"An unauthorized change was made to Windows" - Reinstall required!

Question
This happened on an OEM install of Vista. Because Microsoft no longer includes the installation disk, it is impossible to reinstall Windows. There is no reasonable way to get the system working again (but there are unreasonable solutions that involve giving more money to Microsoft.... or Apple).
The "File Scan" section shows:
File Scan Data--> File Mismatch: C:\Windows\system32\shell32.dll[6.0.6002.18646], Hr = 0x800b0100
....but I compared that file with the same file on a working Vista system and found them to be byte-for-byte identical. Here is the complete diagnostic report:
Thursday, December 12, 2013 7:10 PM
All replies
Please run a full CHKDSK and SFC scan....
Click on Start > All Programs > Accessories
Right-click on the Command Prompt entry
Select Run as Administrator and accept the UAC prompt - the Elevated Command Prompt window should pop up.
At the Command prompt, type
CHKDSK C: /R
and hit the Enter key.
You will be told that the drive is locked, and the CHKDSK will run at the next boot - hit the Y key, press Enter, and then reboot.
The CHKDSK will take a few hours depending on the size of the drive, so be patient!
After the CHKDSK has run, Windows should boot normally (possibly after a second auto-reboot) - then run the SFC.
SFC - System File Checker - Instructions
Click on Start > All Programs > Accessories
Right-click on the Command Prompt entry
Select Run as Administrator and accept the UAC prompt - the Elevated Command Prompt window should pop up.
At the Command prompt, type
SFC /SCANNOW
and hit the Enter key
Wait for the scan to finish - make a note of any error messages - and then reboot.
Copy the CBS.log file created (C:\Windows\Logs\CBS\CBS.log) to your desktop (you can't manipulate it directly) and then compress the copy and upload it to your SkyDrive Public folder (http://skydrive.live.com) and post a link to it so that I can take a look.
Post a new MGADiag report with details of any error messages encountered.
Noel Paton | Nil Carborundum Illegitemi
CrashFixPC | The Three-toed Sloth
No - I do not work for Microsoft, or any of its contractors.
- Proposed as answer by Noel D Paton (Moderator) Sunday, December 15, 2013 1:52 PM
Friday, December 13, 2013 9:22 AM (Moderator)
Console output from SFC was as follows:
Beginning system scan. This process will take some time.
Beginning verification phase of system scan.
Verification 100% complete.
Windows Resource Protection found corrupt files but was unable to fix some of them.
Details are included in the CBS.Log windir\Logs\CBS\CBS.log. For example
C:\Windows\Logs\CBS\CBS.log
The system file repair changes will take effect after the next reboot.
The new MGADiag report is as follows:
Tuesday, December 17, 2013 6:08 PM
Here's the summary from the SFC log...
Line 275320: 2013-12-17 12:54:54, Info CSI 0000021c [SR] Repairing 4 components
Line 275321: 2013-12-17 12:54:54, Info CSI 0000021d [SR] Beginning Verify and Repair transaction
Line 275324: 2013-12-17 12:54:54, Info CSI 0000021f [SR] Cannot repair member file [l:50{25}]"PhotoLibraryResources.dll" of Microsoft-Windows-PhotoLibraryResources, Version = 6.0.6000.16386, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
Line 275327: 2013-12-17 12:54:54, Info CSI 00000221 [SR] Cannot repair member file [l:22{11}]"shell32.dll" of Microsoft-Windows-shell32, Version = 6.0.6002.18646, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
Line 275330: 2013-12-17 12:54:54, Info CSI 00000223 [SR] Repairing corrupted file [ml:58{29},l:56{28}]"\??\C:\Windows\system32\wbem"\[l:42{21}]"Wdf01000Uninstall.mof" from store
Line 275333: 2013-12-17 12:54:54, Info CSI 00000225 [SR] Repairing corrupted file [ml:58{29},l:56{28}]"\??\C:\Windows\system32\wbem"\[l:24{12}]"Wdf01000.mof" from store
Line 275342: 2013-12-17 12:54:54, Info CSI 00000229 [SR] Repairing corrupted file [ml:58{29},l:56{28}]"\??\C:\Windows\system32\wbem"\[l:42{21}]"Wdf01000Uninstall.mof" from store
Line 275345: 2013-12-17 12:54:54, Info CSI 0000022b [SR] Repairing corrupted file [ml:58{29},l:56{28}]"\??\C:\Windows\system32\wbem"\[l:24{12}]"Wdf01000.mof" from store
I'm surprised that the Shell32.dll problem doesn't show in the MGADiag report!
I'll post a fix protocol for the outstanding errors a little later, and we'll see how that works.
You may want to check for malware, since damaged system files like this are often the result of infestations.
Please download and install Malwarebytes Anti-malware (free version) from http://www.malwarebytes.org/products/malwarebytes_free/ - UNtick 'Enable free trial of MBAM PRO' at the end of the installation - and update it, then run a full scan in your main account, and Quick scans in any other user accounts.
Delete everything it finds
Noel Paton | Nil Carborundum Illegitemi
CrashFixPC | The Three-toed Sloth
No - I do not work for Microsoft, or any of its contractors.
Wednesday, December 18, 2013 9:48 AM (Moderator)
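
An added example, not part of the original thread and not Microsoft tooling: a short Python script that pulls the `[SR]` entries out of a CBS.log and separates the files SFC restored from the ones it could not repair, which is the triage done by hand in the post above. The sample lines are copied from that post's excerpt; the names `summarize_sfc`, `CANNOT` and `REPAIRED` are assumptions of this example.

```python
import re

# [SR] entries copied from the CBS.log summary in the post above, with the
# editor's "Line NNNNNN:" prefixes dropped.
SAMPLE_LOG = r'''
2013-12-17 12:54:54, Info CSI 0000021c [SR] Repairing 4 components
2013-12-17 12:54:54, Info CSI 0000021f [SR] Cannot repair member file [l:50{25}]"PhotoLibraryResources.dll" of Microsoft-Windows-PhotoLibraryResources, Version = 6.0.6000.16386, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2013-12-17 12:54:54, Info CSI 00000221 [SR] Cannot repair member file [l:22{11}]"shell32.dll" of Microsoft-Windows-shell32, Version = 6.0.6002.18646, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2013-12-17 12:54:54, Info CSI 00000223 [SR] Repairing corrupted file [ml:58{29},l:56{28}]"\??\C:\Windows\system32\wbem"\[l:42{21}]"Wdf01000Uninstall.mof" from store
2013-12-17 12:54:54, Info CSI 00000225 [SR] Repairing corrupted file [ml:58{29},l:56{28}]"\??\C:\Windows\system32\wbem"\[l:24{12}]"Wdf01000.mof" from store
2013-12-17 12:54:54, Info CSI 00000229 [SR] Repairing corrupted file [ml:58{29},l:56{28}]"\??\C:\Windows\system32\wbem"\[l:42{21}]"Wdf01000Uninstall.mof" from store
2013-12-17 12:54:54, Info CSI 0000022b [SR] Repairing corrupted file [ml:58{29},l:56{28}]"\??\C:\Windows\system32\wbem"\[l:24{12}]"Wdf01000.mof" from store
'''

# SFC could not repair this member file; the reason follows "in the store,".
CANNOT = re.compile(r'\[SR\] Cannot repair member file \[[^\]]*\]"([^"]+)" of ([^,]+), '
                    r'Version = ([\d.]+),.*?in the store, (.+)$')
# SFC replaced this file with the copy held in the component store.
REPAIRED = re.compile(r'\[SR\] Repairing corrupted file \[[^\]]*\]"([^"]+)"'
                      r'\\\[[^\]]*\]"([^"]+)" from store')


def summarize_sfc(log_text):
    """Return (unrepaired, repaired) built from the [SR] lines of a CBS.log."""
    unrepaired, repaired = {}, {}
    for line in log_text.splitlines():
        line = line.strip()
        m = CANNOT.search(line)
        if m:
            name, component, version, reason = m.groups()
            # Key on file name and version so repeated entries collapse.
            unrepaired[(name, version)] = {"component": component, "reason": reason}
            continue
        m = REPAIRED.search(line)
        if m:
            directory, name = m.groups()
            # Drop the NT object-manager prefix \??\ to get a normal path.
            path = directory.replace("\\??\\", "", 1) + "\\" + name
            repaired[path] = repaired.get(path, 0) + 1
    return unrepaired, repaired


if __name__ == "__main__":
    bad, fixed = summarize_sfc(SAMPLE_LOG)
    for (name, version), info in bad.items():
        print(f"NOT REPAIRED {name} {version} ({info['component']}): {info['reason']}")
    for path, hits in fixed.items():
        print(f"repaired     {path} (logged {hits}x)")
```
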
Sorry about the delay!
I've uploaded a file - sdfaa.zip - to my SkyDrive at Noel's SkyDrive
Please download and save it.
Right-click on the saved file and select Extract all...
Change the target to C:\ and click on Extract
Close all windows (it would be a good idea to print these instructions!)
Now reboot to the Repair Environment - as soon as the machine restarts, start tapping F8 - this should bring up the Advanced Boot Menu, at the top of which should be the option 'Repair my Computer'
Pick that
You'll have to log in with your username and password.
Pick the option to use a Command Prompt
At the prompt type
DIR C:\sdfaa
hit the enter key - if you get a 'Not Found' error try
DIR D:\sdfaa
or
DIR E:\sdfaa
The drive letter in use when you find the folder will need to be substituted (for <drive>) into the following command...
XCOPY <drive>:\sdfaa <drive>:\windows\winsxs /y /i /s /v /h
(e.g. XCOPY P:\wfire P:\windows\winsxs /y /i /s /v /h )
run the command (it should take almost no time) and when the prompt returns, type
EXIT
and hit the Enter key to exit Command Prompt - reboot to Normal Mode Windows.
Now run SFC /SCANNOW in an Elevated Command Prompt then reboot and upload the new CBS.log file to your SkyDrive Public folder, and post a new link
Also run a new MGADiag report, and post the result.
Noel Paton | Nil Carborundum Illegitemi
CrashFixPC | The Three-toed Sloth
No - I do not work for Microsoft, or any of its contractors.
- Proposed as answer by Noel D Paton (Moderator) Thursday, December 26, 2013 8:45 PM
- Marked as answer by Noel D Paton (Moderator) Sunday, January 26, 2014 11:39 AM
Thursday, December 19, 2013 2:19 PM (Moderator)
Any update on this?
Noel Paton | Nil Carborundum Illegitemi
CrashFixPC | The Three-toed Sloth
No - I do not work for Microsoft, or any of its contractors.
Sunday, December 29, 2013 1:42 PM (Moderator)
No update yet. My employer was closed for the holidays. I'll post it as soon as I have it.
Thursday, January 2, 2014 6:25 PM
No problem - come back when you can!
Noel Paton | Nil Carborundum Illegitemi
CrashFixPC | The Three-toed Sloth
No - I do not work for Microsoft, or any of its contractors.
Thursday, January 2, 2014 7:47 PM (Moderator)
Any further progress?
Noel Paton | Nil Carborundum Illegitemi
CrashFixPC | The Three-toed Sloth
No - I do not work for Microsoft, or any of its contractors.
Sunday, January 19, 2014 10:55 AM (Moderator)