMFQm0AcZ8nMxSw8aUrnxQM=
Windows Product ID: 00371-OEM-9309167-93223
Windows Product ID Type: 8
Windows License Type: COA SLP
Windows OS version: 6.1.7601.2.00010100.1.0.048
ID: {30CC2299-FCF3-4C23-B8CA-77390FD52CF5}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Professional
Architecture: 0x00000000
Build lab: 7601.win7sp1_ldr.160408-2045
TTS Error:
Validation Diagnostic:
Resolution Status: N/A
Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002
OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002
OGA Data-->
Office Status: 100 Genuine
Microsoft Office Access Runtime (English) 2007 - 121
Microsoft Office Enterprise 2007 - 100 Genuine
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005_E2AD56EA-765-b01a_E2AD56EA-766-0_E2AD56EA-148-80004005_16E0B333-89-80004005_B4D0AA8B-1029-80004005
Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed
File Scan Data-->
Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{30CC2299-FCF3-4C23-B8CA-77390FD52CF5}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-MYMTD</PKey><PID>00371-OEM-9309167-93223</PID><PIDType>8</PIDType><SID>S-1-5-21-4111501717-913575102-347679128</SID><SYSTEM><Manufacturer>LENOVO</Manufacturer><Model>7303WHR</Model></SYSTEM><BIOS><Manufacturer>LENOVO</Manufacturer><Version>5HKT43AUS</Version><SMBIOSVersion major="2" minor="5"/><Date>20090907000000.000000+000</Date></BIOS><HWID>55133207018400F8</HWID><UserLCID>1809</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>GMT Standard Time(GMT+00:00)</TimeZone><iJoin>1</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>LENOVO</OEMID><OEMTableID>TC-5H </OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{90120000-001C-0409-0000-0000000FF1CE}"><LegitResult>121</LegitResult><Name>Microsoft Office Access Runtime (English) 2007</Name><Ver>12</Ver><Val>A6DF1BF2503CD6C</Val><Hash>dTTDvXHN4cR0t+IYAOhhFudJX58=</Hash><Pid>00000-694-0010114-62972</Pid><PidType>2</PidType></Product><Product GUID="{90120000-0030-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Enterprise 2007</Name><Ver>12</Ver><Val>1765CA03E677D8A</Val><Hash>oP+DZrDE1T6e5vY3TRMZLHw3dBw=</Hash><Pid>89388-709-7325542-65158</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="12" Result="100"/><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="19" Version="12" Result="100"/><App Id="1A" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/><App Id="44" Version="12" Result="100"/><App Id="A1" Version="12" Result="100"/><App Id="BA" Version="12" Result="100"/></Applications></Office></Software></GenuineResults>
Spsys.log Content: 0x80070002
Licensing Data-->
Software licensing service version: 6.1.7601.17514
Name: Windows(R) 7, Professional edition
Description: Windows Operating System - Windows(R) 7, OEM_COA_SLP channel
Activation ID: da22eadd-46dc-4056-a287-f5041c852470
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 00371-00186-091-693223-02-6153-7600.0000-1782013
Installation ID: 004395621015640686693182471614756334889122783983946414
Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
Partial Product Key: MYMTD
License Status: Licensed
Remaining Windows rearm count: 4
Trusted time: 04/06/2016 22:05:19
Windows Activation Technologies-->
HrOffline: 0x00000000
HrOnline: 0x00000000
HealthStatus: 0x0000000000000000
Event Time Stamp: 6:4:2016 22:04
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Registered, Version: 7.1.7600.16395
HealthStatus Bitmask Output:
HWID Data-->
HWID Hash Current: MAAAAAEABAABAAEAAAABAAAAAQABAAEAJJSsBQS9SOSqdspgmkUwZAKaYi/YHkbK
OEM Activation 1.0 Data-->
N/A
OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x20001
OEMID and OEMTableID Consistent: yes
BIOS Information:
ACPI Table Name OEMID Value OEMTableID Value
APIC LENOVO TC-5H
FACP LENOVO TC-5H
HPET LENOVO TC-5H
MCFG LENOVO TC-5H
SLIC LENOVO TC-5H
OEMB LENOVO TC-5H
SSDT LENOVO TC-5H
Tamper is gone . Does this report look Ok to you - licence type etc ?
Not sure if I should change the other permissions ? incl the specific user permissions ?
- Proposed as answer by Noel D PatonModerator Tuesday, June 7, 2016 1:53 PM
- Marked as answer by Noel D PatonModerator Sunday, June 19, 2016 11:36 AM
Saturday, June 4, 2016 9:29 PM -
That looks fine now - you should also remove the user-specific permissions to reduce the potential attack-surface.
FYI, here's what the permissions are on my system...
C:\Windows\system32>ICACLS C:\Windows\system32\slui.exe /T
C:\Windows\system32\slui.exe NT SERVICE\TrustedInstaller:(F)
BUILTIN\Administrators:(RX)
NT AUTHORITY\SYSTEM:(RX)
BUILTIN\Users:(RX)
C:\Windows\system32>ICACLS C:\Windows\winsxs\slui.exe /T
C:\Windows\winsxs\amd64_microsoft-windows-security-spp-ux_31bf3856ad364e35_6.1.7600.16385_none_b7b69062b883381f\slui.exe NT SERVICE\TrustedInstaller:(F)
BUILTIN\Administrators:(RX)
NT AUTHORITY\SYSTEM:(RX)
BUILTIN\Users:(RX)
C:\Windows\winsxs\amd64_microsoft-windows-security-spp-ux_31bf3856ad364e35_6.1.7601.17514_none_b9e7a42ab571bbb9\slui.exe NT SERVICE\TrustedInstaller:(F)
BUILTIN\Administrators:(RX)
NT AUTHORITY\SYSTEM:(RX)
BUILTIN\Users:(RX)
(this is an old system - and I don't do the possible file cleanup - which is why I have both versions available in the winsxs folder)
Good luck!
Noel Paton | Nil Carborundum Illegitemi CrashFixPC | The Three-toed Sloth No - I do not work for Microsoft, or any of its contractors. Monday, June 6, 2016 7:46 AMModerator -
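The ACL comparison worked through in the posts above, as an added example that is not part of the original thread: it parses saved ICACLS output and reports every ACE that departs from the reference permissions posted for slui.exe. The function names, the choice of that reference output as the baseline, the assumption that audited paths contain no spaces, and the `EXAMPLEDOM\someuser` account (standing in for the redacted one) are all assumptions; both samples are constructed from the outputs quoted in the thread.

```python
import re

# Baseline: the four ACEs shown in the reference ICACLS output posted in the
# thread for slui.exe. Treating it as the expected ACL is an assumption.
BASELINE = {
    r"NT SERVICE\TrustedInstaller": "F",
    r"BUILTIN\Administrators": "RX",
    r"NT AUTHORITY\SYSTEM": "RX",
    r"BUILTIN\Users": "RX",
}
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}  # inheritance markers, not rights
ACE_RE = re.compile(r"^(?P<who>[^:]+):(?P<flags>(?:\([^)]*\))+)$")


def parse_icacls(text):
    """Return {path: [(principal, [flags])]} from saved ICACLS output."""
    acls, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():           # continuation line: ACE for current file
            path, candidate = current, raw.strip()
        else:                          # "<path> <first ACE>" or a status line
            path, _, candidate = raw.partition(" ")
        match = ACE_RE.match(candidate.strip())
        if match is None or path is None:
            continue                   # "Access is denied", summary line, etc.
        current = path
        flags = re.findall(r"\(([^)]*)\)", match.group("flags"))
        acls.setdefault(path, []).append((match.group("who"), flags))
    return acls


def audit(acls):
    """Compare each file's ACEs with BASELINE; return (path, issue, principal)."""
    findings = []
    for path, aces in acls.items():
        seen = set()
        for who, flags in aces:
            seen.add(who)
            rights = [f for f in flags if f not in INHERIT_FLAGS and f != "DENY"]
            if "DENY" in flags:
                findings.append((path, "deny-ace", who))
            elif who not in BASELINE:
                findings.append((path, "unexpected-principal", who))
            elif rights != [BASELINE[who]]:
                findings.append((path, "rights-differ", who))
        for who in BASELINE:
            if who not in seen:
                findings.append((path, "missing-principal", who))
    return findings


# Constructed sample: the affected machine's output, indentation restored and
# the redacted account replaced by a placeholder.
TAMPERED = r"""
C:\Windows\system32\slui.exe Everyone:(DENY)(S,X)
                             NT AUTHORITY\SYSTEM:(I)(F)
                             BUILTIN\Administrators:(I)(F)
                             BUILTIN\Users:(I)(RX)
                             EXAMPLEDOM\someuser:(I)(F)
C:\Windows\system32\LogFiles\WMI\RtBackup\*: Access is denied.
Successfully processed 1 files; Failed processing 1 files
"""

# Constructed sample: the reference output, indentation restored.
REFERENCE = r"""
C:\Windows\system32\slui.exe NT SERVICE\TrustedInstaller:(F)
                             BUILTIN\Administrators:(RX)
                             NT AUTHORITY\SYSTEM:(RX)
                             BUILTIN\Users:(RX)
"""

if __name__ == "__main__":
    for path, issue, who in audit(parse_icacls(TAMPERED)):
        print(f"{issue:22} {who:32} {path}")
```

Run it over output saved with `ICACLS <file> /T > acl.txt` from each PC; an empty result means the file's ACL matches the baseline.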
Thanks Noel - I'll tidy up the permissions. I/we very much appreciate your help on this.
Monday, June 6, 2016 11:33 AM
-
No problem ;)
Noel Paton | Nil Carborundum Illegitemi CrashFixPC | The Three-toed Sloth No - I do not work for Microsoft, or any of its contractors. Monday, June 6, 2016 11:39 AMModerator