MS planning to tackle leaked WinXP keys with SP1?

Mass zeroing of corporate keys mooted

Microsoft may be readying the next escalation in the Product Activation wars for the release of WinXP Service Pack 1, according to a report at BetaONE. The site claims that Microsoft has done a rewrite of the way corporate product activation keys are generated, and that although this feature is currently switched off in the SP1 beta, it'll be unleashed when SP1 goes live, the idea being to ambush all of the people using leaked corporate XP Professional keys.

BetaONE says that the existence of the rewritten code can be verified if SP1 is applied to XP via a "slipstreamed" or integrated install, i.e. using a central distribution folder to update workstations on a network. This is how the people who've been issued corporate keys would likely do it, hence it seems a logical place to attack leaked corporate keys. The site says it tried 75 keys under these circumstances, and none of them worked. This is considerably more than the one that Microsoft casually said would be blocked by SP1 earlier this year.

The slipstream install patches the key-generating DLLs rather than replacing them, which means it won't be possible simply to slipstream a non-corporate version of XP then apply the corporate files. File version numbers and signatures are also checked, which will impede the crackers further. The new system does not have any effect on slipstreamed installs on non-corporate versions of XP with legal keys, so BetaONE concludes that the new key generation system is only being applied to corporate versions.

So where does this get Microsoft? If it really does go with this kind of procedure with SP1, a fair distance at something of a price. Considerable effort was expended by the warez community on circumventing WPA in XP, but although they succeeded via several routes, these were really just harmless heroics from Microsoft's point of view. The real problem has been leaked corporate keys that can just be applied to a standard XP distribution (as opposed to a patched one). These are used by pirates, by what Microsoft terms casual copiers, and by large numbers of techies who want to avoid the hassle of reactivation when they've changed too much hardware.

If Microsoft therefore tightened up on the protection applied to non-corporate copies while doing nothing about the corporate ones, it could conceivably find itself in the bizarre situation where there were more installations using leaked corporate keys than ones that had been activated via the approved procedure. It's clearly untenable, so either you pull WPA or you tighten up on corp.

The procedure BetaONE envisages (and it's about the only one we can see would have an effect) is that all corporate customers will be issued with new keys that are recognised by the new code in SP1. So if that's correct, all current corporate keys are dead, the luckless corporate techies will likely get somewhat irritated about having to reactivate, but hey, activation with a corporate key is supposed to be trivially easy, right?

The new key generation system may be more difficult to get round than the last one; indeed, if it isn't, there isn't a lot of point in Microsoft implementing it. That, however, is not the problem. Microsoft's difficulties arise not from people actually cracking the key system but from corporate keys leaking, so no matter how good the system, if a key is leakable, it gets circumvented.

So, Microsoft not being stupid (perversely, persistently irritating yes, stupid no), there has to be another shoe. Some sabre-rattling to discourage customers from leaking might have some effect, but as the company can't even stop its own people leaking betas, we think not a massive one. Sure, Microsoft can threaten legal action against companies whose keys escape, but how do the companies stop them escaping? Many of the people at the sharp end of deploying these keys don't even like their employers, so they should care if the firm gets whacked for an additional 20,000 licence fees.

Inexorably, one is drawn to phoning home as the real shoe two. The EULAs are being amended so that Microsoft reserves the right to check the validity of machines' licences, which means the company will be able to check online for leaked keys, and take what it deems appropriate action. Checking via Windows Update would allow the identification of corporate keys that had leaked out of the corporate market, and this could be followed up with the owner of the key. It wouldn't have an effect on the new "owners" of the key of course unless Microsoft decided to remote-bomb suspect installations on a regular basis, rather than just whacking them at Service Pack stage.

Microsoft would need a tightening up of the corporate auditing procedure to go alongside this, but its auditing procedures get ever-tighter anyway. If at some point in the future Windows client machines always wanted to either check in with a licence server system on the Web or with one on the corporate network that Microsoft itself could check with, then businesses using pirate software would be a lot easier to track, and they're a better source of low-hanging revenue fruit than playground copiers anyway.

There is however one last snaggette to the system we've just been roughing out. If there is no change to the key system used for non-corporate copies, then the easy workaround becomes key generation rather than a leaked corporate key. There are several pieces of software available on the Web that produce keys that seem to be recognised by Microsoft's WPA system as valid. So next, Microsoft will surely have to deal with that aspect of the compromised key system. ®

Sponsored: How to determine if cloud backup is right for your servers