Corrupted System File SFC Can't Fix

I got an additional pop-up pertaining to my alleged fake Windows 7 while I running the SURT that could be an issue with the SURT. A screen shot is posted below.

When I ran the SURT the first time with the "Victim of Software Counterfeiting" pop-up, my Windows desktop changed to a black theme. I cleared the "Victim of Software Counterfeiting" pop-up and then got an icon in my notification area that my time on activation had run out. I clicked that icon and the system indicated that the activation was successful. I rebooted and ran the SURT again this time without the "Victim of Software Counterfeiting" pop-up. The SURT loaded a hot fix without errors. I ran "sfc /scannow" and the issue was not resolved.

Attached is the CBS.log file (compressed).

Attachment 327744

Slartybart said:

Copy all of the commands in the code box and paste the whole bunch into an elevated command prompt window
Cmd Paste = Right click

All commands will execute, except perhaps that last one - just hit enter to make sure everything launched.

Code:

DIR C:\Windows\slui.exe /s
ICACLS C:\Windows\System32\slui.exe
 
REG QUERY HKLM\SOFTWARE\Classes\Wow6432Node\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5AA} /S 
REG QUERY HKLM\SOFTWARE\Classes\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5AA} /S 
REG QUERY HKLM\SOFTWARE\Wow6432Node\Classes\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5AA} /S 
 
ICACLS C:\Windows\System32\sppsvc.exe
ICACLS C:\Windows\System32\en-US\sppsvc.exe.mui
DIR C:\windows\sppsvc.* /S
REG QUERY HKU
REG QUERY HKU\S-1-5-20
DIR %windir%\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform
ICACLS %windir%\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat

Did you try the troubleshooting tab on the window in this pic?

Did SURT end or did it complete?
Look in Windows\Logs\CBS - is there a Checksur.log?

Post it if there is. Thanks.

I think you're running up against what Noel pointed out - slui corruption needs to be resolved first.

The output from the commands prompt will give more information to get to that point.

Noel is the best at this but he's working an issue on his own machine. Golden is also no slacker. It takes me longer to find the next step because I don't focus on these issues and my knowledge is really old. So it takes a while to fire up those dormant brain cells.

Thanks for your patience and some really good feedback.

Bill
.

I can't recall exactly, but I believe I clicked on the troubleshooting tab and it didn't offer anything substantial. I ended up calling the number which connected me to MGA and they in turn patched the call to MS Support after I explained what was going on.

Yes, the SURT completed without any errors. I've attached the additional logs files below.

I'm going to go through all the posts on this thread and answer all the questions and add some additional information.

Thanks for the support.

Regards

CheckSUR.zip

CheckSUR.persist.zip

DeepClean.zip

Slartybart said:

@Jack: I don't think Raid 5 would cause this type of issue. But it did occur to me that part of the allure to having raid was redundancy. I might come back to that.

@tgj: Please check that the Software Protection service is set to automatic (delay start)

Open an elevated command prompt and type the following

Code:

DIR C:\Windows\slui.exe /s
ICACLS C:\Windows\System32\slui.exe
 
REG QUERY HKLM\SOFTWARE\Classes\Wow6432Node\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5AA} /S 
REG QUERY HKLM\SOFTWARE\Classes\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5AA} /S 
REG QUERY HKLM\SOFTWARE\Wow6432Node\Classes\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5AA} /S 
 
ICACLS C:\Windows\System32\sppsvc.exe
ICACLS C:\Windows\System32\en-US\sppsvc.exe.mui
DIR C:\windows\sppsvc.* /S
REG QUERY HKU
REG QUERY HKU\S-1-5-20
DIR %windir%\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform
ICACLS %windir%\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat

Post the results of the commands - You can copy the commands and paste them in command prompt (right click the command prompt title bar, select edit, select paste). To copy the ouput, drag the mouse across all of the text and press enter, then paste the clipboard in your post.

[code]
--> paste the output between the code tags
[/code]

There might be more after I see the output .... still investigating how your system is now.

See if there is a restore point before 'MS' got on your system - don't do anything yet, just see if one is available.

Here is the result of those commands in the CMD prompt window:

Code:

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
C:\Windows\system32>DIR C:\Windows\slui.exe /s
 Volume in drive C is Windows 7 Pro x64
 Volume Serial Number is 983E-9BB2
 Directory of C:\Windows\System32
20-Nov-10  23:24           349,696 slui.exe
               1 File(s)        349,696 bytes
 Directory of C:\Windows\winsxs\amd64_microsoft-windows-security-spp-ux_31bf3856
ad364e35_6.1.7601.17514_none_b9e7a42ab571bbb9
20-Nov-10  23:24           349,696 slui.exe
               1 File(s)        349,696 bytes
     Total Files Listed:
               2 File(s)        699,392 bytes
               0 Dir(s)  145,069,395,968 bytes free
C:\Windows\system32>ICACLS C:\Windows\System32\slui.exe
C:\Windows\System32\slui.exe NT SERVICE\TrustedInstaller:(F)
                             BUILTIN\Administrators:(RX)
                             NT AUTHORITY\SYSTEM:(RX)
                             BUILTIN\Users:(RX)
Successfully processed 1 files; Failed processing 0 files
C:\Windows\system32>
C:\Windows\system32>REG QUERY HKLM\SOFTWARE\Classes\Wow6432Node\TypeLib\{EE57495
7-4077-4AD6-8658-327C2C86C5AA} /S
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{EE574957-4077-4AD6-8658
-327C2C86C5AA}\1.0
    (Default)    REG_SZ    SPPUI 1.0 Type Library
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{EE574957-4077-4AD6-8658
-327C2C86C5AA}\1.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{EE574957-4077-4AD6-8658
-327C2C86C5AA}\1.0\0\win32
    (Default)    REG_EXPAND_SZ    %SystemRoot%\System32\slui.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{EE574957-4077-4AD6-8658
-327C2C86C5AA}\1.0\FLAGS
    (Default)    REG_SZ    0
 
C:\Windows\system32>REG QUERY HKLM\SOFTWARE\Classes\TypeLib\{EE574957-4077-4AD6-
8658-327C2C86C5AA} /S
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5A
A}\1.0
    (Default)    REG_SZ    SPPUI 1.0 Type Library
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5A
A}\1.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5A
A}\1.0\0\win32
    (Default)    REG_EXPAND_SZ    %SystemRoot%\System32\slui.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5A
A}\1.0\FLAGS
    (Default)    REG_SZ    0
 
C:\Windows\system32>REG QUERY HKLM\SOFTWARE\Wow6432Node\Classes\TypeLib\{EE57495
7-4077-4AD6-8658-327C2C86C5AA} /S
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{EE574957-4077-4AD6-8658
-327C2C86C5AA}\1.0
    (Default)    REG_SZ    SPPUI 1.0 Type Library
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{EE574957-4077-4AD6-8658
-327C2C86C5AA}\1.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{EE574957-4077-4AD6-8658
-327C2C86C5AA}\1.0\0\win32
    (Default)    REG_EXPAND_SZ    %SystemRoot%\System32\slui.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{EE574957-4077-4AD6-8658
-327C2C86C5AA}\1.0\FLAGS
    (Default)    REG_SZ    0
 
C:\Windows\system32>
C:\Windows\system32>ICACLS C:\Windows\System32\sppsvc.exe
C:\Windows\System32\sppsvc.exe NT SERVICE\TrustedInstaller:(F)
                               BUILTIN\Administrators:(RX)
                               NT AUTHORITY\SYSTEM:(RX)
                               BUILTIN\Users:(RX)
Successfully processed 1 files; Failed processing 0 files
C:\Windows\system32>ICACLS C:\Windows\System32\en-US\sppsvc.exe.mui
C:\Windows\System32\en-US\sppsvc.exe.mui NT SERVICE\TrustedInstaller:(F)
                                         BUILTIN\Administrators:(RX)
                                         NT AUTHORITY\SYSTEM:(RX)
                                         BUILTIN\Users:(RX)
Successfully processed 1 files; Failed processing 0 files
C:\Windows\system32>DIR C:\windows\sppsvc.* /S
 Volume in drive C is Windows 7 Pro x64
 Volume Serial Number is 983E-9BB2
 Directory of C:\windows\Prefetch
01-Aug-14  12:55            19,842 SPPSVC.EXE-B0F8131B.pf
               1 File(s)         19,842 bytes
 Directory of C:\windows\System32
20-Nov-10  23:23         3,524,608 sppsvc.exe
               1 File(s)      3,524,608 bytes
 Directory of C:\windows\System32\en-US
12-Apr-11  04:17            18,944 sppsvc.exe.mui
               1 File(s)         18,944 bytes
 Directory of C:\windows\winsxs\amd64_microsoft-windows-security-spp.resources_3
1bf3856ad364e35_6.1.7600.16385_en-us_f8bce8b9508ba1f6
12-Apr-11  04:17            18,944 sppsvc.exe.mui
               1 File(s)         18,944 bytes
 Directory of C:\windows\winsxs\amd64_microsoft-windows-security-spp_31bf3856ad3
64e35_6.1.7601.17514_none_78875ce737927d27
20-Nov-10  23:23         3,524,608 sppsvc.exe
               1 File(s)      3,524,608 bytes
     Total Files Listed:
               5 File(s)      7,106,946 bytes
               0 Dir(s)  145,069,371,392 bytes free
C:\Windows\system32>REG QUERY HKU
HKEY_USERS\.DEFAULT
HKEY_USERS\S-1-5-19
HKEY_USERS\S-1-5-20
HKEY_USERS\S-1-5-21-764048772-141219837-185285450-1000
HKEY_USERS\S-1-5-21-764048772-141219837-185285450-1000_Classes
HKEY_USERS\S-1-5-18
C:\Windows\system32>REG QUERY HKU\S-1-5-20
HKEY_USERS\S-1-5-20\AppEvents
HKEY_USERS\S-1-5-20\Console
HKEY_USERS\S-1-5-20\Control Panel
HKEY_USERS\S-1-5-20\Environment
HKEY_USERS\S-1-5-20\EUDC
HKEY_USERS\S-1-5-20\Keyboard Layout
HKEY_USERS\S-1-5-20\Network
HKEY_USERS\S-1-5-20\Printers
HKEY_USERS\S-1-5-20\Software
HKEY_USERS\S-1-5-20\System
C:\Windows\system32>DIR %windir%\ServiceProfiles\NetworkService\AppData\Roaming\
Microsoft\SoftwareProtectionPlatform
 Volume in drive C is Windows 7 Pro x64
 Volume Serial Number is 983E-9BB2
 Directory of C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsof
t\SoftwareProtectionPlatform
01-Aug-14  12:33    <DIR>          .
01-Aug-14  12:33    <DIR>          ..
14-Jul-09  00:46    <DIR>          Cache
31-Jul-14  10:00         7,520,374 tokens.bar
01-Aug-14  12:33         4,823,712 tokens.dat
               2 File(s)     12,344,086 bytes
               3 Dir(s)  145,069,371,392 bytes free
C:\Windows\system32>ICACLS %windir%\ServiceProfiles\NetworkService\AppData\Roami
ng\Microsoft\SoftwareProtectionPlatform\tokens.dat

After my fourth call with MS Support which left me with system file checker issues, I attempted to fix it by restoring my system to a restore point just before my contact with MS Support. The restore was successful, but it didn't resolve the system file checker issue.

After that I tried to read the CBS.log but got an access denied. That's when I came to this forum and posted my first thread related to that issue which I later resolved and then became aware of the corrupted slui.exe issue which is the reason I started this thread.

Original Thread:

System File Checker Errors - CBS.log


Do you see anything interesting in that CMD Prompt window output?

Regards

Slartybart said:

It will take me a bit to check the output against expected norms.

The last command didn't seem to execute, could you run this in an elevated command prompt

ICACLS %windir%\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens. dat

and post the output?

Thanks.

Code:

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
C:\Windows\system32>ICACLS %windir%\ServiceProfiles\NetworkService\AppData\Roami
ng\Microsoft\SoftwareProtectionPlatform\tokens. dat
Invalid parameter "dat"
C:\Windows\system32>ICACLS %windir%\ServiceProfiles\NetworkService\AppData\Roami
ng\Microsoft\SoftwareProtectionPlatform\tokens.dat
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProt
ectionPlatform\tokens.dat NT AUTHORITY\SYSTEM:(I)(F)
                          BUILTIN\Administrators:(I)(F)
                          NT AUTHORITY\NETWORK SERVICE:(I)(F)
Successfully processed 1 files; Failed processing 0 files
C:\Windows\system32>

Slartybart said:

I'm confused:
System File Checker Errors - CBS.log

Maybe you're looking at this the wrong way.

See if a quick malware scan shows up anything: herdProtect: Malware Detection
You don't need to analyze the output, please post a screen shot of the Scan results (if there are lots, just post the log in step 8.

Attached is the result of the Herdprotect scan:



Is this an issue?