Vista Ultimate Validation Failure, Control Panel Disappears, "An unauthorized change was made to Windows"

Question
(Preface: I just copied and pasted my narrative of troubles that I'd been saving in Word, but I notice that pictures don't come through. If anyone would like screen shots, though, please let me know, and tell me how to send them, and I will forward the many I have that were originally included amongst the text)
I began experiencing problems with Internet Explorer running very slowly a few weeks ago, and also noticed some performance slowdown during normal operation. Today I experienced some similar slow performance even when using Firefox. Then, I twice in the same afternoon received a message stating that there was an IP conflict, with another device on the network having the same IP address as my machine (I don’t know if this is relevant or not, as it “appeared” to resolve itself, and the network icon displayed a connection to local and Internet). Finally, after receiving several HTTP errors while trying to browse, I received the following pop-up:
The link took me to the Validation page, which then failed. I decided to do a system restore, but could not access Control Panel. At first, Control Panel was simply empty and wouldn’t display icons in any view, no matter how much I refreshed. Then, after I closed it and tried to reopen Control Panel, each time, the window would briefly flash and then disappear – I could not get the window to remain open.
I followed a few links from the validation page to find this Microsoft Forum. I have followed the instructions as directed, and the results follow below.
Before I close, I’d like to know how this could randomly have happened. I have not installed any new software recently, so I can’t imagine any new programs that could be causing the change. I have McAfee VirusScan Enterprise on my machine, and it is up-to-date. Is it possible a virus has caused this, but then again, why would McAfee miss this? The only other change that I know of is that I set several processes and services that used to run in the background at startup to manual, or disabled them altogether, in an effort to free up memory needed to watch a Blu-Ray disc on my HDTV the other day. (I had done this previously, at the direction of Dell when troubleshooting my BD drive playback problems). I was very careful to exclude any Microsoft processes and services from any changes, however, and I also didn’t change anything I couldn’t tell what it was directly or through a good web search. Is there a way to reset all of the startup services to default in case I accidentally changed a necessary one (though as you can see below, the main licensing one appears to be working fine)? Any other recommendations??
I know my copy of Vista Ultimate is genuine – it was factory-installed by Dell – and I have validated it regularly on this machine for as long as I’ve owned it, and have also received all the Windows Updates regularly. In closing, I notice that some other users have reported the onset of this problem immediately after the installation of a Vista update, so I wonder if this could be the case here? However, the last Vista update pushed to this machine, to my knowledge, was 2-3 days ago. Could such an effect be so delayed?
Thank you in advance for your help, and I look forward to receiving some assistance and hearing from someone very soon!
Apparently, the service was already started…
Then, after trying to post my own thread in the Vista Validation Issues Forum, I tried logging in, and received the following response:
Incidentally, this is very similar to the issues I first noticed this afternoon using Firefox. Any webpage that had any kind of login option wouldn’t load, and I received an error.
I tried to go ahead and run the Genuine Advantage Diagnostic Tool anyway. I went to the webpage provided for the tool, selected “Run,” and then “Run” again. I selected “Continue” and the tool proceeded to lock up.
I noticed that the processor had been behaving erratically, so I took the following screen shot, which shows CPU usage ranging from 0-100. And then, lest I forget in the middle of it all, Vista decided to remind me again that validation failed. Lovely.
After this, though, the Genuine Advantage Tool managed to finish doing its job. Results follow:
Diagnostic Report (1.7.0110.1):
-----------------------------------------
WGA Data-->
Validation Status: Invalid License
Validation Code: 50
Online Validation Code: 0xc004d401
Cached Validation Code: N/A, hr = 0xc004d401
Windows Product Key: *****-*****-9364X-37XGX-24W6P
Windows Product Key Hash: aA067NOL80NWIZ94L6hWVdZMoIo=
Windows Product ID: 89580-OEM-7332132-00141
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 6.0.6001.2.00010100.1.0.001
ID: {07168C65-A358-427C-AD06-41A545BFD803}(1)
Is Admin: Yes
TestCab: 0x0
WGA Version: Registered, 1.7.69.2
Signed By: Microsoft
Product Name: Windows Vista (TM) Ultimate
Architecture: 0x00000000
Build lab: 6001.vistasp1_gdr.080917-1612
TTS Error: K:20081103173038369-M:20081103165504440-
Validation Diagnostic:
Resolution Status: N/A
WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: 6.0.6002.16398
WGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002
OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
WGATray.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002
OGA Data-->
Office Status: 100 Genuine
Microsoft Office Professional 2007 - 100 Genuine
Microsoft Office Enterprise 2007 - 100 Genuine
OGA Version: Registered, 1.6.28.0
Signed By: Microsoft
Office Diagnostics: 77F760FE-153-80070002_7E90FEE8-203-80070002_025D1FF3-282-80041010_025D1FF3-170-80041010_025D1FF3-171-1_025D1FF3-434-80040154_025D1FF3-178-80040154_025D1FF3-179-2_025D1FF3-185-80070002_025D1FF3-199-3_FA827CE6-153-8007007e_FA827CE6-180-8007007e
Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\iexplore.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed
File Scan Data-->
Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{07168C65-A358-427C-AD06-41A545BFD803}</UGUID><Version>1.7.0110.1</Version><OS>6.0.6001.2.00010100.1.0.001</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-24W6P</PKey><PID>89580-OEM-7332132-00141</PID><PIDType>2</PIDType><SID>S-1-5-21-1974829029-2963902209-3712134996</SID><SYSTEM><Manufacturer>Dell Inc.</Manufacturer><Model>Inspiron 1720 </Model></SYSTEM><BIOS><Manufacturer>Dell Inc.</Manufacturer><Version>A08</Version><SMBIOSVersion major="2" minor="4"/><Date>20080421000000.000000+000</Date></BIOS><HWID>E5303507018400FA</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Central Standard Time(GMT-06:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>DELL </OEMID><OEMTableID>M08 </OEMTableID></OEM><BRT/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{91120000-0014-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Professional 2007</Name><Ver>12</Ver><Val>D19EBF46A41282</Val><Hash>usGnjYTiWFXs9VrtgJMk8fpOeMQ=</Hash><Pid>81605-321-6524425-65870</Pid><PidType>10</PidType></Product><Product GUID="{91120000-0030-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Enterprise 2007</Name><Ver>12</Ver><Val>50C127D9C76710</Val><Hash>tl51Y09mQficZP/7s13QFwR5XKI=</Hash><Pid>81599-904-5196331-65770</Pid><PidType>1</PidType></Product></Products><Applications><App Id="15" Version="12" Result="100"/><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="19" Version="12" Result="100"/><App Id="1A" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/><App Id="44" Version="12" Result="100"/><App Id="A1" Version="12" Result="100"/><App Id="BA" Version="12" Result="100"/></Applications></Office></Software></GenuineResults>
Spsys.log Content: 0x80070002
Licensing Data-->
C:\Windows\system32\slmgr.vbs(1634, 5) (null): 0xC004D401
HWID Data-->
HWID Hash Current: PAAAAAEABgABAAEAAQABAAAABAABAAEA6GHQLxLUPIfqxnb/SEWicEaDaiREF/L0mNsZslib/mSsViqF
OEM Activation 1.0 Data-->
N/A
OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x20000
OEMID and OEMTableID Consistent: yes
BIOS Information:
ACPI Table Name OEMID Value OEMTableID Value
APIC DELL M08
FACP DELL M08
HPET DELL M08
BOOT DELL M08
MCFG DELL M08
SLIC DELL M08
SSDT PmRef CpuPm
Then our friend visited again:
Lastly, I re-ran the Windows validation tool from www.microsoft.com/genuine to copy the error code that is displayed, which was [0xC004D401]
Tuesday, November 4, 2008 1:39 AM
Answers
Hello Brandon,
Please see in-line answers :-).
"The system has been tampered. hr=0xC004D401" (What is tampering with the system...and how??)
Windows Vista is in what we call a 'Mod-Auth' Tamper state. There are 2 types of Mod-Auth tampers.
1) A critical system file was modified On Disk - What this means is that the file, located on the hard drive, was modified in some way. This can be caused by a malicious program (malware) or by manual file modification (by a user of the system). There is also a very small chance that an Update may fail in mid-update and cause this type of issue. As a safety mechanism, Updates are made so that if they fail, they roll back any updating that was done before the failure, but there is an off-chance that the roll back did not occur.
2) A critical system file was modified In Memory - What this means is the file itself (on the hard drive) is un-modified, but the code, from that file, running in the system, was modified in some way and is usually caused by a running program that is incompatible with Windows Vista.
"License Activation Scheduler (SLUINotify.dll) failed with the following error code:0xC004D401"
Brandon, activation issues do fall outside the support scope for WGA but I would like to redirect you to http://social.technet.microsoft.com/Forums/en-US/search/?q=Vista%20Product%20Activation forum. Here you can present what you are experiencing and get an answer :-).
Hopefully I was able to answer your questions.
Take care Brandon,
Stephen Holm, MS
WGA Forum Manager
- Marked as answer by Stephen Holm Thursday, November 6, 2008 10:59 PM
- Unmarked as answer by B S Hill Tuesday, November 11, 2008 11:37 PM
- Marked as answer by Stephen Holm Wednesday, November 12, 2008 1:55 AM
Thursday, November 6, 2008 10:59 PM -
Hello Brandon
The difference between Activation and WGA can be found at http://www.microsoft.com/genuine. Please search this area as it can answer your questions. We try our best to explain issues and provide solutions for Windows Genuine Advantage concerns. There are issues which fall outside the support scope so we try our best to provide our customers a location where they may be redirected in order to receive answers. As far as what exactly caused your problem I am not 100% sure but I did provide you with the 2 types of Mod-Auth tampers and details as what they are.
Take care Brandon
Stephen Holm, MS
WGA Forum Manager
- Marked as answer by Stephen Holm Wednesday, November 12, 2008 2:01 AM
Wednesday, November 12, 2008 2:01 AM
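Because the answer ties the in-memory tamper case to a program running on the system, a first triage step is to list which other components logged warnings or errors close to each 0xC004D401 event. The script below is an added example, not part of the original posts or any Microsoft tool; it reads Event Viewer text in the layout pasted in this thread, the sample records are constructed (abridged from the thread's own events), and the function names and five-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

TAMPER_HR = "0xC004D401"  # HRESULT reported throughout this thread
LICENSING_SOURCE = "Microsoft-Windows-Security-Licensing-SLC"

# Constructed sample: Event Viewer "copy as text" records, abridged from the
# events quoted in the thread (the "Event Xml" sections are omitted).
SAMPLE_EXPORT = """\
Log Name: Application
Source: Microsoft-Windows-Security-Licensing-SLC
Date: 11/3/2008 4:55:04 PM
Event ID: 1022
Level: Warning
Description:
The system has been tampered. hr=0xC004D401
-------------------------------------------------------------------------
Log Name: Application
Source: Microsoft-Windows-Security-Licensing-SLC
Date: 11/3/2008 4:55:05 PM
Event ID: 8193
Level: Error
Description:
License Activation Scheduler (SLUINotify.dll) failed with the following error code:
0xC004D401
-------------------------------------------------------------------------
Log Name: Application
Source: Application Error
Date: 11/3/2008 4:58:00 PM
Event ID: 1000
Level: Error
Description:
Faulting application svchost.exe_HPSLPSVC, version 6.0.6001.18000, faulting module unknown, exception code 0xc0000005
-------------------------------------------------------------------------
Log Name: Application
Source: MSSQL$MSSMLBIZ
Date: 11/3/2008 5:18:35 PM
Event ID: 17895
Level: Information
Description:
CPU time stamp frequency has changed from 1942142 to 261087 ticks per millisecond. The new frequency will be used.
-------------------------------------------------------------------------
Log Name: Application
Source: Microsoft-Windows-Security-Licensing-SLC
Date: 11/3/2008 6:44:02 PM
Event ID: 8208
Level: Error
Description:
Acquisition of genuine ticket failed (hr=0xC004D401) for template Id 55c92734-d682-4d71-983e-d6ec3f16059f
"""


def parse_events(text):
    """Split a text export on dashed separator lines and parse each record."""
    events = []
    for block in re.split(r"(?m)^-{5,}[ \t]*$", text):
        fields, desc, in_desc = {}, [], False
        for line in block.strip().splitlines():
            if line.startswith("Event Xml:"):
                break  # the XML copy repeats the same record; skip it
            if in_desc:
                desc.append(line.strip())
            elif line.startswith("Description:"):
                in_desc = True
            elif ":" in line:
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        if "Date" not in fields or "Event ID" not in fields:
            continue  # free text between records, not an event
        events.append({
            "time": datetime.strptime(fields["Date"], "%m/%d/%Y %I:%M:%S %p"),
            "source": fields.get("Source", ""),
            "id": int(fields["Event ID"]),
            "level": fields.get("Level", ""),
            "description": " ".join(desc),
        })
    return events


def tamper_events(events):
    """Events whose description carries the tamper HRESULT."""
    return [e for e in events if TAMPER_HR.lower() in e["description"].lower()]


def faults_near_tamper(events, window=timedelta(minutes=5)):
    """Warning/Error events from non-licensing sources within `window` of a tamper event."""
    tampers = tamper_events(events)
    hits = []
    for e in events:
        if e["source"] == LICENSING_SOURCE:
            continue
        if e["level"] not in ("Warning", "Error", "Critical"):
            continue
        if any(abs(e["time"] - t["time"]) <= window for t in tampers):
            m = re.search(r"Faulting application ([^,]+),", e["description"])
            hits.append((e["time"].strftime("%H:%M:%S"), e["source"], e["id"],
                         m.group(1) if m else None))
    return hits


if __name__ == "__main__":
    for hit in faults_near_tamper(parse_events(SAMPLE_EXPORT)):
        print(hit)
```

A fault logged near a tamper event is a lead to check against the two Mod-Auth cases described above, not proof of the cause.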
All replies
Hi - quick update: I don't know if the problem is solved by any means; however, I rebooted my machine and returned to the Windows validation site. This time, Vista Ultimate was validated. Also, Control Panel seems to work now.
I've provided some additional information from the Event Viewer below, to aid in troubleshooting. Most were repeated many times, so I've only included one of each, which are listed separately between dividing lines.
-------------------------------------------------------------------------
Log Name: Application
Source: Microsoft-Windows-Security-Licensing-SLC
Date: 11/3/2008 4:55:04 PM
Event ID: 1022
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: IAS-0001
Description:
The system has been tampered. hr=0xC004D401
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Licensing-SLC" Guid="{1FD7C1D2-D037-4620-8D29-B2C7E5FCC13A}" EventSourceName="Software Licensing Service" />
<EventID Qualifiers="32768">1022</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2008-11-03T22:55:04.000Z" />
<EventRecordID>35816</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>IAS-0001</Computer>
<Security />
</System>
<EventData>
<Data>hr=0xC004D401</Data>
</EventData>
</Event>
-------------------------------------------------------------------------
Log Name: Application
Source: Microsoft-Windows-Security-Licensing-SLC
Date: 11/3/2008 4:55:05 PM
Event ID: 8193
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: IAS-0001
Description:
License Activation Scheduler (SLUINotify.dll) failed with the following error code:
0xC004D401
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Licensing-SLC" Guid="{1FD7C1D2-D037-4620-8D29-B2C7E5FCC13A}" EventSourceName="Software Licensing Service" />
<EventID Qualifiers="49152">8193</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2008-11-03T22:55:05.000Z" />
<EventRecordID>35818</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>IAS-0001</Computer>
<Security />
</System>
<EventData>
<Data>0xC004D401</Data>
</EventData>
</Event>
-------------------------------------------------------------------------
Log Name: Application
Source: Application Error
Date: 11/3/2008 4:58:00 PM
Event ID: 1000
Task Category: (100)
Level: Error
Keywords: Classic
User: N/A
Computer: IAS-0001
Description:
Faulting application svchost.exe_HPSLPSVC, version 6.0.6001.18000, time stamp 0x47918b89, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception code 0xc0000005, fault offset 0x006f0069, process id 0xae8, application start time 0x01c93dc0a10a8063.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Application Error" />
<EventID Qualifiers="0">1000</EventID>
<Level>2</Level>
<Task>100</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2008-11-03T22:58:00.000Z" />
<EventRecordID>35821</EventRecordID>
<Channel>Application</Channel>
<Computer>IAS-0001</Computer>
<Security />
</System>
<EventData>
<Data>svchost.exe_HPSLPSVC</Data>
<Data>6.0.6001.18000</Data>
<Data>47918b89</Data>
<Data>unknown</Data>
<Data>0.0.0.0</Data>
<Data>00000000</Data>
<Data>c0000005</Data>
<Data>006f0069</Data>
<Data>ae8</Data>
<Data>01c93dc0a10a8063</Data>
</EventData>
</Event>
-------------------------------------------------------------------------
Log Name: Application
Source: MSSQL$MSSMLBIZ
Date: 11/3/2008 4:58:33 PM
Event ID: 17896
Task Category: (2)
Level: Information
Keywords: Classic
User: N/A
Computer: IAS-0001
Description:
The time stamp counter of CPU on scheduler id 1 is not synchronized with other CPUs.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="MSSQL$MSSMLBIZ" />
<EventID Qualifiers="16384">17896</EventID>
<Level>4</Level>
<Task>2</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2008-11-03T22:58:33.000Z" />
<EventRecordID>35827</EventRecordID>
<Channel>Application</Channel>
<Computer>IAS-0001</Computer>
<Security />
</System>
<EventData>
<Data>1</Data>
<Binary>E84500000A000000120000004900410053002D0030003000300031005C004D00530053004D004C00420049005A00000000000000</Binary>
</EventData>
</Event>
-------------------------------------------------------------------------
Log Name: Application
Source: HPSLPSVC
Date: 11/3/2008 4:58:42 PM
Event ID: 0
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: IAS-0001
Description:
The description for Event ID 0 from source HPSLPSVC cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
Service started
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="HPSLPSVC" />
<EventID Qualifiers="0">0</EventID>
<Level>4</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2008-11-03T22:58:42.000Z" />
<EventRecordID>35837</EventRecordID>
<Channel>Application</Channel>
<Computer>IAS-0001</Computer>
<Security />
</System>
<EventData>
<Data>Service started</Data>
</EventData>
</Event>
-------------------------------------------------------------------------
Log Name: Application
Source: Windows Error Reporting
Date: 11/3/2008 5:01:37 PM
Event ID: 1001
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: IAS-0001
Description:
Fault bucket 197453827, type 5
Event Name: BEX
Response: None
Cab Id: 0
Problem signature:
P1: svchost.exe_HPSLPSVC
P2: 6.0.6001.18000
P3: 47918b89
P4: StackHash_f290
P5: 0.0.0.0
P6: 00000000
P7: 006f0069
P8: c0000005
P9: 00000008
P10:
Attached files:
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Report161ff907\WERCF58.tmp.version.txt
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Report161ff907\WERCF69.tmp.appcompat.txt
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Report161ff907\WERD17C.tmp.hdmp
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Report161ff907\WERF69A.tmp.mdmp
These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\Report160b1d0b
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Windows Error Reporting" />
<EventID Qualifiers="0">1001</EventID>
<Level>4</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2008-11-03T23:01:37.000Z" />
<EventRecordID>35838</EventRecordID>
<Channel>Application</Channel>
<Computer>IAS-0001</Computer>
<Security />
</System>
<EventData>
<Data>197453827</Data>
<Data>5</Data>
<Data>BEX</Data>
<Data>None</Data>
<Data>0</Data>
<Data>svchost.exe_HPSLPSVC</Data>
<Data>6.0.6001.18000</Data>
<Data>47918b89</Data>
<Data>StackHash_f290</Data>
<Data>0.0.0.0</Data>
<Data>00000000</Data>
<Data>006f0069</Data>
<Data>c0000005</Data>
<Data>00000008</Data>
<Data>
</Data>
<Data>
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Report161ff907\WERCF58.tmp.version.txt
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Report161ff907\WERCF69.tmp.appcompat.txt
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Report161ff907\WERD17C.tmp.hdmp
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Report161ff907\WERF69A.tmp.mdmp</Data>
<Data>C:\ProgramData\Microsoft\Windows\WER\ReportArchive\Report160b1d0b</Data>
</EventData>
</Event>
-------------------------------------------------------------------------
(NOTE: There were many of these throughout the day, showing various different CPU time stamp frequencies, and moving in both directions)
Log Name: Application
Source: MSSQL$MSSMLBIZ
Date: 11/3/2008 5:18:35 PM
Event ID: 17895
Task Category: (2)
Level: Information
Keywords: Classic
User: N/A
Computer: IAS-0001
Description:
CPU time stamp frequency has changed from 1942142 to 261087 ticks per millisecond. The new frequency will be used.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="MSSQL$MSSMLBIZ" />
<EventID Qualifiers="16384">17895</EventID>
<Level>4</Level>
<Task>2</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2008-11-03T23:18:35.000Z" />
<EventRecordID>35845</EventRecordID>
<Channel>Application</Channel>
<Computer>IAS-0001</Computer>
<Security />
</System>
<EventData>
<Data>1942142</Data>
<Data>261087</Data>
<Binary>E74500000A000000120000004900410053002D0030003000300031005C004D00530053004D004C00420049005A00000000000000</Binary>
</EventData>
</Event>
-------------------------------------------------------------------------
Log Name: Application
Source: Microsoft-Windows-Security-Licensing-SLC
Date: 11/3/2008 6:44:02 PM
Event ID: 8208
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: IAS-0001
Description:
Acquisition of genuine ticket failed (hr=0xC004D401) for template Id 55c92734-d682-4d71-983e-d6ec3f16059f
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Licensing-SLC" Guid="{1FD7C1D2-D037-4620-8D29-B2C7E5FCC13A}" EventSourceName="Software Licensing Service" />
<EventID Qualifiers="49152">8208</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2008-11-04T00:44:02.000Z" />
<EventRecordID>35861</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>IAS-0001</Computer>
<Security />
</System>
<EventData>
<Data>hr=0xC004D401</Data>
<Data>55c92734-d682-4d71-983e-d6ec3f16059f</Data>
</EventData>
</Event>
-------------------------------------------------------------------------
Log Name: Application
Source: Microsoft-Windows-Winlogon
Date: 11/3/2008 7:41:17 PM
Event ID: 6000
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: IAS-0001
Description:
The winlogon notification subscriber <SessionEnv> was unavailable to handle a notification event.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Winlogon" Guid="{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}" EventSourceName="Wlclntfy" />
<EventID Qualifiers="32768">6000</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2008-11-04T01:41:17.000Z" />
<EventRecordID>35889</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>IAS-0001</Computer>
<Security />
</System>
<EventData>
<Data>SessionEnv</Data>
<Binary>D9060000</Binary>
</EventData>
</Event>
-------------------------------------------------------------------------
Log Name: Application
Source: Microsoft-Windows-User Profiles Service
Date: 11/3/2008 7:41:17 PM
Event ID: 1530
Task Category: None
Level: Warning
Keywords: Classic
User: SYSTEM
Computer: IAS-0001
Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.
DETAIL -
6 user registry handles leaked from \Registry\User\S-1-5-21-1974829029-2963902209-3712134996-1000:
Process 988 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1974829029-2963902209-3712134996-1000
Process 1352 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1974829029-2963902209-3712134996-1000\Software\Policies
Process 1816 (\Device\HarddiskVolume3\Windows\System32\spoolsv.exe) has opened key \REGISTRY\USER\S-1-5-21-1974829029-2963902209-3712134996-1000\Software\Policies
Process 1352 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1974829029-2963902209-3712134996-1000\Software
Process 1816 (\Device\HarddiskVolume3\Windows\System32\spoolsv.exe) has opened key \REGISTRY\USER\S-1-5-21-1974829029-2963902209-3712134996-1000\Software
Process 1572 (\Device\HarddiskVolume3\Program Files\McAfee\Common Framework\FrameworkService.exe) has opened key \REGISTRY\USER\S-1-5-21-1974829029-2963902209-3712134996-1000\Software\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" EventSourceName="profsvc" />
<EventID Qualifiers="32768">1530</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2008-11-04T01:41:17.000Z" />
<EventRecordID>35890</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>IAS-0001</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData Name="EVENT_HIVE_LEAK">
<Data Name="Detail">6 user registry handles leaked from \Registry\User\S-1-5-21-1974829029-2963902209-3712134996-1000:
Process 988 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1974829029-2963902209-3712134996-1000
Process 1352 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1974829029-2963902209-3712134996-1000\Software\Policies
Process 1816 (\Device\HarddiskVolume3\Windows\System32\spoolsv.exe) has opened key \REGISTRY\USER\S-1-5-21-1974829029-2963902209-3712134996-1000\Software\Policies
Process 1352 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1974829029-2963902209-3712134996-1000\Software
Process 1816 (\Device\HarddiskVolume3\Windows\System32\spoolsv.exe) has opened key \REGISTRY\USER\S-1-5-21-1974829029-2963902209-3712134996-1000\Software
Process 1572 (\Device\HarddiskVolume3\Program Files\McAfee\Common Framework\FrameworkService.exe) has opened key \REGISTRY\USER\S-1-5-21-1974829029-2963902209-3712134996-1000\Software\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness
</Data>
</EventData>
</Event>
-------------------------------------------------------------------------
Log Name: Application
Source: Microsoft-Windows-User Profiles Service
Date: 11/3/2008 7:41:18 PM
Event ID: 1530
Task Category: None
Level: Warning
Keywords: Classic
User: SYSTEM
Computer: IAS-0001
Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.
DETAIL -
3 user registry handles leaked from \Registry\User\S-1-5-21-1974829029-2963902209-3712134996-1000_Classes:
Process 1816 (\Device\HarddiskVolume3\Windows\System32\spoolsv.exe) has opened key \REGISTRY\USER\S-1-5-21-1974829029-2963902209-3712134996-1000_CLASSES
Process 1572 (\Device\HarddiskVolume3\Program Files\McAfee\Common Framework\FrameworkService.exe) has opened key \REGISTRY\USER\S-1-5-21-1974829029-2963902209-3712134996-1000_CLASSES
Process 988 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1974829029-2963902209-3712134996-1000_CLASSES
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" EventSourceName="profsvc" />
<EventID Qualifiers="32768">1530</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2008-11-04T01:41:18.000Z" />
<EventRecordID>35891</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>IAS-0001</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData Name="EVENT_HIVE_LEAK">
<Data Name="Detail">3 user registry handles leaked from \Registry\User\S-1-5-21-1974829029-2963902209-3712134996-1000_Classes:
Process 1816 (\Device\HarddiskVolume3\Windows\System32\spoolsv.exe) has opened key \REGISTRY\USER\S-1-5-21-1974829029-2963902209-3712134996-1000_CLASSES
Process 1572 (\Device\HarddiskVolume3\Program Files\McAfee\Common Framework\FrameworkService.exe) has opened key \REGISTRY\USER\S-1-5-21-1974829029-2963902209-3712134996-1000_CLASSES
Process 988 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1974829029-2963902209-3712134996-1000_CLASSES
</Data>
</EventData>
</Event>
-------------------------------------------------------------------------
Log Name: Application
Source: Microsoft-Windows-EventSystem
Date: 11/3/2008 7:42:22 PM
Event ID: 4625
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: IAS-0001
Description:
The EventSystem sub system is suppressing duplicate event log entries for a duration of 86400 seconds. The suppression timeout can be controlled by a REG_DWORD value named SuppressDuplicateDuration under the following registry key: HKLM\Software\Microsoft\EventSystem\EventLog.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-EventSystem" Guid="{899daace-4868-4295-afcd-9eb8fb497561}" EventSourceName="EventSystem" />
<EventID Qualifiers="16384">4625</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2008-11-04T01:42:22.000Z" />
<EventRecordID>35898</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>IAS-0001</Computer>
<Security />
</System>
<EventData>
<Data Name="param1">86400</Data>
<Data Name="param2">SuppressDuplicateDuration</Data>
<Data Name="param3">Software\Microsoft\EventSystem\EventLog</Data>
</EventData>
</Event>
-------------------------------------------------------------------------
Log Name: Application
Source: Microsoft-Windows-Security-Licensing-SLC
Date: 11/3/2008 7:42:33 PM
Event ID: 1033
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: IAS-0001
Description:
These policies are being excluded since they are only defined with override-only attribute.
Policy Names=(IIS-W3SVC-MaxConcurrentRequests) (Telnet-Client-EnableTelnetClient) (Telnet-Client-EnableTelnetClient_w) (Telnet-Server-EnableTelnetServer) (Telnet-Server-EnableTelnetServer_w) (nfs-admincmdtools-enabled) (nfs-adminmmc-enabled) (nfs-clientcmdtools-enabled) (nfs-clientcore-enabled) (sua-EnableSUA)
App Id=55c92734-d682-4d71-983e-d6ec3f16059f
Sku Id=5e802570-4657-4e84-bfbc-6a0e531b84af
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Licensing-SLC" Guid="{1FD7C1D2-D037-4620-8D29-B2C7E5FCC13A}" EventSourceName="Software Licensing Service" />
<EventID Qualifiers="16384">1033</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2008-11-04T01:42:33.000Z" />
<EventRecordID>35901</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>IAS-0001</Computer>
<Security />
</System>
<EventData>
<Data>(IIS-W3SVC-MaxConcurrentRequests) (Telnet-Client-EnableTelnetClient) (Telnet-Client-EnableTelnetClient_w) (Telnet-Server-EnableTelnetServer) (Telnet-Server-EnableTelnetServer_w) (nfs-admincmdtools-enabled) (nfs-adminmmc-enabled) (nfs-clientcmdtools-enabled) (nfs-clientcore-enabled) (sua-EnableSUA) </Data>
<Data>55c92734-d682-4d71-983e-d6ec3f16059f</Data>
<Data>5e802570-4657-4e84-bfbc-6a0e531b84af</Data>
</EventData>
</Event>
-------------------------------------------------------------------------
Log Name: Application
Source: Microsoft-Windows-Security-Licensing-SLC
Date: 11/3/2008 7:42:33 PM
Event ID: 1003
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: IAS-0001
Description:
The Software Licensing service has completed licensing status check.
Application Id=55c92734-d682-4d71-983e-d6ec3f16059f
Licensing Status=
{1,[1f59edc8-ad79-4d96-a62d-c33ee78da2ec, 8, 0xC004F014,0x0]}{1,[30fab9cc-8614-4339-989f-7ce61fb7a5c4, 8, 0xC004F014,0x0]}
{1,[33a7e8d3-e2ab-413b-96a6-27c83b21c695, 8, 0xC004F014,0x0]}
{1,[56a13760-2b9c-406f-be8a-8f2ef22f10b5, 8, 0xC004F014,0x0]}
{1,[5e802570-4657-4e84-bfbc-6a0e531b84af, 0, 0x0,0x0],[0x0,0x0,0x0,0,0,0x0],[0x0,0xFFFFFFFF,0x0,0,0,0x0],[0x0,0xFFFFFFFF,0x0,0,0,0x0],[0,0,0x0]}
{1,[a79a48fc-70d9-4413-ab47-81cf5d08f7ee, 8, 0xC004F014,0x0]}
{1,[d6a70f3f-2052-4633-a9aa-25ea0cdff672, 8, 0xC004F014,0x0]}
{1,[f00fa8e9-ac0f-4f43-a259-a26c110cbbf9, 8, 0xC004F014,0x0]}
{1,[f79b5e33-4a4e-451c-9e8a-55dcc9bdb89d, 8, 0xC004F014,0x0]}
{1,[afd5f68f-b70f-4000-a21d-28dbc8be8b07, 8, 0xC004F014,0x0]}
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Licensing-SLC" Guid="{1FD7C1D2-D037-4620-8D29-B2C7E5FCC13A}" EventSourceName="Software Licensing Service" />
<EventID Qualifiers="16384">1003</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2008-11-04T01:42:33.000Z" />
<EventRecordID>35902</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>IAS-0001</Computer>
<Security />
</System>
<EventData>
<Data>55c92734-d682-4d71-983e-d6ec3f16059f</Data>
<Data>
{1,[1f59edc8-ad79-4d96-a62d-c33ee78da2ec, 8, 0xC004F014,0x0]}{1,[30fab9cc-8614-4339-989f-7ce61fb7a5c4, 8, 0xC004F014,0x0]}
{1,[33a7e8d3-e2ab-413b-96a6-27c83b21c695, 8, 0xC004F014,0x0]}
{1,[56a13760-2b9c-406f-be8a-8f2ef22f10b5, 8, 0xC004F014,0x0]}
{1,[5e802570-4657-4e84-bfbc-6a0e531b84af, 0, 0x0,0x0],[0x0,0x0,0x0,0,0,0x0],[0x0,0xFFFFFFFF,0x0,0,0,0x0],[0x0,0xFFFFFFFF,0x0,0,0,0x0],[0,0,0x0]}
{1,[a79a48fc-70d9-4413-ab47-81cf5d08f7ee, 8, 0xC004F014,0x0]}
{1,[d6a70f3f-2052-4633-a9aa-25ea0cdff672, 8, 0xC004F014,0x0]}
{1,[f00fa8e9-ac0f-4f43-a259-a26c110cbbf9, 8, 0xC004F014,0x0]}
{1,[f79b5e33-4a4e-451c-9e8a-55dcc9bdb89d, 8, 0xC004F014,0x0]}
{1,[afd5f68f-b70f-4000-a21d-28dbc8be8b07, 8, 0xC004F014,0x0]}
</Data>
</EventData>
</Event>
-------------------------------------------------------------------------
Tuesday, November 4, 2008 2:55 AM -
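For readers triaging the Event ID 1003 output pasted above, here is an added example (not part of the original post and not a Microsoft tool) that parses the "Licensing Status" entries and shows that the only entry with an HRESULT of 0x0 is the Sku Id reported by Event ID 1033. The field names `sku`, `state` and `hr` are this example's own labels, not documented names.

```python
import re

# Constructed sample: the "Licensing Status=" text of Event ID 1003 as pasted
# in the post above, abridged to four entries (note two entries share a line).
SAMPLE = """\
{1,[1f59edc8-ad79-4d96-a62d-c33ee78da2ec, 8, 0xC004F014,0x0]}{1,[30fab9cc-8614-4339-989f-7ce61fb7a5c4, 8, 0xC004F014,0x0]}
{1,[5e802570-4657-4e84-bfbc-6a0e531b84af, 0, 0x0,0x0],[0x0,0x0,0x0,0,0,0x0],[0x0,0xFFFFFFFF,0x0,0,0,0x0],[0x0,0xFFFFFFFF,0x0,0,0,0x0],[0,0,0x0]}
{1,[a79a48fc-70d9-4413-ab47-81cf5d08f7ee, 8, 0xC004F014,0x0]}
"""

# Sku Id reported by Event ID 1033 in the same post.
ACTIVE_SKU = "5e802570-4657-4e84-bfbc-6a0e531b84af"

# First bracket group of each {...} entry: GUID, integer, HRESULT, trailing value.
# Later bracket groups (present only on the long entry) are ignored.
ENTRY = re.compile(
    r"\{\s*\d+\s*,\s*\[\s*"
    r"(?P<sku>[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})\s*,\s*"
    r"(?P<state>\d+)\s*,\s*"
    r"(?P<hr>0x[0-9a-fA-F]+)\s*,"
)

def parse_licensing_status(text):
    """Return one dict per entry; field names are this example's own labels."""
    return [
        {"sku": m["sku"].lower(), "state": int(m["state"]), "hr": int(m["hr"], 16)}
        for m in ENTRY.finditer(text)
    ]

def skus_without_error(entries):
    """SKU ids whose HRESULT field is 0x0."""
    return [e["sku"] for e in entries if e["hr"] == 0]

def error_summary(entries):
    """Count entries per non-zero HRESULT, formatted as in the log."""
    counts = {}
    for e in entries:
        if e["hr"]:
            key = "0x%08X" % e["hr"]
            counts[key] = counts.get(key, 0) + 1
    return counts

if __name__ == "__main__":
    entries = parse_licensing_status(SAMPLE)
    print(skus_without_error(entries))
    print(error_summary(entries))
```
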
Hello B Hill :-)
Please review the following Knowledge Base (KB) article and refer to the resolution portion of the webpage:
KB931573 – You may be prompted to activate Windows Vista on a computer on which Windows Vista was already activated by a Volume License or OEM installation
http://support.microsoft.com/default.aspx?scid=kb;EN-US;931573
If the above does not resolve your issue, please follow the steps below. If the first set of steps does not resolve, move on to the next set of steps.
----------------------------------------------------------------------------------------
Step set #1
1) Open Internet Explorer
2) A Browser will open, type: %windir%\system32 into the address field
3) Find the file cmd.exe
4) Right Click on the cmd.exe and select Run as Administrator
5) Type: cscript slmgr.vbs -rilc (It may take a long time for this to complete, please be patient)
6) Hit the Enter key
7) Reboot 2 times
-------------------------------------------------------------------------------------
Step set #2
1) Open Internet Browser
2) Type %windir%\system32 into the browser address bar.
3) Find the file CMD.exe
4) Right-Click on CMD.exe and select Run as Administrator
5) Type: net stop slsvc (it may ask you if you are sure, select yes)
6) Type: cd %windir%\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareLicensing
7) Type: rename tokens.dat tokens.bar
8) Type: cd %windir%\system32
9) Type net start slsvc
10) Reboot Twice
11) Windows Vista may require you to enter a Product Key [use the Certificate of Authenticity (COA)] SLP Product Key found on the sticker on the side or bottom of your computer and activate. Use the Activate by Phone method outlined below.
From the Desktop:
a) If you have access to the Start button: Click the Start button, and type in "slui.exe 4" in the search field and then press the "Enter" key. This will bring up the Activate by Phone dialog window. Follow the steps provided by the window. The phone activation process should only take about 6 minutes.
b) If you do not have access to the Start button: Reboot and login to Vista, a dialog window will come up. In that window, click the option "Access computer with reduced functionality". Once you do that, Internet Explorer or Firefox browser will open. In the address bar type "c:\windows\system32\cmd.exe" press enter, a new window will come up, type: slui 4 and hit enter and follow steps to Activate over the Phone.
Also you may reference the following site for various Telephone Activation Centers:
http://support.microsoft.com/kb/326851
Thank you for visiting the Genuine Advantage forum.
Stephen Holm, MS
WGA Forum Manager
Stephen Holm
- Marked as answer by Stephen Holm Thursday, November 6, 2008 3:26 AM
- Unmarked as answer by B S Hill Thursday, November 6, 2008 6:17 PM
Thursday, November 6, 2008 3:26 AM -
Stephen,
Thank you for taking the time to respond to my posts. I'd be grateful if you could provide some additional information, though.
I remain unclear on what exactly has happened. Do you see anything in the information I provided that would explain the cause of the errors I experienced? Though I have shut down and rebooted my computer several times since my original post, and haven't experienced the problems again, I would like to know if this is resolved, is simply an intermittent problem, and/or if there is something I did (or a program on my system did) which could cause the problem to recur again in the future. I'm especially concerned about the following descriptions from two of the error messages in the Event Viewer:
"The system has been tampered. hr=0xC004D401" (What is tampering with the system...and how??)
and
"License Activation Scheduler (SLUINotify.dll) failed with the following error code:0xC004D401" (Does this mean the system is failing to, or unable to, look up its activation status?)
Next, how does the solution you posted correct the problem(s)? The error code that is the subject of the KB article provided doesn't seem to match the error code I have experienced. Lastly, could you please explain what the additional steps that you provided do? I'd like to understand what these command lines do, and also how to reverse the changed setting(s), should this be necessary.
Thanks in advance, and I look forward to your reply.
Regards,
Brandon
- Edited by B S Hill Thursday, November 6, 2008 6:16 PM
Thursday, November 6, 2008 6:09 PM -
Hello Brandon,
Please see in-line answers :-).
"The system has been tampered. hr=0xC004D401" (What is tampering with the system...and how??)
Windows Vista is in what we call a 'Mod-Auth' Tamper state. There are 2 types of Mod-Auth tampers.
1) A critical system file was modified On Disk - What this means is that the file, located on the hard drive, was modified in some way. This can be caused by a malicious program (malware) or by manual file modification (by a user of the system). There is also a very small chance that an Update may fail in mid-update and cause this type of issue. As a safety mechanism, Updates are made so that if they fail, they roll back any updating that was done before the failure, but there is an off-chance that the roll back did not occur.
2) A critical system file was modified In Memory - What this means is the file itself (on the hard drive) is un-modified, but the code, from that file, running in the system, was modified in some way and is usually caused by a running program that is incompatible with Windows Vista.
"License Activation Scheduler (SLUINotify.dll) failed with the following error code:0xC004D401"
Brandon, activation issues do fall outside the support scope for WGA, but I would like to redirect you to the http://social.technet.microsoft.com/Forums/en-US/search/?q=Vista%20Product%20Activation forum. Here you can present what you are experiencing and get an answer :-).
Hopefully I was able to answer your questions.
Take care Brandon,
Stephen Holm, MS
WGA Forum Manager
Stephen Holm
- Marked as answer by Stephen Holm Thursday, November 6, 2008 10:59 PM
- Unmarked as answer by B S Hill Tuesday, November 11, 2008 11:37 PM
- Marked as answer by Stephen Holm Wednesday, November 12, 2008 1:55 AM
Thursday, November 6, 2008 10:59 PM -
Stephen,
Thanks for explaining a little more about a couple of the points I raised in my follow-up. However, although I'm pretty clear now on what the warnings mean, I still don't know why the errors in question happened or how to prevent them from happening in the future.
Can you shed some light on those two issues, as they are probably more relevant than simply knowing more about what actually happened?
Also, what is the difference between Activation and WGA, and what is the reason for directing inquiries about that particular error message to another support group?
Regards,
Brandon
Tuesday, November 11, 2008 11:41 PM -
Hello Brandon
The difference between Activation and WGA can be found at http://www.microsoft.com/genuine. Please search this area as it can answer your questions. We try our best to explain issues and provide solutions for Windows Genuine Advantage concerns. There are issues which fall outside the support scope, so we try our best to provide our customers a location where they may be redirected in order to receive answers. As far as what exactly caused your problem, I am not 100% sure, but I did provide you with the 2 types of Mod-Auth tampers and details as to what they are.
Take care Brandon
Stephen Holm, MS
WGA Forum Manager
Stephen Holm
- Marked as answer by Stephen Holm Wednesday, November 12, 2008 2:01 AM
Wednesday, November 12, 2008 2:01 AM