Windows Vista Business Validation Errors

  • Question

  • A user in our organization is having a validation prompt that is preventing him from logging in.  Basically as far as I can tell this is because the software licensing service is not started and will NOT start (net start nor from services.msc). 
    His product key is valid and is not the issue at play here.  I believe that like many users' problem it is potentially a Disk Mod-Auth tamper to some critical windows file but I can't determine which file/windows update.  To even get explorer to run I have to use IE, %windir% and run explorer.exe. 

    However, once I am actually able to get explorer.exe running I can't get his machine to display all the Windows Updates so I can remove any recently installed updates that may be causing the Disk Mod-Auth tamper. 
    It will not allow me to open the control panel nor installed programs even though the rest of the OS seems to be operating.  The installed updates do not appear to be displayed in Safe Mode either (which is barely usable as the CPU runs pegged at about 100% in safe mode now for some reason) so that I can remove any offenders. 

    Below is his log.  Please let me know if additional information is necessary; I am still working on the issue at present so I wrote this in a bit of a hurry.

    Diagnostic Report (1.7.0069.0):
    -----------------------------------------
    WGA Data-->
    Validation Status: Genuine
    Validation Code: 0
    Online Validation Code: 0x80070426
    Cached Validation Code: N/A, hr = 0x80070426
    Windows Product Key: N/A, hr=0x80070005
    Windows Product Key Hash: N/A, hr=0x80070005
    Windows Product ID: 55041-036-7513023-71248
    Windows Product ID Type: 6
    Windows License Type: Volume MAK
    Windows OS version: 6.0.6000.2.00010100.0.0.006
    CSVLK Server: N/A
    CSVLK PID: N/A
    ID: {9189A8EF-E1C9-4CDF-B9D8-BD2599EC9B11}(1)
    Is Admin: Yes
    TestCab: 0x0
    WGA Version: Registered, 1.7.59.1
    Signed By: Microsoft
    Product Name: Windows Vista (TM) Business
    Architecture: 0x00000000
    Build lab: 6000.vista_gdr.070828-1515
    TTS Error: M:20080220090156496-
    Validation Diagnostic:
    Resolution Status: N/A

    WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002

    Notifications Data-->
    Cached Result: N/A
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 100 Genuine
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: FCEE394C-2920-80070002_7E90FEE8-169-80004005_B4D0AA8B-514-80004005_025D1FF3-282-80041010_025D1FF3-170-80041010_025D1FF3-171-1_025D1FF3-434-80040154_025D1FF3-178-80040154_025D1FF3-179-2_025D1FF3-185-80070002_025D1FF3-199-3

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Win32)
    Default Browser: C:\Program Files\Internet Explorer\iexplore.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{9189A8EF-E1C9-4CDF-B9D8-BD2599EC9B11}</UGUID><Version>1.7.0069.0</Version><OS>6.0.6000.2.00010100.0.0.006</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-BBBBB</PKey><PID>55041-036-7513023-71248</PID><PIDType>6</PIDType><SID>S-1-5-21-2932291486-2640444045-4259435581</SID><SYSTEM><Manufacturer>Dell Inc.                </Manufacturer><Model>OptiPlex 745                 </Model></SYSTEM><BIOS><Manufacturer>Dell Inc.                </Manufacturer><Version>2.2.0 </Version><SMBIOSVersion major="2" minor="3"/><Date>20070329000000.000000+000</Date></BIOS><HWID>CC333507018400FA</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Pacific Standard Time(GMT-08:00)</TimeZone><iJoin>1</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>DELL  </OEMID><OEMTableID>B8K    </OEMTableID></OEM><BRT/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{90120000-0012-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Standard 2007</Name><Ver>12</Ver><Val>94A2212E1C6D586</Val><Hash>KN1hTntEGaaIyLZ9oSwnqcQWtJY=</Hash><Pid>89396-707-0613972-65379</Pid><PidType>14</PidType></Product><Product GUID="{90120000-0051-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Visio Professional 2007</Name><Ver>12</Ver><Val>B0D475EEF156BA</Val><Hash>3+IMsySi1TLwmdBcUDlIj6lCVx8=</Hash><Pid>89405-861-2541466-63328</Pid><PidType>8</PidType></Product></Products></Office></Software></GenuineResults> 

    Spsys.log Content:


    Wednesday, February 20, 2008 7:20 PM

Answers

  • Hello Pirivan,

    You are correct in most of your diagnosis of the issue:

    a) Validation Code: 0x80070426 does mean the Software Licensing Service has stopped.

    b) The Software Licensing Service has stopped (most likely) because Vista is suffering from a Mod-Auth tamper.

    There are 2 types of Mod-Auth tampers:

    1) A critical system file was modified On Disk - What this means is that the file, located on the hard drive, was modified in some way. This can be caused by random file corruption, a malicious program (spyware, malware, virus) or by manual file modification (by a user of the system). There is also a very small chance that an Update may fail in mid-update and cause this type of issue.

    2) A critical system file was modified In Memory - What this means is the file itself (on the hard drive) is un-modified, but the code, from that file, running in the system, was modified in some way, and is usually caused by a running program that is incompatible with Vista.

    Because the Diagnostic Report does not show any Mismatched files (i.e. no file itself has been modified or has become corrupt on disk), the Mod-Auth tamper is an In Memory type, not an On Disk type.  So this Mod-Auth tamper is being caused by an Incompatible program trying to Hook into or Shim (i.e. tamper) a File or Process that is protected by Vista.

    Unfortunately, I do not have any way to tell you what program is causing the tamper. All I can do is provide tips in identifying the program.

    Firstly, go to http://support.microsoft.com/kb/931699/ and confirm that none of the programs known to cause this type of issue are installed on the computer.  (In addition to this list, I have found that in some cases, Kaspersky Anti-Virus may cause this type of issue. Kaspersky Anti-Virus v.7 is not actually incompatible with Vista; instead, it was found, on the Kaspersky forums, that if Kaspersky Anti-Virus was set to load later in the boot process, it would stop causing the tamper event.)

    Secondly, it is important to understand how Vista detects a Tamper event. There is a Service that runs, in Vista, that detects a Tamper to a Critical System file. But this Service runs randomly, so if you were to install an incompatible program and run it, Vista (most likely) would not immediately enter a Tamper State and it could take some time for the Tamper to be detected. The important point to note is that the moment Vista detects the Tamper, you know that the program that caused the tamper is currently running.

    Lastly, the TTS (Tamper Time Stamp) of this Mod-Auth event was M:20080220090156496 (Feb 20, 2008 at 9:01am and 56496 milliseconds). This is the Last time Vista detected the tamper. So if the tamper has only occurred once, then that TTS would be the first time Vista detected the program and that would be (most likely) around the same time the program was installed. But if the Tamper has been occurring for some time or if the program was installed some time in the past, but only recently has actually been launched, the TTS will not be as useful.

    Thank you,

    Darin Smith

    WGA Forum Manager

    Wednesday, February 20, 2008 8:19 PM
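
The triage reasoning in the answer above can be scripted. The following is an added example, not part of the original thread or of any Microsoft tool: it decodes the report's HRESULT, reads the TTS field, and classifies the tamper from the File Scan Data section. The function names, the TTS layout (YYYYMMDDhhmmss followed by three millisecond digits) and the rule that any File Scan Data entry counts as a mismatched file are assumptions.

```python
import re
from datetime import datetime

# Low 16 bits of the FACILITY_WIN32 (7) HRESULTs that appear in the report.
WIN32_ERRORS = {0x0002: "ERROR_FILE_NOT_FOUND", 0x0005: "ERROR_ACCESS_DENIED",
                0x0426: "ERROR_SERVICE_NOT_ACTIVE"}

# Constructed sample: a few lines abridged from the report in the question.
SAMPLE = """\
WGA Data-->
Validation Status: Genuine
Online Validation Code: 0x80070426
Windows Product Key: N/A, hr=0x80070005
TTS Error: M:20080220090156496-
File Scan Data-->

Other data-->
"""

def decode_hresult(value):
    """Return (failed, facility, code, name) for a 32-bit HRESULT."""
    facility, code = (value >> 16) & 0x1FFF, value & 0xFFFF
    name = WIN32_ERRORS.get(code, "unknown") if facility == 7 else "not Win32"
    return bool(value & 0x80000000), facility, code, name

def parse_tts(field):
    """Assumed layout: type letter, ':', YYYYMMDDhhmmss, 3-digit ms, '-'."""
    m = re.fullmatch(r"[A-Z]:(\d{14})(\d{3})-?", field)
    if not m:
        return None
    stamp = datetime.strptime(m.group(1), "%Y%m%d%H%M%S")
    return stamp.replace(microsecond=int(m.group(2)) * 1000)

def triage(report):
    fields, scan, section = {}, [], None
    for line in map(str.strip, report.splitlines()):
        if line.endswith("-->"):
            section = line[:-3]
        elif section == "File Scan Data" and line:
            scan.append(line)  # assumption: any entry here is a mismatched file
        elif ":" in line:
            key, _, val = line.partition(":")
            fields.setdefault(key.strip(), val.strip())
    tts = parse_tts(fields.get("TTS Error", ""))
    tamper = None if tts is None else ("on-disk" if scan else "in-memory")
    online = fields.get("Online Validation Code", "")
    ok = re.fullmatch(r"0x[0-9A-Fa-f]{1,8}", online)
    return {"online": decode_hresult(int(online, 16)) if ok else None,
            "tts": tts, "tamper": tamper, "mismatched": scan}
```

The parsed TTS can then be compared against program install and launch times on the machine, as the answer suggests.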

All replies

  • Hi Darin,

    I appreciate your assistance.  As the user had installed any number of programs over the last few days, combined with the fact that we had already spent several hours working on this issue, compounded by the fact that safe mode was even hanging trying to boot to remove offending programs (it was impossible to open programs and features in reduced functionality mode), we simply decided to do a fresh install on the machine.  In the end it felt like wasting any more time with it to determine the root cause was less important than getting the user a working machine.  In any case I appreciate your help; at least in the future I will have a better understanding should the issue crop up again.

    Thanks,

    Peter
    Thursday, February 21, 2008 12:05 AM