Vista tells me I'm not Genuine again & again !

  • Question

  •  

    Hello,

     

    Since Vista has updated using the recommended updates I keep getting the above if I power up from scratch; if I then restart I do not get the message. I have tried the various methods on here to resolve this but to no avail. I have used the validation tool and I post the results below.

     

    Hope we can resolve this once and for all.

     

    Regards

     

    Keith

     

    Diagnostic Report (1.7.0066.0):
    -----------------------------------------
    WGA Data-->
    Validation Status: Invalid License
    Validation Code: 50
    Online Validation Code: 0xc004d401
    Cached Validation Code: N/A, hr = 0xc004d401
    Windows Product Key: *****-*****-F4GJK-KG77H-B9HD2
    Windows Product Key Hash: iJAth4TbScMi8HdcPurlASXdEkw=
    Windows Product ID: 89578-OEM-7332157-00204
    Windows Product ID Type: 2
    Windows License Type: OEM SLP
    Windows OS version: 6.0.6000.2.00010300.0.0.003
    CSVLK Server: N/A
    CSVLK PID: N/A
    ID: {B0C3F237-333E-4E3D-AA70-AD3ACC323D77}(3)
    Is Admin: Yes
    TestCab: 0x0
    WGA Version: Registered, 1.7.59.1
    Signed By: Microsoft
    Product Name: Windows Vista (TM) Home Premium
    Architecture: 0x00000000
    Build lab: 6000.vista_gdr.071009-1548
    TTS Error: K:20071218210708065-M:20071218210055792-
    Validation Diagnostic:
    Resolution Status: N/A

    Notifications Data-->
    Cached Result: N/A
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 100 Genuine
    OGA Version: Registered, 1.6.21.0
    Signed By: Microsoft
    Office Diagnostics: 025D1FF3-282-80041010_025D1FF3-170-80041010_025D1FF3-171-1_025D1FF3-434-80040154_025D1FF3-178-80040154_025D1FF3-179-2_025D1FF3-185-80070002_025D1FF3-199-3

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Win32)
    Default Browser: C:\Program Files\Internet Explorer\IEXPLORE.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{B0C3F237-333E-4E3D-AA70-AD3ACC323D77}</UGUID><Version>1.7.0066.0</Version><OS>6.0.6000.2.00010300.0.0.003</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-B9HD2</PKey><PID>89578-OEM-7332157-00204</PID><PIDType>2</PIDType><SID>S-1-5-21-1565104736-2397283059-2796717524</SID><SYSTEM><Manufacturer>Dell Inc.                </Manufacturer><Model>Dell DXP061                  </Model></SYSTEM><BIOS><Manufacturer>Dell Inc.                </Manufacturer><Version>2.5.2 </Version><SMBIOSVersion major="2" minor="3"/><Date>20070929000000.000000+000</Date></BIOS><HWID>C9323507018400FA</HWID><UserLCID>0809</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>GMT Standard Time(GMT+00:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>DELL  </OEMID><OEMTableID>B8K    </OEMTableID></OEM><BRT/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{91120000-0011-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Professional Plus 2007</Name><Ver>12</Ver><Val>5CF7BC9F22DBF73</Val><Hash>lQkDAebs+wSdsgP6sX4fsbvsjGI=</Hash><Pid>89446-953-2251657-65974</Pid><PidType>1</PidType></Product></Products></Office></Software></GenuineResults> 

    Spsys.log Content:

     

    Tuesday, December 18, 2007 11:14 PM

Answers

  • Hi KJS,

     

    What is happening is called a Tamper State. A Tamper State occurs in Vista when an unauthorized change/modification was made to a Critical System file, in memory or on disk. There are 3 known ways that this could happen.
     
    1) A legitimate program was installed on the computer, which is incompatible with Vista (such as a Game or an Anti-Virus program). <-Most Common

    2)  A non-legitimate program was installed on the computer, which is incompatible with Vista (such as a Spyware or Malware program).

    3) Manual manipulation of the Critical System file by either one of the users of the computer or a Pirate that changed the files, burned them to a disk and sold it as Genuine Windows Vista.
     

      In your situation, your Diagnostic report does not show any Mismatched files. Therefore, your Mod-Auth Tamper could only be caused by an incompatible program, installed and running, on your computer.

     
     In addition to why a Tamper occurs, we need to also understand how Vista detects the Tamper event. There is a Service that runs in Vista that detects a Tamper to a Critical System file. But this Service runs randomly, so if you were to install an incompatible program and run it, Vista (most likely) would not immediately enter a Tamper State and it could take some time for the Tamper to be detected. The important point to note is that the moment Vista detects the Tamper, you know that the program that caused the tamper, is currently running.

    Below I have provided a number of steps to help you identify the program that is causing the tamper:
     
      First, go to http://support.microsoft.com/kb/931699/ and confirm that you do not have any of the programs known to cause this type of issue.
     
      Second, in your Diagnostic report above, you can see the line that starts with 'TTS Error:' followed by a bunch of numbers: M:xxxxxxxxxxxxxxxxx- This is the Tamper Time Stamp and it breaks down like this:

        (year)  (month)  (day)  (time in 24format)  (millisecond)
    M:   2007     12      18          2100              55792

     

    In your case, you also have a K:xxxxxxxxxxxxxxxxx- Tamper Time Stamp. The K stands for Kernel Mode tamper and is most likely a result of the Mod-Auth tamper and should go away once you uninstall the incompatible program that is causing the Mod-Auth.


    Now that you know the time of the tamper, you can now try to connect that time with a program.

    1) Login to Vista and select the option that launches an Internet Browser

    2) Type into the browser address bar: %windir%\system32\perfmon.msc and hit Enter

    3) When asked if you want to Open or Save this file, select Open

    4) In the left hand panel, click Reliability Monitor

    5) Click on the “System Stability Chart” above the date 12/18

    6) Below the chart, in the “System Stability Report” section look at the report titled "Software (Un)Installs for 12/18/2007"

    7) Look for any program that shows "Application Install" in the 'Activity' column.

    8) Since the process that detects Tampers runs randomly, it can take up to 3 days for the process to detect the tamper and set Vista to a Tamper State. Because of this, please repeat steps 5) thru 7) for the dates 12/17/2007, 12/16/2007 and 12/15/2007

      This could tell us what programs were installed on or around the Tamper date and should help you narrow down the possible programs that could be causing the issue. Unfortunately, if you installed the program (say) on 09/01/2007, but you didn't run it (and, hence, prompt the tamper state) till 12/18/2007, this process may not be helpful. The removal of any application you may have installed recently could go a long way to troubleshooting this issue as well, since it may fall outside of the 3 day time frame described above.

     

    Thank you,

    Darin Smith

    WGA Forum Manager

    Wednesday, December 19, 2007 1:45 AM
  • Hello Keith,

     

      There are only two ways a Mod-Auth can occur:

     

    1) Where a Critical System file has been modified On Disk

    2) Where a Critical System file has been modified In Memory

     

    On Disk Mod-Auth:

      The only time I have seen an On Disk Mod-Auth is a rare issue in which a Windows Update fails in such a way that it updated a critical system file, but did not update the System Catalog with the updated critical system file's new Signature Hash.

      I can tell immediately if an On Disk Mod-Auth has occurred because in the Diagnostic Report, it shows a 'M' type Tamper Time Stamp (such as: M:20071216033720371-) and under line "File Scan Data-->" there would be a listing such as below:


    File Mismatch: C:\Windows\system32\user32.dll[6.0.6000.16438]

    or

    File Mismatch: C:\Windows\system32\slc.dll[6.0.6000.16509]

    or

    any other .dll file that may be updated by an Update

     

    File Mismatch means that the .dll file's Signature Hash doesn't match what the System Catalog has listed, and that is why Vista is in a Mod-Auth tamper: since the Signature Hash doesn't match, Vista believes the file has been tampered with.

     

    Note: In your case, there is No File Mismatch in your Diagnostic Report, which means that all your critical system files (On Disk) are good. Therefore the only other way for your Mod-Auth to occur is for a Critical System file to be modified In Memory.

     

    In Memory Mod-Auth:

      Another name for an "In Memory Mod-Auth" is "AppCompat". We call it 'AppCompat' because the only way it can occur is when a Running application is actively modifying the critical system files that have been loaded into memory, which by definition, means that program is incompatible with Vista.

     

      I can tell immediately if an In Memory Mod-Auth has occurred because in the Diagnostic Report, it shows a 'M' type Tamper Time Stamp (such as: M:20071216033720371-) and under line "File Scan Data-->" there are NO listings.

     

      Your issue has been ongoing (since the 14th you have said). Since a program must be Running to cause your Mod-Auth and since Updates, generally, only run once, I do not believe your issue is related to Windows Updates.

     

    Even though you do not have any of the Known incompatible programs installed on your computer, this does not mean you do not have an incompatible program that we are not yet aware of. I highly recommend that you go thru the steps that I provided above to try to track down the incompatible program that is causing your issue.

     

    You may also open a support request at http://go.microsoft.com/fwlink/?linkid=52029 but I believe they will come to the same conclusion.

     

    Thank you,

    Darin Smith

    WGA Forum Manager

     

    Thursday, December 20, 2007 9:02 PM
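
The triage rule from the two answers above, as an added example that is not part of the original thread or of Microsoft's tooling: it reads the `TTS Error:` line, splits each stamp the way the first answer does, and tells an on-disk Mod-Auth from an in-memory one by whether `File Scan Data-->` lists a File Mismatch. The function names and the two sample reports are constructed here from lines quoted on this page; the last five digits of each stamp are kept uninterpreted.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: lines copied from the diagnostic report in the question.
IN_MEMORY_REPORT = r"""
Validation Status: Invalid License
TTS Error: K:20071218210708065-M:20071218210055792-
Validation Diagnostic:

File Scan Data-->

Other data-->
"""

# Constructed sample: the example stamp and File Mismatch line from the answer.
ON_DISK_REPORT = r"""
Validation Status: Invalid License
TTS Error: M:20071216033720371-
File Scan Data-->
File Mismatch: C:\Windows\system32\user32.dll[6.0.6000.16438]

Other data-->
"""

STAMP_RE = re.compile(r"([A-Z]):(\d{17})-")
MISMATCH_RE = re.compile(r"File Mismatch:\s*(.+?)\[([\d.]+)\]")


def parse_tts(report):
    """Return the tamper time stamps found on the 'TTS Error:' line."""
    stamps = []
    for line in report.splitlines():
        line = line.strip()
        if not line.startswith("TTS Error:"):
            continue
        for kind, digits in STAMP_RE.findall(line):
            try:
                # year, month, day and 24-hour time, as broken down in the answer
                when = datetime.strptime(digits[:12], "%Y%m%d%H%M")
            except ValueError:
                continue  # 17 digits that do not form a valid date and time
            # M = Mod-Auth, K = kernel mode; the last five digits stay as text
            stamps.append({"kind": kind, "when": when, "tail": digits[12:]})
    return stamps


def file_mismatches(report):
    """Return (path, version) pairs listed under 'File Scan Data-->'."""
    found, in_section = [], False
    for line in report.splitlines():
        line = line.strip()
        if line.endswith("-->"):  # every section header in the report ends this way
            in_section = line.startswith("File Scan Data")
            continue
        if in_section:
            match = MISMATCH_RE.match(line)
            if match:
                found.append((match.group(1), match.group(2)))
    return found


def classify(report):
    """M stamp with a File Mismatch listing = on disk; M stamp alone = in memory."""
    if not any(s["kind"] == "M" for s in parse_tts(report)):
        return "no-mod-auth"
    return "on-disk" if file_mismatches(report) else "in-memory"


def review_dates(report, lookback_days=3):
    """Dates to open in Reliability Monitor: the tamper date and the 3 days before."""
    m_stamps = [s["when"] for s in parse_tts(report) if s["kind"] == "M"]
    if not m_stamps:
        return []
    day = min(m_stamps).date()
    return [(day - timedelta(days=n)).isoformat() for n in range(lookback_days + 1)]


if __name__ == "__main__":
    for name, report in (("question", IN_MEMORY_REPORT), ("answer example", ON_DISK_REPORT)):
        print(name, classify(report), file_mismatches(report), review_dates(report))
```
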
  • Hello Darin,

     

    I may have found the problem here - PC Tools Firewall Plus. I found lots of entries regarding a failure of a driver for the above program; I uninstalled it and the validation problem has not re-appeared.

     

    I have since installed Comodo Firewall pro and have had no more validation alerts, hopefully I have not spoken too soon !

     

    Also having visited the PC Tools forum there appears to have been a problem with one of the updates to the program which seems to have caused the same problem I was having to other users, they now seem to have cured this.

     

    Kind Regards & Happy New Year

     

    Keith

     

    A Link to PC tools forum thread on this http://www.pctools.com/forum/showthread.php?t=49501

    Wednesday, December 26, 2007 3:05 PM

All replies

  •  

    Darin,

     

    Thank you for your reply.

     

    I can confirm I have none of the programs listed in KB931699. This all started on about 14th Nov when some updates were tried to be installed, I have listed them below.

     

     

    Update for Windows Mail Junk E-mail Filter [November 2007] (KB9 101 System Update Install Failure 14/11/2007
    Update for Windows Mail Junk E-mail Filter [November 2007] (KB9 101 System Update Install Failure 14/11/2007
    Update for Windows Vista (KB941649) 101 System Update Install Failure 14/11/2007
    Update for Windows Vista (KB941649) 101 System Update Install Failure 14/11/2007
    Windows Malicious Software Removal Tool - November 2007 (KB8908 100 System Update Install Success 14/11/2007

     

     

    Since that time I have tried uninstalling them and reinstalling them but my problem persists, looking at other entries the most common is this - there are numerous entries on most dates for this.

     

    winlogon.exe 6.0.6000.16386      Stopped working

     

    Then included are these.

     

    svchost.exe 6.0.6000.16386 Stopped working 30/11/2007
    winlogon.exe 6.0.6000.16386 Stopped working 30/11/2007

     

    These are the only common items that I can find within the logs.

     

    Thank you for your help.

     

    Regards

     

    Keith

    Wednesday, December 19, 2007 3:17 PM
  • Hello Darin,

     

    Thank you for your reply, such a clear and reasoned explanation.

     

    I will work my way back through the logs and also the program installations (if any) and try a process of elimination. I will do this about 5 days prior to the problems and work up to the present time.

     

    I will post back with any solution I may find, not being that technically minded this may take me some time though.

     

    Have a very good Christmas.

     

    Kind Regards

     

    Keith

     

     

     

     

    Friday, December 21, 2007 11:12 AM
  • Hi KJS,

     

      Thank you very much!!!  This is great information and should be helpful to other users in similar situations.

     

      I have requested that Support Document KB931699 (http://support.microsoft.com/kb/931699/en-us) be updated based on the information that you have provided.

     

    Thank you again for your help,

    Darin

    Wednesday, December 26, 2007 7:48 PM