Today, Henry Chen and I are going to talk about troubleshooting some activation issues that we often run into.
Now, let’s jump into some common activation scenarios.
Scenario 1 – Security Processor Loader Driver
1. You get an error 0x80070426 when you try to activate a Windows 7 SP1 or a Windows Server 2008 R2 SP1 KMS client by running slmgr /ato.
When you try to start Software Protection services, you will see this popup error.
If you review the Application Event log, you will see the Event 1001.
Event ID: 1001
Description: The Software Protection service failed to start. 0x80070002
To resolve this, make sure the Security Processor Loader Driver is started.
- Go to Device Manager.
- Click on View — > Show hidden devices
- Drop down Non-Plug and Play Drivers
In this case, it is disabled. It could be either Automatic, Demand or System, but not started.
If it’s other than Boot, change the startup type to Bootand then start the driver.
You could also as shown below change it from the registry by browsing to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\spldrand change the start value to 0 and reboot.
If it fails to start, uninstall and re-install the driver and reboot your machine. In almost every case that we have seen, reinstalling the driver fixes the issue (i.e. you are able to start the driver).
Once it’s started, you will be able to start Software Protection Service and then activate Windows successfully.
Scenario 2 – Plug & Play
When trying to activate using slmgr /atoyou get the following error even when running the command elevated:
Windows Script Host
Activating Windows Server(R), ServerStandard edition (68531fb9-5511-4989-97be-d11a0f55633f) …Error: 0x80070005 Access denied: the requested action requires elevated privileges
And the below is shown when you try to display activation information using slmgr /dlv
Windows Script Host
Error: Permission denied
Source: Microsoft VBScript runtime error
We do have an article
which talks about the cause of the issue. While missing permission is the root cause, we have seen instances where GPO is not enabled and the permission does not seem to be correct. We also have a
written by our office team member on how to set the permissions using command line which we have found to be useful. We often combine both these articles to resolve issues.
First, to verify you have the right permissions, run the below command.
sc sdshow plugplay
Below is how the correct permissions should look like:
On Windows 7 SP1 or Windows Server 2008 R2 SP1
(A;;CCLCSWLOCRRC;;;SU) <——– This is the permission that seems to be missing in almost all instances.
On a broken machine this is what we see.
In order to set the correct permissions, run the following command as given in the blogfor Office:
sc sdset plugplay D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
Then run sc sdshow plugplayto make sure the permissions have been set. Once they are set, you will be able to activate Windows successfully.
There also have been instances where we have seen combination of 1 and 2, so you might have to check if spldr driver is started as well as permission on plugplayservice.
On Windows Server 2012 R2
When you run slmgr /atoyou get the below error on a machine that is domain joined. The other commands like slmgr /dlv works.
Windows Script Host
Activating Windows(R), ServerDatacenter edition (00091344-1ea4-4f37-b789-01750ba6988c) …
Error: 0x80070005 Access denied: the requested action requires elevated privileges
This happens when SELFaccount is missing access permission on COM Security.
To add the permission back, type dcomcnfgon the RUN box and hit OK.
Under Component Services, expand Computers, right-click My Computer, and then click Properties.
Click the COM Security tab, and then click Edit Default under Access Permissions.
If SELF does not appear in the Group or user names list, click Add, type SELF, click Check Names, and then click OK.
Click SELF, and then click to select the following check boxes in the Allowcolumn:
· Local Access
· Remote Access
Then click OK on Access Permission and then OK on My Computer Properties.
Reboot the machine.
Scenario 3 – Read-only attribute
As in scenario 1, we may get error 0x80070426, where a user gets the following when trying to activate Windows 2008 R2 SP1 or Windows 7 SP1.
When trying to Start Software Protectionservice, you get an access is denied error message.
To get more details on the error, we open the Application Event Log which shows the following error:
Event ID: 1001
Description: The Software Protection service failed to start. 0xD0000022
To resolve this issue, browse to %windir%\system32 and make sure the following files have the file attribute Read-Onlyunchecked.
Software Protectionservice should start now.
Scenario 4 – Troubleshooting with Procmon
Here, we will give an idea on how to use Procmonto troubleshoot activation issue.
Windows Server 2012 R2
On a Windows Server 2012 R2 server, when we try to run any slmgrswitches, we get the error below.
When you try to start Software Protection service we get the following error.
Launch process monitor and stop the capture by click on the Captureicon.
Click on the Filtericon.
Choose Process Name, is, type sppsvc.exe (Software Protection Service) and click Add
We will add another Filter. So choose Result, contains, denied and click Add then OK.
Start the capture by clicking on the Capture icon as shown above and start the Software Protectionservice.
Once you get the error, we should see entries similar to what is shown below. In this case it’s a folder but could be a registry path too based on where we are missing permissions.
As per the result, looks like we have permission issue on C:\Windows\System32\spp\store\2.0. We could be missing permissions on any of the folders in the path.
Usually we start with the last folder so in this case it would be 2.0.
Comparing permissions on broken machine (Left) and working machine (Right) we can see that sppsvcis missing.
As you already guessed, the next step is to add sppsvcback and give it full control.
Click on Edit and from Locations choose your local machine name, then under Enter the object names to select type NT Service\sppsvc and click on Check Names then OK.
Make sure you give the service account Full control and click OK on the warning message and OKto close the Permissions box.
Now try starting the Software Protection service and it should start successfully and you will be able to successfully activate Windows.
We hope this blog was useful in troubleshooting some of your activations issues.