An Unauthorised Change was made to Windows - Error 0xC004D401

  • Question

  • I look after a Windows 2008 Standard Server and had an error popup appear stating

    "An unauthorized change was made to Windows - you will no longer receive notifications .....etc"

    Error 0xC004D401 - The security processor reported a system file mismatch error.

    The server is still running and the Exchange server that is on it is still functioning.

    However some functions aren't working - can't get into control panel for instance.

    So I did some trawling and found a fair bit of info.

    I did the MGADiag and got the following

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->
    Validation Status: Invalid License
    Validation Code: 50
    Cached Online Validation Code: N/A, hr = 0xc004d401
    Windows Product Key: *****-*****-WW674-GGYP9-7973V
    Windows Product Key Hash: MEmx+Kr0gEg1D5PrwscFbtXScqk=
    Windows Product ID: 92573-OEM-7507351-50675
    Windows Product ID Type: 3
    Windows License Type: OEM System Builder
    Windows OS version: 6.0.6001.2.00020110.1.0.000
    ID: {F8DCAE27-8056-4A39-A1C0-B215E3DB8ABC}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: Registered, 1.9.42.0
    Signed By: Microsoft
    Product Name: Windows Server (R) 2008 Standard
    Architecture: 0x00000009
    Build lab: 6001.vistasp1_gdr.101014-0432
    TTS Error: K:20130603130913189-M:20130601030753264-
    Validation Diagnostic: 
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 109 N/A
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{F8DCAE27-8056-4A39-A1C0-B215E3DB8ABC}</UGUID><Version>1.9.0027.0</Version><OS>6.0.6001.2.00020110.1.0.000</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-7973V</PKey><PID>92573-OEM-7507351-50675</PID><PIDType>3</PIDType><SID>S-1-5-21-4036637347-18724830-3552170445</SID><SYSTEM><Manufacturer>FUJITSU SIEMENS</Manufacturer><Model>PRIMERGY TX200 S4             </Model></SYSTEM><BIOS><Manufacturer>FUJITSU SIEMENS // Phoenix Technologies Ltd.</Manufacturer><Version>4.06  Rev. 1.01.2509            </Version><SMBIOSVersion major="2" minor="4"/><Date>20080205000000.000000+000</Date></BIOS><HWID>39333507018400F8</HWID><UserLCID>0809</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>GMT Standard Time(GMT+00:00)</TimeZone><iJoin>1</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>  

    Spsys.log Content: U1BMRwEAAAAAAQAACAAAAAxGPQEAAAAAYWECAAAAAAAAayvTbF7OARhy9171jCizkdIEkQaJZ678TpIBtK8euGahnsMBFNqJrgk30egsn9gyfrVcwZ3ZNSd7IPmIgITKmLNv1wD2WLamQmtmfWZV7E+hE1ugqafQqaOcEd48HYsOntqnEBPIUIqaMVS50xsGhTiu2v3HTjLlzsauw1rN6YPtvvhlgmsOgBe4wEVRYcHWzat6M07q88GxBpop0WwiuBXa5HXuzs1OU5kpI4Km83cHZMn5BmY2HdKPD8tNYkwP34K9Ekif+jOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAw=

    Licensing Data-->
    C:\Windows\system32\slmgr.vbs(1634, 5) (null): 0xC004D401

    Windows Activation Technologies-->
    N/A

    HWID Data-->
    HWID Hash Current: MgAAAAEAAgABAAEAAwAAAAAAAgABAAEAGp4EarL3aCbyaPCKCI6ucKhR8vRSw6xWTFg=

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes, but no SLIC table
    Windows marker version: N/A
    OEMID and OEMTableID Consistent: N/A
    BIOS Information: 
      ACPI Table Name OEMID Value OEMTableID Value
      APIC PTLTD APIC  
      FACP FSC   D2509
      HPET PTLTD HPETTBL 
      BOOT PTLTD $SBFTBL$
      MCFG PTLTD  MCFG  
      SPCR PTLTD $UCRTBL$
      SSDT FSC   EISTCPU0
      SSDT FSC   EISTCPU0
      SSDT FSC   EISTCPU0
      SSDT FSC   EISTCPU0
      SSDT FSC   EISTCPU0
      SSDT FSC   EISTCPU0
      SSDT FSC   EISTCPU0
      SSDT FSC   EISTCPU0

    From this page http://social.microsoft.com/Forums/en-US/genuinevista/thread/c0347ece-574b-499b-85af-04c05ca69023 I think that, as there is nothing under 'file scan info', this points to an incompatible program. However I can't get into control panel or appwiz to uninstall anything.

    I also ran SFC /verifyonly. This came back with the following

    "Windows Resource Protection found integrity violations. Detail are in C:\windows\logs\CBS\CBS.log"

    I've looked at the CBS log but it's huge and I'm not sure what to look for. I want to identify the file(s) that are causing the issue to give me a chance of removing the right program. Can anyone tell me what to look for in the CBS.log?

    Also saw this solution http://social.technet.microsoft.com/Forums/en-US/winservermanager/thread/ca298c12-940b-4c35-a465-137db4b628fd

    but have no idea what the script actually does and therefore whether it's safe to run.

    My big concern is that, as some posts have said, I reboot and then can't log on, and I'm left with an inoperable email server.

    Any extra info that could help identify the real issue would be appreciated.

    R

    Friday, June 7, 2013 12:34 PM

All replies

  • This issue may be caused by hardware and software problems. Scenarios that may lead to this issue include but are not limited to the following:

    A hard disk error occurred.
    A program that is incompatible with Windows Vista is installed.

     

    Please refer to this KB:


    Error message when you use Windows Vista: "An unauthorized change was made to your license"
    http://support.microsoft.com/kb/931699

    Monday, June 10, 2013 4:06 AM
  • Run the following commands sequentially from an elevated cmd (Run as Admin) and see if that helps

    1. icacls %windir%\serviceprofiles\networkservice\appdata\roaming\microsoft\softwarelicensing /grant "BUILTIN\Administrators:(OI)(CI)(F)" "NT AUTHORITY\SYSTEM:(OI)(CI)(F)" "NT Service\slsvc:(OI)(CI)(R,W,D)"
    2.  net stop slsvc && net start slsvc



    Regards, Santosh

    I do not represent the organisation I work for, all the opinions expressed here, are my own.

    This posting is provided AS IS with no warranties or guarantees and confers no rights.


    Monday, June 10, 2013 5:01 AM
  • Cheers Cheers, but I've covered these issues in my original post. Also it's not Vista and I'm not restarting until I've a better idea of the problem.
    Wednesday, June 12, 2013 9:36 PM
  • Thanks Santosh, tried this but license still invalid. Don't think it's a permissions issue. It's a file issue.

    If anyone can let me know how to interpret the CBS log I'm hoping this will be a start.

    Thanks


    R

    Wednesday, June 12, 2013 9:39 PM
  • If anyone can let me know how to interpret the CBS log I'm hoping this will be a start.

    How to analyze the log file entries that the Microsoft Windows Resource Checker (SFC.exe) program generates in Windows Vista - article is applicable to WS 2008 as well since both Vista and WS 2008 have the same code base.

    Regards, Santosh


    Thursday, June 13, 2013 3:18 AM
  • Hi Santosh,

    thanks for the pointer. I weeded out the following from the CBS file

    2013-06-05 17:51:36, Info                  CSI    00000131 [SR] Verify complete
    2013-06-05 17:51:36, Info                  CSI    00000132 [SR] Verifying 100 (0x0000000000000064) components
    2013-06-05 17:51:36, Info                  CSI    00000133 [SR] Beginning Verify and Repair transaction
    2013-06-05 17:51:38, Info                  CSI    00000134 Hashes for file member \SystemRoot\WinSxS\amd64_microsoft-windows-s..onfiguration-wizard_31bf3856ad364e35_6.0.6001.18000_none_980e031d0397d753\scwvariables.xml do not match actual file [l:32{16}]"scwvariables.xml" :
      Found: {l:32 b:fGqMO3OFxggeHpXSicGbhktZ19XTGUG3C/gKGwQvwFs=} Expected: {l:32 b:vh/Tpmyj15maCCdMLUbLZ5pxibPU/7Q+yDDiMjcSKVw=}
    2013-06-05 17:51:38, Info                  CSI    00000135 [SR] Cannot repair member file [l:32{16}]"scwvariables.xml" of Microsoft-Windows-Security-Configuration-Wizard, Version = 6.0.6001.18000, pA = PROCESSOR_ARCHITECTURE_AMD64 (9),
     Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
    2013-06-05 17:51:41, Info                  CSI    00000136 Hashes for file member \SystemRoot\WinSxS\amd64_microsoft-windows-s..onfiguration-wizard_31bf3856ad364e35_6.0.6001.18000_none_980e031d0397d753\scwvariables.xml do not match actual file [l:32{16}]"scwvariables.xml" :
      Found: {l:32 b:fGqMO3OFxggeHpXSicGbhktZ19XTGUG3C/gKGwQvwFs=} Expected: {l:32 b:vh/Tpmyj15maCCdMLUbLZ5pxibPU/7Q+yDDiMjcSKVw=}
    2013-06-05 17:51:41, Info                  CSI    00000137 [SR] Cannot repair member file [l:32{16}]"scwvariables.xml" of Microsoft-Windows-Security-Configuration-Wizard, Version = 6.0.6001.18000, pA = PROCESSOR_ARCHITECTURE_AMD64 (9),
    Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
    2013-06-05 17:51:41, Info                  CSI    00000138 [SR] This component was referenced by [l:242{121}]"Microsoft-Windows-Server-Features-Package~31bf3856ad364e35~amd64~~6.0.6001.18000.Microsoft-Windows-Server-Features-Update"
    2013-06-05 17:51:41, Info                  CSI    00000139 Hashes for file member \??\C:\Windows\security\msscw\TransformFiles\scwvariables.xml do not match actual file [l:32{16}]"scwvariables.xml" :
      Found: {l:32 b:fGqMO3OFxggeHpXSicGbhktZ19XTGUG3C/gKGwQvwFs=} Expected: {l:32 b:vh/Tpmyj15maCCdMLUbLZ5pxibPU/7Q+yDDiMjcSKVw=}
    2013-06-05 17:51:41, Info                  CSI    0000013a Hashes for file member \SystemRoot\WinSxS\amd64_microsoft-windows-s..onfiguration-wizard_31bf3856ad364e35_6.0.6001.18000_none_980e031d0397d753\scwvariables.xml do not match actual file [l:32{16}]"scwvariables.xml" :
      Found: {l:32 b:fGqMO3OFxggeHpXSicGbhktZ19XTGUG3C/gKGwQvwFs=} Expected: {l:32 b:vh/Tpmyj15maCCdMLUbLZ5pxibPU/7Q+yDDiMjcSKVw=}
    2013-06-05 17:51:41, Info                  CSI    0000013b [SR] Could not reproject corrupted file [ml:520{260},l:88{44}]"\??\C:\Windows\security\msscw\TransformFiles"\[l:32{16}]"scwvariables.xml"; source file in store is also corrupted
    2013-06-05 17:51:42, Info                  CSI    0000013c Repair results created:

    So it looks like this scwvariables.xml file is corrupt. I took a look at the folder and the file does have a different date to all the other files in the folder.

    I took a look at another 2008 Server and the file size is different - the corrupt one is 1k the good one on the other server is 136k

    So my next question is - Does anyone know if I can just replace this file with one from another server? Or is there any other way of repairing it besides SFC?

    Many Thanks

    R

    Monday, June 17, 2013 2:34 PM
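The CSI and [SR] entries quoted in the post above repeat the same finding several times; collapsing them into one record per damaged file makes a large CBS.log readable. The Python below is an added example, not part of the original thread or of any Microsoft tool: the function name `summarize` and the report layout are assumptions, and the sample lines are copied from the excerpt above with wrapped continuation lines omitted.

```python
import re

# Lines copied from the CBS.log excerpt in the post above (continuation lines omitted).
SAMPLE = r'''2013-06-05 17:51:38, Info                  CSI    00000134 Hashes for file member \SystemRoot\WinSxS\amd64_microsoft-windows-s..onfiguration-wizard_31bf3856ad364e35_6.0.6001.18000_none_980e031d0397d753\scwvariables.xml do not match actual file [l:32{16}]"scwvariables.xml" :
  Found: {l:32 b:fGqMO3OFxggeHpXSicGbhktZ19XTGUG3C/gKGwQvwFs=} Expected: {l:32 b:vh/Tpmyj15maCCdMLUbLZ5pxibPU/7Q+yDDiMjcSKVw=}
2013-06-05 17:51:38, Info                  CSI    00000135 [SR] Cannot repair member file [l:32{16}]"scwvariables.xml" of Microsoft-Windows-Security-Configuration-Wizard, Version = 6.0.6001.18000, pA = PROCESSOR_ARCHITECTURE_AMD64 (9),
2013-06-05 17:51:41, Info                  CSI    00000136 Hashes for file member \SystemRoot\WinSxS\amd64_microsoft-windows-s..onfiguration-wizard_31bf3856ad364e35_6.0.6001.18000_none_980e031d0397d753\scwvariables.xml do not match actual file [l:32{16}]"scwvariables.xml" :
  Found: {l:32 b:fGqMO3OFxggeHpXSicGbhktZ19XTGUG3C/gKGwQvwFs=} Expected: {l:32 b:vh/Tpmyj15maCCdMLUbLZ5pxibPU/7Q+yDDiMjcSKVw=}
2013-06-05 17:51:41, Info                  CSI    00000139 Hashes for file member \??\C:\Windows\security\msscw\TransformFiles\scwvariables.xml do not match actual file [l:32{16}]"scwvariables.xml" :
  Found: {l:32 b:fGqMO3OFxggeHpXSicGbhktZ19XTGUG3C/gKGwQvwFs=} Expected: {l:32 b:vh/Tpmyj15maCCdMLUbLZ5pxibPU/7Q+yDDiMjcSKVw=}
2013-06-05 17:51:41, Info                  CSI    0000013b [SR] Could not reproject corrupted file [ml:520{260},l:88{44}]"\??\C:\Windows\security\msscw\TransformFiles"\[l:32{16}]"scwvariables.xml"; source file in store is also corrupted
'''

MISMATCH = re.compile(r'Hashes for file member (.+?) do not match actual file')
HASHES = re.compile(r'Found: \{l:\d+ b:([^}]+)\} Expected: \{l:\d+ b:([^}]+)\}')
NO_REPAIR = re.compile(r'\[SR\] Cannot repair member file \[[^\]]*\]"([^"]+)" of ([^,]+),')
STORE_BAD = re.compile(r'\[SR\] Could not reproject corrupted file .*"([^"]+)"; '
                       r'source file in store is also corrupted')

def summarize(text):
    """Collapse repeated CSI/[SR] entries into one record per damaged file."""
    report = {'mismatches': {}, 'unrepairable': {}, 'store_also_corrupt': set()}
    pending = None  # mismatch record still waiting for its Found/Expected line
    for line in text.splitlines():
        m = MISMATCH.search(line)
        if m:
            pending = report['mismatches'].setdefault(m.group(1), {'count': 0})
            pending['count'] += 1
            continue
        m = HASHES.search(line)
        if m and pending is not None:
            pending['found'], pending['expected'] = m.groups()
            pending = None
            continue
        m = NO_REPAIR.search(line)
        if m:  # file name -> owning component
            report['unrepairable'][m.group(1)] = m.group(2)
            continue
        m = STORE_BAD.search(line)
        if m:  # the WinSxS source copy is damaged too, so SFC has nothing to restore from
            report['store_also_corrupt'].add(m.group(1))
    return report

if __name__ == '__main__':
    result = summarize(SAMPLE)
    for path, rec in result['mismatches'].items():
        print(rec['count'], path, rec['found'], '!=', rec['expected'])
    print('unrepairable:', result['unrepairable'])
    print('store copy also corrupt:', sorted(result['store_also_corrupt']))
```

A file name that appears in `store_also_corrupt` is one SFC cannot fix on its own, which matches the "source file in store is also corrupted" line in the excerpt.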
  • Since sfc didn't work, replacing the file should do the trick. Give it a try.

    Regards, Santosh


    Monday, June 17, 2013 2:53 PM