This topic describes the causes of and solutions for Windows operating system activation failures on Elastic Compute Service (ECS) instances.
Possible causes
By default, a Windows ECS instance includes an activation script. The instance communicates with a Key Management Service (KMS) server to activate the system. However, activation can fail for the following reasons:
Software Protection exceptions
Symptoms
When you run the slmgr -ato command to activate the Windows system, the following error message is displayed.
Run 'slui.exe 0x2a 0x80070002' to display the error text.
The system displays a message similar to the following:
Cause
The Software Protection service is not running. System activation is affected if this service is disabled.
Solution
Before you modify the registry, make sure that you are familiar with the Windows operating system. To prevent system issues or data loss from incorrect modifications to the registry, create snapshots of the system disk and data disks. For more information, see Create a disk snapshot.
Remotely connect to the Windows ECS instance.
For more information, see Connect to a Windows instance.
Click the Server Manager icon in the lower-left corner. In the upper-right corner of the page, select Tools > Services. Find and double-click Software Protection.
In the window that appears, click Start.
Note: If the Software Protection service starts abnormally or is missing, rebuild the service as follows:
Run the regedit command to open the registry. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sppsvc, right-click it, and select Export to back up the current key to C:\sppsvc_bak.reg.
On a working ECS instance that runs the same OS version, use the same method to export HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sppsvc to a file named sppsvc_good.reg.
Copy the sppsvc_good.reg file to the problematic instance and double-click it. When prompted to confirm the import, click Yes. A message is displayed indicating that the registry was successfully imported. Start the service and try to activate the system again.
If the activation fails, double-click the backed-up C:\sppsvc_bak.reg file to restore the original registry key.
Network exceptions
Symptoms
The "Windows is not genuine" message appears in the lower-right corner of the desktop. When you manually activate the system as described in How to use a KMS domain name to activate a Windows instance in a VPC, the following error message is displayed.
0xC004F074 The Software Licensing Service reported that the computer could not be activated. The Key Management Service (KMS) could not be contacted.
The system displays a message similar to the following:
Cause
This error usually indicates a network issue that prevents communication between the instance and the Key Management Service (KMS) server. The issue may be caused by the system firewall, an IP security policy, or other network security software on the Windows ECS instance that is blocking the connection.
The KMS activation server uses the kms.cloud.aliyuncs.com domain name, the TCP protocol, and port 1688.
Solution
Add an entry in the format <IP address of the KMS activation server> kms.cloud.aliyuncs.com to the C:\Windows\System32\drivers\etc\hosts file. This ensures that the domain name of the KMS activation server can be resolved.
Note: You can run the ping kms.cloud.aliyuncs.com command to obtain the IP address of the KMS activation server.
Check if the system firewall is blocking TCP port 1688 for kms.cloud.aliyuncs.com. If you find an inbound or outbound rule that blocks TCP port 1688, delete the rule.
For more information about how to view inbound and outbound rules, see the Add port rules section of Set up a firewall for a Windows instance for remote connection.
Check if an IP security policy is configured to block access to the IP address resolved from kms.cloud.aliyuncs.com. If such a policy exists, delete it.
For more information about how to view IP security policies, see the Check whether IP security policies are set section of Troubleshoot general faults when you ping a public IP address from a server.
Check if other security software is blocking access to TCP port 1688 for kms.cloud.aliyuncs.com.
Run the route print command to check if the internal routes on the instance are correct. If a route is missing, add it manually.
After completing the troubleshooting steps, execute the telnet kms.cloud.aliyuncs.com command on the instance and then try to reactivate the instance.
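The checks in this Solution can be gathered in one read-only pass. The following PowerShell script is an added example, not part of the original topic: it reports any hosts-file entry for the KMS name, the addresses the name resolves to, enabled Block rules that explicitly name TCP port 1688, and whether a TCP connection to port 1688 succeeds. It assumes Windows Server 2012 R2 or later, where the Resolve-DnsName, Get-NetFirewallRule and Test-NetConnection cmdlets are available; Test-PortSpec is a helper name introduced for this example.

```powershell
# Added example: read-only KMS connectivity triage; it changes nothing on the instance.
$KmsHost = 'kms.cloud.aliyuncs.com'   # KMS domain name given in this topic
$KmsPort = 1688                       # KMS TCP port given in this topic

function Test-PortSpec {
    # True when a firewall port spec ('1688' or a range such as '1000-2000') covers $Port.
    # 'Any' is ignored on purpose so that only rules naming the port are reported.
    param([string[]]$Spec, [int]$Port)
    foreach ($s in $Spec) {
        if ($s -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ($s -match '^\d+$' -and [int]$s -eq $Port) { return $true }
    }
    return $false
}

# 1. Name resolution: active hosts-file entries for the KMS name, then the DNS answer.
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$override  = Select-String -Path $hostsFile -Pattern ([regex]::Escape($KmsHost)) |
    Where-Object { $_.Line -notmatch '^\s*#' }
$dns = Resolve-DnsName -Name $KmsHost -Type A -ErrorAction SilentlyContinue |
    Where-Object { $_.IPAddress }

# 2. Enabled Block rules, inbound or outbound, whose TCP port filter covers 1688.
$blocking = Get-NetFirewallRule -Enabled True -Action Block -ErrorAction SilentlyContinue |
    Where-Object {
        $f = $_ | Get-NetFirewallPortFilter
        $f.Protocol -eq 'TCP' -and
            ((Test-PortSpec $f.LocalPort $KmsPort) -or (Test-PortSpec $f.RemotePort $KmsPort))
    }

# 3. TCP reachability of the KMS server on port 1688.
$tcp = Test-NetConnection -ComputerName $KmsHost -Port $KmsPort -WarningAction SilentlyContinue

# 4. Summary: TcpReachable = False with no blocking rule listed points at an
#    IP security policy, other security software, or a missing route.
[pscustomobject]@{
    HostsEntries  = @($override | ForEach-Object { $_.Line.Trim() })
    ResolvedIPs   = @($dns | ForEach-Object { $_.IPAddress })
    BlockingRules = @($blocking | ForEach-Object { '{0} ({1})' -f $_.DisplayName, $_.Direction })
    TcpReachable  = $tcp.TcpTestSucceeded
} | Format-List
```

A hosts-file entry that differs from the resolved addresses is worth reviewing, because the hosts file takes precedence over DNS and an outdated entry sends activation traffic to the wrong address.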
An unsynchronized server clock causes activation failure
Symptoms
When you run the slmgr -ato command to activate the Windows system, a message indicates that activation failed.
Cause
The instance clock must be synchronized with the Key Management Service (KMS) server clock. A time drift can cause activation to fail.
Solution
Check the current system time in the lower-right corner of the desktop. If there is a significant time drift, you can change the time manually. Alternatively, you can run the following commands to synchronize the clock. After the synchronization is complete, try to activate the system again.
net start W32Time
w32tm /resync
Full disk space
Symptoms
When you attempt to activate the system, a "Product not found" message is displayed.
Cause
This error can occur if the system disk is full, leaving insufficient space for activation.
Solution
Clear space on the C drive to free up disk space, and then try to manually activate the system again.
Incorrect activation code
Symptoms
During activation, you receive error code C004F015 or 0xC004C003, which indicates that the activation server has blocked the specified product key.
Cause
This can happen if the activation code does not match the system version, which is usually caused by manual changes made during activation.
Solution
Find the correct activation code for your operating system version. For more information, see the official Microsoft documentation.
Run the slmgr /ipk <$Setup_Key> command to replace the activation code. Then, run the slmgr -ato command to activate the system.
Note: <$Setup_Key> represents the system activation code.
License file corruption causes activation failure
Symptoms
Causes
Activation fails because the C:\windows\system32\spp\store\2.0\tokens.dat file and other related license files are corrupted.
Solution
Reinstall the license files and activate the system.
Stop the sppsvc service by running the following command: Stop-Service SppSvc.
Rename the C:\Windows\System32\spp\store\2.0\tokens.dat file.
Reinstall the license files by running the following command: slmgr /rilc.
Activate the system by running the following command: slmgr /ato.
Restart the instance. The system is activated successfully.