Windows 10 corrupt after repair

Question

a few days ago, for no apparent reason, my Windows 10 machine, in the middle of work, started to stutter and eventually came to a stop with a blue-screen. After the BSOD reboot it refused to boot, it would not reach the WIndows Logo phase, nor would F8 work, instead it entered an endless "Windows needs o be repaired" boot loop. Whatever repair I attempted, like fixmbr, fixboot, the usual stuff to fix boot issues, the machine would not boot any more but always end up in the repair console. Using a Linux live installation I ruled out a hardware defect or a virus infection. Finally I decided to go with the repair option "Re-install Windows from local sounrce, remove applications, keep user data" (Actual text my vary slightly, my language version is German, and I didn't take notes).

After this, my machine booted like a charm, a qick check of the network settings (IPV4 and IPV6 and DNS) showed everythig OK, and I started to pull together my user data (despite what MS claims, a lot was lost, e.g. all my mails, because they were, for unknown reasons, removed from my user profile and moved to a useless hidden folder underneath \windows.old), but I could resture most from there and I have backups.

Otherwise most seemed OK, my old login/account is working, Documents folder and all contents was retained, and the Microsoft Account the machine was linked to is still visible in control panel, and takes me to the website which works. OneDrive seems to work correctly too.

First oddities occurred when I was not able to install certain programs, e.g. Java, Minecraft and MS Teams. Others, like Skype, and a handful of other Applications I need installed with no issues. The ones which didn't crashed with absurd messages all stating in one way or another that I was not connected to the Internet, though I clearly was. I could install Java using the offline package.

Digging deeper I found that the Machine has lost it's activated license (it was a perfectly legal Windows 7 installation upgraded to Windows 10 Years ago), and would not activate over the internet again, despite that the machine is still listed in my Microsoft account with a "last seen" date showing the day of the fatal crash.

Usually I track licensing issues with the slmgr tool (in a command line with admin privileges), but the tool fails any command with "Access denied".

I also noted that Windows Update does fail to check for new updates, and the sppsvc service cannot start ("Access denied"). Fatal errors from the "Software Protection Service" ("Access Denied") pile up in my Eventlog.

Tracing cnnections with Wireshark I noticed that all connection failures are accompanied by errors connecting to socket 443 (ssl) on Microsoft servers.

Furthermore many (say 50%) of websites I tried to browse would either fall back to http or refuse a connection entirely because https was mandatory. This made me look into the certificate store, and I found lots of expirend root ertificates, some with alarming names, like "Microsoft Root Certificate Authority" (expired 2021-5-10) and "Microsoft Root Authority" (2020-12-31) and "Microsoft Authenticode(tm) Root Authority" (2000-01-01). I also noted that the Microsoft Console fails to validate Certificates (Status is always empty), and I found no way to try to renew a CRL or any certificyte using the Certificates Console.

This is where I am right now, and I am unsure what to try next. Trying to talk to Microsoft, like usual, was a waste of time. Unless one pays for a $$.$$$ Premium Support service, they are regularly unable to solve anthing but the most trivial problems. They are especially unable and/or unwilling to track any issues with their license checks. In this case, they immedately hung up the phone on me, and attempts to use their communities revealed just a lot of advise from people who did obviously just try to stab in the dark, or give obviously wrong advices.

There surely is a problem with the license code/activation. I cannot provide a Windows 10 Code, because I was never given one, remember, this machine was legally updated from Windows 7, and the Windows 7 code which I still have won't work with a Windows 10 activation. I could reward Microsoft for their arrogant attitude they regularly show against legit customers and their hostile license enforcement system, by shoving another approx €234 in their **** to repay for a license I already have payed for, but probably waste the money because I then find out that the activation issue is a follow-up problem of some underlying communication problem, probably caused by invalid certificates required to establish a secure connection for the license check.

The other way could be to renew the CRL and all System certificates, but the usual way using Windows Update doesn't seem to work, and I found no package containing all the current certificates for download and offline install.

And there is a high probability that I am dealing with more than one problem, and that the problems I have already identified are neither all ones, nor they are the cause of the problems I face.

I'd be really grateful for advice and experience from you how I must

a) accurately troubleshoot this problem to find out where exactly the problems stem from: missing activation, certificates outdated, or something different

b) fix it.

Thnx for reading this quite long post, and trying to help, if you need more diagnostics please let me know what you need.

The machine is on Windows 10 x64 version 2004 (10.0.19041.985).

Greetings from Germany,

Armin.

Edit: to keep me busy, I followed leads how tod eal with ssps service not starting with "Access denied". One led to checking the permissions (make sure network services have Read permissions) of the folder "C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionFolder". The folder does not exist on my system (system and hidden folder display is on). According to sources, it should contain a file named "tokens.dat", but there isn't such a file. A file with that name is contained in C:\Windows\System32\spp\store\2.0. Folder name looks somewhat similar. Permissions on that folder are System:F, Administartors:F, NT Service\sppsvc: F, Users:R. Did Microsoft move the folder?

Answer 1

Finally I got progress.

I did like Ramhound suggested and tried to use the Upgrade Assistant tool. Unfortunately, after downloading and starting, it tries to get an activation code from me. None of the various codes I tried worked. I could then skip this step, after which the tool tried to load something from Microsoft, an EULA I guess. Since, like already stated, this machine was not able to communicate with any Microsoft server through SSL, this is where the game ended and I got more "smart tips" to check my Internet connection or contact my Administrator (talk to myself !?) or call Microsoft Support. Nah.

Next attempt was to download the latest 21H1 update ISO from somewhere and install offline, so nothing needs to be loaded in the background. Remember, I can download any file via ths browser, it's "only" installers and services loading files in the background (from the Microsoft CDN?) which fail. I followed numerous Links claiming to lead to the full ISO in some way, but I always ended at something telling me that my only option was to get the version via Windows Update, since I a not an "Enterprise Customer" but as already mentioned, Windows Update service was unable to communicate too. I found no source where I could download the ISO file directly. Stalemate.

Finally I remembered I had subscribed to the "Windows Insider" program years ago, and there you can indeed download the last preview (Release Candidate, Build 19043.928) of the 21H1 version in ISO format, which, for my purposes, was as suitable as the final Release build. I downloaded the 5.6GB file via the browser (which works via Firefox), installed it in Update Mode over my non-working Windows 10 from the ISO, and after a couple of reboots, gee, suddenly everything fell into place by itself: all the sudden my machine was activated again, my license code was valid again, I could install whatever program I liked, including Teams and Minecraft and others who try to load files from Microsoft servers in the background, no more errors in the eventlog, guess the installation fixed the problem the repair has caused.

Regarding the non-existing tokens.dat in C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionFolder: the directory doesn't exist on the now working 21H1 machine as well, so it seems any information dtrying to mess with tokens.dat in that directory is wrong or at least outdated.

Since Windows Update recovered too I was finally able to pull in the Release Version of Windows 10 21H1 (10.0.19043.1052) via Windows Update.

Looking into the Certificate store I found that many certificates, inlcuding the suspiciously looking from above, are still expired, this seems to be normal. Whatever caused secure communication break, it seems it was not the certificates.

Anyway, though the root problem was not found, I got my machine into a working state again, thanks for all who tried to help, and for your patience.

Armin.