Vista Ultimate Validation Failure, Control Panel Disappears, "An unauthorized change was made to Windows"

  • Question

  • (Preface: I just copied and pasted my narrative of troubles that I'd been saving in Word, but I notice that pictures don't come through.  If anyone would like screenshots, though, please let me know, and tell me how to send them, and I will forward the many I have that were originally included amongst the text)

    I began experiencing problems with Internet Explorer running very slowly a few weeks ago, and also noticed some performance slowdown during normal operation.  Today I experienced some similar slow performance even when using Firefox.  Then, I twice in the same afternoon received a message stating that there was an IP conflict, with another device on the network having the same IP address as my machine (I don’t know if this is relevant or not, as it “appeared” to resolve itself, and the network icon displayed a connection to local and Internet).  Finally, after receiving several HTTP errors while trying to browse, I received the following pop-up:

    The link took me to the Validation page, which then failed.   I decided to do a system restore, but could not access Control Panel.  At first, Control Panel was simply empty and wouldn’t display icons in any view, no matter how much I refreshed.  Then, after I closed it and tried to reopen Control Panel, each time, the window would briefly flash and then disappear – I could not get the window to remain open.

    I followed a few links from the validation page to find this Microsoft Forum.  I have followed the instructions as directed, and the results follow below.

    Before I close, I’d like to know how this could randomly have happened.  I have not installed any new software recently, so I can’t imagine any new programs that could be causing the change.  I have McAfee VirusScan Enterprise on my machine, and it is up-to-date.  Is it possible a virus has caused this, but then again, why would McAfee miss this?  The only other change that I know of is that I set several processes and services that used to run in the background at startup to manual, or disabled them altogether, in an effort to free up memory needed to watch a Blu-Ray disc on my HDTV the other day.  (I had done this previously, at the direction of Dell when troubleshooting my BD drive playback problems).   I was very careful to exclude any Microsoft processes and services from any changes, however, and I also didn’t change anything I couldn’t tell what it was directly or through a good web search.  Is there a way to reset all of the startup services to default in case I accidentally changed a necessary one (though as you can see below, the main licensing one appears to be working fine)?  Any other recommendations??

     

    I know my copy of Vista Ultimate is genuine – it was factory-installed by Dell – and I have validated it regularly on this machine for as long as I’ve owned it, and have also received all the Windows Updates regularly.   In closing, I notice that some other users have reported the onset of this problem immediately after the installation of a Vista update, so I wonder if this could be the case here?  However, the last Vista update pushed to this machine, to my knowledge, was 2-3 days ago.  Could such an effect be so delayed?

     

     

    Thank you in advance for your help, and I look forward to receiving some assistance and hearing from someone very soon!

    Apparently, the service was already started…

    Then, after trying to post my own thread in the Vista Validation Issues Forum, I tried logging in, and received the following response:

    Incidentally, this is very similar to the issues I first noticed this afternoon using Firefox.  Any webpage that had any kind of login option wouldn’t load, and I received an error.

    I tried to go ahead and run the Genuine Advantage Diagnostic Tool anyway.  I went to the webpage provided for the tool, selected “Run,” and then “Run” again.  I selected “Continue” and the tool proceeded to lock up.

    I noticed that the processor had been behaving erratically, so I took the following screen shot, which shows CPU usage ranging from 0-100. And then, lest I forget in the middle of it all, Vista decided to remind me again that validation failed.  Lovely.

    After this, though, the Genuine Advantage Tool managed to finish doing its job.  Results follow:

    Diagnostic Report (1.7.0110.1):

    -----------------------------------------

    WGA Data-->

    Validation Status: Invalid License

    Validation Code: 50

    Online Validation Code: 0xc004d401

    Cached Validation Code: N/A, hr = 0xc004d401

    Windows Product Key: *****-*****-9364X-37XGX-24W6P

    Windows Product Key Hash: aA067NOL80NWIZ94L6hWVdZMoIo=

    Windows Product ID: 89580-OEM-7332132-00141

    Windows Product ID Type: 2

    Windows License Type: OEM SLP

    Windows OS version: 6.0.6001.2.00010100.1.0.001

    ID: {07168C65-A358-427C-AD06-41A545BFD803}(1)

    Is Admin: Yes

    TestCab: 0x0

    WGA Version: Registered, 1.7.69.2

    Signed By: Microsoft

    Product Name: Windows Vista (TM) Ultimate

    Architecture: 0x00000000

    Build lab: 6001.vistasp1_gdr.080917-1612

    TTS Error: K:20081103173038369-M:20081103165504440-

    Validation Diagnostic:

    Resolution Status: N/A

     

    WgaER Data-->

    ThreatID(s): N/A, hr = 0x80070002

    Version: 6.0.6002.16398

     

    WGA Notifications Data-->

    Cached Result: N/A, hr = 0x80070002

    File Exists: No

    Version: N/A, hr = 0x80070002

    WgaTray.exe Signed By: N/A, hr = 0x80070002

    WgaLogon.dll Signed By: N/A, hr = 0x80070002

     

    OGA Notifications Data-->

    Cached Result: N/A, hr = 0x80070002

    Version: N/A, hr = 0x80070002

    WGATray.exe Signed By: N/A, hr = 0x80070002

    OGAAddin.dll Signed By: N/A, hr = 0x80070002

     

    OGA Data-->

    Office Status: 100 Genuine

    Microsoft Office Professional 2007 - 100 Genuine

    Microsoft Office Enterprise 2007 - 100 Genuine

    OGA Version: Registered, 1.6.28.0

    Signed By: Microsoft

    Office Diagnostics: 77F760FE-153-80070002_7E90FEE8-203-80070002_025D1FF3-282-80041010_025D1FF3-170-80041010_025D1FF3-171-1_025D1FF3-434-80040154_025D1FF3-178-80040154_025D1FF3-179-2_025D1FF3-185-80070002_025D1FF3-199-3_FA827CE6-153-8007007e_FA827CE6-180-8007007e

     

    Browser Data-->

    Proxy settings: N/A

    User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Win32)

    Default Browser: C:\Program Files\Internet Explorer\iexplore.exe

    Download signed ActiveX controls: Prompt

    Download unsigned ActiveX controls: Disabled

    Run ActiveX controls and plug-ins: Allowed

    Initialize and script ActiveX controls not marked as safe: Disabled

    Allow scripting of Internet Explorer Webbrowser control: Disabled

    Active scripting: Allowed

    Script ActiveX controls marked as safe for scripting: Allowed

     

    File Scan Data-->

     

    Other data-->

    Office Details: <GenuineResults><MachineData><UGUID>{07168C65-A358-427C-AD06-41A545BFD803}</UGUID><Version>1.7.0110.1</Version><OS>6.0.6001.2.00010100.1.0.001</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-24W6P</PKey><PID>89580-OEM-7332132-00141</PID><PIDType>2</PIDType><SID>S-1-5-21-1974829029-2963902209-3712134996</SID><SYSTEM><Manufacturer>Dell Inc.</Manufacturer><Model>Inspiron 1720                   </Model></SYSTEM><BIOS><Manufacturer>Dell Inc.</Manufacturer><Version>A08</Version><SMBIOSVersion major="2" minor="4"/><Date>20080421000000.000000+000</Date></BIOS><HWID>E5303507018400FA</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Central Standard Time(GMT-06:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>DELL  </OEMID><OEMTableID>M08    </OEMTableID></OEM><BRT/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{91120000-0014-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Professional 2007</Name><Ver>12</Ver><Val>D19EBF46A41282</Val><Hash>usGnjYTiWFXs9VrtgJMk8fpOeMQ=</Hash><Pid>81605-321-6524425-65870</Pid><PidType>10</PidType></Product><Product GUID="{91120000-0030-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Enterprise 2007</Name><Ver>12</Ver><Val>50C127D9C76710</Val><Hash>tl51Y09mQficZP/7s13QFwR5XKI=</Hash><Pid>81599-904-5196331-65770</Pid><PidType>1</PidType></Product></Products><Applications><App Id="15" Version="12" Result="100"/><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="19" Version="12" Result="100"/><App Id="1A" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/><App Id="44" Version="12" Result="100"/><App Id="A1" Version="12" Result="100"/><App Id="BA" Version="12" Result="100"/></Applications></Office></Software></GenuineResults> 

     

    Spsys.log Content: 0x80070002

     

    Licensing Data-->

    C:\Windows\system32\slmgr.vbs(1634, 5) (null): 0xC004D401

     

    HWID Data-->

    HWID Hash Current: PAAAAAEABgABAAEAAQABAAAABAABAAEA6GHQLxLUPIfqxnb/SEWicEaDaiREF/L0mNsZslib/mSsViqF

     

    OEM Activation 1.0 Data-->

    N/A

     

    OEM Activation 2.0 Data-->

    BIOS valid for OA 2.0: yes

    Windows marker version: 0x20000

    OEMID and OEMTableID Consistent: yes

    BIOS Information:

      ACPI Table Name           OEMID Value     OEMTableID Value
      APIC                      DELL            M08
      FACP                      DELL            M08
      HPET                      DELL            M08
      BOOT                      DELL            M08
      MCFG                      DELL            M08
      SLIC                      DELL            M08
      SSDT                      PmRef           CpuPm

     

     

    Then our friend visited again:

     

    Lastly, I re-ran the Windows validation tool from www.microsoft.com/genuine to copy the error code that is displayed, which was [0xC004D401]

     

    Tuesday, November 4, 2008 1:39 AM

Answers

  • Hello Brandon,


    Please see in-line answers :-). 


      "The system has been tampered. hr=0xC004D401"  (What is tampering with the system...and how??)


    Windows Vista is in what we call a 'Mod-Auth' Tamper state.  There are 2 types of Mod-Auth tampers. 
     

    1) A critical system file was modified On Disk - What this means is that the file, located on the hard drive, was modified in some way. This can be caused by a malicious program (malware) or by manual file modification (by a user of the system). There is also a very small chance that an Update may fail in mid-update and cause this type of issue. As a safety mechanism, Updates are made so that if they fail, they roll back any updating that was done before the failure, but there is an off-chance that the roll back did not occur.

     2) A critical system file was modified In Memory - What this means is the file itself (on the hard drive) is un-modified, but the code, from that file, running in the system, was modified in some way and is usually caused by a running program that is incompatible with Windows Vista.



    "License Activation Scheduler (SLUINotify.dll) failed with the following error code:0xC004D401"

    Brandon, activation issues do fall outside the support scope for WGA, but I would like to redirect you to the http://social.technet.microsoft.com/Forums/en-US/search/?q=Vista%20Product%20Activation forum. Here you can present what you are experiencing and get an answer :-).


    Hopefully I was able to answer your questions.


    Take care Brandon,


    Stephen Holm, MS
    WGA Forum Manager


    Stephen Holm
    • Marked as answer by Stephen Holm Thursday, November 6, 2008 10:59 PM
    • Unmarked as answer by B S Hill Tuesday, November 11, 2008 11:37 PM
    • Marked as answer by Stephen Holm Wednesday, November 12, 2008 1:55 AM
    Thursday, November 6, 2008 10:59 PM
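
The answer above names two Mod-Auth causes but the licensing events alone do not say which applies. As an added example (not part of the original thread and not a Microsoft tool), this Python sketch builds a timeline from exported Event Viewer XML: it collects the Software Licensing events carrying 0xC004D401 and lists Application Error crashes logged close to them. The `<Events>` wrapper, the 10-minute window and the function names are assumptions; the sample events are abridged from the ones quoted later in this thread.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
EVENT_TAG = "{%s}Event" % NS["e"]
SLC_PROVIDER = "Microsoft-Windows-Security-Licensing-SLC"
TAMPER_HR = "0xc004d401"  # compared case-insensitively

# Abridged from the events quoted in this thread; the <Events> root is an
# assumption about how the export is wrapped.
_X = 'xmlns="http://schemas.microsoft.com/win/2004/08/events/event"'
SAMPLE = f"""<Events>
<Event {_X}><System><Provider Name="{SLC_PROVIDER}" />
  <EventID Qualifiers="32768">1022</EventID>
  <TimeCreated SystemTime="2008-11-03T22:55:04.000Z" /></System>
  <EventData><Data>hr=0xC004D401</Data></EventData></Event>
<Event {_X}><System><Provider Name="{SLC_PROVIDER}" />
  <EventID Qualifiers="49152">8193</EventID>
  <TimeCreated SystemTime="2008-11-03T22:55:05.000Z" /></System>
  <EventData><Data>0xC004D401</Data></EventData></Event>
<Event {_X}><System><Provider Name="Application Error" />
  <EventID Qualifiers="0">1000</EventID>
  <TimeCreated SystemTime="2008-11-03T22:58:00.000Z" /></System>
  <EventData><Data>svchost.exe_HPSLPSVC</Data><Data>6.0.6001.18000</Data>
  <Data>47918b89</Data><Data>unknown</Data><Data>0.0.0.0</Data>
  <Data>00000000</Data><Data>c0000005</Data><Data>006f0069</Data>
  <Data>ae8</Data><Data>01c93dc0a10a8063</Data></EventData></Event>
<Event {_X}><System><Provider Name="MSSQL$MSSMLBIZ" />
  <EventID Qualifiers="16384">17896</EventID>
  <TimeCreated SystemTime="2008-11-03T22:58:33.000Z" /></System>
  <EventData><Data>1</Data></EventData></Event>
<Event {_X}><System><Provider Name="{SLC_PROVIDER}" />
  <EventID Qualifiers="49152">8208</EventID>
  <TimeCreated SystemTime="2008-11-04T00:44:02.000Z" /></System>
  <EventData><Data>hr=0xC004D401</Data>
  <Data>55c92734-d682-4d71-983e-d6ec3f16059f</Data></EventData></Event>
</Events>"""


def parse_events(xml_text):
    """Return the events in xml_text as dicts, oldest first."""
    events = []
    for ev in ET.fromstring(xml_text).iter(EVENT_TAG):
        system = ev.find("e:System", NS)
        stamp = system.find("e:TimeCreated", NS).get("SystemTime")
        events.append({
            "provider": system.find("e:Provider", NS).get("Name"),
            "event_id": int(system.find("e:EventID", NS).text),
            # Keep whole seconds only; the fractional part varies in width.
            "time": datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S"),
            "data": [d.text or "" for d in ev.findall("e:EventData/e:Data", NS)],
        })
    return sorted(events, key=lambda e: e["time"])


def is_tamper(event):
    """True for a Software Licensing event that reports 0xC004D401."""
    return (event["provider"] == SLC_PROVIDER
            and any(TAMPER_HR in d.lower() for d in event["data"]))


def triage(xml_text, window_minutes=10):
    """Summarise tamper events and the crashes logged near any of them."""
    events = parse_events(xml_text)
    tamper = [e for e in events if is_tamper(e)]
    window = timedelta(minutes=window_minutes)
    crashes = []
    for e in events:
        if e["provider"] != "Application Error" or e["event_id"] != 1000:
            continue
        if len(e["data"]) < 7:  # need app, module and exception fields
            continue
        if any(abs(e["time"] - t["time"]) <= window for t in tamper):
            # Data order follows the event description: app, app version,
            # app time stamp, module, module version, module time stamp,
            # exception code.
            crashes.append({"time": e["time"], "app": e["data"][0],
                            "module": e["data"][3], "exception": e["data"][6]})
    return {
        "tamper_event_ids": [e["event_id"] for e in tamper],
        "first_seen": tamper[0]["time"] if tamper else None,
        "nearby_crashes": crashes,
    }


if __name__ == "__main__":
    report = triage(SAMPLE)
    print("0xC004D401 first seen (UTC):", report["first_seen"])
    print("licensing event IDs:", report["tamper_event_ids"])
    for c in report["nearby_crashes"]:
        print("crash near tamper event:", c["time"], c["app"],
              "module", c["module"], "exception", c["exception"])
```

A crash that lands near the first licensing event is a lead to follow up, not proof of cause; an on-disk modification would still need a file integrity check to confirm.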
  • Hello Brandon


    The difference between Activation and WGA can be found at
    http://www.microsoft.com/genuine.  Please search this area as it can answer your questions. We try our best to explain issues and provide solutions for Windows Genuine Advantage concerns. There are issues which fall outside the support scope so we try our best to provide our customers a location where they may be redirected in order to receive answers.  As far as what exactly caused your problem I am not 100% sure but I did provide you with the 2 types of Mod-Auth tampers and details as to what they are.




    Take care Brandon


    Stephen Holm, MS
    WGA Forum Manager

    Stephen Holm
    • Marked as answer by Stephen Holm Wednesday, November 12, 2008 2:01 AM
    Wednesday, November 12, 2008 2:01 AM

All replies

  • Hi - quick update:  I don't know if the problem is solved by any means; however, I rebooted my machine and returned to the Windows validation site.  This time, Vista Ultimate was validated.  Also, Control Panel seems to work now.

    I've provided some additional information from the Event Viewer below, to aid in troubleshooting.  Most were repeated many times, so I've only included one of each, which are listed separately between dividing lines.

    -------------------------------------------------------------------------
    Log Name:      Application
    Source:        Microsoft-Windows-Security-Licensing-SLC
    Date:          11/3/2008 4:55:04 PM
    Event ID:      1022
    Task Category: None
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:      IAS-0001
    Description:
    The system has been tampered. hr=0xC004D401
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Licensing-SLC" Guid="{1FD7C1D2-D037-4620-8D29-B2C7E5FCC13A}" EventSourceName="Software Licensing Service" />
        <EventID Qualifiers="32768">1022</EventID>
        <Version>0</Version>
        <Level>3</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2008-11-03T22:55:04.000Z" />
        <EventRecordID>35816</EventRecordID>
        <Correlation />
        <Execution ProcessID="0" ThreadID="0" />
        <Channel>Application</Channel>
        <Computer>IAS-0001</Computer>
        <Security />
      </System>
      <EventData>
        <Data>hr=0xC004D401</Data>
      </EventData>
    </Event>

    -------------------------------------------------------------------------

    Log Name:      Application
    Source:        Microsoft-Windows-Security-Licensing-SLC
    Date:          11/3/2008 4:55:05 PM
    Event ID:      8193
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      IAS-0001
    Description:
    License Activation Scheduler (SLUINotify.dll) failed with the following error code:
    0xC004D401
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Licensing-SLC" Guid="{1FD7C1D2-D037-4620-8D29-B2C7E5FCC13A}" EventSourceName="Software Licensing Service" />
        <EventID Qualifiers="49152">8193</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2008-11-03T22:55:05.000Z" />
        <EventRecordID>35818</EventRecordID>
        <Correlation />
        <Execution ProcessID="0" ThreadID="0" />
        <Channel>Application</Channel>
        <Computer>IAS-0001</Computer>
        <Security />
      </System>
      <EventData>
        <Data>0xC004D401</Data>
      </EventData>
    </Event>

    -------------------------------------------------------------------------

    Log Name:      Application
    Source:        Application Error
    Date:          11/3/2008 4:58:00 PM
    Event ID:      1000
    Task Category: (100)
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      IAS-0001
    Description:
    Faulting application svchost.exe_HPSLPSVC, version 6.0.6001.18000, time stamp 0x47918b89, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception code 0xc0000005, fault offset 0x006f0069, process id 0xae8, application start time 0x01c93dc0a10a8063.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Application Error" />
        <EventID Qualifiers="0">1000</EventID>
        <Level>2</Level>
        <Task>100</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2008-11-03T22:58:00.000Z" />
        <EventRecordID>35821</EventRecordID>
        <Channel>Application</Channel>
        <Computer>IAS-0001</Computer>
        <Security />
      </System>
      <EventData>
        <Data>svchost.exe_HPSLPSVC</Data>
        <Data>6.0.6001.18000</Data>
        <Data>47918b89</Data>
        <Data>unknown</Data>
        <Data>0.0.0.0</Data>
        <Data>00000000</Data>
        <Data>c0000005</Data>
        <Data>006f0069</Data>
        <Data>ae8</Data>
        <Data>01c93dc0a10a8063</Data>
      </EventData>
    </Event>

    -------------------------------------------------------------------------

    Log Name:      Application
    Source:        MSSQL$MSSMLBIZ
    Date:          11/3/2008 4:58:33 PM
    Event ID:      17896
    Task Category: (2)
    Level:         Information
    Keywords:      Classic
    User:          N/A
    Computer:      IAS-0001
    Description:
    The time stamp counter of CPU on scheduler id 1 is not synchronized with other CPUs.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="MSSQL$MSSMLBIZ" />
        <EventID Qualifiers="16384">17896</EventID>
        <Level>4</Level>
        <Task>2</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2008-11-03T22:58:33.000Z" />
        <EventRecordID>35827</EventRecordID>
        <Channel>Application</Channel>
        <Computer>IAS-0001</Computer>
        <Security />
      </System>
      <EventData>
        <Data>1</Data>
        <Binary>E84500000A000000120000004900410053002D0030003000300031005C004D00530053004D004C00420049005A00000000000000</Binary>
      </EventData>
    </Event>

    -------------------------------------------------------------------------

    Log Name:      Application
    Source:        HPSLPSVC
    Date:          11/3/2008 4:58:42 PM
    Event ID:      0
    Task Category: None
    Level:         Information
    Keywords:      Classic
    User:          N/A
    Computer:      IAS-0001
    Description:
    The description for Event ID 0 from source HPSLPSVC cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

    If the event originated on another computer, the display information had to be saved with the event.

    The following information was included with the event:

    Service started

    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="HPSLPSVC" />
        <EventID Qualifiers="0">0</EventID>
        <Level>4</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2008-11-03T22:58:42.000Z" />
        <EventRecordID>35837</EventRecordID>
        <Channel>Application</Channel>
        <Computer>IAS-0001</Computer>
        <Security />
      </System>
      <EventData>
        <Data>Service started</Data>
      </EventData>
    </Event>

    -------------------------------------------------------------------------

    Log Name:      Application
    Source:        Windows Error Reporting
    Date:          11/3/2008 5:01:37 PM
    Event ID:      1001
    Task Category: None
    Level:         Information
    Keywords:      Classic
    User:          N/A
    Computer:      IAS-0001
    Description:
    Fault bucket 197453827, type 5
    Event Name: BEX
    Response: None
    Cab Id: 0

    Problem signature:
    P1: svchost.exe_HPSLPSVC
    P2: 6.0.6001.18000
    P3: 47918b89
    P4: StackHash_f290
    P5: 0.0.0.0
    P6: 00000000
    P7: 006f0069
    P8: c0000005
    P9: 00000008
    P10:

    Attached files:
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Report161ff907\WERCF58.tmp.version.txt
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Report161ff907\WERCF69.tmp.appcompat.txt
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Report161ff907\WERD17C.tmp.hdmp
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Report161ff907\WERF69A.tmp.mdmp

    These files may be available here:
    C:\ProgramData\Microsoft\Windows\WER\ReportArchive\Report160b1d0b
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Windows Error Reporting" />
        <EventID Qualifiers="0">1001</EventID>
        <Level>4</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2008-11-03T23:01:37.000Z" />
        <EventRecordID>35838</EventRecordID>
        <Channel>Application</Channel>
        <Computer>IAS-0001</Computer>
        <Security />
      </System>
      <EventData>
        <Data>197453827</Data>
        <Data>5</Data>
        <Data>BEX</Data>
        <Data>None</Data>
        <Data>0</Data>
        <Data>svchost.exe_HPSLPSVC</Data>
        <Data>6.0.6001.18000</Data>
        <Data>47918b89</Data>
        <Data>StackHash_f290</Data>
        <Data>0.0.0.0</Data>
        <Data>00000000</Data>
        <Data>006f0069</Data>
        <Data>c0000005</Data>
        <Data>00000008</Data>
        <Data>
        </Data>
        <Data>
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Report161ff907\WERCF58.tmp.version.txt
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Report161ff907\WERCF69.tmp.appcompat.txt
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Report161ff907\WERD17C.tmp.hdmp
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Report161ff907\WERF69A.tmp.mdmp</Data>
        <Data>C:\ProgramData\Microsoft\Windows\WER\ReportArchive\Report160b1d0b</Data>
      </EventData>
    </Event>

    -------------------------------------------------------------------------

    (NOTE:  There were many of these throughout the day, showing various different CPU time stamp frequencies, and moving in both directions)

    Log Name:      Application
    Source:        MSSQL$MSSMLBIZ
    Date:          11/3/2008 5:18:35 PM
    Event ID:      17895
    Task Category: (2)
    Level:         Information
    Keywords:      Classic
    User:          N/A
    Computer:      IAS-0001
    Description:
    CPU time stamp frequency has changed from 1942142 to 261087 ticks per millisecond. The new frequency will be used.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="MSSQL$MSSMLBIZ" />
        <EventID Qualifiers="16384">17895</EventID>
        <Level>4</Level>
        <Task>2</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2008-11-03T23:18:35.000Z" />
        <EventRecordID>35845</EventRecordID>
        <Channel>Application</Channel>
        <Computer>IAS-0001</Computer>
        <Security />
      </System>
      <EventData>
        <Data>1942142</Data>
        <Data>261087</Data>
        <Binary>E74500000A000000120000004900410053002D0030003000300031005C004D00530053004D004C00420049005A00000000000000</Binary>
      </EventData>
    </Event>

    -------------------------------------------------------------------------

    Log Name:      Application
    Source:        Microsoft-Windows-Security-Licensing-SLC
    Date:          11/3/2008 6:44:02 PM
    Event ID:      8208
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      IAS-0001
    Description:
    Acquisition of genuine ticket failed (hr=0xC004D401) for template Id 55c92734-d682-4d71-983e-d6ec3f16059f
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Licensing-SLC" Guid="{1FD7C1D2-D037-4620-8D29-B2C7E5FCC13A}" EventSourceName="Software Licensing Service" />
        <EventID Qualifiers="49152">8208</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2008-11-04T00:44:02.000Z" />
        <EventRecordID>35861</EventRecordID>
        <Correlation />
        <Execution ProcessID="0" ThreadID="0" />
        <Channel>Application</Channel>
        <Computer>IAS-0001</Computer>
        <Security />
      </System>
      <EventData>
        <Data>hr=0xC004D401</Data>
        <Data>55c92734-d682-4d71-983e-d6ec3f16059f</Data>
      </EventData>
    </Event>

    -------------------------------------------------------------------------

    Log Name:      Application
    Source:        Microsoft-Windows-Winlogon
    Date:          11/3/2008 7:41:17 PM
    Event ID:      6000
    Task Category: None
    Level:         Information
    Keywords:      Classic
    User:          N/A
    Computer:      IAS-0001
    Description:
    The winlogon notification subscriber <SessionEnv> was unavailable to handle a notification event.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Winlogon" Guid="{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}" EventSourceName="Wlclntfy" />
        <EventID Qualifiers="32768">6000</EventID>
        <Version>0</Version>
        <Level>4</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2008-11-04T01:41:17.000Z" />
        <EventRecordID>35889</EventRecordID>
        <Correlation />
        <Execution ProcessID="0" ThreadID="0" />
        <Channel>Application</Channel>
        <Computer>IAS-0001</Computer>
        <Security />
      </System>
      <EventData>
        <Data>SessionEnv</Data>
        <Binary>D9060000</Binary>
      </EventData>
    </Event>

    -------------------------------------------------------------------------

    Log Name:      Application
    Source:        Microsoft-Windows-User Profiles Service
    Date:          11/3/2008 7:41:17 PM
    Event ID:      1530
    Task Category: None
    Level:         Warning
    Keywords:      Classic
    User:          SYSTEM
    Computer:      IAS-0001
    Description:
    Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. 

     DETAIL -
     6 user registry handles leaked from \Registry\User\S-1-5-21-1974829029-2963902209-3712134996-1000:
    Process 988 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1974829029-2963902209-3712134996-1000
    Process 1352 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1974829029-2963902209-3712134996-1000\Software\Policies
    Process 1816 (\Device\HarddiskVolume3\Windows\System32\spoolsv.exe) has opened key \REGISTRY\USER\S-1-5-21-1974829029-2963902209-3712134996-1000\Software\Policies
    Process 1352 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1974829029-2963902209-3712134996-1000\Software
    Process 1816 (\Device\HarddiskVolume3\Windows\System32\spoolsv.exe) has opened key \REGISTRY\USER\S-1-5-21-1974829029-2963902209-3712134996-1000\Software
    Process 1572 (\Device\HarddiskVolume3\Program Files\McAfee\Common Framework\FrameworkService.exe) has opened key \REGISTRY\USER\S-1-5-21-1974829029-2963902209-3712134996-1000\Software\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness

    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" EventSourceName="profsvc" />
        <EventID Qualifiers="32768">1530</EventID>
        <Version>0</Version>
        <Level>3</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2008-11-04T01:41:17.000Z" />
        <EventRecordID>35890</EventRecordID>
        <Correlation />
        <Execution ProcessID="0" ThreadID="0" />
        <Channel>Application</Channel>
        <Computer>IAS-0001</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData Name="EVENT_HIVE_LEAK">
        <Data Name="Detail">6 user registry handles leaked from \Registry\User\S-1-5-21-1974829029-2963902209-3712134996-1000:
    Process 988 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1974829029-2963902209-3712134996-1000
    Process 1352 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1974829029-2963902209-3712134996-1000\Software\Policies
    Process 1816 (\Device\HarddiskVolume3\Windows\System32\spoolsv.exe) has opened key \REGISTRY\USER\S-1-5-21-1974829029-2963902209-3712134996-1000\Software\Policies
    Process 1352 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1974829029-2963902209-3712134996-1000\Software
    Process 1816 (\Device\HarddiskVolume3\Windows\System32\spoolsv.exe) has opened key \REGISTRY\USER\S-1-5-21-1974829029-2963902209-3712134996-1000\Software
    Process 1572 (\Device\HarddiskVolume3\Program Files\McAfee\Common Framework\FrameworkService.exe) has opened key \REGISTRY\USER\S-1-5-21-1974829029-2963902209-3712134996-1000\Software\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness
    </Data>
      </EventData>
    </Event>


    -------------------------------------------------------------------------

    Log Name:      Application
    Source:        Microsoft-Windows-User Profiles Service
    Date:          11/3/2008 7:41:18 PM
    Event ID:      1530
    Task Category: None
    Level:         Warning
    Keywords:      Classic
    User:          SYSTEM
    Computer:      IAS-0001
    Description:
    Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. 

     DETAIL -
     3 user registry handles leaked from \Registry\User\S-1-5-21-1974829029-2963902209-3712134996-1000_Classes:
    Process 1816 (\Device\HarddiskVolume3\Windows\System32\spoolsv.exe) has opened key \REGISTRY\USER\S-1-5-21-1974829029-2963902209-3712134996-1000_CLASSES
    Process 1572 (\Device\HarddiskVolume3\Program Files\McAfee\Common Framework\FrameworkService.exe) has opened key \REGISTRY\USER\S-1-5-21-1974829029-2963902209-3712134996-1000_CLASSES
    Process 988 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1974829029-2963902209-3712134996-1000_CLASSES

    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" EventSourceName="profsvc" />
        <EventID Qualifiers="32768">1530</EventID>
        <Version>0</Version>
        <Level>3</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2008-11-04T01:41:18.000Z" />
        <EventRecordID>35891</EventRecordID>
        <Correlation />
        <Execution ProcessID="0" ThreadID="0" />
        <Channel>Application</Channel>
        <Computer>IAS-0001</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData Name="EVENT_HIVE_LEAK">
        <Data Name="Detail">3 user registry handles leaked from \Registry\User\S-1-5-21-1974829029-2963902209-3712134996-1000_Classes:
    Process 1816 (\Device\HarddiskVolume3\Windows\System32\spoolsv.exe) has opened key \REGISTRY\USER\S-1-5-21-1974829029-2963902209-3712134996-1000_CLASSES
    Process 1572 (\Device\HarddiskVolume3\Program Files\McAfee\Common Framework\FrameworkService.exe) has opened key \REGISTRY\USER\S-1-5-21-1974829029-2963902209-3712134996-1000_CLASSES
    Process 988 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1974829029-2963902209-3712134996-1000_CLASSES
    </Data>
      </EventData>
    </Event>

    -------------------------------------------------------------------------


    Log Name:      Application
    Source:        Microsoft-Windows-EventSystem
    Date:          11/3/2008 7:42:22 PM
    Event ID:      4625
    Task Category: None
    Level:         Information
    Keywords:      Classic
    User:          N/A
    Computer:      IAS-0001
    Description:
    The EventSystem sub system is suppressing duplicate event log entries for a duration of 86400 seconds.  The suppression timeout can be controlled by a REG_DWORD value named SuppressDuplicateDuration under the following registry key: HKLM\Software\Microsoft\EventSystem\EventLog.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-EventSystem" Guid="{899daace-4868-4295-afcd-9eb8fb497561}" EventSourceName="EventSystem" />
        <EventID Qualifiers="16384">4625</EventID>
        <Version>0</Version>
        <Level>4</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2008-11-04T01:42:22.000Z" />
        <EventRecordID>35898</EventRecordID>
        <Correlation />
        <Execution ProcessID="0" ThreadID="0" />
        <Channel>Application</Channel>
        <Computer>IAS-0001</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="param1">86400</Data>
        <Data Name="param2">SuppressDuplicateDuration</Data>
        <Data Name="param3">Software\Microsoft\EventSystem\EventLog</Data>
      </EventData>
    </Event>

    -------------------------------------------------------------------------

    Log Name:      Application
    Source:        Microsoft-Windows-Security-Licensing-SLC
    Date:          11/3/2008 7:42:33 PM
    Event ID:      1033
    Task Category: None
    Level:         Information
    Keywords:      Classic
    User:          N/A
    Computer:      IAS-0001
    Description:
    These policies are being excluded since they are only defined with override-only attribute.
    Policy Names=(IIS-W3SVC-MaxConcurrentRequests) (Telnet-Client-EnableTelnetClient) (Telnet-Client-EnableTelnetClient_w) (Telnet-Server-EnableTelnetServer) (Telnet-Server-EnableTelnetServer_w) (nfs-admincmdtools-enabled) (nfs-adminmmc-enabled) (nfs-clientcmdtools-enabled) (nfs-clientcore-enabled) (sua-EnableSUA)
    App Id=55c92734-d682-4d71-983e-d6ec3f16059f
    Sku Id=5e802570-4657-4e84-bfbc-6a0e531b84af
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Licensing-SLC" Guid="{1FD7C1D2-D037-4620-8D29-B2C7E5FCC13A}" EventSourceName="Software Licensing Service" />
        <EventID Qualifiers="16384">1033</EventID>
        <Version>0</Version>
        <Level>4</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2008-11-04T01:42:33.000Z" />
        <EventRecordID>35901</EventRecordID>
        <Correlation />
        <Execution ProcessID="0" ThreadID="0" />
        <Channel>Application</Channel>
        <Computer>IAS-0001</Computer>
        <Security />
      </System>
      <EventData>
        <Data>(IIS-W3SVC-MaxConcurrentRequests) (Telnet-Client-EnableTelnetClient) (Telnet-Client-EnableTelnetClient_w) (Telnet-Server-EnableTelnetServer) (Telnet-Server-EnableTelnetServer_w) (nfs-admincmdtools-enabled) (nfs-adminmmc-enabled) (nfs-clientcmdtools-enabled) (nfs-clientcore-enabled) (sua-EnableSUA) </Data>
        <Data>55c92734-d682-4d71-983e-d6ec3f16059f</Data>
        <Data>5e802570-4657-4e84-bfbc-6a0e531b84af</Data>
      </EventData>
    </Event>


    -------------------------------------------------------------------------

    Log Name:      Application
    Source:        Microsoft-Windows-Security-Licensing-SLC
    Date:          11/3/2008 7:42:33 PM
    Event ID:      1003
    Task Category: None
    Level:         Information
    Keywords:      Classic
    User:          N/A
    Computer:      IAS-0001
    Description:
    The Software Licensing service has completed licensing status check.
    Application Id=55c92734-d682-4d71-983e-d6ec3f16059f
    Licensing Status=
    {1,[1f59edc8-ad79-4d96-a62d-c33ee78da2ec, 8, 0xC004F014,0x0]}

    {1,[30fab9cc-8614-4339-989f-7ce61fb7a5c4, 8, 0xC004F014,0x0]}

    {1,[33a7e8d3-e2ab-413b-96a6-27c83b21c695, 8, 0xC004F014,0x0]}

    {1,[56a13760-2b9c-406f-be8a-8f2ef22f10b5, 8, 0xC004F014,0x0]}

    {1,[5e802570-4657-4e84-bfbc-6a0e531b84af, 0, 0x0,0x0],[0x0,0x0,0x0,0,0,0x0],[0x0,0xFFFFFFFF,0x0,0,0,0x0],[0x0,0xFFFFFFFF,0x0,0,0,0x0],[0,0,0x0]}

    {1,[a79a48fc-70d9-4413-ab47-81cf5d08f7ee, 8, 0xC004F014,0x0]}

    {1,[d6a70f3f-2052-4633-a9aa-25ea0cdff672, 8, 0xC004F014,0x0]}

    {1,[f00fa8e9-ac0f-4f43-a259-a26c110cbbf9, 8, 0xC004F014,0x0]}

    {1,[f79b5e33-4a4e-451c-9e8a-55dcc9bdb89d, 8, 0xC004F014,0x0]}

    {1,[afd5f68f-b70f-4000-a21d-28dbc8be8b07, 8, 0xC004F014,0x0]}

    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Licensing-SLC" Guid="{1FD7C1D2-D037-4620-8D29-B2C7E5FCC13A}" EventSourceName="Software Licensing Service" />
        <EventID Qualifiers="16384">1003</EventID>
        <Version>0</Version>
        <Level>4</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2008-11-04T01:42:33.000Z" />
        <EventRecordID>35902</EventRecordID>
        <Correlation />
        <Execution ProcessID="0" ThreadID="0" />
        <Channel>Application</Channel>
        <Computer>IAS-0001</Computer>
        <Security />
      </System>
      <EventData>
        <Data>55c92734-d682-4d71-983e-d6ec3f16059f</Data>
        <Data>
    {1,[1f59edc8-ad79-4d96-a62d-c33ee78da2ec, 8, 0xC004F014,0x0]}

    {1,[30fab9cc-8614-4339-989f-7ce61fb7a5c4, 8, 0xC004F014,0x0]}

    {1,[33a7e8d3-e2ab-413b-96a6-27c83b21c695, 8, 0xC004F014,0x0]}

    {1,[56a13760-2b9c-406f-be8a-8f2ef22f10b5, 8, 0xC004F014,0x0]}

    {1,[5e802570-4657-4e84-bfbc-6a0e531b84af, 0, 0x0,0x0],[0x0,0x0,0x0,0,0,0x0],[0x0,0xFFFFFFFF,0x0,0,0,0x0],[0x0,0xFFFFFFFF,0x0,0,0,0x0],[0,0,0x0]}

    {1,[a79a48fc-70d9-4413-ab47-81cf5d08f7ee, 8, 0xC004F014,0x0]}

    {1,[d6a70f3f-2052-4633-a9aa-25ea0cdff672, 8, 0xC004F014,0x0]}

    {1,[f00fa8e9-ac0f-4f43-a259-a26c110cbbf9, 8, 0xC004F014,0x0]}

    {1,[f79b5e33-4a4e-451c-9e8a-55dcc9bdb89d, 8, 0xC004F014,0x0]}

    {1,[afd5f68f-b70f-4000-a21d-28dbc8be8b07, 8, 0xC004F014,0x0]}
    </Data>
      </EventData>
    </Event>


    -------------------------------------------------------------------------

    Tuesday, November 4, 2008 2:55 AM
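As a triage aid for the Application-log export in the post above, this added example (not part of the thread and not Microsoft code) splits the export into records, matches the Sku Id reported in event 1033 against the status tuples in event 1003, and lists records that carry the 0xC004D401 code quoted in the thread's tamper messages. It assumes the first bracket of each tuple holds a SKU GUID, a state number and an HRESULT, and it does not interpret those values; the function names are hypothetical and the third sample record's header fields are constructed.

```python
import re

# Records abridged from the Event Viewer text quoted in this thread. The third
# record's Source and Event ID are constructed; only its message is quoted.
SAMPLE = """\
Source:        Microsoft-Windows-Security-Licensing-SLC
Event ID:      1033
Sku Id=5e802570-4657-4e84-bfbc-6a0e531b84af
-------------------------------------------------------------------------
Source:        Microsoft-Windows-Security-Licensing-SLC
Event ID:      1003
Licensing Status=
{1,[1f59edc8-ad79-4d96-a62d-c33ee78da2ec, 8, 0xC004F014,0x0]}
{1,[5e802570-4657-4e84-bfbc-6a0e531b84af, 0, 0x0,0x0],[0x0,0x0,0x0,0,0,0x0],[0x0,0xFFFFFFFF,0x0,0,0,0x0],[0x0,0xFFFFFFFF,0x0,0,0,0x0],[0,0,0x0]}
-------------------------------------------------------------------------
Source:        PLACEHOLDER-SOURCE
Event ID:      0
The system has been tampered. hr=0xC004D401
"""

GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
# Assumed layout of a tuple's first bracket: [sku-guid, state, hresult, ...]
STATUS = re.compile(r"\{\d+,\[(" + GUID + r"),\s*(\d+),\s*(0x[0-9A-Fa-f]+)")
TAMPER_HR = "0xC004D401"  # code quoted in the thread's tamper messages

def split_records(text):
    """Split a text export on its dashed separator lines -> [(event_id, body)]."""
    records = []
    for chunk in re.split(r"(?m)^\s*-{20,}\s*$", text):
        m = re.search(r"(?m)^\s*Event ID:\s*(\d+)", chunk)
        if m:
            records.append((int(m.group(1)), chunk))
    return records

def triage(text):
    """Cross-reference the Sku Id (event 1033) with event 1003 status tuples."""
    sku, statuses, tamper_events = None, {}, []
    for event_id, body in split_records(text):
        m = re.search(r"(?m)^\s*Sku Id=(" + GUID + r")", body)
        if m:
            sku = m.group(1).lower()
        if event_id == 1003:
            for guid, state, hr in STATUS.findall(body):
                statuses[guid.lower()] = (int(state), int(hr, 16))
        if TAMPER_HR.lower() in body.lower():
            tamper_events.append(event_id)
    return {
        "sku": sku,
        "sku_status": statuses.get(sku),  # (state, hresult) as logged
        "nonzero": {g: f"0x{hr:08X}" for g, (_, hr) in statuses.items() if hr},
        "tamper_events": tamper_events,
    }

print(triage(SAMPLE))
```
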
  • Hello B Hill :-)


    Please review the following Knowledge Base (KB) article and refer to the resolution portion of the webpage:

     KB931573 – You may be prompted to activate Windows Vista on a computer on which Windows Vista was already activated by a Volume License or OEM installation

     http://support.microsoft.com/default.aspx?scid=kb;EN-US;931573 

     If the above does not resolve your issue, please follow the steps below. If the first set of steps does not resolve, move on to the next set of steps.

     ----------------------------------------------------------------------------------------

    Step set #1

     1) Open Internet Explorer

    2) A Browser will open, type: %windir%\system32 into the address field

    3) Find the file cmd.exe

    4) Right Click on the cmd.exe and select Run as Administrator

    5) Type: cscript slmgr.vbs -rilc (It may take a long time for this to complete, please be patient)

    6) Hit the Enter key

    7) Reboot 2 times

     -------------------------------------------------------------------------------------

    Step set #2

     

    1) Open Internet Browser

    2) Type %windir%\system32 into the browser address bar.

    3) Find the file CMD.exe

    4) Right-Click on CMD.exe and select Run as Administrator

    5) Type: net stop slsvc  (it may ask you if you are sure, select yes)

    6) Type: cd %windir%\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareLicensing

    7) Type: rename tokens.dat tokens.bar

    8) Type: cd %windir%\system32

    9) Type net start slsvc

    10) Reboot Twice

    11) Windows Vista may require you to enter a Product Key [use the Certificate of Authenticity (COA)] SLP Product Key found on the sticker on the side or bottom of your computer and activate. Use the Activate by Phone method outlined below.

    From the Desktop:

    a) If you have access to the Start button: Click the Start button, and type in "slui.exe 4" in the search field and then press the "Enter" key. This will bring up the Activate by Phone dialog window. Follow the steps provided by the window. The phone activation process should only take about 6 minutes.


    b) If you do not have access to the Start button: Reboot and login to Vista, a dialog window will come up. In that window, click the option "Access computer with reduced functionality". Once you do that, Internet Explorer or Firefox browser will open. In the address bar type "c:\windows\system32\cmd.exe" press enter, a new window will come up, type: slui 4 and hit enter and follow steps to Activate over the Phone.

    Also you may reference the following site for various Telephone Activation Centers:

    http://support.microsoft.com/kb/326851




    Thank you for visiting the Genuine Advantage forum.


    Stephen Holm, MS
    WGA Forum Manager


    Stephen Holm
    • Marked as answer by Stephen Holm Thursday, November 6, 2008 3:26 AM
    • Unmarked as answer by B S Hill Thursday, November 6, 2008 6:17 PM
    Thursday, November 6, 2008 3:26 AM
  • Stephen,

    Thank you for taking the time to respond to my posts.  I'd be grateful if you could provide some additional information, though.

    I remain unclear on what exactly has happened.  Do you see anything in the information I provided that would explain the cause of the errors I experienced?  Though I have shut down and rebooted my computer several times since my original post, and haven't experienced the problems again, I would like to know if this resolved, is simply an intermittent problem, and/or if there is something I did (or a program on my system did) which could cause the problem to recur again in the future.  I'm especially concerned about the following descriptions from two of the error messages in the Event Viewer:

        "The system has been tampered. hr=0xC004D401"  (What is tampering with the system...and how??)

            and

        "License Activation Scheduler (SLUINotify.dll) failed with the following error code:0xC004D401" (Does this mean the system is failing to, or unable to, look up its activation status?)


    Next, how does the solution you posted correct the problem(s)?  The error code that is the subject of the KB article provided doesn't seem to match the error code I have experienced.  Lastly, could you please explain what the additional steps that you provided do?  I'd like to understand what these command lines do, and also how to reverse the changed setting(s), should this be necessary.

    Thanks in advance, and I look forward to your reply.

    Regards,
    Brandon
    • Edited by B S Hill Thursday, November 6, 2008 6:16 PM
    Thursday, November 6, 2008 6:09 PM
  • Hello Brandon,


    Please see in-line answers :-). 


      "The system has been tampered. hr=0xC004D401"  (What is tampering with the system...and how??)


    Windows Vista is in what we call a 'Mod-Auth' Tamper state.  There are 2 types of Mod-Auth tampers. 
     

    1) A critical system file was modified On Disk - What this means is that the file, located on the hard drive, was modified in some way. This can be caused by a malicious program (malware) or by manual file modification (by a user of the system). There is also a very small chance that an Update may fail in mid-update and cause this type of issue. As a safety mechanism, Updates are made so that if they fail, they roll back any updating that was done before the failure, but there is an off-chance that the roll back did not occur.

     2) A critical system file was modified In Memory - What this means is the file itself (on the hard drive) is un-modified, but the code, from that file, running in the system, was modified in some way and is usually caused by a running program that is incompatible with Windows Vista.



    "License Activation Scheduler (SLUINotify.dll) failed with the following error code:0xC004D401"

    Brandon, activation issues do fall outside the support scope for WGA but I would like to redirect you to http://social.technet.microsoft.com/Forums/en-US/search/?q=Vista%20Product%20Activation forum. Here you can present what you are experiencing and get an answer :-).


    Hopefully I was able to answer your questions.


    Take care Brandon,


    Stephen Holm, MS
    WGA Forum Manager


    Stephen Holm
    • Marked as answer by Stephen Holm Thursday, November 6, 2008 10:59 PM
    • Unmarked as answer by B S Hill Tuesday, November 11, 2008 11:37 PM
    • Marked as answer by Stephen Holm Wednesday, November 12, 2008 1:55 AM
    Thursday, November 6, 2008 10:59 PM
  • Stephen,

    Thanks for explaining a little more about a couple of the points I raised in my follow-up.  However, although I'm pretty clear now on what the warnings mean, I still don't know why the errors in question happened or how to prevent them from happening in the future.

    Can you shed some light on those two issues, as they are probably more relevant than simply knowing more about what actually happened?

    Also, what is the difference between Activation and WGA, and what is the reason for directing inquiries about that particular error message to another support group?

    Regards,
    Brandon
    Tuesday, November 11, 2008 11:41 PM
  • Hello Brandon


    The difference between Activation and WGA can be found at
    http://www.microsoft.com/genuine.  Please search this area as it can answer your questions. We try our best to explain issues and provide solutions for Windows Genuine Advantage concerns. There are issues which fall outside the support scope so we try our best to provide our customers a location where they may be redirected in order to receive answers.  As far as what exactly caused your problem I am not 100% sure but I did provide you with the 2 types of Mod-Auth tampers and details as to what they are.




    Take care Brandon


    Stephen Holm, MS
    WGA Forum Manager

    Stephen Holm
    • Marked as answer by Stephen Holm Wednesday, November 12, 2008 2:01 AM
    Wednesday, November 12, 2008 2:01 AM