Corrupted System File SFC Can't Fix


  1. Posts : 6,458
    x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem
       #21

    @Jack: I don't think Raid 5 would cause this type of issue. But it did occur to me that part of the allure to having raid was redundancy. I might come back to that.

    @tgj: Please check that the Software Protection service is set to automatic (delay start)

    Open an elevated command prompt and type the following

    Code:
    DIR C:\Windows\slui.exe /s
    ICACLS C:\Windows\System32\slui.exe
    
    REG QUERY HKLM\SOFTWARE\Classes\Wow6432Node\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5AA} /S 
    REG QUERY HKLM\SOFTWARE\Classes\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5AA} /S 
    REG QUERY HKLM\SOFTWARE\Wow6432Node\Classes\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5AA} /S 
    
    ICACLS C:\Windows\System32\sppsvc.exe
    ICACLS C:\Windows\System32\en-US\sppsvc.exe.mui
    DIR C:\windows\sppsvc.* /S
    REG QUERY HKU
    REG QUERY HKU\S-1-5-20
    DIR %windir%\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform
    ICACLS %windir%\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
    Post the results of the commands - You can copy the commands and paste them in command prompt (right click the command prompt title bar, select edit, select paste). To copy the output, drag the mouse across all of the text and press enter, then paste the clipboard in your post.
    [code]
    --> paste the output between the code tags
    [/code]

    There might be more after I see the output .... still investigating how your system is now.

    See if there is a restore point before 'MS' got on your system - don't do anything yet, just see if one is available.
    Last edited by Slartybart; 01 Aug 2014 at 12:27.


  2. Posts : 512
    Windows 7 Professional x64 SP1
    Thread Starter
       #22

    Slartybart said:
    Thanks tjg,

    Sounds like you have a valid beef with MS, although they did help you four times without charge.
    Are you certain that you spoke with MS?

    What number did you call?

    There are a lot of scams out there that pretend to be MS or MS authorized... I just want to make sure you're talking to the right people.

    Your description tells me a few things, but then it changes. MS stated a malicious object was on your system - you say it can't be because you have scanned your machine. I don't know, I haven't seen any logs...

    You also state that there might be or were disc errors due to a power surge or outage. Have you run the Seagate SeaTools on the drive?

    Please follow the instructions in this tutorial:
    Windows Update Posting Instructions

    SURT carries cabs with it, I'm not sure it has the cab with slui or if it will fix it if it does, but give it a shot.

    If the compressed cab is too large for the forum, delete the oldest persisted cabs one by one until it can be uploaded.

    Other than what Layback Bear already posted re: software licensing UI - the OEM System Builder license looks valid.
    SFC already flagged slui as corrupt, so it's not surprising that MGAdiag reports a similar issue.

    I'm certain that I spoke with MS. I called the activation number, 866.530.6599, Microsoft Genuine Advantage. They in turn patched the call to MS Tech Support. I got a case # on the second and fourth tech support calls. Although, I wasn't that impressed with the MS tech support reps. I thought they were sloppy. I should have received a case number for each support session. The first tech rep didn't back up the registry before he began deleting registry keys. The second tech rep indicated that the first tech rep left very sketchy notes on the first tech support session. Either the first or second tech rep deleted the CAB.log file text, because the oldest entry is during the second tech support session. That log would show no issues with the system file checker until the second tech support session if the log text hadn't been deleted. I don't delete or clean-up Windows logs. The second and third tech support sessions ended abruptly due to a communication issue and they didn't call to reestablish the support session. The third and fourth tech reps didn't reveal what the issue was with the slui.exe file, because they were pushing for a paid support call and didn't want to reveal too much information. I think MS has some sleazy business practices in the interest of revenue.

    The first tech rep found a registry key "Conduit." He indicated "Conduit" was a malicious software that allows programs to load without user control. I think it was only a registry key and that the program was long ago deleted and wasn't active. I suspect it was loaded some time ago when I was checking out some driver update software looking for updated drivers for something. I always delete everything related to sleazy third party software, if it loads, which is most of what you see on Google searches. Even when these types of programs are properly deleted or removed they often leave harmless traces of their former existence in the form of dead registry keys and empty program folders. None of the antivirus or malicious software tools detected any malicious software or viruses.

    I've had hdd related issues with my RAID5 since my last clean install about May 2013. Some were due to hdds with a lot of time and related hdd hardware issues and some were due to sudden power failure resulting in parity and data errors. I regularly scan my Seagate hdds with Seagate SeaTools for DOS (at least every three months). I don't think I'll be having any more issues related to power failures, because I've added an APC SMT1500 Smart-UPS about three months ago. If an hdd has a problem, I either replace the drive under the Seagate warranty or use SeaTools for DOS and perform a full erase, long test, and rebuild the RAID5 with either the new hdd or the one that has been full erased by SeaTools for DOS. None of my hdds have any media errors or have any logged failures. Also, S.M.A.R.T. on all four hdds doesn't show any red or yellow flags; everything is green.

    I'll take a look at that link and give it a try.

    Thanks for the assistance.

    Regards


  3. Posts : 512
    Windows 7 Professional x64 SP1
    Thread Starter
       #23

    Golden said:
    Recreate the Licensing Store
    1) Click Start button.
    2) Type: CMD.exe into the 'Search programs and files' field
    3) Right-Click on CMD.exe and select Run as Administrator
    4) Type: net stop sppsvc (It may ask you if you are sure, select yes)
    Note: the Software Protection service may not be running, this is ok.
    5) Type: cd %windir%\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform
    6) Type: rename tokens.dat tokens.bar
    7) Type: cd %windir%\system32
    8) Type: net start sppsvc
    9) Type: slui.exe
    10) After a couple of seconds Windows Activation dialog will appear. You may be asked to re-activate and/or re-enter your product key or Activation may occur automatically.

    Run MGADiag again, and post the report

    Thanks,

    I'll give it a try and post the report.


    Regards


  4. Posts : 512
    Windows 7 Professional x64 SP1
    Thread Starter
       #24

    Slartybart said:
    @Jack: I don't think Raid 5 would cause this type of issue. But it did occur to me that part of the allure to having raid was redundancy. I might come back to that.

    @tgj: Please check that the Software Protection service is set to automatic (delay start)

    Open an elevated command prompt and type the following
    DIR C:\Windows\slui.exe /s
    ICACLS C:\Windows\System32\slui.exe

    REG QUERY HKLM\SOFTWARE\Classes\Wow6432Node\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5AA} /S
    REG QUERY HKLM\SOFTWARE\Classes\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5AA} /S
    REG QUERY HKLM\SOFTWARE\Wow6432Node\Classes\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5AA} /S

    ICACLS C:\Windows\System32\sppsvc.exe
    ICACLS C:\Windows\System32\en-US\sppsvc.exe.mui
    DIR C:\windows\sppsvc.* /S
    REG QUERY HKU
    REG QUERY HKU\S-1-5-20
    DIR %windir%\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform
    ICACLS %windir%\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
    Post the results of the commands - You can copy the commands and paste them in command prompt (right click the command prompt title bar, select edit, select paste). To copy the output, drag the mouse across all of the text and press enter, then paste the clipboard in your post.
    [code]
    --> paste the output between the code tags
    [/code]
    There might be more after I see the output .... still investigating how your system is now.

    See if there is a restore point before 'MS' got on your system - don't do anything yet, just see if one is available.
    Thanks,

    I'll follow those instructions and report right after I recreate the licensing store and report those results.

    Thanks for the assistance.

    Regards


  5. Posts : 512
    Windows 7 Professional x64 SP1
    Thread Starter
       #25

    Code:
     
    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
    C:\Windows\system32>net stop sppsvc
    The Software Protection service is not started.
    More help is available by typing NET HELPMSG 3521.
     
    C:\Windows\system32>cd %windir% \ServiceProfiles\NetworkService\AppData\Roaming\
    Microsoft\SoftwareProtectionPlatform
    C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProt
    ectionPlatform>rename tokens.dat tokens.bar
    C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProt
    ectionPlatform>cd %windir%\system32
    C:\Windows\System32>net start sppsvc
    The Software Protection service is starting.
    The Software Protection service was started successfully.
     
    C:\Windows\System32>slui.exe
    C:\Windows\System32>
    Corrupted System File SFC Can't Fix-store-rebuild-screenshot.jpg

    Code:
     
    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->
    Validation Code: 0x8004FE22
    Cached Online Validation Code: 0x0
    Windows Product Key: *****-*****-9CBQQ-CBRDX-4VBW4
    Windows Product Key Hash: 4o79yMzf+5/lHKmwIiotxng2nPc=
    Windows Product ID: 00371-OEM-9045181-41077
    Windows Product ID Type: 3
    Windows License Type: OEM System Builder
    Windows OS version: 6.1.7601.2.00010100.1.0.048
    ID: {88569B0E-21CB-4760-A2CC-9595DA52037D}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: Registered, 1.9.42.0
    Signed By: Microsoft
    Product Name: Windows 7 Professional
    Architecture: 0x00000009
    Build lab: 7601.win7sp1_gdr.140303-2144
    TTS Error: 
    Validation Diagnostic: 
    Resolution Status: N/A
    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002
    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002
    OGA Data-->
    Office Status: 100 Genuine
    Microsoft Office Professional 2007 - 100 Genuine
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 77F760FE-153-80070002_7E90FEE8-175-80070002_025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005_E2AD56EA-765-b01a_E2AD56EA-766-0_E2AD56EA-148-80004005_16E0B333-89-80004005_B4D0AA8B-1029-80004005
    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files\Internet Explorer\iexplore.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed
    File Scan Data-->
    File Mismatch: C:\Windows\system32\slui.exe[6.1.7601.17514], Hr = 0x80092003
    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{88569B0E-21CB-4760-A2CC-9595DA52037D}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-4VBW4</PKey><PID>00371-OEM-9045181-41077</PID><PIDType>3</PIDType><SID>S-1-5-21-764048772-141219837-185285450</SID><SYSTEM><Manufacturer>INTEL_</Manufacturer><Model>DX58SO__</Model></SYSTEM><BIOS><Manufacturer>Intel Corp.</Manufacturer><Version>SOX5810J.86A.5600.2013.0729.2250</Version><SMBIOSVersion major="2" minor="5"/><Date>20130729000000.000000+000</Date></BIOS><HWID>92213407018400FE</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{91120000-0014-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Professional 2007</Name><Ver>12</Ver><Val>1B16FCA35E8C714</Val><Hash>Ox0izo7MjcnLKUdV4ul5G/4OhBY=</Hash><Pid>81605-906-5273533-65430</Pid><PidType>1</PidType></Product></Products><Applications><App Id="15" Version="12" Result="100"/><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="19" Version="12" Result="100"/><App Id="1A" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/></Applications></Office></Software></GenuineResults>  
    Spsys.log Content: 0x80070002
    Licensing Data-->
    Software licensing service version: 6.1.7601.17514
    Name: Windows(R) 7, Professional edition
    Description: Windows Operating System - Windows(R) 7, OEM_COA_NSLP channel
    Activation ID: e120e868-3df2-464a-95a0-b52fa5ada4bf
    Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
    Extended PID: 00371-00180-451-841077-02-1033-7601.0000-2122014
    Installation ID: 021892549173720063162803583281194772514004932426885526
    Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
    Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
    Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
    Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
    Partial Product Key: 4VBW4
    License Status: Licensed
    Remaining Windows rearm count: 3
    Trusted time: 01-Aug-14 05:04:34
    Windows Activation Technologies-->
    HrOffline: 0x8004FE22
    HrOnline: N/A
    HealthStatus: 0x0000000000000800
    Event Time Stamp: 7:30:2014 23:05
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Registered, Version: 7.1.7600.16395
    HealthStatus Bitmask Output:
    Tampered File: %systemroot%\system32\slui.exe|slui.exe.mui|COM Registration
     
    HWID Data-->
    HWID Hash Current: MAAAAAMAAAABAAEAAQACAAAAAQABAAEACrYw0tpjQ0ZsQ7K6xFcOLJyfvSCmnuqC
    OEM Activation 1.0 Data-->
    N/A
    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes, but no SLIC table
    Windows marker version: N/A
    OEMID and OEMTableID Consistent: N/A
    BIOS Information: 
      ACPI Table Name OEMID Value OEMTableID Value
      APIC   INTEL   DX58SO  
      FACP   INTEL   DX58SO  
      HPET   INTEL   DX58SO  
      MCFG   INTEL   DX58SO  
      WDDT   INTEL   DX58SO  
      ASF!   INTEL   DX58SO  
      SSDT   INTEL   SSDT  PM
      DMAR   INTEL   DX58SO  
      WDTT   INTEL   DX58SO  
      ASPT   INTEL   PerfTune
    It doesn't appear that these tasks resolved the issue with the slui.exe file.

    Thanks for your assistance.

    Regards
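
An added example (not written by any poster in the thread, and not a Microsoft tool): a small Python parser for the MGADiag report text in post #25 that pulls out the integrity-related fields, so a "Licensed" status is not read as a clean system. The field names and sample lines come from that report; the function names and the choice of which fields to flag are assumptions of this example.

```python
import re

# Excerpt of the MGADiag report posted in #25 (lines copied from the thread).
SAMPLE_REPORT = r"""
Windows Validation Data-->
Validation Code: 0x8004FE22
Cached Online Validation Code: 0x0
File Scan Data-->
File Mismatch: C:\Windows\system32\slui.exe[6.1.7601.17514], Hr = 0x80092003
Licensing Data-->
License Status: Licensed
Windows Activation Technologies-->
HrOffline: 0x8004FE22
HealthStatus: 0x0000000000000800
HealthStatus Bitmask Output:
Tampered File: %systemroot%\system32\slui.exe|slui.exe.mui|COM Registration
"""

SECTION_RE = re.compile(r"^(?P<name>.+?)-->\s*$")
MISMATCH_RE = re.compile(
    r"^(?P<path>.+?)\[(?P<ver>[\d.]+)\],\s*Hr\s*=\s*(?P<hr>0x[0-9A-Fa-f]+)$")
HEX_RE = re.compile(r"0x[0-9A-Fa-f]+")
# Assumption of this example: these fields are treated as status codes to flag.
CODE_KEYS = ("Validation Code", "HrOffline", "HealthStatus")


def parse_report(text):
    """Split the report into {section: [(key, value), ...]}."""
    sections, current = {}, "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:   # skip blanks and the dashed rule
            continue
        m = SECTION_RE.match(line)
        if m:                                # "Licensing Data-->" opens a section
            current = m.group("name")
            sections.setdefault(current, [])
            continue
        key, sep, value = line.partition(":")
        if sep:
            sections.setdefault(current, []).append((key.strip(), value.strip()))
    return sections


def integrity_findings(sections):
    """Collect licence state and file-integrity indicators side by side."""
    out = {"license_status": None, "nonzero_codes": {},
           "mismatches": [], "tampered": []}
    for pairs in sections.values():
        for key, value in pairs:
            if key == "License Status":
                out["license_status"] = value
            elif key in CODE_KEYS and HEX_RE.fullmatch(value) and int(value, 16):
                out["nonzero_codes"][key] = value
            elif key == "File Mismatch":
                m = MISMATCH_RE.match(value)
                if m:
                    out["mismatches"].append(m.groupdict())
            elif key == "Tampered File":
                out["tampered"] = value.split("|")
    # A "Licensed" status does not clear these: report them independently.
    out["file_integrity_problem"] = bool(out["mismatches"] or out["tampered"])
    return out


if __name__ == "__main__":
    for field, value in integrity_findings(parse_report(SAMPLE_REPORT)).items():
        print(f"{field}: {value}")
```
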

  6.    #26

    It seems you have serious enough corruption of the OS and/or problems with the RAID which Win7 doesn't much like anyway. RAID confers no obvious benefits and isn't even redundant since most lose their data if they lose one drive. You would think that in five years since beta there would be at least one case reported here where RAID works well with Win7, but all that's seen are problems.

    Here is what I would do which will get you back up and running perfectly, and remain that way as long as you stick with the steps, tools and methods given:

    Follow these same steps to do a perfect Clean Reinstall - Factory OEM Windows 7. These steps compile everything that's worked best for tens of thousands we have helped directly here maintain a perfect install.

    However first unRAID and plug in only your fastest hard drive - preferably an SSD for the best Upgrade you can do with Win7 - to SATA 1 port. Install with it alone plugged in, deleting all partitions during the booted install using the Drive Options pictured in Steps 7 and 8 of the illustrated steps to Clean Install Windows 7
    Last edited by gregrocker; 01 Aug 2014 at 05:20.


  7. Posts : 6,458
    x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem
       #27

    Golden and I are headed in the same direction, so I'll sit back for a while.

    Thanks for the information on the MS calls, I'll close my concern with:
    You said the number you called was: (866) 530.6599

    I looked on the MGA for Windows and Office Support (Contacts) and found:
    Microsoft Genuine Advantage Phone

    Windows 7: 1-866-530-6364
    All other products: 1-866-530-6599
    So at least it was a MS number - phew - too many scammers out there that will mess up your system just to charge you to fix it.
    For future reference, use the Windows 7 number or follow this method:
    Get Help Activating Microsoft Windows

    This is the number that MS has on its Activation website: (888) 571-2048
    Activation and registration information of a Microsoft product
    To activate your product over the telephone, use one of the following numbers:



    As far as the sales push from MS, here's my take. They saw Conduit, or remnant, and the focus changed from Activation to malware remediation. Often there is reluctance to try and resolve an issue if malware is present, it's like trying to change a tire on a moving truck. MS wasn't going to provide free malware remediation, that's what we're here for

    Anyway, I know you said your system is clean. I'd still like you to run a scanner. Skip herdProtect - it's a detection only.

    Instead, please run AdwCleaner, which will detect and clean if anything is found. It's fairly quick and very efficient for certain types of malware.

    Download,
    Scan,
    Clean

    Follow the above steps on: How to use AdwCleaner version 3.x

    Post the logs here on SevenForums - not on the General Changelog Team (GCT) site.

    I won't charge you anything for this special utility

    I'm notoriously slow at typing/posting, so I'm catching up on your posts as I write.

    I see Greg has posted the sure fire fix, a Clean re-install.

    A third option would be to do a Repair install - which will reinstall Windows 7 without affecting user data.
    see: Repair Install

    I'll stay out of the RAID discussion.

    Read the tutorials to become familiar with the options we're giving you.
    Then it's your call on what path to take.

    Bill
    .


  8. Posts : 19,383
    Windows 10 Pro x64 ; Xubuntu x64
       #28

    Well, the system has activated as genuine but the tampered system file is still present. Noel usually is able to fix these, but he isn't about much now as he has computer issues or something similar. If you can wait a week or so, he'll have a look at this, and will most certainly solve it.

    Alternatively, do try the Repair Install. I think under the circumstances that is the best bet.


  9. Posts : 21,482
    Win 7 x64 Home Premium (and x86 VirtualBox VM)/Win10
       #29

    Until the file corruption is cured no fiddling with the Licensing Store, or changing of Keys can possibly work.


    Please follow the Windows Update Posting Instructions and post the requested data
    If the file is too large (8MB compressed), remove the older CBSPersist cab files until the final file is below the limit - you can always post them separately after zipping them. (the forum doesn't allow the upload of bare CAB files, for a number of reasons)


  10. Posts : 512
    Windows 7 Professional x64 SP1
    Thread Starter
       #30

    OK, I'm back and I will follow all the instructions and post the requested information.

    I just got another activation pop-up. I don't know how my Win 7 will function before the Windows Genuine Advantage shuts down or degrades my OS because of this issue. I'll post screen shots of the steps I followed so that everyone can see what I was initially doing. You can also see the MS phone number I called on the last screen shot. Per the software, the only solution is to purchase a genuine copy of Win 7.

    Corrupted System File SFC Can't Fix-act-1.jpg

    Corrupted System File SFC Can't Fix-act-2.jpg

    Corrupted System File SFC Can't Fix-act-3.jpg

    Corrupted System File SFC Can't Fix-act-4.jpg

    Corrupted System File SFC Can't Fix-act-5.jpg

    I'm downloading the System Update Readiness Tool for Windows 7 (SP1) for x64-based Systems (KB947821) [May 2014] as per the Windows Update Posting Instructions thread link posted by Slartybart in post #13 and NoelDP in post #29.

    Questions:

    @Slartybart - Re: post #21, The Software Protection Service is set to Automatic (Delayed Start). Also, it's not clear to me what I type before I hit enter in the CMD window.

    Open an elevated command prompt and type the following

    DIR C:\Windows\slui.exe /s
    ICACLS C:\Windows\System32\slui.exe

    REG QUERY HKLM\SOFTWARE\Classes\Wow6432Node\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5AA} /S
    REG QUERY HKLM\SOFTWARE\Classes\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5AA} /S
    REG QUERY HKLM\SOFTWARE\Wow6432Node\Classes\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5AA} /S

    ICACLS C:\Windows\System32\sppsvc.exe
    ICACLS C:\Windows\System32\en-US\sppsvc.exe.mui
    DIR C:\windows\sppsvc.* /S
    REG QUERY HKU
    REG QUERY HKU\S-1-5-20
    DIR %windir%\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform
    ICACLS %windir%\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
    I'll run the SURT as the next step and post the results.

    Thanks for the assistance.

    Regards


 
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd