Solved Corrupted System File SFC Can't Fix

@Jack: I don't think Raid 5 would cause this type of issue. But it did occur to me that part of the allure to having raid was redundancy. I might come back to that.

@tgj: Please check that the Software Protection service is set to automatic (delay start)

Open an elevated command prompt and type the following

Code:
DIR C:\Windows\slui.exe /s
ICACLS C:\Windows\System32\slui.exe

REG QUERY HKLM\SOFTWARE\Classes\Wow6432Node\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5AA} /S 
REG QUERY HKLM\SOFTWARE\Classes\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5AA} /S 
REG QUERY HKLM\SOFTWARE\Wow6432Node\Classes\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5AA} /S 

ICACLS C:\Windows\System32\sppsvc.exe
ICACLS C:\Windows\System32\en-US\sppsvc.exe.mui
DIR C:\windows\sppsvc.* /S
REG QUERY HKU
REG QUERY HKU\S-1-5-20
DIR %windir%\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform
ICACLS %windir%\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat

Post the results of the commands - You can copy the commands and paste them in command prompt (right click the command prompt title bar, select edit, select paste). To copy the output, drag the mouse across all of the text and press enter, then paste the clipboard in your post.
[code]
--> paste the output between the code tags
[/code]

There might be more after I see the output .... still investigating how your system is now.

See if there is a restore point before 'MS' got on your system - don't do anything yet, just see if one is available.
 

My Computer

Computer type
Laptop
Computer Manufacturer/Model Number
HP Pavilion dv6-6c10us
OS
x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem
CPU
AMD A6-3420M APU with Radeon(tm) HD Graphics
Motherboard
Hewlett-Packard 1805
Memory
6.00 GB
Graphics Card(s)
AMD Radeon(TM) HD 6520G
Sound Card
(1) AMD High Definition Audio Device (2) IDT High Definiti
Monitor(s) Displays
HP W2072a 20" LCD (1600 x 900) @ 60 Hz
Screen Resolution
1366 x 768 x 32 bits (4294967296 colors) @ 60 Hz
Hard Drives
ST640LM0 00 HM641JI SATA Disk Device
Keyboard
Logitech k520 wireless KB
Mouse
Logitech m320 wireless mouse (bundled with KB)
Internet Speed
15/5 | 54 MB Wireless 'n'
Antivirus
Realtime: Defender or Avast | On-demand: Malwarebytes, ESET
Browser
IE 11 on Win8, IE 10 on win 7
Other Info
Media: [Gimp, Audacity, VLC] || Comm: [WEmail 2012, Skype] || Productivity: [OpenOffice,| Textpad] || Utils: [Sysinternals, cCleaner, Speccy, Defraggler]
Thanks tjg,

Sounds like you have a valid beef with MS, although they did help you four times without charge.
Are you certain that you spoke with MS?

What number did you call?

There are a lot of scams out there that pretend to be MS or MS authorized... I just want to make sure you're talking to the right people.

Your description tells me a few things, but then it changes. MS stated a malicious object was on your system - you say it can't be because you have scanned your machine. I don't know, I haven't seen any logs...

You also state that there might be or were disc errors due to a power surge or outage. Have you run the Seagate SeaTools on the drive?

Please follow the instructions in this tutorial:
http://www.sevenforums.com/windows-...4840-windows-update-posting-instructions.html

SURT carries cabs with it, I'm not sure it has the cab with slui or if it will fix it if it does, but give it a shot.

If the compressed cab is too large for the forum, delete the oldest persisted cabs one by one until it can be uploaded.

Other than what Layback Bear already posted re: software licensing UI - the OEM System builder license looks valid.
SFC already flagged slui as corrupt, so it's not surprising that MGAdiag reports a similar issue.

I'm certain that I spoke with MS. I called the activation number, 866.530.6599, Microsoft Genuine Advantage. They in turn patched the call to MS Tech Support. I got a case # on the second and fourth tech support calls. Although, I wasn't that impressed with the MS tech support reps. I thought they were sloppy. I should have received a case number for each support session. The first tech rep didn't back up the registry before he began deleting registry keys. The second tech rep indicated that the first tech rep left very sketchy notes on the first tech support session. Either the first or second tech rep deleted the CAB.log file text, because the oldest entry is during the second tech support session. That log would show no issues with the system file checker until the second tech support session if the log text hadn't been deleted. I don't delete or clean-up Windows logs. The second and third tech support sessions ended abruptly due to communication issue and they didn't call to reestablish the support session. The third and fourth tech reps didn't reveal what the issue was with the slui.exe file, because they were pushing for a paid support call and didn't want to reveal too much information. I think MS has some sleazy business practices in the interest of revenue.

The first tech rep found a registry key "Conduit." He indicated "Conduit" was a malicious software that allows programs to load without user control. I think it was only a registry key and that the program was long ago deleted and wasn't active. I suspect it was loaded some time ago when I was checking out some driver update software looking for updated drivers for something. I always delete everything related to sleazy third party software, if it loads, which is most of what you see on Google searches. Even when these types of programs are properly deleted or removed they often leave harmless traces of their former existence in the form of dead registry keys and empty program folders. None of the antivirus or malicious software tools detected any malicious software or viruses.

I've had hdd related issues with my RAID5 since my last clean install about May 2013. Some were due to hdds with a lot of time and related hdd hardware issues and some were due to sudden power failure resulting in parity and data errors. I regularly scan my Seagate hdds with Seagate SeaTools for DOS (at least every three months). I don't think I'll be having any more issues related to power failures, because I've added an APC SMT1500 Smart-UPS about three months ago. If an hdd has a problem, I either replace the drive under the Seagate warranty or use SeaTools for DOS and perform a full erase, long test, and rebuild the RAID5 with either the new hdd or the one that has been full erased by SeaTools for DOS. None of my hdds have any media errors or have any logged failures. Also, S.M.A.R.T. on all four hdds doesn't show any red or yellow flags; everything is green.

I'll take a look at that link and give it a try.

Thanks for the assistance.

Regards
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Custom Build
OS
Windows 7 Professional x64 SP1
CPU
Intel i7-980x @ 3.6GHz
Motherboard
Intel DX58SO
Memory
Corsair 12GB DDR3 RAM (3x4GB)
Graphics Card(s)
EVGA NVIDIA GeForce GTX 760 SC
Sound Card
Intel High Definition 7.1 Audio Subsystem - Realtek ALC889
Monitor(s) Displays
Dual Display - LG Electronics Flatron L227WTG
Screen Resolution
1680 x 1050 60Hz 32-bit
Hard Drives
2 Seagate Constellation ST1000NM0033 1TB SATA 6Gb/s HDDs configured as Intel SATA Array 0, RST RAID 1, Vol. 0 (C:\) & Vol. 1 (D:\), & 2 Seagate Barracuda ST500DM002 500GB SATA 6Gb/s HDDs configured as Intel SATA Array 1 RST RAID 1, Vol. 0 (E:\)
PSU
Corsair HX850W
Case
Antec P182
Cooling
Stock Intel i7-980x Cooling Solution + 4 120mm Case Fans
Keyboard
Microsoft Wireless Multimedia Keyboard 1.1
Mouse
Microsoft Standard Wireless Optical Mouse
Internet Speed
DSL - 3.0 Mb/s download 768 Kb/s upload
Antivirus
ESET Smart Security 12, Defender & SuperAntiSpyware Pro
Browser
Firefox Quantum 64-bit
Other Info
Optical Drives: Pioneer DVR-216R & TSSTcorp SH-S223Q, Anker USB 3.0 PCI-E Card, Hauppauge WinTV-HVR 2250 Dual TV Tuner Board for Windows Media Center, Bose Companion 3 Series II multimedia speaker system, APC Smart-UPS SMT1500
Recreate the Licensing Store
1) Click Start button.
2) Type: CMD.exe into the 'Search programs and files' field
3) Right-Click on CMD.exe and select Run as Administrator
4) Type: net stop sppsvc (It may ask you if you are sure, select yes)
Note: the Software Protection service may not be running, this is ok.
5) Type: cd %windir%\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform
6) Type: rename tokens.dat tokens.bar
7) Type: cd %windir%\system32
8) Type: net start sppsvc
9) Type: slui.exe
10) After a couple of seconds Windows Activation dialog will appear. You may be asked to re-activate and/or re-enter your product key or Activation may occur automatically.

Run MGADiag again, and post the report


Thanks,

I'll give it a try and post the report.


Regards
 

@Jack: I don't think Raid 5 would cause this type of issue. But it did occur to me that part of the allure to having raid was redundancy. I might come back to that.

@tgj: Please check that the Software Protection service is set to automatic (delay start)

Open an elevated command prompt and type the following
DIR C:\Windows\slui.exe /s
ICACLS C:\Windows\System32\slui.exe

REG QUERY HKLM\SOFTWARE\Classes\Wow6432Node\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5AA} /S
REG QUERY HKLM\SOFTWARE\Classes\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5AA} /S
REG QUERY HKLM\SOFTWARE\Wow6432Node\Classes\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5AA} /S

ICACLS C:\Windows\System32\sppsvc.exe
ICACLS C:\Windows\System32\en-US\sppsvc.exe.mui
DIR C:\windows\sppsvc.* /S
REG QUERY HKU
REG QUERY HKU\S-1-5-20
DIR %windir%\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform
ICACLS %windir%\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
Post the results of the commands - You can copy the commands and paste them in command prompt (right click the command prompt title bar, select edit, select paste). To copy the output, drag the mouse across all of the text and press enter, then paste the clipboard in your post.
[code]
--> paste the output between the code tags
[/code]
There might be more after I see the output .... still investigating how your system is now.

See if there is a restore point before 'MS' got on your system - don't do anything yet, just see if one is available.

Thanks,

I'll follow those instructions and report right after I recreate the licensing store and report those results.

Thanks for the assistance.

Regards
 

Code:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
C:\Windows\system32>net stop sppsvc
The Software Protection service is not started.
More help is available by typing NET HELPMSG 3521.
 
C:\Windows\system32>cd %windir% \ServiceProfiles\NetworkService\AppData\Roaming\
Microsoft\SoftwareProtectionPlatform
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProt
ectionPlatform>rename tokens.dat tokens.bar
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProt
ectionPlatform>cd %windir%\system32
C:\Windows\System32>net start sppsvc
The Software Protection service is starting.
The Software Protection service was started successfully.
 
C:\Windows\System32>slui.exe
C:\Windows\System32>

Store Rebuild Screenshot.jpg

Code:
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Code: 0x8004FE22
Cached Online Validation Code: 0x0
Windows Product Key: *****-*****-9CBQQ-CBRDX-4VBW4
Windows Product Key Hash: 4o79yMzf+5/lHKmwIiotxng2nPc=
Windows Product ID: 00371-OEM-9045181-41077
Windows Product ID Type: 3
Windows License Type: OEM System Builder
Windows OS version: 6.1.7601.2.00010100.1.0.048
ID: {88569B0E-21CB-4760-A2CC-9595DA52037D}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: Registered, 1.9.42.0
Signed By: Microsoft
Product Name: Windows 7 Professional
Architecture: 0x00000009
Build lab: 7601.win7sp1_gdr.140303-2144
TTS Error: 
Validation Diagnostic: 
Resolution Status: N/A
Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002
OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002
OGA Data-->
Office Status: 100 Genuine
Microsoft Office Professional 2007 - 100 Genuine
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 77F760FE-153-80070002_7E90FEE8-175-80070002_025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005_E2AD56EA-765-b01a_E2AD56EA-766-0_E2AD56EA-148-80004005_16E0B333-89-80004005_B4D0AA8B-1029-80004005
Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\iexplore.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed
File Scan Data-->
File Mismatch: C:\Windows\system32\slui.exe[6.1.7601.17514], Hr = 0x80092003
Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{88569B0E-21CB-4760-A2CC-9595DA52037D}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-4VBW4</PKey><PID>00371-OEM-9045181-41077</PID><PIDType>3</PIDType><SID>S-1-5-21-764048772-141219837-185285450</SID><SYSTEM><Manufacturer>INTEL_</Manufacturer><Model>DX58SO__</Model></SYSTEM><BIOS><Manufacturer>Intel Corp.</Manufacturer><Version>SOX5810J.86A.5600.2013.0729.2250</Version><SMBIOSVersion major="2" minor="5"/><Date>20130729000000.000000+000</Date></BIOS><HWID>92213407018400FE</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{91120000-0014-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Professional 2007</Name><Ver>12</Ver><Val>1B16FCA35E8C714</Val><Hash>Ox0izo7MjcnLKUdV4ul5G/4OhBY=</Hash><Pid>81605-906-5273533-65430</Pid><PidType>1</PidType></Product></Products><Applications><App Id="15" Version="12" Result="100"/><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="19" Version="12" Result="100"/><App Id="1A" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/></Applications></Office></Software></GenuineResults>  
Spsys.log Content: 0x80070002
Licensing Data-->
Software licensing service version: 6.1.7601.17514
Name: Windows(R) 7, Professional edition
Description: Windows Operating System - Windows(R) 7, OEM_COA_NSLP channel
Activation ID: e120e868-3df2-464a-95a0-b52fa5ada4bf
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 00371-00180-451-841077-02-1033-7601.0000-2122014
Installation ID: 021892549173720063162803583281194772514004932426885526
Processor Certificate URL: [URL]http://go.microsoft.com/fwlink/?LinkID=88338[/URL]
Machine Certificate URL: [URL]http://go.microsoft.com/fwlink/?LinkID=88339[/URL]
Use License URL: [URL]http://go.microsoft.com/fwlink/?LinkID=88341[/URL]
Product Key Certificate URL: [URL]http://go.microsoft.com/fwlink/?LinkID=88340[/URL]
Partial Product Key: 4VBW4
License Status: Licensed
Remaining Windows rearm count: 3
Trusted time: 01-Aug-14 05:04:34
Windows Activation Technologies-->
HrOffline: 0x8004FE22
HrOnline: N/A
HealthStatus: 0x0000000000000800
Event Time Stamp: 7:30:2014 23:05
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Registered, Version: 7.1.7600.16395
HealthStatus Bitmask Output:
Tampered File: %systemroot%\system32\slui.exe|slui.exe.mui|COM Registration
 
HWID Data-->
HWID Hash Current: MAAAAAMAAAABAAEAAQACAAAAAQABAAEACrYw0tpjQ0ZsQ7K6xFcOLJyfvSCmnuqC
OEM Activation 1.0 Data-->
N/A
OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes, but no SLIC table
Windows marker version: N/A
OEMID and OEMTableID Consistent: N/A
BIOS Information: 
  ACPI Table Name OEMID Value OEMTableID Value
  APIC   INTEL   DX58SO  
  FACP   INTEL   DX58SO  
  HPET   INTEL   DX58SO  
  MCFG   INTEL   DX58SO  
  WDDT   INTEL   DX58SO  
  ASF!   INTEL   DX58SO  
  SSDT   INTEL   SSDT  PM
  DMAR   INTEL   DX58SO  
  WDTT   INTEL   DX58SO  
  ASPT   INTEL   PerfTune

It doesn't appear that these tasks resolved the issue with the slui.exe file.

Thanks for your assistance.

Regards
 

It seems you have serious enough corruption of the OS and/or problems with the RAID which Win7 doesn't much like anyway. RAID confers no obvious benefits and isn't even redundant since most lose their data if they lose one drive. You would think that in five years since beta there would be at least one case reported here where RAID works well with Win7, but all that's seen are problems.

Here is what I would do which will get you back up and running perfectly, and remain that way as long as you stick with the steps, tools and methods given:

Follow these same steps to do a perfect Clean Reinstall - Factory OEM Windows 7. These steps compile everything that's worked best for tens of thousands we have helped directly here maintain a perfect install.

However first unRAID and plug in only your fastest hard drive - preferably an SSD for the best Upgrade you can do with Win7 - to SATA 1 port. Install with it alone plugged in, deleting all partitions during the booted install using the Drive Options pictured in Steps 7 and 8 of the illustrated steps to Clean Install Windows 7
 
Golden and I are headed in the same direction, so I'll sit back for a while.

Thanks for the information on the MS calls, I'll close my concern with:
You said the number you called was: (866) 530.6599

I looked on the MGA for Windows and Office Support (Contacts) and found:
Microsoft Genuine Advantage Phone

Windows 7: 1-866-530-6364
All other products: 1-866-530-6599
So at least it was a MS number - phew - too many scammers out there that will mess up your system just to charge you to fix it.
For future reference, use the Windows 7 number or follow this method:
Get Help Activating Microsoft Windows

This is the number that MS has on its Activation website: (888) 571-2048
Activation and registration information of a Microsoft product
To activate your product over the telephone, use one of the following numbers:



As far as the sales push from MS, here's my take. They saw Conduit, or remnant, and the focus changed from Activation to malware remediation. Often there is reluctance to try and resolve an issue if malware is present, it's like trying to change a tire on a moving truck. MS wasn't going to provide free malware remediation, that's what we're here for ;)

Anyway, I know you said your system is clean. I'd still like you to run a scanner. Skip herdProtect - it's a detection only.

Instead, please run AdwCleaner, which will detect and clean if anything is found. It's fairly quick and very efficient for certain types of malware.

Download,
Scan,
Clean

Follow the above steps on: How to use AdwCleaner version 3.x

Post the logs here on SevenForums - not on the General Changelog Team (GCT) site.

I won't charge you anything for this special utility ;)

I'm notoriously slow at typing/posting, so I'm catching up on your posts as I write.

I see Greg has posted the sure fire fix, a Clean re-install.

A third option would be to do a Repair install - which will reinstall Windows 7 without affecting user data.
see: http://www.sevenforums.com/tutorials/3413-repair-install.html

I'll stay out of the RAID discussion.

Read the tutorials to become familiar with the options we're giving you.
Then it's your call on what path to take.

Bill
.
 

Well, the system has activated as genuine but the tampered system file is still present. Noel usually is able to fix these, but he isn't about much now as he has computer issues or something similar. If you can wait a week or so, he'll have a look at this, and will most certainly solve it.

Alternatively, do try the Repair Install. I think under the circumstances that is the best bet.
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Golden Mk. I.4
OS
Windows 10 Pro x64 ; Xubuntu x64
CPU
Intel i7 860 @ 2.80 GHz O/C'ed to 4.0GHz
Motherboard
Gigabyte P55A-UD3R Rev.1. Award BIOS F13
Memory
16GB Corsair Vengance DDR3 @ 661 MHz Dual Channel (9-9-9-24)
Graphics Card(s)
EVGA NVidia GTX 560 1024MB
Sound Card
Realtek Integrated
Monitor(s) Displays
Dual Samsung SyncMaster 2494HS
Screen Resolution
1920*1080 and 1920*1080
Hard Drives
1*Samsung 840 EVO 120GB SSD;
1*OCZ Vertex 2 60GB SSD;
2*Samsung F3 SpinPoint 1TB in RAID0;
1*Samsung F1 SpinPoint 1TB;
2*Western Digital 1TB External USB 3.0
1*Western Digital 500GB External USB 3.0
1*Seagate 500GB External USB 2.0
PSU
Thermaltake ToughPower QFan 750W
Case
Thermaltake Element S VK60001W2Z
Cooling
Corsair H60 Water Cooling, 2*230mm and 2*80mm case fans
Keyboard
Logitech G110
Mouse
Logitech MX518
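
The state described in the post above (activated as genuine, yet a tampered system file is still reported) can be read mechanically from an MGADiag report. The following Python is an added example, not part of the original thread or of any Microsoft tool; the sample report is constructed from a few lines of the report posted earlier, and the function names and verdict strings are hypothetical.

```python
import re

# Constructed sample: selected lines in the layout of the MGADiag report
# posted in this thread (values copied from that report, most lines omitted).
SAMPLE_REPORT = r"""Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Code: 0x8004FE22
Cached Online Validation Code: 0x0
Windows License Type: OEM System Builder
TTS Error:
File Scan Data-->
File Mismatch: C:\Windows\system32\slui.exe[6.1.7601.17514], Hr = 0x80092003
Licensing Data-->
License Status: Licensed
Windows Activation Technologies-->
HrOffline: 0x8004FE22
HrOnline: N/A
HealthStatus: 0x0000000000000800
Event Time Stamp: 7:30:2014 23:05
HealthStatus Bitmask Output:
Tampered File: %systemroot%\system32\slui.exe|slui.exe.mui|COM Registration
OEM Activation 1.0 Data-->
N/A
"""

# "File Mismatch" values look like: <path>[<version>], Hr = 0x........
MISMATCH_RE = re.compile(
    r"^(?P<path>.+)\[(?P<version>[^\]]*)\],\s*Hr\s*=\s*(?P<hr>0x[0-9A-Fa-f]+)$"
)


def parse_sections(text):
    """Split a report into {section name: [(key, value), ...]}.

    Section headers end in "-->". The same key (e.g. "Version") can appear in
    several sections, so pairs are kept per section instead of one flat dict.
    """
    sections = {}
    current = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue  # blank line or the dashed rule under the title
        if line.endswith("-->"):
            current = line[:-3].strip()
            sections.setdefault(current, [])
            continue
        # Split on the first colon only: values contain colons (paths, times).
        key, sep, value = line.partition(":")
        if not sep:
            continue  # bare "N/A" lines and ACPI table rows carry no key
        sections.setdefault(current, []).append((key.strip(), value.strip()))
    return sections


def first(sections, section, key):
    """Return the first value stored under key in section, or None."""
    for k, v in sections.get(section, []):
        if k == key:
            return v
    return None


def triage(text):
    """Summarise licensing state and file-integrity findings from a report."""
    sections = parse_sections(text)
    wat = "Windows Activation Technologies"

    mismatches = []
    for key, value in sections.get("File Scan Data", []):
        if key == "File Mismatch":
            m = MISMATCH_RE.match(value)
            # Keep unparsable entries rather than silently dropping a finding.
            mismatches.append(m.groupdict() if m else
                              {"path": value, "version": None, "hr": None})

    tampered = []
    for key, value in sections.get(wat, []):
        if key == "Tampered File":
            tampered.extend(p.strip() for p in value.split("|") if p.strip())

    health_raw = first(sections, wat, "HealthStatus")
    try:
        health = int(health_raw, 16) if health_raw else None
    except ValueError:
        health = None

    license_status = first(sections, "Licensing Data", "License Status")
    if (mismatches or tampered) and license_status == "Licensed":
        verdict = "licensed-but-integrity-failure"
    elif mismatches or tampered:
        verdict = "integrity-failure"
    else:
        verdict = "no-integrity-findings"

    return {
        "validation_code": first(sections, "Windows Validation Data", "Validation Code"),
        "license_status": license_status,
        "health_status": health,
        "mismatches": mismatches,
        "tampered": tampered,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, value in triage(SAMPLE_REPORT).items():
        print(f"{name}: {value}")
```
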
Until the file corruption is cured no fiddling with the Licensing Store, or changing of Keys can possibly work.


Please follow the Windows Update Posting Instructions and post the requested data
If the file is too large (8MB compressed), remove the older CBSPersist cab files until the final file is below the limit - you can always post them separately after zipping them. (the forum doesn't allow the upload of bare CAB files, for a number of reasons)
 

My Computer

Computer type
Laptop
Computer Manufacturer/Model Number
Asus K52F or Lenovo B51-80
OS
Win 7 x64 Home Premium (and x86 VirtualBox VM)/Win10
CPU
i3 370M/i7 6500U
Motherboard
Asus/Lenovo
Memory
8GB - finally :)/8GB
Graphics Card(s)
it's an i3, dude!/dual Intel&nVidia
Sound Card
onboard
Monitor(s) Displays
15.6" built-in
Screen Resolution
1366x768/1920x1080
Hard Drives
750GB Seagate internal
Sundry external drives attached to other computers on the local network
1TB SSD on the Lenovo
PSU
n/a
Internet Speed
as much as I can get - usually on a dongle/phone, so <1MB/s
Antivirus
MSE/Defender
Browser
IE11/12/Edge/Chrome/FF(if I must)
OK, I'm back and I will follow all the instructions and post the requested information.

I just got another activation pop-up. I don't know how my Win 7 will function before the Windows Genuine Advantage shuts down or degrades my OS because of this issue. I'll post screen shots of the steps I followed so that everyone can see what I was initially doing. You can also see the MS phone number I called on the last screen shot. Per the software, the only solution is to purchase a genuine copy of Win 7.

act 1.jpg

act 2.jpg

act 3.jpg

act 4.jpg

act 5.jpg

I'm downloading the System Update Readiness Tool for Windows 7 (SP1) for x64-based Systems (KB947821) [May 2014] as per the Windows Update Posting Instructions thread link posted by Slartybart in post #13 and NoelDP in post #29.

Questions:

@Slartybart - Re: post #21, The Software Protection Service is set to Automatic (Delayed Start). Also, It's not clear to me what I type before I hit enter in the CMD window.

Open an elevated command prompt and type the following

DIR C:\Windows\slui.exe /s
ICACLS C:\Windows\System32\slui.exe

REG QUERY HKLM\SOFTWARE\Classes\Wow6432Node\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5AA} /S
REG QUERY HKLM\SOFTWARE\Classes\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5AA} /S
REG QUERY HKLM\SOFTWARE\Wow6432Node\Classes\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5AA} /S

ICACLS C:\Windows\System32\sppsvc.exe
ICACLS C:\Windows\System32\en-US\sppsvc.exe.mui
DIR C:\windows\sppsvc.* /S
REG QUERY HKU
REG QUERY HKU\S-1-5-20
DIR %windir%\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform
ICACLS %windir%\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat

I'll run the SURT as the next step and post the results.

Thanks for the assistance.

Regards
 

I got an additional pop-up pertaining to my alleged fake Windows 7 while I was running the SURT that could be an issue with the SURT. A screen shot is posted below.

act 6.jpg
 

When I ran the SURT the first time with the "Victim of Software Counterfeiting" pop-up, my Windows desktop changed to a black theme. I cleared the "Victim of Software Counterfeiting" pop-up and then got an icon in my notification area that my time on activation had run out. I clicked that icon and the system indicated that the activation was successful. I rebooted and ran the SURT again this time without the "Victim of Software Counterfeiting" pop-up. The SURT loaded a hot fix without errors. I ran "sfc /scannow" and the issue was not resolved.

Attached is the CBS.log file (compressed).

View attachment 327744
 

Copy all of the commands in the code box and paste the whole bunch into an elevated command prompt window
Cmd Paste = Right click

All commands will execute, except perhaps that last one - just hit enter to make sure everything launched.

Code:
DIR C:\Windows\slui.exe /s
ICACLS C:\Windows\System32\slui.exe

REG QUERY HKLM\SOFTWARE\Classes\Wow6432Node\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5AA} /S 
REG QUERY HKLM\SOFTWARE\Classes\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5AA} /S 
REG QUERY HKLM\SOFTWARE\Wow6432Node\Classes\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5AA} /S 

ICACLS C:\Windows\System32\sppsvc.exe
ICACLS C:\Windows\System32\en-US\sppsvc.exe.mui
DIR C:\windows\sppsvc.* /S
REG QUERY HKU
REG QUERY HKU\S-1-5-20
DIR %windir%\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform
ICACLS %windir%\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat


Did you try the troubleshooting tab on the window in this pic?

Did SURT end or did it complete?
Look in Windows\Logs\CBS - is there a Checksur.log?

Post it if there is. Thanks.

I think you're running up against what Noel pointed out - slui corruption needs to be resolved first.

The output from the command prompt will give more information to get to that point.

Noel is the best at this but he's working an issue on his own machine. Golden is also no slacker. It takes me longer to find the next step because I don't focus on these issues and my knowledge is really old. So it takes a while to fire up those dormant brain cells.

Thanks for your patience and some really good feedback.

Bill
.
 



I can't recall exactly, but I believe I clicked on the troubleshooting tab and it didn't offer anything substantial. I ended up calling the number which connected me to MGA and they in turn patched the call to MS Support after I explained what was going on.

Yes, the SURT completed without any errors. I've attached the additional log files below.

I'm going to go through all the posts on this thread and answer all the questions and add some additional information.

Thanks for the support.

Regards

View attachment CheckSUR.zip

View attachment CheckSUR.persist.zip

View attachment DeepClean.zip
 


Here is the result of those commands in the CMD prompt window:

Code:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
C:\Windows\system32>DIR C:\Windows\slui.exe /s
 Volume in drive C is Windows 7 Pro x64
 Volume Serial Number is 983E-9BB2
 Directory of C:\Windows\System32
20-Nov-10  23:24           349,696 slui.exe
               1 File(s)        349,696 bytes
 Directory of C:\Windows\winsxs\amd64_microsoft-windows-security-spp-ux_31bf3856
ad364e35_6.1.7601.17514_none_b9e7a42ab571bbb9
20-Nov-10  23:24           349,696 slui.exe
               1 File(s)        349,696 bytes
     Total Files Listed:
               2 File(s)        699,392 bytes
               0 Dir(s)  145,069,395,968 bytes free
C:\Windows\system32>ICACLS C:\Windows\System32\slui.exe
C:\Windows\System32\slui.exe NT SERVICE\TrustedInstaller:(F)
                             BUILTIN\Administrators:(RX)
                             NT AUTHORITY\SYSTEM:(RX)
                             BUILTIN\Users:(RX)
Successfully processed 1 files; Failed processing 0 files
C:\Windows\system32>
C:\Windows\system32>REG QUERY HKLM\SOFTWARE\Classes\Wow6432Node\TypeLib\{EE57495
7-4077-4AD6-8658-327C2C86C5AA} /S
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{EE574957-4077-4AD6-8658
-327C2C86C5AA}\1.0
    (Default)    REG_SZ    SPPUI 1.0 Type Library
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{EE574957-4077-4AD6-8658
-327C2C86C5AA}\1.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{EE574957-4077-4AD6-8658
-327C2C86C5AA}\1.0\0\win32
    (Default)    REG_EXPAND_SZ    %SystemRoot%\System32\slui.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{EE574957-4077-4AD6-8658
-327C2C86C5AA}\1.0\FLAGS
    (Default)    REG_SZ    0
 
C:\Windows\system32>REG QUERY HKLM\SOFTWARE\Classes\TypeLib\{EE574957-4077-4AD6-
8658-327C2C86C5AA} /S
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5A
A}\1.0
    (Default)    REG_SZ    SPPUI 1.0 Type Library
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5A
A}\1.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5A
A}\1.0\0\win32
    (Default)    REG_EXPAND_SZ    %SystemRoot%\System32\slui.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5A
A}\1.0\FLAGS
    (Default)    REG_SZ    0
 
C:\Windows\system32>REG QUERY HKLM\SOFTWARE\Wow6432Node\Classes\TypeLib\{EE57495
7-4077-4AD6-8658-327C2C86C5AA} /S
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{EE574957-4077-4AD6-8658
-327C2C86C5AA}\1.0
    (Default)    REG_SZ    SPPUI 1.0 Type Library
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{EE574957-4077-4AD6-8658
-327C2C86C5AA}\1.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{EE574957-4077-4AD6-8658
-327C2C86C5AA}\1.0\0\win32
    (Default)    REG_EXPAND_SZ    %SystemRoot%\System32\slui.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{EE574957-4077-4AD6-8658
-327C2C86C5AA}\1.0\FLAGS
    (Default)    REG_SZ    0
 
C:\Windows\system32>
C:\Windows\system32>ICACLS C:\Windows\System32\sppsvc.exe
C:\Windows\System32\sppsvc.exe NT SERVICE\TrustedInstaller:(F)
                               BUILTIN\Administrators:(RX)
                               NT AUTHORITY\SYSTEM:(RX)
                               BUILTIN\Users:(RX)
Successfully processed 1 files; Failed processing 0 files
C:\Windows\system32>ICACLS C:\Windows\System32\en-US\sppsvc.exe.mui
C:\Windows\System32\en-US\sppsvc.exe.mui NT SERVICE\TrustedInstaller:(F)
                                         BUILTIN\Administrators:(RX)
                                         NT AUTHORITY\SYSTEM:(RX)
                                         BUILTIN\Users:(RX)
Successfully processed 1 files; Failed processing 0 files
C:\Windows\system32>DIR C:\windows\sppsvc.* /S
 Volume in drive C is Windows 7 Pro x64
 Volume Serial Number is 983E-9BB2
 Directory of C:\windows\Prefetch
01-Aug-14  12:55            19,842 SPPSVC.EXE-B0F8131B.pf
               1 File(s)         19,842 bytes
 Directory of C:\windows\System32
20-Nov-10  23:23         3,524,608 sppsvc.exe
               1 File(s)      3,524,608 bytes
 Directory of C:\windows\System32\en-US
12-Apr-11  04:17            18,944 sppsvc.exe.mui
               1 File(s)         18,944 bytes
 Directory of C:\windows\winsxs\amd64_microsoft-windows-security-spp.resources_3
1bf3856ad364e35_6.1.7600.16385_en-us_f8bce8b9508ba1f6
12-Apr-11  04:17            18,944 sppsvc.exe.mui
               1 File(s)         18,944 bytes
 Directory of C:\windows\winsxs\amd64_microsoft-windows-security-spp_31bf3856ad3
64e35_6.1.7601.17514_none_78875ce737927d27
20-Nov-10  23:23         3,524,608 sppsvc.exe
               1 File(s)      3,524,608 bytes
     Total Files Listed:
               5 File(s)      7,106,946 bytes
               0 Dir(s)  145,069,371,392 bytes free
C:\Windows\system32>REG QUERY HKU
HKEY_USERS\.DEFAULT
HKEY_USERS\S-1-5-19
HKEY_USERS\S-1-5-20
HKEY_USERS\S-1-5-21-764048772-141219837-185285450-1000
HKEY_USERS\S-1-5-21-764048772-141219837-185285450-1000_Classes
HKEY_USERS\S-1-5-18
C:\Windows\system32>REG QUERY HKU\S-1-5-20
HKEY_USERS\S-1-5-20\AppEvents
HKEY_USERS\S-1-5-20\Console
HKEY_USERS\S-1-5-20\Control Panel
HKEY_USERS\S-1-5-20\Environment
HKEY_USERS\S-1-5-20\EUDC
HKEY_USERS\S-1-5-20\Keyboard Layout
HKEY_USERS\S-1-5-20\Network
HKEY_USERS\S-1-5-20\Printers
HKEY_USERS\S-1-5-20\Software
HKEY_USERS\S-1-5-20\System
C:\Windows\system32>DIR %windir%\ServiceProfiles\NetworkService\AppData\Roaming\
Microsoft\SoftwareProtectionPlatform
 Volume in drive C is Windows 7 Pro x64
 Volume Serial Number is 983E-9BB2
 Directory of C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsof
t\SoftwareProtectionPlatform
01-Aug-14  12:33    <DIR>          .
01-Aug-14  12:33    <DIR>          ..
14-Jul-09  00:46    <DIR>          Cache
31-Jul-14  10:00         7,520,374 tokens.bar
01-Aug-14  12:33         4,823,712 tokens.dat
               2 File(s)     12,344,086 bytes
               3 Dir(s)  145,069,371,392 bytes free
C:\Windows\system32>ICACLS %windir%\ServiceProfiles\NetworkService\AppData\Roami
ng\Microsoft\SoftwareProtectionPlatform\tokens.dat

After my fourth call with MS Support which left me with system file checker issues, I attempted to fix it by restoring my system to a restore point just before my contact with MS Support. The restore was successful, but it didn't resolve the system file checker issue.

After that I tried to read the CBS.log but got an access denied. That's when I came to this forum and posted my first thread related to that issue which I later resolved and then became aware of the corrupted slui.exe issue which is the reason I started this thread.

Original Thread:

http://www.sevenforums.com/performance-maintenance/339768-system-file-checker-errors-cbs-log.html


Do you see anything interesting in that CMD Prompt window output?

Regards
 

It will take me a bit to check the output against expected norms.

The last command didn't seem to execute, could you run this in an elevated command prompt

ICACLS %windir%\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat

and post the output?

Thanks.
 


Code:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
C:\Windows\system32>ICACLS %windir%\ServiceProfiles\NetworkService\AppData\Roami
ng\Microsoft\SoftwareProtectionPlatform\tokens. dat
Invalid parameter "dat"
C:\Windows\system32>ICACLS %windir%\ServiceProfiles\NetworkService\AppData\Roami
ng\Microsoft\SoftwareProtectionPlatform\tokens.dat
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProt
ectionPlatform\tokens.dat NT AUTHORITY\SYSTEM:(I)(F)
                          BUILTIN\Administrators:(I)(F)
                          NT AUTHORITY\NETWORK SERVICE:(I)(F)
Successfully processed 1 files; Failed processing 0 files
C:\Windows\system32>
 

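
The ICACLS output posted above can be checked against expected permissions mechanically. The following is an added example, not part of the original posts: it parses pasted ICACLS console text, rejoining lines that the 80-column console wrapped, and reports any principal other than TrustedInstaller that holds write-capable rights on a file under System32. The function names and sample text are constructed, and the TrustedInstaller-only baseline is an assumption about stock Windows 7 permissions, not something the thread states.

```python
import re

WIDTH = 80  # console width at which cmd.exe wrapped the long paths in the thread
PROMPT_RE = re.compile(r"^[A-Za-z]:\\[^>]*>")  # echoed command line (prompt + command)
# One ACE at end of line: optional DOMAIN\ prefix, account name, then (flag) groups.
ACE_RE = re.compile(
    r"(?:^|\s)(?P<who>(?:(?:NT AUTHORITY|NT SERVICE|[^\s\\:]+)\\)?[^\s\\:][^\\:]*)"
    r":(?P<rights>(?:\([A-Za-z,]+\))+)\s*$")
# ICACLS simple and specific rights that let the holder alter or replace a file.
WRITE = {"F", "M", "W", "D", "GA", "GW", "WD", "AD", "WDAC", "WO", "DE", "DC", "WEA", "WA"}
TRUSTED = r"NT SERVICE\TRUSTEDINSTALLER"  # assumed sole writer on stock System32 files

# Constructed sample in the shape of the thread's output. The sppsvc.exe entry is
# deliberately altered (Administrators given F) so the check has something to report.
SAMPLE = r"""
C:\Windows\system32>ICACLS C:\Windows\System32\slui.exe
C:\Windows\System32\slui.exe NT SERVICE\TrustedInstaller:(F)
                             BUILTIN\Administrators:(RX)
                             BUILTIN\Users:(RX)
Successfully processed 1 files; Failed processing 0 files
C:\Windows\system32>ICACLS C:\Windows\System32\sppsvc.exe
C:\Windows\System32\sppsvc.exe NT SERVICE\TrustedInstaller:(F)
                               BUILTIN\Administrators:(F)
Successfully processed 1 files; Failed processing 0 files
C:\Windows\system32>ICACLS %windir%\ServiceProfiles\NetworkService\AppData\Roami
ng\Microsoft\SoftwareProtectionPlatform\tokens. dat
Invalid parameter "dat"
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProt
ectionPlatform\tokens.dat NT AUTHORITY\SYSTEM:(I)(F)
                          NT AUTHORITY\NETWORK SERVICE:(I)(F)
Successfully processed 1 files; Failed processing 0 files
"""


def unwrap(text, width=WIDTH):
    """Rejoin lines that the console split at exactly `width` characters."""
    out, buf = [], ""
    for line in text.splitlines():
        buf += line
        if len(line) == width:
            continue  # full-width line: the next line continues it
        out.append(buf)
        buf = ""
    if buf:
        out.append(buf)
    return out


def parse_icacls(text):
    """Return {path: [(principal, {flags}), ...]} from pasted ICACLS output.
    Assumes paths without spaces, as in the thread."""
    acls, current = {}, None
    for line in unwrap(text):
        if not line.strip() or PROMPT_RE.match(line) or line.startswith("Successfully"):
            current = None
            continue
        m = ACE_RE.search(line)
        if not m:
            continue  # error text such as: Invalid parameter "dat"
        if not line[0].isspace():  # the first ACE line also carries the file path
            current = line[:m.start("who")].rstrip()
            acls[current] = []
        if current is not None:
            acls[current].append((m["who"], set(re.findall(r"[A-Za-z]+", m["rights"]))))
    return acls


def unexpected_writers(acls):
    """List (path, principal) pairs where a non-TrustedInstaller principal can
    write to a System32 file. Other locations have no baseline here and are skipped."""
    findings = []
    for path, aces in acls.items():
        if "\\windows\\system32\\" not in path.lower():
            continue
        for who, flags in aces:
            if "DENY" in flags or not flags & WRITE:
                continue  # deny entries and read/execute-only grants are fine
            if who.upper() != TRUSTED:
                findings.append((path, who))
    return findings


if __name__ == "__main__":
    for path, who in unexpected_writers(parse_icacls(SAMPLE)):
        print(f"unexpected write access: {who} on {path}")
```
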
I'm confused:
http://www.sevenforums.com/performance-maintenance/339768-system-file-checker-errors-cbs-log.html

Maybe you're looking at this the wrong way.

See if a quick malware scan shows up anything: http://www.sevenforums.com/tutorials/339342-herdprotect-malware-detection.html
You don't need to analyze the output, please post a screen shot of the Scan results (if there are lots, just post the log in step 8).


Attached is the result of the Herdprotect scan:

HerdProtect Results.jpg

Is this an issue?
 

mpdrm files seem ok, they are most likely part of ClamAV, a free AV application - do you have that installed?

A lot of Open Source programs get flagged, so you have to check.

Only a few of the lower tier engines flagged it. You can leave all 3 in place.
 
