[Resolved] Non-Genuine Microsoft Security Essentials


Microsoft Security Essentials not genuine

In rare cases, Microsoft Security Essentials fails the Windows validation check. Usually this is due to a corrupt data.dat file or incorrect security permissions on that file.

This was not the case here.
Read on to find out how it was solved.

Summary

  • Platform: Windows XP Home.
  • Problem: Microsoft Security Essentials would not pass Windows Genuine Advantage validation even though Windows was already validated.
  • Resolution: Added the “Everyone” group read and execute permissions to the MsseWAT.dll and LegitLib.dll files in C:\Program Files\Microsoft Security Client

Full Solution

I regard Microsoft Security Essentials as a very good anti-malware application. It’s free, fast and relatively unobtrusive. It picks up a lot of malware, and its graphical interface is clean and intuitive.
Recently, a customer of ours needed help. His Security Essentials was failing the Windows genuine validation check. If Security Essentials fails the validation check, its interface will turn red, the real-time protection will turn off, and the anti-virus definitions will not update, as you can see below.

Microsoft Security Essentials failing Windows genuine validation
Clicking on the “Resolve Now” button would open the Windows genuine validation site in Internet Explorer. Validation passed with no problems.
Windows XP in the process of validation.
Clicking on the “Run validation check” in Security Essentials would initiate the validation check, Security Essentials would turn green for a few seconds, and then go back to red. I first researched this issue online, and tried all the solutions offered, to no avail.
The first solution which I found, and is detailed here, was to make sure that the data.dat file in %AllUsersProfile%\Application Data\Windows Genuine Advantage\data had the correct security permissions. So I restarted into safe mode (the customer was running Windows XP Home; in order to see the Security tab you need to restart into safe mode) and added the Everyone group with all available permissions to the data.dat file. Needless to say, this solution did not work; Security Essentials would still not pass validation.
The second solution, which I obtained from My Digital Life, detailed here, gave instructions for deleting the data.dat file, revalidating Windows XP here, running the wgatray.exe (Windows Genuine Advantage tray icon) program, and restarting the computer.
This did not help either; again, the problem was unresolved!
The third solution I tried was to run MGADiag, the Microsoft Genuine Advantage Diagnostic tool.
This tool will revalidate your copy of Windows, as well as resolve any data.dat issues (provided the data.dat file has correct permissions). Well MGADiag found no problems with the Windows validation as you can see below, and again the issue was not resolved.
MGADiag showing that Windows XP passes validation.
By now I think it was getting pretty obvious that the problem was not with Windows itself, but rather with the Security Essentials program. I was running out of options, and out of time. As a final recourse, I turned to Sysinternals Process Explorer and Process Monitor, both extremely valuable and important tools in any type of software troubleshooting.

I first turned to Process Explorer. When I ran the Security Essentials validation check, I noticed that just before the Security Essentials window went red, MpCmdRun.exe was spawned as a child process of MsMpEng.exe, the main Security Essentials engine.

Setting a filter on MpCmdRun.exe

I next turned to Process Monitor, and created a filter on MpCmdRun.exe:

Then I started capturing events with Process Monitor and I reran the Security Essentials validation check.

Now, Process Monitor takes some experience to use. It can be like looking for a needle in a haystack if you’re not sure what you are looking for. There were a lot of events recorded, but I could not find anything that immediately stood out.
However, I did notice one thing, MpCmdRun.exe was writing to a log file called MpCmdRun.log in the NetworkService temp directory:

MpCmdRun.exe writing to MpCmdRun.log
Well, I opened that log file and I saw that there was an error verifying the Security Essentials WAT dll file: C:\Program Files\Microsoft Security Client\mssewat.dll.
WAT stands for Windows Activation Technologies.
This file is part of Windows Genuine Advantage, although it is included only with Security Essentials, and it’s not part of the operating system.
According to Microsoft at http://support.microsoft.com/kb/947821, error 0x80092003 means an error is occurring while reading from or writing to a file: either the file is locked by another process, or access to it is being denied.
MpCmdRun.log: Error 0x80092003 when verifying mssewat.dll
I now felt that I was onto something. I did a search in the Process Monitor listing for mssewat.dll and this is what I found:
MpCmdRun.exe denied access to MsseWat.dll

MpCmdRun.exe was trying to query the MsseWat.dll file and was denied access. This was definitely a permissions issue. I had to restart into safe mode to check and fix the permissions of this file.

Adding the Everyone group read and execute access to MsseWat.dll

Once in safe mode, a check of the permissions on MsseWat.dll showed that the Administrators group had Read and Execute permission, and the System group had full control. Nothing looked untoward; however, I added the Everyone group and gave it Read and Execute permissions as shown below.

I then restarted back to normal mode and opened Security Essentials. This time the interface was orange, not red, meaning that real-time protection was on but would shortly be disabled if I did not validate Windows. However, it still would not validate when I clicked on the Run validation check link!

Security Essentials now orange instead of red.
Setting an access denied filter with Process Monitor

Again I turned to Process Monitor, and reran Security Essentials, this time I set a filter on the ACCESS DENIED result as shown below.

The process monitor results this time showed another file with an access denied error, this time it was LegitLib.dll: C:\Program Files\Microsoft Security Client\LegitLib.dll
Again, this file is part of Windows Genuine Advantage, but it’s only included with Security Essentials.
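Process Monitor can save a capture as CSV, and the two filters the post applies by hand (Process Name is MpCmdRun.exe, then Result is ACCESS DENIED) can be reproduced over such an export to list every path the process was refused, which is what pointed to MsseWat.dll and later LegitLib.dll above. The script below is an added example, not code from the original post; the CSV rows are constructed to mirror the behaviour described, using the column names of a Process Monitor CSV export.

```python
import csv
import io
from collections import Counter

# Constructed sample of a Process Monitor CSV export (File > Save, CSV).
# The rows are invented for illustration, not taken from the post's capture;
# the paths match the ones discussed in the post.
SAMPLE_PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","MsMpEng.exe","1204","Process Create","C:\\Program Files\\Microsoft Security Client\\MpCmdRun.exe","SUCCESS","PID: 2316"
"10:01:02.3","MpCmdRun.exe","2316","CreateFile","C:\\Program Files\\Microsoft Security Client\\MsseWAT.dll","ACCESS DENIED","Desired Access: Read Attributes"
"10:01:02.3","MpCmdRun.exe","2316","QueryOpen","C:\\Program Files\\Microsoft Security Client\\MsseWAT.dll","ACCESS DENIED",""
"10:01:02.4","MpCmdRun.exe","2316","CreateFile","C:\\Program Files\\Microsoft Security Client\\LegitLib.dll","ACCESS DENIED","Desired Access: Read Attributes"
"10:01:02.5","MpCmdRun.exe","2316","WriteFile","C:\\Documents and Settings\\NetworkService\\Local Settings\\Temp\\MpCmdRun.log","SUCCESS","Offset: 0, Length: 512"
"10:01:02.6","explorer.exe","812","CreateFile","C:\\Documents and Settings\\user\\Desktop\\notes.txt","ACCESS DENIED",""
"""


def denied_paths(procmon_csv: str, process_name: str) -> dict:
    """Apply the post's two filters to a Process Monitor CSV export.

    Keeps only rows where Process Name matches (case-insensitively, as ProcMon
    does) and Result is exactly ACCESS DENIED, and returns {path: hit count}.
    Repeated denials on the same path are the usual signature of a bad ACL
    rather than a transient lock, so the count is worth keeping.
    """
    counts = Counter()
    for row in csv.DictReader(io.StringIO(procmon_csv)):
        if row["Process Name"].lower() != process_name.lower():
            continue
        if row["Result"] != "ACCESS DENIED":
            continue
        counts[row["Path"]] += 1
    return dict(counts)


if __name__ == "__main__":
    # Same view the post reached by filtering in the Process Monitor UI.
    for path, hits in denied_paths(SAMPLE_PROCMON_CSV, "MpCmdRun.exe").items():
        print(f"{hits:3d}  ACCESS DENIED  {path}")
```

Each path listed is a candidate for the ACL check the post performs in safe mode; paths denied to other processes are not shown because the process-name filter is applied first.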

MpCmdRun.exe denied access to LegitLib.dll
I again restarted in Safe Mode, added the Everyone group Read and Execute permissions to the LegitLib.dll file and restarted the computer in normal mode.
And this time it worked! Security Essentials was green, activated, updated, and working properly!
The case was closed, the problem solved. As to what caused the problem in the first place, that is unknown, but issues like this happen all the time.
Security Essentials green and activated

I hope this post has been informative and educational. And if you learned something from this, or it helped you solve a similar issue, then please leave a comment or drop me a line.

3 Responses to [Resolved] Non-Genuine Microsoft Security Essentials

  1. Kim says:

    Thank you so much, I had the same problem, but on Vista; nonetheless I was able to do as described, but I only had to do it for the MsseWat.dll file. I didn’t even have to use safe mode, I just clicked edit under the safety tab, and then gave full control to users.

  2. Harikrishnan says:

    Excellent detail. Thanks a lot. Worked fine!

  3. Sir. Nadeem says:

    I’ve tried everything unsuccessfully on Windows XP (SP3) and now read your tutorial; it didn’t work for me either.
    One thing even you didn’t notice: every time Windows starts, the [%ALLUSERSPROFILE%\Application Data\Windows Genuine Advantage\Data\data.dat] file is created automatically, and then MSE shows that message about validation and turns orange again. Someone should find out what process is creating the “data.dat” file after deleting it, and how to stop that file from being created again?

    And by the way you also didn’t mention what version of MSE you used?

    Thanks for the guide, this is the closest so far I must say.
