[Resolved] Non-Genuine Microsoft Security Essentials
June 25, 2011 3 Comments
Microsoft Security Essentials not genuine
In rare cases, Microsoft Security Essentials fails the Windows validation check. Usually this is due to a corrupt data.dat file or incorrect security permissions on that file.
Summary
- Platform: Windows XP Home.
- Problem: Microsoft Security Essentials would not pass Windows Genuine Advantage validation even though Windows was already validated.
- Resolution: Granted the “Everyone” group Read and Execute permissions on the MsseWAT.dll and LegitLib.dll files in C:\Program Files\Microsoft Security Client.
Full Solution
I regard Microsoft Security Essentials as a very good anti-malware application. It’s free, fast and relatively unobtrusive. It picks up a lot of malware, and its graphical interface is clean and intuitive.
Recently, a customer of ours needed help. His Security Essentials was failing the Windows genuine validation check. If Security Essentials fails the validation check, its interface will turn red, the real-time protection will turn off, and the anti-virus definitions will not update, as you can see below.
Microsoft Security Essentials failing Windows genuine validation
Windows XP in the process of validation.
MGADiag showing that Windows XP passes validation.
I first turned to Process Explorer. When I ran the Security Essentials validation check, I noticed that, just before the Security Essentials window went red, MpCmdRun.exe was spawned as a child process of MsMpEng.exe, the main Security Essentials engine.
Setting a filter on MpCmdRun.exe
I next turned to Process Monitor, and created a filter on MpCmdRun.exe:
Then I started capturing events with Process Monitor and I reran the Security Essentials validation check.
Now, Process Monitor takes some experience to use. It can be like looking for a needle in a haystack if you’re not sure what you are looking for. There were a lot of events recorded, but I could not find anything that immediately stood out.
However, I did notice one thing: MpCmdRun.exe was writing to a log file called MpCmdRun.log in the NetworkService temp directory:
MpCmdRun.exe writing to MpCmdRun.log
This file is part of Windows Genuine Advantage, although it is included only with Security Essentials, and it’s not part of the operating system.
According to Microsoft at http://support.microsoft.com/kb/947821, error 0x80092003 means an error is occurring while reading from or writing to a file. Either the file is locked by another process, or access to it is being denied.
MpCmdRun.log: Error 0x80092003 when verifying mssewat.dll
MpCmdRun.exe denied access to MsseWat.dll
MpCmdRun.exe was trying to query the MsseWat.dll file and was denied access. This was definitely a permissions issue. I had to restart into safe mode to check and fix the permissions of this file.
Adding the Everyone group read and execute access to MsseWat.dll
Once in safe mode, a check of the permissions on MsseWat.dll showed that the Administrators group had Read and Execute permission, and the System group had full control. Nothing looked untoward; however, I added the Everyone group and gave it Read and Execute permissions, as shown below.
I then restarted back into normal mode and opened Security Essentials. This time the interface was orange, not red, meaning that real-time protection was on, but that it would shortly be disabled if I did not validate Windows. However, it still would not validate when I clicked on the Run validation check link!
Setting an access denied filter with Process Monitor
Again I turned to Process Monitor and reran Security Essentials; this time I set a filter on the ACCESS DENIED result, as shown below.
The Process Monitor results this time showed another file with an access denied error; this time it was LegitLib.dll: C:\Program Files\Microsoft Security Client\LegitLib.dll
Again, this file is part of Windows Genuine Advantage, but it’s only included with Security Essentials.
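The ACCESS DENIED filter used above can also be applied offline to a capture saved from Process Monitor as CSV, which lists every denied file in one pass. This is an added example, not part of the original post: the column names assume Process Monitor's default CSV export, and the sample rows (including the log path) are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows; columns assume Process Monitor's default CSV export.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.10","MsMpEng.exe","1180","Process Create","C:\Program Files\Microsoft Security Client\MpCmdRun.exe","SUCCESS","PID: 2404"
"10:01:02.31","MpCmdRun.exe","2404","WriteFile","C:\Documents and Settings\NetworkService\Local Settings\Temp\MpCmdRun.log","SUCCESS","Length: 96"
"10:01:02.40","MpCmdRun.exe","2404","QueryOpen","C:\Program Files\Microsoft Security Client\MsseWat.dll","ACCESS DENIED",""
"10:01:02.41","MpCmdRun.exe","2404","CreateFile","C:\Program Files\Microsoft Security Client\mssewat.dll","ACCESS DENIED","Desired Access: Generic Read"
"10:01:02.55","MpCmdRun.exe","2404","CreateFile","C:\Program Files\Microsoft Security Client\LegitLib.dll","ACCESS DENIED","Desired Access: Generic Read"
"10:01:03.02","explorer.exe","1640","CreateFile","C:\System Volume Information","ACCESS DENIED","Desired Access: Read Attributes"
'''


def denied_paths(csv_text, process_name):
    """Return {path: {operations}} for every ACCESS DENIED event of one process."""
    denied = defaultdict(set)
    # Strip a leading BOM in case the text was read without utf-8-sig.
    reader = csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff")))
    for row in reader:
        if row["Process Name"].lower() != process_name.lower():
            continue  # event belongs to another process
        if row["Result"].strip().upper() != "ACCESS DENIED":
            continue  # successful or otherwise uninteresting event
        # NTFS paths are case-insensitive, so fold case to merge
        # MsseWat.dll and mssewat.dll into a single entry.
        denied[row["Path"].lower()].add(row["Operation"])
    return dict(denied)


def report(csv_text, process_name):
    """Return one sorted line per denied path, ready to print."""
    hits = denied_paths(csv_text, process_name)
    return [f"{path}  ({', '.join(sorted(ops))})" for path, ops in sorted(hits.items())]


if __name__ == "__main__":
    for line in report(SAMPLE_CSV, "MpCmdRun.exe"):
        print(line)
```

Each path in the output is a file whose permissions are worth inspecting for the account the process runs under.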
The case was closed, the problem solved. As to what caused the problem in the first place, that is unknown, but issues like this happen all the time.
I hope this post has been informative and educational. And if you learned something from this, or it helped you solve a similar issue, then please leave a comment or drop me a line.
Thank you so much. I had the same problem, but on Vista; nonetheless I was able to do as described, but I only had to do it for the MsseWat.dll file. I didn’t even have to use safe mode; I just clicked edit under the safety tab, and then gave full control to users.
Excellent detail. Thanks a lot. Worked fine!
I’ve tried everything unsuccessfully on Windows XP (SP3) and have now read your tutorial; it didn’t work for me either.
One thing even you didn’t notice is that every time Windows starts, the [%ALLUSERSPROFILE%\Application Data\Windows Genuine Advantage\Data\data.dat] file is created automatically, and then MSE shows that message about validation and turns orange again. It should be found out what process is creating the “data.dat” file after deleting it, and how to stop that file from being created again.
And by the way you also didn’t mention what version of MSE you used?
Thanks for the guide, this is the closest so far I must say.