WinXP Product Activation decoded and analysed

German outfit goes public with the truth and the proof


German techies Fully Licensed GmbH claim - convincingly - to have unravelled the Windows Product Activation (WPA) system used in the latest versions of Microsoft software, including Office XP and Windows XP. The bottom line, according to the company, is that WPA is not particularly intrusive, does not invade anybody's privacy, and is a lot more forgiving of hardware changes than has been speculated.

That speculation is, as Fully Licensed points out, entirely Microsoft's fault, as the company has been intentionally vague about the precise nature of the sending and checking carried out. As Fully Licensed says: "The current public discussion of Windows Product Activation (WPA) is characterized by uncertainty and speculation. In this paper we supply the technical details of WPA - as implemented in Windows XP - that Microsoft should have published long ago."

Fully Licensed, incidentally, supports WPA. Says managing director and CTO Thomas Lopatic: "Software piracy is still a major problem for all software companies. And we think that [Microsoft's] interest in raising the bar for software pirates is absolutely justified."

The company analysed WPA as shipped in WinXP RC1, and found that ten hardware components are used to generate the "individual" hardware ID for the machine XP is installed on. "However, due to the method employed to generate the hardware ID, it is very likely that many hardware configurations result in the same ID. Consequently, determining the actual hardware configuration corresponding to a given hardware ID is an infeasible task. In addition to the hardware ID only information derived from the product key - a kind of serial number accompanying each distributed copy of Windows XP - is transmitted."

So Microsoft does not have any mechanism for finding out what hardware you're running. From the WPA process, anyway. The hardware checked is as follows: Serial number of system volume; NIC MAC address; CDROM; graphics adapter; CPU; hard drive; SCSI adapter; IDE controller; processor model; RAM size. There's also a check to see if the hardware is dockable or not. The company reckons that there's likely to be duplication in the components (i.e. different products might produce the same ID), and that the system is pretty forgiving.

You're only likely to have to repeat the activation process and get a new unlock key if you change more than three of these components, and if you're using a portable in conjunction with a docking station, it's effectively a lot more flexible than that.
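An added illustration (not Fully Licensed's XPDec, and not the real WPA field layout) of the two properties the paper describes: each of the ten components is reduced to a few bits, so the ID cannot be inverted to a specific configuration, and a new activation is only triggered when more than three components change. The 6-bit digest width and the SHA-256 reduction are assumptions chosen to make the lossiness visible.

```python
import hashlib
from itertools import count

# The ten components the article lists as inputs to the hardware ID.
COMPONENTS = ["volume_serial", "nic_mac", "cdrom", "graphics", "cpu",
              "hard_drive", "scsi", "ide", "cpu_model", "ram_size"]
DIGEST_BITS = 6  # assumed width, not the real WPA value; small on purpose

def component_digest(value: str, bits: int = DIGEST_BITS) -> int:
    """Reduce one component's description to a few bits. Lossy by design:
    2**bits buckets cannot distinguish the thousands of real devices."""
    h = hashlib.sha256(value.encode("utf-8")).digest()
    return int.from_bytes(h[:4], "big") & ((1 << bits) - 1)

def hardware_id(config: dict, dockable: bool) -> list:
    """Per-component digests plus the dockable flag (not counted as a component)."""
    return [component_digest(config[name]) for name in COMPONENTS] + [int(dockable)]

def changed_components(old_id: list, new_id: list) -> int:
    """Count components whose digest differs; the trailing dock flag is ignored."""
    return sum(1 for a, b in zip(old_id[:-1], new_id[:-1]) if a != b)

def needs_reactivation(old_id: list, new_id: list, max_changes: int = 3) -> bool:
    """Per the article: a new unlock key is needed only if more than three
    components change."""
    return changed_components(old_id, new_id) > max_changes

def find_collision(prefix: str) -> tuple:
    """Find two different device strings that share a digest, which is why a
    hardware ID cannot be mapped back to one specific piece of hardware."""
    seen = {}
    for i in count():
        label = f"{prefix}-{i}"
        d = component_digest(label)
        if d in seen:
            return seen[d], label
        seen[d] = label

if __name__ == "__main__":
    base = {n: f"{n}-v1" for n in COMPONENTS}  # constructed sample configuration
    old = hardware_id(base, dockable=False)
    upgraded = dict(base, graphics="graphics-v2", ram_size="ram_size-v2",
                    hard_drive="hard_drive-v2", cdrom="cdrom-v2")
    new = hardware_id(upgraded, dockable=False)
    print("changed:", changed_components(old, new),
          "reactivate:", needs_reactivation(old, new))
    print("two devices, one digest:", find_collision("nic"))
```

With 6-bit buckets the collision search succeeds within 65 candidates by the pigeonhole principle; the real ID is wider, but the same argument is what makes recovering a configuration from it infeasible.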

The information transmitted, the company says, is "completely innocuous", consisting solely of the hardware ID (which can't be used to identify specific hardware) and the product key that comes with XP. Of itself the system is therefore no threat. WPA does however take us closer to Microsoft's goal of chaining a particular piece of software to a particular piece of hardware, making it easier for the company to claim the Microsoft tax every time you buy a new machine. Fully Licensed doesn't cover that part of the deal, but obviously if you install, say, Office XP on one machine and then want to use it on an entirely new machine when you upgrade, you're going to have to call up Microsoft and get permission. The Register reckons it's therefore still objectionable from that point of view.

Nor does Fully Licensed cover other aspects of 'generation XP' that have the effect of garnering information about you and your hardware. There is, for example, a deal of checking of the local configuration already present in Windows Update, and the automated bug-reporting in XP potentially gives Microsoft far more information than you'd conceive of being sent via WPA. This latter system kicks in when your machine has a problem, but only sometimes, frequently not when you had a big problem you're personally well aware of, rather more frequently when you didn't even notice a problem at all.

The intention of this system is positive - Microsoft reckons that if people can send fully detailed bug reports just by clicking OK, it'll be able to analyse them in volume, zero in on major problems with its software a lot faster than in the past, and be far more effective in prioritising fixes. But although you get the option of not sending this and of inspecting what's going to be sent, it's practically impossible to understand what's being sent - quite a bit of information about local configuration, however, will certainly be in it, so it's likely a lot of people will click on no.

But Fully Licensed set out solely to analyse the WPA process, and it seems to have done a fairly thorough job of this. In addition to the analysis of the hardware identifier, it has also deconstructed the product key itself, explaining how the important part is buried inside the printed product key, and which components are likely to be check digits (to allow for the call centre operative typing it in wrong, for example). It's not clear whether or not this information will be of any help to people who might have a need to generate product keys (no, we don't know why they'd want to do that either). But Fully Licensed probably would not have published the info if this was the case.

In addition to the results of its analysis, the company has also made XPDec, a command line utility that can be used to verify the information, available for download along with the source code for XPDec. It notes that "we have removed an important cryptographic key from the XPDec source [so] recompiling the source code will fail to produce a working executable."

Related links:
Fully Licensed's Inside Windows Product Activation paper
The company's press release
Download area for XPDec utility and source
