1

A few days ago, for no apparent reason, my Windows 10 machine, in the middle of work, started to stutter and eventually came to a stop with a blue screen. After the BSOD reboot it refused to boot: it would not reach the Windows logo phase, nor would F8 work; instead it entered an endless "Windows needs to be repaired" boot loop. Whatever repair I attempted, like fixmbr, fixboot, the usual stuff to fix boot issues, the machine would not boot any more but always ended up in the repair console. Using a Linux live installation I ruled out a hardware defect or a virus infection. Finally I decided to go with the repair option "Re-install Windows from local source, remove applications, keep user data" (actual text may vary slightly, my language version is German, and I didn't take notes).

After this, my machine booted like a charm, a quick check of the network settings (IPv4 and IPv6 and DNS) showed everything OK, and I started to pull together my user data (despite what MS claims, a lot was lost, e.g. all my mails, because they were, for unknown reasons, removed from my user profile and moved to a useless hidden folder underneath \windows.old), but I could restore most from there and I have backups.

Otherwise most seemed OK, my old login/account is working, Documents folder and all contents was retained, and the Microsoft Account the machine was linked to is still visible in control panel, and takes me to the website which works. OneDrive seems to work correctly too.

First oddities occurred when I was not able to install certain programs, e.g. Java, Minecraft and MS Teams. Others, like Skype, and a handful of other Applications I need installed with no issues. The ones which didn't crashed with absurd messages all stating in one way or another that I was not connected to the Internet, though I clearly was. I could install Java using the offline package.

Digging deeper I found that the machine has lost its activated license (it was a perfectly legal Windows 7 installation upgraded to Windows 10 years ago), and would not activate over the internet again, despite the fact that the machine is still listed in my Microsoft account with a "last seen" date showing the day of the fatal crash.

Usually I track licensing issues with the slmgr tool (in a command line with admin privileges), but the tool fails any command with "Access denied".

I also noted that Windows Update does fail to check for new updates, and the sppsvc service cannot start ("Access denied"). Fatal errors from the "Software Protection Service" ("Access Denied") pile up in my Eventlog.

Tracing connections with Wireshark I noticed that all connection failures are accompanied by errors connecting to socket 443 (ssl) on Microsoft servers.

Furthermore many (say 50%) of websites I tried to browse would either fall back to http or refuse a connection entirely because https was mandatory. This made me look into the certificate store, and I found lots of expired root certificates, some with alarming names, like "Microsoft Root Certificate Authority" (expired 2021-5-10) and "Microsoft Root Authority" (2020-12-31) and "Microsoft Authenticode(tm) Root Authority" (2000-01-01). I also noted that the Microsoft Console fails to validate certificates (Status is always empty), and I found no way to try to renew a CRL or any certificate using the Certificates Console.

This is where I am right now, and I am unsure what to try next. Trying to talk to Microsoft, like usual, was a waste of time. Unless one pays for a $$.$$$ Premium Support service, they are regularly unable to solve anything but the most trivial problems. They are especially unable and/or unwilling to track any issues with their license checks. In this case, they immediately hung up the phone on me, and attempts to use their communities revealed just a lot of advice from people who did obviously just try to stab in the dark, or give obviously wrong advice.

There surely is a problem with the license code/activation. I cannot provide a Windows 10 code, because I was never given one; remember, this machine was legally updated from Windows 7, and the Windows 7 code which I still have won't work with a Windows 10 activation. I could reward Microsoft for the arrogant attitude they regularly show against legit customers and their hostile license enforcement system, by shoving another approx €234 in their **** to repay for a license I already have paid for, but probably waste the money because I then find out that the activation issue is a follow-up problem of some underlying communication problem, probably caused by invalid certificates required to establish a secure connection for the license check.

The other way could be to renew the CRL and all System certificates, but the usual way using Windows Update doesn't seem to work, and I found no package containing all the current certificates for download and offline install.

And there is a high probability that I am dealing with more than one problem, and that the problems I have already identified are neither all of them, nor are they the cause of the problems I face.

I'd be really grateful for advice and experience from you how I must

a) accurately troubleshoot this problem to find out where exactly the problems stem from: missing activation, certificates outdated, or something different

b) fix it.

Thnx for reading this quite long post, and trying to help, if you need more diagnostics please let me know what you need.

The machine is on Windows 10 x64 version 2004 (10.0.19041.985).

Greetings from Germany,

Armin.

Edit: to keep me busy, I followed leads on how to deal with the sppsvc service not starting with "Access denied". One led to checking the permissions (make sure network services have Read permissions) of the folder `C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionFolder`. The folder does not exist on my system (system and hidden folder display is on). According to sources, it should contain a file named `tokens.dat`, but there isn't such a file. A file with that name is contained in `C:\Windows\System32\spp\store\2.0`. Folder name looks somewhat similar. Permissions on that folder are System:F, Administrators:F, NT Service\sppsvc:F, Users:R. Did Microsoft move the folder?

Nimral
  • Newest version isn’t 2004 it’s 21H1 or 20H2; Windows 10 absolutely will activate with a Windows 7 license code (the one printed on the COA located on your device). You don’t mention the reason you were unable to install Java; [ShowKeyPlus](https://github.com/Superfly-Inc/ShowKeyPlus/releases) is the only tool I would use to determine if the license key was the proper generic key that should be used when a system is upgraded to Windows 10 from Windows 7; You certainly CAN upgrade to 21H1 just use the Upgrade Assistant to do so. – Ramhound Jun 09 '21 at 10:36
  • [Upgrade Assistant Tool](https://support.microsoft.com/en-us/topic/windows-10-update-assistant-3550dfb2-a015-7765-12ea-fba2ac36fb3f) – Ramhound Jun 09 '21 at 10:37
  • Java can be installed from two packages, one will only install a loader and fetch the actual installation after started, the other one is a complete offline package. The online package did obviously have the same connection issues like many other packages trying to load files in the background have, the offline package installed all right. – Nimral Jun 09 '21 at 10:39
  • If I enter the Windows 7 key, the activation dialog comes back within a split second saying that the key was invalid. If I enter a different key I have bought for my spouse's computer some time ago I get an hourglass and then it says that the code doesn't work, the error is 0xc0000022, which is, AFAIK, "Access denied". And whenever I try to activate, I notice 443 socket errors in Wireshark. – Nimral Jun 09 '21 at 10:49
  • The Upgrade Assistant Tool can be downloaded via browser, when executed says my computer hardware checked ok, and then fails with error 0x80072f8f when trying to download more files. Tells me to check the network settings (...) or contact Microsoft Support (gnarl). – Nimral Jun 09 '21 at 11:01
  • Alright; Download the ISO for [21H1](https://superuser.com/questions/1108085/where-can-i-get-a-clean-iso-of-a-specific-build-of-windows-10) this will bypass SSL checks, allowing you to update your system and solve the certificate issue; I assume you are NOT running on the current cumulative update for 2004? All the information in your comments should be an edit to your question, commentary is temporary. – Ramhound Jun 09 '21 at 11:40
  • I suspect once you fix the certificate store issue you will easily solve the activation issue – Ramhound Jun 09 '21 at 11:45
  • @Nimral BSODs don't occur because of a boot issue _(why `BootRec` wouldn't fix it)_ and will state what the error is prior to rebooting. Windows 10 activates via Windows Update and Windows always moves an existing install into `Windows.old` upon Clean Installing w/o formatting. You have expired CAs because they were current at the time the `install.esd`/`.wim` was compiled [April 2020] and if you can't run Windows Update, they can't be updated. There are only three things that would cause the issues you're having: hardware (such as a failing drive), corrupt install ISO, or virus/malware – JW0914 Jun 09 '21 at 12:53
  • @Nimral _When crafting long questions/answers, markdown becomes vital to readability, such as bullets, numbered lists, etc., as your question, in its current format, is taxing to digest and reference back._ – JW0914 Jun 09 '21 at 12:54
  • Always trying to give as much info as I have, sorry. Ramhound (see above) asked me to edit the question, if I have more information. You think there is too much info in it now, and suggest markdown? What's the appropriate way to deal with new findings after the initial post, and how would markdown help? Maybe there is a FAQ, or you can provide a link to a not so easy to resolve question requiring some information transfer going back and forth, where I can see how markdown was used to make it more readable? – Nimral Jun 09 '21 at 13:13
  • Windows Repair, as I found out, does also move part of the user profile (%appdata% and some of its subfolders to be specific), which, IMHO, is an exceptionally bad idea and contradicts their statement to keep *all* user data. Anyway, I could recover my data from there, but also found alarming hints that the moved "appdata" folder does also contain certificate stores ... – Nimral Jun 09 '21 at 13:27
  • I started to mess with boot repair because, after the machine was shut down by a BSOD, it would not boot any more. No Windows logo, no more BSOD, it just kept endlessly booting into the repair console. I thought that the most likely cause could be that the BSOD damaged the boot environment. At least the Windows logo should appear, shouldn't it? – Nimral Jun 09 '21 at 13:31
  • Several offline virus scans with recent signature databases found no malware. – Nimral Jun 09 '21 at 13:34

1 Answer

0

Finally I got progress.

I did like Ramhound suggested and tried to use the Upgrade Assistant tool. Unfortunately, after downloading and starting, it tries to get an activation code from me. None of the various codes I tried worked. I could then skip this step, after which the tool tried to load something from Microsoft, an EULA I guess. Since, like already stated, this machine was not able to communicate with any Microsoft server through SSL, this is where the game ended and I got more "smart tips" to check my Internet connection or contact my Administrator (talk to myself !?) or call Microsoft Support. Nah.

Next attempt was to download the latest 21H1 update ISO from somewhere and install offline, so nothing needs to be loaded in the background. Remember, I can download any file via the browser, it's "only" installers and services loading files in the background (from the Microsoft CDN?) which fail. I followed numerous links claiming to lead to the full ISO in some way, but I always ended at something telling me that my only option was to get the version via Windows Update, since I am not an "Enterprise Customer", but as already mentioned, the Windows Update service was unable to communicate too. I found no source where I could download the ISO file directly. Stalemate.

Finally I remembered I had subscribed to the "Windows Insider" program years ago, and there you can indeed download the last preview (Release Candidate, Build 19043.928) of the 21H1 version in ISO format, which, for my purposes, was as suitable as the final Release build. I downloaded the 5.6GB file via the browser (which works via Firefox), installed it in Update Mode over my non-working Windows 10 from the ISO, and after a couple of reboots, gee, suddenly everything fell into place by itself: all of a sudden my machine was activated again, my license code was valid again, I could install whatever program I liked, including Teams and Minecraft and others which try to load files from Microsoft servers in the background, no more errors in the eventlog, guess the installation fixed the problem the repair has caused.

Regarding the non-existing `tokens.dat` in `C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionFolder`: the directory doesn't exist on the now working 21H1 machine as well, so it seems any information trying to mess with `tokens.dat` in that directory is wrong or at least outdated.

Since Windows Update recovered too I was finally able to pull in the Release Version of Windows 10 21H1 (10.0.19043.1052) via Windows Update.

Looking into the certificate store I found that many certificates, including the suspicious-looking ones from above, are still expired; this seems to be normal. Whatever caused secure communication to break, it seems it was not the certificates.

Anyway, though the root problem was not found, I got my machine into a working state again, thanks to all who tried to help, and for your patience.

Armin.

Nimral
  • When crafting long questions/answers, markdown becomes vital to readability, such as bullets, numbered lists, etc., otherwise they become taxing to digest and reference back. Please also use correct markdown for `monospaced` code _(code, filenames, paths, etc.)_ – JW0914 Jun 14 '21 at 13:31
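
The following PowerShell is an added example, not part of the original question, answer or comments. It separates the suspects named in the question: it lists expired roots in the machine store, performs a TLS handshake on port 443 and builds the server's chain against the local store, and shows the state of `sppsvc` and the Windows Update service. The default host name and the `wuauserv` service name are assumptions; the page does not name the servers that failed.

```powershell
# Added example (run in an elevated Windows PowerShell). $HostName is an assumed
# default; substitute the server seen failing in the Wireshark trace.
param([string]$HostName = 'www.microsoft.com', [int]$Port = 443)

# 1. Expired roots in the machine store. Healthy systems keep old roots too,
#    so this list is context, not proof of a fault.
$now = Get-Date
$expired = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.NotAfter -lt $now }
"Expired roots in LocalMachine\Root: $(@($expired).Count)"
$expired | Sort-Object NotAfter | Select-Object Subject, NotAfter | Format-Table -AutoSize

# 2. TLS handshake. The callback accepts any certificate so the handshake
#    completes and the chain can be inspected; diagnostic use only.
$ssl = $null
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($HostName, $Port)
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($HostName)
    "Handshake OK with ${HostName}:$Port, protocol: $($ssl.SslProtocol)"

    # Build the presented chain against the local store and report each problem.
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    "Chain valid against local store: $($chain.Build($cert))"
    foreach ($s in $chain.ChainStatus) { "  $($s.Status): $($s.StatusInformation.Trim())" }
    foreach ($e in $chain.ChainElements) {
        "  {0} (expires {1:yyyy-MM-dd})" -f $e.Certificate.Subject, $e.Certificate.NotAfter
    }
} catch {
    # A failure here, with a valid chain elsewhere, points at transport or
    # protocol negotiation rather than at the root store.
    "TCP/TLS failure: $($_.Exception.GetBaseException().Message)"
} finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Close()
}

# 3. Services named in the question, plus the clock that certificate validity
#    periods are evaluated against.
Get-Service sppsvc, wuauserv | Select-Object Name, Status, StartType | Format-Table -AutoSize
"Local clock (UTC): $((Get-Date).ToUniversalTime().ToString('u'))"
```

If the handshake succeeds and the chain builds while expired roots are still listed, the expired entries are not what is breaking the connection, which matches what the answer observed on the repaired 21H1 install.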