Troubleshooting Activation Issues

Today, Henry Chen and I are going to talk about troubleshooting some activation issues that we often run into.

To begin, here is an article which talks about what Microsoft Product Activation is and why it is important. Also, thisarticle explains KMS Activation.

Now, let’s jump into some common activation scenarios.

Scenario 1 – Security Processor Loader Driver

1. You get an error 0x80070426 when you try to activate a Windows 7 SP1 or a Windows Server 2008 R2 SP1 KMS client by running slmgr /ato.

clip_image002

When you try to start Software Protection services, you will see this popup error.

clip_image004

If you review the Application Event log, you will see the Event 1001.

Source:  Microsoft-Windows-Security-SPP
Event ID:  1001
Level:  Error
Description:  The Software Protection service failed to start. 0x80070002

To resolve this, make sure the Security Processor Loader Driver is started.

  1. Go to Device Manager.
  2. Click on View — > Show hidden devices
  3. Drop down Non-Plug and Play Drivers

clip_image006

clip_image008

In this case, it is disabled.  It could be either Automatic, Demand or System, but not started.

clip_image010

If it’s other than Boot, change the startup type to Bootand then start the driver.

You could also as shown below change it from the registry by browsing to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\spldrand change the start value to 0 and reboot.

clip_image012

If it fails to start, uninstall and re-install the driver and reboot your machine. In almost every case that we have seen, reinstalling the driver fixes the issue (i.e. you are able to start the driver).

Once it’s started, you will be able to start Software Protection Service and then activate Windows successfully.

Scenario 2 – Plug & Play

When trying to activate using slmgr /atoyou get the following error even when running the command elevated:

—————————
Windows Script Host
—————————

Activating Windows Server(R), ServerStandard edition (68531fb9-5511-4989-97be-d11a0f55633f) …Error: 0x80070005 Access denied: the requested action requires elevated privileges

—————————
OK  
—————————

And the below is shown when you try to display activation information using slmgr /dlv

—————————
Windows Script Host
—————————

Script: C:\Windows\system32\slmgr.vbs
Line:   1131
Char:   5
Error:  Permission denied
Code:   800A0046
Source: Microsoft VBScript runtime error

—————————
OK  
—————————

We do have an article

KB2008385

which talks about the cause of the issue. While missing permission is the root cause, we have seen instances where GPO is not enabled and the permission does not seem to be correct. We also have a

blog

written by our office team member on how to set the permissions using command line which we have found to be useful. We often combine both these articles to resolve issues.

First, to verify you have the right permissions, run the below command.

sc sdshow plugplay

Below is how the correct permissions should look like:

On Windows 7 SP1 or Windows Server 2008 R2 SP1

D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)
(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)
(A;;CCLCSWLOCRRC;;;IU)
(A;;CCLCSWLOCRRC;;;SU) <——– This is the permission that seems to be missing in almost all instances.
S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

On a broken machine this is what we see.

D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)
(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)
(A;;CCLCSWLOCRRC;;;IU)
S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

In order to set the correct permissions, run the following command as given in the blogfor Office:

sc sdset plugplay D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

Then run sc sdshow plugplayto make sure the permissions have been set. Once they are set, you will be able to activate Windows successfully.

There also have been instances where we have seen combination of 1 and 2, so you might have to check if spldr driver is started as well as permission on plugplayservice.

On Windows Server 2012 R2

When you run slmgr /atoyou get the below error on a machine that is domain joined. The other commands like slmgr /dlv works.

—————————
Windows Script Host
—————————

Activating Windows(R), ServerDatacenter edition (00091344-1ea4-4f37-b789-01750ba6988c) …

Error: 0x80070005 Access denied: the requested action requires elevated privileges

—————————
OK
—————————

This happens when SELFaccount is missing access permission on COM Security.

To add the permission back, type dcomcnfgon the RUN box and hit OK.

clip_image014

Under Component Services, expand Computers, right-click My Computer, and then click Properties.

clip_image016

Click the COM Security tab, and then click Edit Default under Access Permissions.

clip_image018

If SELF does not appear in the Group or user names list, click Add, type SELF, click Check Names, and then click OK.

clip_image020

Click SELF, and then click to select the following check boxes in the Allowcolumn:

· Local Access

· Remote Access

clip_image022

Then click OK on Access Permission and then OK on My Computer Properties.

Reboot the machine.

Scenario 3 – Read-only attribute

As in scenario 1, we may get error 0x80070426, where a user gets the following when trying to activate Windows 2008 R2 SP1 or Windows 7 SP1.

clip_image024

When trying to Start Software Protectionservice, you get an access is denied error message.

clip_image026

To get more details on the error, we open the Application Event Log which shows the following error:

Source: Microsoft-Windows-Security-SPP
Event ID: 1001
Level: Error
Description: The Software Protection service failed to start. 0xD0000022
6.1.7601.17514

To resolve this issue, browse to %windir%\system32 and make sure the following files have the file attribute Read-Onlyunchecked.

7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

clip_image028

Software Protectionservice should start now.

Scenario 4 – Troubleshooting with Procmon

Here, we will give an idea on how to use Procmonto troubleshoot activation issue.

Windows Server 2012 R2

On a Windows Server 2012 R2 server, when we try to run any slmgrswitches, we get the error below.

clip_image030

When you try to start Software Protection service we get the following error.

clip_image032

Launch process monitor and stop the capture by click on the Captureicon.

clip_image034

Click on the Filtericon.

clip_image036

Choose Process Name, is, type sppsvc.exe (Software Protection Service) and click Add

clip_image038

We will add another Filter. So choose Result, contains, denied and click Add then OK.

clip_image040

Start the capture by clicking on the Capture icon as shown above and start the Software Protectionservice.

Once you get the error, we should see entries similar to what is shown below. In this case it’s a folder but could be a registry path too based on where we are missing permissions.

clip_image042

As per the result, looks like we have permission issue on C:\Windows\System32\spp\store\2.0. We could be missing permissions on any of the folders in the path.

Usually we start with the last folder so in this case it would be 2.0.

Comparing permissions on broken machine (Left) and working machine (Right) we can see that sppsvcis missing.

clip_image044

clip_image046

As you already guessed, the next step is to add sppsvcback and give it full control.

Click on Edit and from Locations choose your local machine name, then under Enter the object names to select type NT Service\sppsvc and click on Check Names then OK.

clip_image048

Make sure you give the service account Full control and click OK on the warning message and OKto close the Permissions box.

clip_image050

Now try starting the Software Protection service and it should start successfully and you will be able to successfully activate Windows.

We hope this blog was useful in troubleshooting some of your activations issues.

Saurabh Koshta
Henry Chen