Feeds

WinXP Product Activation decoded and analysed

German outfit goes public with the truth and the proof

  • alert
  • submit to reddit

Choosing a cloud hosting partner with confidence

German techies Fully Licensed GmbH claim - convincingly - to have unravelled the Windows Product Activation (WPA) system used in the latest versions of Microsoft software, including Office XP and Windows XP. The bottom line, according to the company, is that WPA is not particularly intrusive, does not invade anybody's privacy, and is a lot more forgiving of hardware changes than has been speculated.

That speculation is, as Fully Licensed points out, entirely Microsoft's fault, as the company has been intentionally vague about the precise nature of the sending and checking carried out. As Fully Licensed says: "The current public discussion of Windows Product Activation (WPA) is characterized by uncertainty and speculation. In this paper we supply the technical details of WPA - as implemented in Windows XP - that Microsoft should have published long ago."

Fully Licensed, incidentally, supports WPA. Says managing director and CTO Thomas Lopatic: "Software piracy is still a major problem for all software companies. And we think that [Microsoft's] interest in raising the bar for software pirates is absolutely justified."

The company analysed WPA as shipped in WinXP RC1, and found that ten hardware components are used to generate the "individual" hardware ID for the machine XP is installed on. "However, due to the method employed to generate the hardware ID, it is very likely that many hardware configurations result in the same ID. Consequently, determining the actual hardware configuration corresponding to a given hardware ID is an infeasible task. In addition to the hardware ID only information derived from the product key - a kind of serial number accompanying each distributed copy of Windows XP - is transmitted."

So Microsoft does not have any mechanism for finding out what hardware you're running. From the WPA process, anyway. The hardware checked is as follows: Serial number of system volume; NIC MAC address; CDROM; graphics adapter; CPU; hard drive; SCSI adapter; IDE controller; processor model; RAM size. There's also a check to see if the hardware is dockable or not. The company reckons that there's likely to be duplication in the components (i.e. different products might produce the same ID), and that the system is pretty forgiving.

You're only likely to have to repeat the activation process and get a new unlock key if you change more than three of these components, and if you're using a portable in conjunction with a docking station, it's effectively a lot more flexible than that.

The information transmitted, the company says, is "completely innocuous", consisting solely of the hardware ID (which can't be used to identify specific hardware) and the product key that comes with XP. Of itself the system is therefore no threat. WPA does however take us closer to Microsoft's goal of chaining a particular piece of software to a particular piece of hardware, making it easier for the company to claim the Microsoft tax every time you buy a new machine. Fully Licensed doesn't cover that part of the deal, but obviously if you install, say, Office XP on one machine then you want to use it on an entirely new machine when you upgrade, you're going to have to call up Microsoft and get permission. The Register reckons it's therefore still objectionable from that point of view.

Nor does Fully Licensed cover other aspects of 'generation XP' that have the effect of garnering information about you and your hardware. There is, for example, a deal of checking of the local configuration already present in Windows Update, and the automated bug-reporting in XP potentially gives Microsoft far more information than you'd conceive of being sent via WPA. This latter system kicks in when your machine has a problem, but only sometimes, frequently not when you had a big problem you're personally well aware of, rather more frequently when you didn't even notice a problem at all.

The intention of this system is positive - Microsoft reckons that if people can send fully detailed bug reports just by clicking OK, it'll be able analyse them in volume, to zero in on major problems with its software a lot faster than in the past, and be far more effective in prioritising fixes. But although you get the option of not sending this and of inspecting what's going to be sent, it's practically impossible to understand what's being sent - quite a bit of information about local configuration, however, will certainly be in it, so it's likely a lot of people will click on no.

But Fully Licensed set out solely to analyse the WPA process, and it seems to have done a fairly thorough job of this. In addition to the analysis of the hardware identifier, it's also done a deconstruct of the product key itself, explaining how the important part is buried inside the printed product key, and which components are likely to be checks (to allow for the call centre operative typing it in wrong, for example). It's not clear whether or not this information will be of any help to people who might have a need to generate product keys (no, we don't know why they'd want to do that either). But Fully Licensed probably would not have published the info if this was the case.

In addition to the results of its analysis, the company has also made XPDec, a command line utility that can be used to verify the information, available for download along with the source code for XPDec. It notes that "we have removed an important cryptographic key from the XPDec source [so] recompiling the source code will fail to produce a working executable."

Related links:
Fully Licensed's Inside Windows Product Activation paper
The company's press release
Download area for XPDec utility and source

Providing a secure and efficient Helpdesk

More from The Register

next story
Preview redux: Microsoft ships new Windows 10 build with 7,000 changes
Latest bleeding-edge bits borrow Action Center from Windows Phone
Google opens Inbox – email for people too thick to handle email
Print this article out and give it to someone tech-y if you get stuck
Microsoft promises Windows 10 will mean two-factor auth for all
Sneak peek at security features Redmond's baking into new OS
UNIX greybeards threaten Debian fork over systemd plan
'Veteran Unix Admins' fear desktop emphasis is betraying open source
Entity Framework goes 'code first' as Microsoft pulls visual design tool
Visual Studio database diagramming's out the window
Google+ goes TITSUP. But WHO knew? How long? Anyone ... Hello ...
Wobbly Gmail, Contacts, Calendar on the other hand ...
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
Redmond top man Satya Nadella: 'Microsoft LOVES Linux'
Open-source 'love' fairly runneth over at cloud event
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.