Windows Genuine Advantage pop-up continues despite activation; sfc /scannow reveals hash mismatch on slwga.dll
Hello all, My volume, domain-based license for Windows 7 Professional is supposed to activate automatically upon connection to the network and it usually does. However, I have a user whose laptop recently began issuing the WGA nag seemingly out of nowhere, despite the system menu indicating that Windows is activated. I have tried reactivating it manually both on my own and with MS tech support on the phone, with no change. I ran the MGAdiag tool and initially found a validation code 0x800fe21 error with no file scan reports, but a report of 'tampered file... slcext.dll | slcext.dll.mui' later on. I tried sfc /scannow, but it only reported 'corrupt files...could not fix some of them'. I then replaced the slcext.dll with the same dll from an install DVD, but the problem persisted and the diagnostic report did not change. Finally, I replaced as much of the WAT file hierarchy as I could find in System32 (sppobjs.dll, sppc.dll, sppcext.dll, sppwinob.dll, slc.dll, slcext.dll, sppuinotify.dll, slui.exe, sppcomapi.dll, sppcommdlg.dll, sppsvc.exe) with files from an installation DVD. 
This finally changed the MGAdiag report so that it is as follows:

Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Code: 0
Cached Online Validation Code: 0x0
Windows Product Key: *****-*****-J8D7P-XQJJ2-GPDD4
Windows Product Key Hash: xgsndMkYdJsYmUng0qIJ/thx+HI=
Windows Product ID: 00371-868-0000007-85279
Windows Product ID Type: 1
Windows License Type: KMS Client
Windows OS version: 6.1.7600.2.00010100.0.0.048
ID: {0055D73C-7B1C-4A30-973E-FF3E4F11ED7B}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Professional
Architecture: 0x00000009
Build lab: 7600.win7_gdr.100618-1621
TTS Error:
Validation Diagnostic:
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{0055D73C-7B1C-4A30-973E-FF3E4F11ED7B}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7600.2.00010100.0.0.048</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-GPDD4</PKey><PID>00371-868-0000007-85279</PID><PIDType>1</PIDType><SID>S-1-5-21-4258130026-898627856-1927301690</SID><SYSTEM><Manufacturer>Hewlett-Packard</Manufacturer><Model>HP EliteBook 8540p</Model></SYSTEM><BIOS><Manufacturer>Hewlett-Packard</Manufacturer><Version>68CVD Ver. F.0A</Version><SMBIOSVersion major="2" minor="6"/><Date>20100622000000.000000+000</Date></BIOS><HWID>7CB83607018400FC</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>1</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>HPQOEM</OEMID><OEMTableID>SLIC-MPC</OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>

Spsys.log Content: 0x80070002

Licensing Data-->
Software licensing service version: 6.1.7600.16385
Name: Windows(R) 7, Professional edition
Description: Windows Operating System - Windows(R) 7, VOLUME_KMSCLIENT channel
Activation ID: b92e9980-b9d5-4821-9c94-140f632f6312
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 00371-00170-868-000000-03-1033-7600.0000-0892011
Installation ID: 016366928894357251275883924576040275932131858374162173
Partial Product Key: GPDD4
License Status: Licensed
Volume activation expiration: 259200 minute(s) (180 day(s))
Remaining Windows rearm count: 1
Trusted time: 3/30/2011 5:07:58 PM

Key Management Service client information
Client Machine ID (CMID): 02dc6a2f-b6dc-40a8-a843-d3cab84a06bc
KMS machine name from DNS: sauspatch.labs.att.com:1688
KMS machine extended PID: 55041-00168-313-224255-03-1033-7600.0000-3142009
Activation interval: 120 minutes
Renewal interval: 10080 minutes
KMS host caching is enabled

Windows Activation Technologies-->
HrOffline: 0x00000000
HrOnline: 0x00000000
HealthStatus: 0x0000000000000000
Event Time Stamp: 3:25:2011 08:31
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Not Registered - 0x80070005
HealthStatus Bitmask Output:

HWID Data-->
HWID Hash Current: NAAAAAEABAABAAEAAAACAAAAAgABAAEA6GFAcc4Pmr348CL8RG26Q7yGyizUAU7nwg1cXQ==

OEM Activation 1.0 Data-->
N/A

OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x20001
OEMID and OEMTableID Consistent: yes
BIOS Information:
ACPI Table Name   OEMID Value   OEMTableID Value
APIC              HPQOEM        1521
FACP              HPQOEM        1521
HPET              HPQOEM        1521
MCFG              HPQOEM        1521
TCPA              HPQOEM        1521
SSDT              HPQOEM        SataAhci
SSDT              HPQOEM        SataAhci
SLIC              HPQOEM        SLIC-MPC
SSDT              HPQOEM        SataAhci
SSDT              HPQOEM        SataAhci
SSDT              HPQOEM        SataAhci
SSDT              HPQOEM        SataAhci
ASF!              HPQOEM        1521

As you can see, it is still not quite genuine for some reason... I tried sfc /scannow again and found that a different file was upsetting Windows. From the CBS log:

2011-03-30 17:26:59, Info CSI 000002e1 [SR] Verify complete
2011-03-30 17:26:59, Info CSI 000002e2 [SR] Verifying 80 (0x0000000000000050) components
2011-03-30 17:26:59, Info CSI 000002e3 [SR] Beginning Verify and Repair transaction
2011-03-30 17:27:02, Info CSI 000002e4 Repair results created: POQ 121 starts: POQ 121 ends.
2011-03-30 17:27:02, Info CSI 000002e5 [SR] Verify complete
2011-03-30 17:27:02, Info CSI 000002e6 [SR] Repairing 1 components
2011-03-30 17:27:02, Info CSI 000002e7 [SR] Beginning Verify and Repair transaction
2011-03-30 17:27:02, Info CSI 000002e8 Hashes for file member \SystemRoot\WinSxS\amd64_microsoft-windows-security-spp-wga_31bf3856ad364e35_6.1.7600.16385_none_5b467ba9bd0679bb\slwga.dll do not match actual file [l:18{9}]"slwga.dll" : Found: {l:32 b:TbvuElzomT1l9AmstyZ6sapEsyBVwLkK2djkv/jUxI0=} Expected: {l:32 b:tA0Qz/3NPjGqCgnuGHJFrqI37BjJCy4RlMd/Gm1roU0=}
2011-03-30 17:27:02, Info CSI 000002e9 [SR] Cannot repair member file [l:18{9}]"slwga.dll" of Microsoft-Windows-Security-SPP-WGA, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2011-03-30 17:27:02, Info CSI 000002ea Hashes for file member \SystemRoot\WinSxS\amd64_microsoft-windows-security-spp-wga_31bf3856ad364e35_6.1.7600.16385_none_5b467ba9bd0679bb\slwga.dll do not match actual file [l:18{9}]"slwga.dll" : Found: {l:32 b:TbvuElzomT1l9AmstyZ6sapEsyBVwLkK2djkv/jUxI0=} Expected: {l:32 b:tA0Qz/3NPjGqCgnuGHJFrqI37BjJCy4RlMd/Gm1roU0=}
2011-03-30 17:27:02, Info CSI 000002eb [SR] Cannot repair member file [l:18{9}]"slwga.dll" of Microsoft-Windows-Security-SPP-WGA, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2011-03-30 17:27:02, Info CSI 000002ec [SR] This component was referenced by [l:202{101}]"Microsoft-Windows-Foundation-Package~31bf3856ad364e35~amd64~~6.1.7600.16385.WindowsFoundationDelivery"
2011-03-30 17:27:02, Info CSI 000002ed Repair results created: POQ 122 starts: POQ 122 ends.

So there is a hash mismatch on slwga.dll which is angering Windows... I tried replacing slwga.dll again, but the diag report and CBS log results stayed exactly the same. What can be done about a hash mismatch?

I'm afraid the WGA notification is going to continue vexing and eventually crippling my user, and (worse) lots of Windows Update downloads are failing with 'unknown error' code 8e5e03fb, which I expect is due to Windows believing it is not quite genuine. What can I do from here? I've heard that Service Pack 1 might help, but I am loath to install it blindly when the problem seems so close to resolution...

Thanks,
CCJ
March 31st, 2011 1:12pm
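
An added example, not part of the original thread: a Python parser for the "Hashes for file member ... do not match" entries in the CBS log quoted above, which decodes the base64 Found/Expected digests to hex and checks a candidate replacement file against the expected one. The function names are hypothetical, and treating the 32-byte value as a SHA-256 of the file contents is an assumption.

```python
import base64
import hashlib
import re

# The two slwga.dll entries from the CBS.log excerpt in the post above
# (sfc logs each mismatch twice, under different sequence numbers).
MEMBER = (r"\SystemRoot\WinSxS\amd64_microsoft-windows-security-spp-wga_"
          r"31bf3856ad364e35_6.1.7600.16385_none_5b467ba9bd0679bb\slwga.dll")
ENTRY = ('2011-03-30 17:27:02, Info CSI {seq} Hashes for file member {member} '
         'do not match actual file [l:18{{9}}]"slwga.dll" : '
         'Found: {{l:32 b:TbvuElzomT1l9AmstyZ6sapEsyBVwLkK2djkv/jUxI0=}} '
         'Expected: {{l:32 b:tA0Qz/3NPjGqCgnuGHJFrqI37BjJCy4RlMd/Gm1roU0=}}')
SAMPLE_LOG = "\n".join(ENTRY.format(seq=s, member=MEMBER)
                       for s in ("000002e8", "000002ea"))

# re.S lets the match span lines, since Found/Expected may be wrapped.
MISMATCH = re.compile(
    r'Hashes for file member (?P<path>.+?) do not match actual file.*?'
    r'Found: \{l:(?P<flen>\d+) b:(?P<found>[A-Za-z0-9+/=]+)\}\s*'
    r'Expected: \{l:(?P<elen>\d+) b:(?P<expected>[A-Za-z0-9+/=]+)\}',
    re.S)

def parse_mismatches(log_text):
    """Return unique hash-mismatch records with digests as hex strings."""
    seen, records = set(), []
    for m in MISMATCH.finditer(log_text):
        found = base64.b64decode(m['found'])
        expected = base64.b64decode(m['expected'])
        # The l: prefix is the digest length in bytes; skip inconsistent entries.
        if len(found) != int(m['flen']) or len(expected) != int(m['elen']):
            continue
        key = (m['path'].lower(), found, expected)
        if key not in seen:
            seen.add(key)
            records.append({'path': m['path'], 'found': found.hex(),
                            'expected': expected.hex()})
    return records

def candidate_matches(candidate_bytes, record):
    """True if a replacement file hashes to the digest the store expects.
    Assumption: the 32-byte value is SHA-256 over the file contents."""
    return hashlib.sha256(candidate_bytes).hexdigest() == record['expected']

if __name__ == '__main__':
    for rec in parse_mismatches(SAMPLE_LOG):
        print(rec['path'].rsplit('\\', 1)[-1], rec['found'], rec['expected'])
```

On a live system the input would be the contents of %windir%\Logs\CBS\CBS.log, and candidate_matches can be run on a replacement file before it is copied into place.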

Hi,

Would you please let me know if the Windows Genuine notification occurs now? Do you receive any error message?

The issue can be caused by a corrupted license database. Please rename the tokens.dat and activate the computer again. You can refer to:
http://blogs.technet.com/b/csstwplatform/archive/2011/01/19/windows-2008-kms-lost-activation-status-with-error-0xc004d302-after-reboot.aspx

If the activation fails, please refer to the following article to enable auto-discovery for this KMS client.
http://technet.microsoft.com/en-us/library/ff793406.aspx

Regarding the Windows Update issue, please reset Windows Update components and run the Windows Update Readiness Tool.
http://support.microsoft.com/kb/971058
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=914fbc5b-1fba-4bae-a7c3-d2c47c6fcffc

Best Regards,
Niki

Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
April 4th, 2011 6:25am

Unfortunately the user needed his laptop back ASAP so I wasn't able to experiment further... after re-imaging, the laptop activated without issue so a database problem is unlikely (also dozens of other machines have activated without any problems on the same volume license). Thanks for the links though, it's valuable info!
April 5th, 2011 1:06am
