You may be prompted to activate Windows Vista or Windows Server 2008 SP 1 or experience system lock out with SEP 12.1 on a computer on which Enterprise Volume License was already activated

Article:TECH181449  |  Created: 2012-02-14  |  Updated: 2012-09-28  |  Article URL http://www.symantec.com/docs/TECH181449
Article Type
Technical Solution



Issue



You may be prompted to activate Windows Vista or Windows Server 2008 SP 1 or experience system lock out with SEP 12.1 on a computer on which Enterprise Volume License was already activated.  When you apply Windows Vista SP 2 or Windows Server 2008 SP 2 the issue goes away. 


Error



You may experience the following messages and be unable to log in to the machine:

"An unauthorized change has been made to Windows."
ERROR TEXT: 0xC004D401 - The security processor reported a system file mismatch error.

Event ID 4102
Source Winlogon
Windows License is invalid. Error 0xC004F027.  Policy value 0x00000000.

&

Event ID 4103
Source Winlogon
Windows License Activation Failed.  Error 0x00000000.


Environment



  • Vista 32-bit and Vista 64-bit SP 1 and SEP 12.1.x
  • Vista SP 1 with Enterprise Volume Licensing
  • Windows 2008 SP 1 32 bit and 64 bit
  • Standard or Enterprise Volume licensing.
     

Cause



This issue can occur when Application and Device Control is enabled with a policy that prevents modification of system files. In most cases the default policy 'prevent modification of system files' is enabled; however, custom-created policies may also cause the error.

The Application and Device Control portion of SEP 12.x is controlled by Sysplant.sys, which injects Sysfer.dll into all running processes. Prior to Service Pack 2 for Windows Vista and Windows Server 2008, Microsoft had an integrity check on the Windows licensing service Slsvc.exe, which would trigger the error when Sysfer.dll is injected into Slsvc.exe. Microsoft has relaxed this integrity check in Service Pack 2 for Windows Vista and Windows Server 2008.

 


Solution



Because Sysfer.dll injects itself into Slsvc.exe, customers can do one of the following to resolve the issue:

  1. Withdraw the Application and Device Control policy. Once the client receives the new policy, the machine must be rebooted for the policy to take effect.
  2. Apply Service Pack 2 for Windows Vista or Windows Server 2008.

NOTE: Windows 2008 SP 1 is no longer supported as of July 11 2011 and Windows Vista SP 1 is no longer supported as of July 12 2011.

  3. Create an Application Control exception for c:\windows\system32\slsvc.exe, which will prevent Sysfer.dll from injecting into Slsvc.exe. Once the client receives the new policy, the machine must be rebooted for the policy to take effect.
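
To find machines that match the conditions described in this article before or after applying one of the fixes, the following PowerShell check can be used. It is an added example, not Symantec code. Assumptions: the Sysplant.sys driver is registered under the service name "SysPlant", and the Winlogon events 4102 and 4103 are written to the Application log.

```powershell
# Added example: flags a host that matches the conditions in this article.
# PowerShell 2.0 syntax, so it also runs on Windows Vista / Server 2008.
function Test-SlsvcActivationRisk {
    param([string]$ComputerName = '.')

    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName

    # Vista and Server 2008 both report version 6.0.x. The article limits the
    # issue to SP 1 and states that SP 2 makes it go away.
    $isAffectedOs = ($os.Version -like '6.0.*') -and ($os.ServicePackMajorVersion -eq 1)

    # Assumption: the Sysplant.sys driver is registered under the service
    # name "SysPlant". A running driver is used here as a proxy for
    # Application and Device Control being active on the client.
    $driver = Get-WmiObject -Class Win32_SystemDriver -ComputerName $ComputerName `
                  -Filter "Name='SysPlant'"
    $sysplantRunning = ($driver -ne $null) -and ($driver.State -eq 'Running')

    # Winlogon events quoted in the Error section. Assumption: they are
    # written to the Application log; the wildcard covers source-name variants.
    $events = @(Get-EventLog -LogName Application -Source '*Winlogon*' `
                    -ComputerName $ComputerName -ErrorAction SilentlyContinue |
                Where-Object { 4102, 4103 -contains $_.EventID })

    New-Object PSObject -Property @{
        Computer        = $os.CSName
        OsVersion       = $os.Version
        ServicePack     = $os.ServicePackMajorVersion
        SysplantRunning = $sysplantRunning
        LicensingEvents = $events.Count
        AtRisk          = $isAffectedOs -and $sysplantRunning
    }
}

# Check the local machine; pass -ComputerName to query a remote host over WMI.
Test-SlsvcActivationRisk | Format-List
```

A host reporting AtRisk as True with a non-zero LicensingEvents count has already hit the activation error; AtRisk as True with zero events indicates a machine where the exception or SP 2 should be applied before the next reboot.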


