MS to intro product key check in WinXP SP1 WPA

And uncrack cracked systems

  • alert
  • submit to reddit

Providing a secure and efficient Helpdesk

Microsoft has released details of the changes being made in Windows Product Activation (WPA) with WinXP Service Pack 1. As expected, SP1 will fail to install if either of "two well-known pirated product keys" has previously been used to activate the system, and such systems will also be denied access to Windows Update. But the changes will have a far wider impact than this, as Microsoft appears to be trying to cover all currently known holes in WPA security.

Activations taking place after SP1 has been applied (largely on new systems, one presumes) will include the product key in the installation ID. According to Allen Nieman, lead technical product manager i/c WPA, the full key will be sent to Microsoft in an internet activation, while telephone activations will include a hash value of the key, " in order to limit the increase in size of the telephone Installation ID." Nieman says "we should have included this in the Installation ID from the beginning," and now they have.

This installation ID previously consisted of product ID and hardware hash, so the addition of the product key takes the components to three. The major impact of this change is that Microsoft can now check a product key "to determine its validity," which perhaps means that Microsoft does have a list of valid keys of some sort, and that key generation software will cease to function. If however Microsoft does not have such a list for products already shipped, it most certainly will have in the future. Failing that, the change at least gives Microsoft a mechanism for swiftly cracking down on new leaked keys.

As Windows Update will also now be checking keys, Microsoft can deny access to updates even if SP1 has been successfully applied on a system whose key is subsequently determined to be compromised. No bombs vaping systems as yet though - it still seems to be the intention simply to freeze systems by denying them updates. Apart from...

"Service Pack 1 for Windows XP will contain fixes to cracks used by software pirates to circumvent activation. Installations of Windows XP patched by a crack will require activation after SP1 has been installed." So, although as far as leaked product keys are concerned, Microsoft is sticking to its promise of just freezing the system state at pre-SP1, users of patched versions applying SP1 will be bombed.

Why the differentiation? People using cracks are badder than people using dodgy corporate keys? Market research? Possibly, Microsoft recognises that users of leaked keys stand a greater chance of being genuine customers using the keys either deliberately or obliviously, and that it stands some chance of shooting its friends by mistake.

Windows Update, by the way, will not be validating product keys until 2nd October, according to Nieman, which means until then the product key data is simply discarded. After that date it will be used for validation and then discarded, he says. But, um, hang on a moment there Mr Nieman. If Microsoft has a list of valid keys, and if it checks my key against that list, then must it not place some form of tick on the list, in order to cater for my known propensity to pass on my product key to my neighbours, pets and passing tradespeople? (I jest, please stop trying to break down that door.)

Anyway, the nature of 'discarded' here seems to us to warrant further investigation, and the importance of the 2nd October switchover is probably that Microsoft wants to avoid the possibility of two sets of changes going horribly wrong at the same time.

There is one small relaxation in the new model, in that users forced to reactivate after making hardware changes will now have three days in which to do so, rather than having their system break instantly, and being forced to fix it then. From the user's perspective this probably does not amount to a particularly large hill of beans, but it will likely make them less cross when they phone up, and it does look like a concession.

As regards corporate customers, an encryption feature has been added, "to allow the encryption of the VLK for unattended setups of Windows XP with Service Pack 1. Customers who place their VLK in an unattended setup file (unattend.txt) will be able to encrypt the VLK such that it will be time limited and hidden from plain text. This means that the VLK could be encrypted in the unattend.txt on a network share install point, RIS, CD-based install, etc."

The implications of this aren't immediately clear to us, and rather depend on what that "time limited and hidden from plain text" means. It should not mean that corporate customers will need to be issued with new keys for existing installations (as Nieman hotly denied when we suggested this might be the case), but it does seem to suggest new 'disposable' keys are envisaged for new slipstreamed installations. Limited time keys would certainly make sense, considering what techies are like.

Microsoft puts all of this in its very own way. The changes are "ensuring licensed customers receive full benefits" and "raising the bar on pirates" who "have been busy engineering circumventions to digital rights technologies including Microsoft's own product activation." So there you have it - WPA is a digital rights technology. Which may remind you of something. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
Microsoft WINDOWS 10: Seven ATE Nine. Or Eight did really
Windows NEIN skipped, tech preview due out on Wednesday
Business is back, baby! Hasta la VISTA, Win 8... Oh, yeah, Windows 9
Forget touchscreen millennials, Microsoft goes for mouse crowd
Apple: SO sorry for the iOS 8.0.1 UPDATE BUNGLE HORROR
Apple kills 'upgrade'. Hey, Microsoft. You sure you want to be like these guys?
ARM gives Internet of Things a piece of its mind – the Cortex-M7
32-bit core packs some DSP for VIP IoT CPU LOL
Microsoft on the Threshold of a new name for Windows next week
Rebranded OS reportedly set to be flung open by Redmond
Lotus Notes inventor Ozzie invents app to talk to people on your phone
Imagine that. Startup floats with voice collab app for Win iPhone
'Google is NOT the gatekeeper to the web, as some claim'
Plus: 'Pretty sure iOS 8.0.2 will just turn the iPhone into a fax machine'
prev story


Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.