Windows Genuine Advantage pop-up continues despite activation; sfc /scannow reveals hash mismatch on slwga.dll
Hello all,
My volume, domain-based license for Windows 7 Professional is supposed to activate automatically upon connection to the network and it usually does. However, I have a user whose laptop recently began issuing the WGA nag seemingly out of nowhere, despite the system menu indicating that Windows is activated. I have tried reactivating it manually both on my own and with MS tech support on the phone, with no change. I ran the MGAdiag tool and initially found a validation code 0x800fe21 error with no file scan reports, but a report of 'tampered file... slcext.dll | slcext.dll.mui' later on. I tried sfc /scannow, but it only reported 'corrupt files...could not fix some of them'. I then replaced the slcext.dll with the same dll from an install DVD, but the problem persisted and the diagnostic report did not change. Finally, I replaced as much of the WAT file hierarchy as I could find in System32 (sppobjs.dll, sppc.dll, sppcext.dll, sppwinob.dll, slc.dll, slcext.dll, sppuinotify.dll, slui.exe, sppcomapi.dll, sppcommdlg.dll, sppsvc.exe) with files from an installation DVD. This finally changed the MGAdiag report so that it is as follows:
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Code: 0
Cached Online Validation Code: 0x0
Windows Product Key: *****-*****-J8D7P-XQJJ2-GPDD4
Windows Product Key Hash: xgsndMkYdJsYmUng0qIJ/thx+HI=
Windows Product ID: 00371-868-0000007-85279
Windows Product ID Type: 1
Windows License Type: KMS Client
Windows OS version: 6.1.7600.2.00010100.0.0.048
ID: {0055D73C-7B1C-4A30-973E-FF3E4F11ED7B}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Professional
Architecture: 0x00000009
Build lab: 7600.win7_gdr.100618-1621
TTS Error:
Validation Diagnostic:
Resolution Status: N/A
Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002
OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002
OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3
Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed
File Scan Data-->
Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{0055D73C-7B1C-4A30-973E-FF3E4F11ED7B}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7600.2.00010100.0.0.048</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-GPDD4</PKey><PID>00371-868-0000007-85279</PID><PIDType>1</PIDType><SID>S-1-5-21-4258130026-898627856-1927301690</SID><SYSTEM><Manufacturer>Hewlett-Packard</Manufacturer><Model>HP
EliteBook 8540p</Model></SYSTEM><BIOS><Manufacturer>Hewlett-Packard</Manufacturer><Version>68CVD Ver. F.0A</Version><SMBIOSVersion major="2" minor="6"/><Date>20100622000000.000000+000</Date></BIOS><HWID>7CB83607018400FC</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern
Standard Time(GMT-05:00)</TimeZone><iJoin>1</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>HPQOEM</OEMID><OEMTableID>SLIC-MPC</OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>
Spsys.log Content: 0x80070002
Licensing Data-->
Software licensing service version: 6.1.7600.16385
Name: Windows(R) 7, Professional edition
Description: Windows Operating System - Windows(R) 7, VOLUME_KMSCLIENT channel
Activation ID: b92e9980-b9d5-4821-9c94-140f632f6312
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 00371-00170-868-000000-03-1033-7600.0000-0892011
Installation ID: 016366928894357251275883924576040275932131858374162173
Partial Product Key: GPDD4
License Status: Licensed
Volume activation expiration: 259200 minute(s) (180 day(s))
Remaining Windows rearm count: 1
Trusted time: 3/30/2011 5:07:58 PM
Key Management Service client information
Client Machine ID (CMID): 02dc6a2f-b6dc-40a8-a843-d3cab84a06bc
KMS machine name from DNS: sauspatch.labs.att.com:1688
KMS machine extended PID: 55041-00168-313-224255-03-1033-7600.0000-3142009
Activation interval: 120 minutes
Renewal interval: 10080 minutes
KMS host caching is enabled
Windows Activation Technologies-->
HrOffline: 0x00000000
HrOnline: 0x00000000
HealthStatus: 0x0000000000000000
Event Time Stamp: 3:25:2011 08:31
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Not Registered - 0x80070005
HealthStatus Bitmask Output:
HWID Data-->
HWID Hash Current: NAAAAAEABAABAAEAAAACAAAAAgABAAEA6GFAcc4Pmr348CL8RG26Q7yGyizUAU7nwg1cXQ==
OEM Activation 1.0 Data-->
N/A
OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x20001
OEMID and OEMTableID Consistent: yes
BIOS Information:
ACPI Table Name    OEMID Value    OEMTableID Value
APIC               HPQOEM         1521
FACP               HPQOEM         1521
HPET               HPQOEM         1521
MCFG               HPQOEM         1521
TCPA               HPQOEM         1521
SSDT               HPQOEM         SataAhci
SSDT               HPQOEM         SataAhci
SLIC               HPQOEM         SLIC-MPC
SSDT               HPQOEM         SataAhci
SSDT               HPQOEM         SataAhci
SSDT               HPQOEM         SataAhci
SSDT               HPQOEM         SataAhci
ASF!               HPQOEM         1521
As you can see, it is still not quite genuine for some reason... I tried sfc /scannow again and found that a different file was upsetting Windows. From the CBS log:
2011-03-30 17:26:59, Info CSI 000002e1 [SR] Verify complete
2011-03-30 17:26:59, Info CSI 000002e2 [SR] Verifying 80 (0x0000000000000050) components
2011-03-30 17:26:59, Info CSI 000002e3 [SR] Beginning Verify and Repair transaction
2011-03-30 17:27:02, Info CSI 000002e4 Repair results created:
POQ 121 starts:
POQ 121 ends.
2011-03-30 17:27:02, Info CSI 000002e5 [SR] Verify complete
2011-03-30 17:27:02, Info CSI 000002e6 [SR] Repairing 1 components
2011-03-30 17:27:02, Info CSI 000002e7 [SR] Beginning Verify and Repair transaction
2011-03-30 17:27:02, Info CSI 000002e8 Hashes for file member \SystemRoot\WinSxS\amd64_microsoft-windows-security-spp-wga_31bf3856ad364e35_6.1.7600.16385_none_5b467ba9bd0679bb\slwga.dll
do not match actual file [l:18{9}]"slwga.dll" :
Found: {l:32 b:TbvuElzomT1l9AmstyZ6sapEsyBVwLkK2djkv/jUxI0=} Expected: {l:32 b:tA0Qz/3NPjGqCgnuGHJFrqI37BjJCy4RlMd/Gm1roU0=}
2011-03-30 17:27:02, Info CSI 000002e9 [SR] Cannot repair member file [l:18{9}]"slwga.dll" of Microsoft-Windows-Security-SPP-WGA, Version
= 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2011-03-30 17:27:02, Info CSI 000002ea Hashes for file member \SystemRoot\WinSxS\amd64_microsoft-windows-security-spp-wga_31bf3856ad364e35_6.1.7600.16385_none_5b467ba9bd0679bb\slwga.dll
do not match actual file [l:18{9}]"slwga.dll" :
Found: {l:32 b:TbvuElzomT1l9AmstyZ6sapEsyBVwLkK2djkv/jUxI0=} Expected: {l:32 b:tA0Qz/3NPjGqCgnuGHJFrqI37BjJCy4RlMd/Gm1roU0=}
2011-03-30 17:27:02, Info CSI 000002eb [SR] Cannot repair member file [l:18{9}]"slwga.dll" of Microsoft-Windows-Security-SPP-WGA, Version
= 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2011-03-30 17:27:02, Info CSI 000002ec [SR] This component was referenced by [l:202{101}]"Microsoft-Windows-Foundation-Package~31bf3856ad364e35~amd64~~6.1.7600.16385.WindowsFoundationDelivery"
2011-03-30 17:27:02, Info CSI 000002ed Repair results created:
POQ 122 starts:
POQ 122 ends.
So there is a hash mismatch on slwga.dll which is angering Windows... I tried replacing slwga.dll again, but the diag report and cbs log results stayed exactly the same. What can be done about a hash mismatch? I'm afraid the WGA notification is going to continue vexing and eventually crippling my user, and (worse) lots of Windows Update downloads are failing with 'unknown error' code 8e5e03fb, which I expect is due to Windows believing it is not quite genuine. What can I do from here? I've heard that Service Pack 1 might help, but I am loath to install it blindly when the problem seems so close to resolution...
Thanks,
CCJ
March 31st, 2011 1:12pm
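Added example, not part of the original thread: a Python sketch that pulls the `[SR]` hash-mismatch records out of CBS.log text and checks whether a candidate replacement file matches the hash the component store expects. It assumes the 32-byte `b:` values are base64-encoded SHA-256 digests; the function names are illustrative, and the sample is built from the log excerpt quoted above, which names the copy under `\SystemRoot\WinSxS`.

```python
import base64
import hashlib
import re

# Sample built from the CBS.log excerpt quoted in the post (same entry logged twice).
SAMPLE_LOG = r'''
2011-03-30 17:27:02, Info CSI 000002e8 Hashes for file member \SystemRoot\WinSxS\amd64_microsoft-windows-security-spp-wga_31bf3856ad364e35_6.1.7600.16385_none_5b467ba9bd0679bb\slwga.dll
do not match actual file [l:18{9}]"slwga.dll" :
Found: {l:32 b:TbvuElzomT1l9AmstyZ6sapEsyBVwLkK2djkv/jUxI0=} Expected: {l:32 b:tA0Qz/3NPjGqCgnuGHJFrqI37BjJCy4RlMd/Gm1roU0=}
2011-03-30 17:27:02, Info CSI 000002ea Hashes for file member \SystemRoot\WinSxS\amd64_microsoft-windows-security-spp-wga_31bf3856ad364e35_6.1.7600.16385_none_5b467ba9bd0679bb\slwga.dll
do not match actual file [l:18{9}]"slwga.dll" :
Found: {l:32 b:TbvuElzomT1l9AmstyZ6sapEsyBVwLkK2djkv/jUxI0=} Expected: {l:32 b:tA0Qz/3NPjGqCgnuGHJFrqI37BjJCy4RlMd/Gm1roU0=}
'''

MISMATCH = re.compile(
    r'Hashes for file member (?P<path>\S+)\s+do not match actual file\s+'
    r'\[[^\]]*\]"(?P<name>[^"]+)"\s*:\s*'
    r'Found:\s*\{l:\d+ b:(?P<found>[^}]+)\}\s*'
    r'Expected:\s*\{l:\d+ b:(?P<expected>[^}]+)\}')

def find_mismatches(log_text):
    """Return unique hash-mismatch records, in first-seen order."""
    seen, out = set(), []
    for m in MISMATCH.finditer(log_text):
        rec = m.groupdict()
        key = (rec["path"].lower(), rec["found"], rec["expected"])
        if key not in seen:  # sfc logs the same member once per repair pass
            seen.add(key)
            out.append(rec)
    return out

def sha256_b64(data):
    """Base64 of the SHA-256 digest (assumed to be the log's hash encoding)."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")

def check_candidate(data, rec):
    """Classify a candidate file's bytes against one mismatch record."""
    digest = sha256_b64(data)
    if digest == rec["expected"]:
        return "matches-manifest"   # the copy the component store expects
    if digest == rec["found"]:
        return "same-as-bad-copy"   # identical to the file sfc rejected
    return "different-build"        # neither; likely another version

if __name__ == "__main__":
    for rec in find_mismatches(SAMPLE_LOG):
        print(rec["name"], "expected", rec["expected"], "found", rec["found"])
```

Passing the bytes of a replacement file to `check_candidate` before copying it shows whether it is the build the manifest expects.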
Hi,
Would you please let me know if the Windows Genuine notification occurs now? Do you receive any error message?
The issue can be caused by a corrupted license database. Please rename the tokens.dat and activate the computer again. You can refer to:
http://blogs.technet.com/b/csstwplatform/archive/2011/01/19/windows-2008-kms-lost-activation-status-with-error-0xc004d302-after-reboot.aspx
If the activation fails, please refer to the following article to enable auto-discovery for this KMS client.
http://technet.microsoft.com/en-us/library/ff793406.aspx
Regarding the Windows Update issue, please reset Windows Update components and run Windows Update Readiness Tool.
http://support.microsoft.com/kb/971058
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=914fbc5b-1fba-4bae-a7c3-d2c47c6fcffc
Best Regards,
Niki
April 4th, 2011 6:25am
Unfortunately the user needed his laptop back ASAP so I wasn't able to experiment further... after re-imaging, the laptop activated without issue so a database problem is unlikely (also dozens of other machines have activated without any problems on the same volume license). Thanks for the links though, it's valuable info!
April 5th, 2011 1:06am