Suddenly Windows 7 is not genuine

[elimak]

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>NET START VSS
The Volume Shadow Copy service is starting.
The Volume Shadow Copy service was started successfully.


C:\Windows\system32>SC QC VSS
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: VSS
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Windows\system32\vssvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Volume Shadow Copy
DEPENDENCIES : RPCSS
SERVICE_START_NAME : LocalSystem

C:\Windows\system32>SC QUERYEX VSS

SERVICE_NAME: VSS
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 7012
FLAGS :

C:\Windows\system32>VSSADMIN LIST WRITERS
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2005 Microsoft Corp.


C:\Windows\system32>

 

[NoelDP]

OH DEAR!
I've only seen that once before - and palmed the 'client' off on the MS ITPro forum.....

Their response was
<quote>
I suggest you can try the following:

1. Re-registered the following DLLs.

a. Net stop vss
b. Net stop swprv
c. Go to system32 folder by typing
d. CD %systemroot%\system32

regsvr32 ole32.dll
regsvr32 vss_ps.dll
Vssvc /Register
regsvr32 /i swprv.dll
regsvr32 /i eventcls.dll
regsvr32 es.dll
regsvr32 stdprov.dll
regsvr32 vssui.dll
regsvr32 msxml.dll
regsvr32 msxml3.dll
regsvr32 msxml4.dll
regsvr32 Vssapi.dll
regsvr32 Vssui.dll
​

e. Net start vss
f. Net start swprv
​

2. Disable all security program (such as McAfee) to check whether this is the issue. 3. Test the issue in Clean Boot mode.
4. Refer to the following article to check the issue.
Event ID 8194

</quote>

Unfortunately, there was no feedback as to whether it worked or not.

 

[elimak]

I did all the tasks in 1.

this is the result:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>Net stop vss
The Volume Shadow Copy service is not started.

More help is available by typing NET HELPMSG 3521.


C:\Windows\system32>Net stop swprv
The Microsoft Software Shadow Copy Provider service is not started.

More help is available by typing NET HELPMSG 3521.


C:\Windows\system32>cd %systemroot%\system32

C:\Windows\system32>regsvr32 ole32.dll

C:\Windows\system32>regsvr32 vss_ps.dll

C:\Windows\system32>Vssvc /Register

C:\Windows\system32>regsvr32 /i swprv.dll

C:\Windows\system32>regsvr32 /i eventcls.dll

C:\Windows\system32>regsvr32 es.dll

C:\Windows\system32>regsvr32 stdprov.dll

C:\Windows\system32>regsvr32 vssui.dll

C:\Windows\system32>regsvr32 msxml.dll

C:\Windows\system32>regsvr32 msxml3.dll

C:\Windows\system32>regsvr32 msxml4.dll

C:\Windows\system32>regsvr32 Vssapi.dll

C:\Windows\system32>regsvr32 Vssui.dll

C:\Windows\system32>Net start vss
The Volume Shadow Copy service is starting.
The Volume Shadow Copy service was started successfully.


C:\Windows\system32>Net start swprv
The Microsoft Software Shadow Copy Provider service is starting.
The Microsoft Software Shadow Copy Provider service was started successfully.


C:\Windows\system32>

and the errors that showed up:

I am going to reboot and try 2. 3. and 4.

 

[elimak]

After reboot I am still running the same error when I try to create a restore point.

I am running Windows essential and I could not find how to deactivate it.

I dont really understand what to do with:
4. Refer to the following article to check the issue.
Event ID 8194

... Do you think you can help me further? This is bad, isn't it?

 

[NoelDP]

Interestingly I got axactly the same results in my test rig
Please run (Elevated Command Prompt)
VSSADMIN LIST WRITERS
after a reboot and see what it says now

 

[elimak]

It is not very talkative:

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>VSSADMIN LIST WRITERS
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2005 Microsoft Corp.


C:\Windows\system32>

 

[NoelDP]

OK
let's see if this does anything.
Open an Elevated COmmand Prompt, and run the following commands....

Net Stop Winmgmt
CD /D %Windir%\system32\wbem
Ren Repository Repository.old
Net Start Winmgmt

WAIT 10 minutes, then reboot.
Then try the VSSADMIN LIST WRITERS again - if you get any output this time, run another MGADiag report.

 

[elimak]

Ren Repository Repository.old
access is denied...

I still did the following requests and I am now waiting before reboot. Please let me know if I should cancel the procedure due the failure of command:
Ren Repository Repository.old

 

[NoelDP]

Interesting
please run the following command

ICACLS C:\Windows\System32\WBEM\Repository

post the results

 

[elimak]

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>ICACLS C:\Windows\System32\WBEM\Repository
C:\Windows\System32\WBEM\Repository BUILTIN\UsersRX)
BUILTIN\UsersOI)(CI)(IO)(GR,GE)
NT AUTHORITY\NETWORK SERVICER)
NT AUTHORITY\NETWORK SERVICEOI)(CI)(IO)(GR
)
No mapping between account names and securit
y IDs was done.
(R,W)
No mapping between account names and securit
y IDs was done.
(OI)(CI)(IO)(GR,GW)
BUILTIN\AdministratorsF)
BUILTIN\AdministratorsOI)(CI)(IO)(F)
NT AUTHORITY\SYSTEMF)
NT AUTHORITY\SYSTEMOI)(CI)(IO)(F)
OWNER RIGHTSOI)(CI)(IO)(Rc)

Successfully processed 1 files; Failed processing 0 files

C:\Windows\system32>

hehe. that's a lot of bad faces

 

[NoelDP]

That's normal - let's look at the files themselves....

ICACLS C:\Windows\System32\WBEM\Repository\*.*

 

[elimak]

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>ICACLS C:\Windows\System32\WBEM\Repository\*.*
C:\Windows\System32\WBEM\Repository\INDEX.BTR BUILTIN\UsersI)(RX)
NT AUTHORITY\NETWORK SERVICEI)(R
)
No mapping between account names a
nd security IDs was done.
(I)(R,W)
BUILTIN\AdministratorsI)(F)
NT AUTHORITY\SYSTEMI)(F)
OWNER RIGHTSI)(Rc)

C:\Windows\System32\WBEM\Repository\MAPPING1.MAP BUILTIN\UsersI)(RX)
NT AUTHORITY\NETWORK SERVICEI
)(R)
No mapping between account name
s and security IDs was done.
(I)(R,W)
BUILTIN\AdministratorsI)(F)
NT AUTHORITY\SYSTEMI)(F)
OWNER RIGHTSI)(Rc)

C:\Windows\System32\WBEM\Repository\MAPPING2.MAP BUILTIN\UsersI)(RX)
NT AUTHORITY\NETWORK SERVICEI
)(R)
No mapping between account name
s and security IDs was done.
(I)(R,W)
BUILTIN\AdministratorsI)(F)
NT AUTHORITY\SYSTEMI)(F)
OWNER RIGHTSI)(Rc)

C:\Windows\System32\WBEM\Repository\MAPPING3.MAP BUILTIN\UsersI)(RX)
NT AUTHORITY\NETWORK SERVICEI
)(R)
No mapping between account name
s and security IDs was done.
(I)(R,W)
BUILTIN\AdministratorsI)(F)
NT AUTHORITY\SYSTEMI)(F)
OWNER RIGHTSI)(Rc)

C:\Windows\System32\WBEM\Repository\OBJECTS.DATA BUILTIN\UsersI)(RX)
NT AUTHORITY\NETWORK SERVICEI
)(R)
No mapping between account name
s and security IDs was done.
(I)(R,W)
BUILTIN\AdministratorsI)(F)
NT AUTHORITY\SYSTEMI)(F)
OWNER RIGHTSI)(Rc)

Successfully processed 5 files; Failed processing 0 files

C:\Windows\system32>

 

[NoelDP]

Ok - I think I know what the problem is.... The files are in use
Now all I have to do is work out which service is using them

 

[NoelDP]

Nope - the only controlling service I cna find is the Winmgmt service.
Ah! I see the problem

Try this instead ...

Net Stop Winmgmt /Y
CD /D %Windir%\system32\wbem
Ren Repository Repository.old
Net Start Winmgmt

 

[elimak]

Access is still denied for Ren Repository Repository.old

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>Net Stop Winmgmt /Y
The Windows Management Instrumentation service is stopping.
The Windows Management Instrumentation service could not be stopped.


C:\Windows\system32>CD /D %Windir%\system32\wbem

C:\Windows\System32\wbem>Ren Repository Repository.old
Access is denied.

C:\Windows\System32\wbem>Net Start Winmgmt
The requested service has already been started.

More help is available by typing NET HELPMSG 2182.


C:\Windows\System32\wbem>

 

[NoelDP]

That's not the problem
The problem is that Winmgmt isn't allowing itself to be stopped.
let's see whether that can be fixed easily....

SC QC WINMGMT
SC QUERYEX WINMGMT
SC SDSHOW WINMGMT
SC QPRIVS WINMGMT
SC QSIDTYPE WINMGMT

post the results

 

[elimak]

C:\Windows\System32\wbem>SC QC WINMGMT
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: WINMGMT
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Windows\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Windows Management Instrumentation
DEPENDENCIES : RPCSS
SERVICE_START_NAME : localSystem

C:\Windows\System32\wbem>SC QUERYEX WINMGMT

SERVICE_NAME: WINMGMT
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 336
FLAGS :

C:\Windows\System32\wbem>SC SDSHOW WINMGMT

DA;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCR
RC;;;IU)(A;;CCLCSWLOCRRC;;;SU)SAU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\System32\wbem>SC QPRIVS WINMGMT
[SC] QueryServiceConfig2 SUCCESS

SERVICE_NAME: WINMGMT
PRIVILEGES :

C:\Windows\System32\wbem>SC QSIDTYPE WINMGMT
[SC] QueryServiceConfig2 SUCCESS

SERVICE_NAME: WINMGMT
SERVICE_SID_TYPE: UNRESTRICTED

C:\Windows\System32\wbem>

 

[NoelDP]

That all looks normal.

What happens if you try to stop the service while in Safe Mode?, or in a Clean Boot? How to perform a clean boot to troubleshoot a problem in Windows Vista or Windows 7

 

[elimak]

The command Ren Repository Repository.old was successful after a clean boot!

 

[NoelDP]

Ahah!
good - the obvious question then becomes what was blocking it.
More on that later.
reboot while still in 'clean boot', then reset the clean boot to normal and reboot again
what result do you get now from
VSSADMIN LIST WRITERS
?