Feeds

WinXP Product Activation decoded and analysed

German outfit goes public with the truth and the proof

  • alert
  • submit to reddit

Providing a secure and efficient Helpdesk

German techies Fully Licensed GmbH claim - convincingly - to have unravelled the Windows Product Activation (WPA) system used in the latest versions of Microsoft software, including Office XP and Windows XP. The bottom line, according to the company, is that WPA is not particularly intrusive, does not invade anybody's privacy, and is a lot more forgiving of hardware changes than has been speculated.

That speculation is, as Fully Licensed points out, entirely Microsoft's fault, as the company has been intentionally vague about the precise nature of the sending and checking carried out. As Fully Licensed says: "The current public discussion of Windows Product Activation (WPA) is characterized by uncertainty and speculation. In this paper we supply the technical details of WPA - as implemented in Windows XP - that Microsoft should have published long ago."

Fully Licensed, incidentally, supports WPA. Says managing director and CTO Thomas Lopatic: "Software piracy is still a major problem for all software companies. And we think that [Microsoft's] interest in raising the bar for software pirates is absolutely justified."

The company analysed WPA as shipped in WinXP RC1, and found that ten hardware components are used to generate the "individual" hardware ID for the machine XP is installed on. "However, due to the method employed to generate the hardware ID, it is very likely that many hardware configurations result in the same ID. Consequently, determining the actual hardware configuration corresponding to a given hardware ID is an infeasible task. In addition to the hardware ID only information derived from the product key - a kind of serial number accompanying each distributed copy of Windows XP - is transmitted."

So Microsoft does not have any mechanism for finding out what hardware you're running. From the WPA process, anyway. The hardware checked is as follows: Serial number of system volume; NIC MAC address; CDROM; graphics adapter; CPU; hard drive; SCSI adapter; IDE controller; processor model; RAM size. There's also a check to see if the hardware is dockable or not. The company reckons that there's likely to be duplication in the components (i.e. different products might produce the same ID), and that the system is pretty forgiving.

You're only likely to have to repeat the activation process and get a new unlock key if you change more than three of these components, and if you're using a portable in conjunction with a docking station, it's effectively a lot more flexible than that.

The information transmitted, the company says, is "completely innocuous", consisting solely of the hardware ID (which can't be used to identify specific hardware) and the product key that comes with XP. Of itself the system is therefore no threat. WPA does however take us closer to Microsoft's goal of chaining a particular piece of software to a particular piece of hardware, making it easier for the company to claim the Microsoft tax every time you buy a new machine. Fully Licensed doesn't cover that part of the deal, but obviously if you install, say, Office XP on one machine then you want to use it on an entirely new machine when you upgrade, you're going to have to call up Microsoft and get permission. The Register reckons it's therefore still objectionable from that point of view.

Nor does Fully Licensed cover other aspects of 'generation XP' that have the effect of garnering information about you and your hardware. There is, for example, a deal of checking of the local configuration already present in Windows Update, and the automated bug-reporting in XP potentially gives Microsoft far more information than you'd conceive of being sent via WPA. This latter system kicks in when your machine has a problem, but only sometimes, frequently not when you had a big problem you're personally well aware of, rather more frequently when you didn't even notice a problem at all.

The intention of this system is positive - Microsoft reckons that if people can send fully detailed bug reports just by clicking OK, it'll be able analyse them in volume, to zero in on major problems with its software a lot faster than in the past, and be far more effective in prioritising fixes. But although you get the option of not sending this and of inspecting what's going to be sent, it's practically impossible to understand what's being sent - quite a bit of information about local configuration, however, will certainly be in it, so it's likely a lot of people will click on no.

But Fully Licensed set out solely to analyse the WPA process, and it seems to have done a fairly thorough job of this. In addition to the analysis of the hardware identifier, it's also done a deconstruct of the product key itself, explaining how the important part is buried inside the printed product key, and which components are likely to be checks (to allow for the call centre operative typing it in wrong, for example). It's not clear whether or not this information will be of any help to people who might have a need to generate product keys (no, we don't know why they'd want to do that either). But Fully Licensed probably would not have published the info if this was the case.

In addition to the results of its analysis, the company has also made XPDec, a command line utility that can be used to verify the information, available for download along with the source code for XPDec. It notes that "we have removed an important cryptographic key from the XPDec source [so] recompiling the source code will fail to produce a working executable."

Related links:
Fully Licensed's Inside Windows Product Activation paper
The company's press release
Download area for XPDec utility and source

Secure remote control for conventional and virtual desktops

More from The Register

next story
Microsoft WINDOWS 10: Seven ATE Nine. Or Eight did really
Windows NEIN skipped, tech preview due out on Wednesday
Business is back, baby! Hasta la VISTA, Win 8... Oh, yeah, Windows 9
Forget touchscreen millennials, Microsoft goes for mouse crowd
Apple: SO sorry for the iOS 8.0.1 UPDATE BUNGLE HORROR
Apple kills 'upgrade'. Hey, Microsoft. You sure you want to be like these guys?
ARM gives Internet of Things a piece of its mind – the Cortex-M7
32-bit core packs some DSP for VIP IoT CPU LOL
Microsoft on the Threshold of a new name for Windows next week
Rebranded OS reportedly set to be flung open by Redmond
Lotus Notes inventor Ozzie invents app to talk to people on your phone
Imagine that. Startup floats with voice collab app for Win iPhone
'Google is NOT the gatekeeper to the web, as some claim'
Plus: 'Pretty sure iOS 8.0.2 will just turn the iPhone into a fax machine'
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.