
WinXP Product Activation decoded and analysed

German outfit goes public with the truth and the proof


German techies Fully Licensed GmbH claim - convincingly - to have unravelled the Windows Product Activation (WPA) system used in the latest versions of Microsoft software, including Office XP and Windows XP. The bottom line, according to the company, is that WPA is not particularly intrusive, does not invade anybody's privacy, and is a lot more forgiving of hardware changes than has been speculated.

That speculation is, as Fully Licensed points out, entirely Microsoft's fault, as the company has been intentionally vague about the precise nature of the sending and checking carried out. As Fully Licensed says: "The current public discussion of Windows Product Activation (WPA) is characterized by uncertainty and speculation. In this paper we supply the technical details of WPA - as implemented in Windows XP - that Microsoft should have published long ago."

Fully Licensed, incidentally, supports WPA. Says managing director and CTO Thomas Lopatic: "Software piracy is still a major problem for all software companies. And we think that [Microsoft's] interest in raising the bar for software pirates is absolutely justified."

The company analysed WPA as shipped in WinXP RC1, and found that ten hardware components are used to generate the "individual" hardware ID for the machine XP is installed on. "However, due to the method employed to generate the hardware ID, it is very likely that many hardware configurations result in the same ID. Consequently, determining the actual hardware configuration corresponding to a given hardware ID is an infeasible task. In addition to the hardware ID only information derived from the product key - a kind of serial number accompanying each distributed copy of Windows XP - is transmitted."

So Microsoft does not have any mechanism for finding out what hardware you're running. From the WPA process, anyway. The hardware checked is as follows: Serial number of system volume; NIC MAC address; CDROM; graphics adapter; CPU; hard drive; SCSI adapter; IDE controller; processor model; RAM size. There's also a check to see if the hardware is dockable or not. The company reckons that there's likely to be duplication in the components (i.e. different products might produce the same ID), and that the system is pretty forgiving.

You're only likely to have to repeat the activation process and get a new unlock key if you change more than three of these components, and if you're using a portable in conjunction with a docking station, it's effectively a lot more flexible than that.
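The two properties described above, a many-to-one hardware ID and a tolerance of three changed components, can be shown with a small model. This is an added example, not Fully Licensed's XPDec code or Microsoft's algorithm: the SHA-256 hash, the per-component bit widths, the field-by-field comparison and the sample strings are all assumptions made for illustration.

```python
import hashlib
from itertools import count

# The ten components named in the article. The bit widths are constructed
# for this example; the article does not say how many bits each one gets.
FIELD_BITS = {
    "volume_serial": 8, "nic_mac": 8, "cdrom": 6, "graphics": 5,
    "cpu": 6, "hard_drive": 6, "scsi": 5, "ide": 4,
    "processor_model": 3, "ram_size": 3,
}

def field_value(component: str, raw: str) -> int:
    """Hash one component string and keep only a few bits of the result."""
    digest = hashlib.sha256(f"{component}:{raw}".encode()).digest()
    return int.from_bytes(digest[:4], "big") % (1 << FIELD_BITS[component])

def hardware_id(config: dict) -> tuple:
    """Build the ID as one truncated hash per component."""
    return tuple(field_value(name, config[name]) for name in FIELD_BITS)

def changed_fields(old_id: tuple, new_id: tuple) -> int:
    """Count the component fields that differ between two IDs."""
    return sum(a != b for a, b in zip(old_id, new_id))

def needs_reactivation(old_id: tuple, new_id: tuple, tolerance: int = 3) -> bool:
    """The article's rule: reactivate only if more than three fields changed."""
    return changed_fields(old_id, new_id) > tolerance

def find_collision(component: str, raw: str) -> str:
    """Find a different component string that yields the same field value."""
    target = field_value(component, raw)
    for i in count():
        candidate = f"constructed-part-{i}"
        if field_value(component, candidate) == target:
            return candidate

# Constructed sample machine; every value is a placeholder string.
SAMPLE = {name: f"constructed {name} A" for name in FIELD_BITS}

if __name__ == "__main__":
    base = hardware_id(SAMPLE)
    twin = find_collision("graphics", SAMPLE["graphics"])
    same = hardware_id(dict(SAMPLE, graphics=twin)) == base
    print("ID fields:", base)
    print("different graphics string, same ID:", same)
```

Because each field keeps only a handful of bits, a short search always finds another component string with the same value, which is why the ID cannot be mapped back to a specific piece of hardware.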

The information transmitted, the company says, is "completely innocuous", consisting solely of the hardware ID (which can't be used to identify specific hardware) and the product key that comes with XP. Of itself the system is therefore no threat. WPA does however take us closer to Microsoft's goal of chaining a particular piece of software to a particular piece of hardware, making it easier for the company to claim the Microsoft tax every time you buy a new machine. Fully Licensed doesn't cover that part of the deal, but obviously if you install, say, Office XP on one machine and then want to use it on an entirely new machine when you upgrade, you're going to have to call up Microsoft and get permission. The Register reckons it's therefore still objectionable from that point of view.

Nor does Fully Licensed cover other aspects of 'generation XP' that have the effect of garnering information about you and your hardware. There is, for example, a deal of checking of the local configuration already present in Windows Update, and the automated bug-reporting in XP potentially gives Microsoft far more information than you'd conceive of being sent via WPA. This latter system kicks in when your machine has a problem, but only sometimes, frequently not when you had a big problem you're personally well aware of, rather more frequently when you didn't even notice a problem at all.

The intention of this system is positive - Microsoft reckons that if people can send fully detailed bug reports just by clicking OK, it'll be able to analyse them in volume, to zero in on major problems with its software a lot faster than in the past, and be far more effective in prioritising fixes. But although you get the option of not sending this and of inspecting what's going to be sent, it's practically impossible to understand what's being sent - quite a bit of information about local configuration, however, will certainly be in it, so it's likely a lot of people will click on no.

But Fully Licensed set out solely to analyse the WPA process, and it seems to have done a fairly thorough job of this. In addition to the analysis of the hardware identifier, it's also done a deconstruct of the product key itself, explaining how the important part is buried inside the printed product key, and which components are likely to be checks (to allow for the call centre operative typing it in wrong, for example). It's not clear whether or not this information will be of any help to people who might have a need to generate product keys (no, we don't know why they'd want to do that either). But Fully Licensed probably would not have published the info if this was the case.

In addition to the results of its analysis, the company has also made XPDec, a command line utility that can be used to verify the information, available for download along with the source code for XPDec. It notes that "we have removed an important cryptographic key from the XPDec source [so] recompiling the source code will fail to produce a working executable."

Related links:
Fully Licensed's Inside Windows Product Activation paper
The company's press release
Download area for XPDec utility and source
